Audit also requested in August 1998, a status update from the Department on action taken and proposed in respect to the Department's formal plan of review of EDS's performance relating to the contracting out arrangement.

The Appendix to Part A.4 of this Report lists the agencies of government that were reviewed in relation to this matter.

Key findings in respect of DAIS and selected agency/EDS contract management arrangements, are presented below. The principal aims of the Government's contracting out of its IT infrastructure and operations, were to:

• deliver cost savings;
• provide for economic development;
• consolidate, rationalise and standardise government IT infrastructure.

Audit's findings are presented in the context of those aims, and in relation to some matters of a management and operational nature.

Audit has provided commentary in Reports to Parliament for the last four years regarding the contracting out of the Government's IT Infrastructure.

Specifically, in 1994-95, Audit included certain observations concerning contract risk management drawn from United Kingdom experience.

One observation related to the importance of establishing the client's known position, notably, finalising due diligence processes in respect of 'in-house costs', 'IT asset valuations', 'human resources', etc. Against that background, Audit notes that certain difficulties have arisen recently that, if not resolved, will be detrimental to the Government. Resolution of these matters will require the goodwill and close cooperation of both the Government and EDS. At this stage, in recognition of the status of contract negotiations, it would not be appropriate to provide detailed comment relating to these matters.

In October 1995, the Government signed a nine year IT Infrastructure contract with EDS. At that time there were a number of matters with regard to which it was envisaged agreement would be reached within established timeframes of agency transfers. The transfer process for most government agencies was finalised by the end of September 1996. As mentioned, some key matters have not been resolved at this stage, and the Department of the Premier and Cabinet in conjunction with the Government's Principal Contract Administrator, have taken some responsibility for finalisation of the arrangements.

Key matters which have not been finally resolved essentially relate to: final assumed costs; revised annual percentage price reductions; and unit pricing arrangements. In addition, final prices for Justice Information System Services' transfer to unit pricing have also not been fully resolved at this stage.

These matters require resolution as they have implications concerning the costs associated with the EDS contract. Once these matters are finalised, Audit will undertake a review of the finalised arrangements.

Some payments to agencies as a result of certain agency asset transfers and supplementation of recurrent budget funding have not been finalised. Audit has been advised that Cabinet approval for asset payment arrangements will be sought once baseline Îassumed costs' are finalised, and consideration will be given to agency budget funding supplementation.

Audit notes that any achievement of savings under the contract arrangements cannot be confirmed until finalisation of the important matters referred to earlier herein.

The EDS Compliance Annual Report (EDSCAR) required to be provided by EDS was in the process of being independently audited by a contracted external firm engaged by DAIS at the time of preparation of this Report. Achievement of economic development obligations by EDS is a significant requirement of the contract and such achievement is fundamental to the success of the contract aims. This matter will be followed up in 1998-99.

EDS is required to consolidate, rationalise and standardise the Government's IT infrastructure.

Whilst the mainframe segment has essentially been finalised, certain aspects of the consolidation, rationalisation and standardisation process were under consideration at the time of preparation of this Report.

Draft Technology Refreshment plans have been submitted by EDS to DAIS and have been forwarded to agencies for review. The plans were under consideration at the time of preparation of this Report.

The restructuring of government agencies undertaken in 1997 has certain implications in respect of the EDS contract arrangements. A number of matters were being addressed by DAIS at the time of preparation of this Report, including any necessary amendment to the contract schedule of agencies and certain matters related to the potential sale of public sector entities.

DAIS's principal means of directing and assisting agencies in management of the contract arrangements with EDS is the provision of a comprehensive Contract Management Manual. The current manual provided by DAIS is in urgent need of update and revision, and does not provide agencies with sufficient information to facilitate their contract management responsibilities. Audit's review of selected agencies during 1997-98 again revealed that a number of agencies sought more direct guidance and assistance from DAIS in managing the contract with EDS.

Similar to last year's findings, Audit reviews in 1997-98 revealed a number of matters still requiring action to achieve a satisfactory state of finalisation. These related, interalia, to the 'covering certification forms' for the identification and authentication of individual agency service level agreements, finalisation of agency procedure manuals, preparation and forwarding of monthly reports by agencies, development of security specification documentation, time taken by EDS to process change requests, provision of forecasts of service level requirements by agencies, and annual review of service level agreements.

With respect to the delay in finalisation of key contract arrangements, Audit was advised by the Chief Executives of DAIS and the Department of the Premier and Cabinet, that the matters were being addressed at a Departmental Head level with EDS with a view to finalisation in the near future.

Regarding the other matters raised by Audit, DAIS acknowledged Audit's findings and advised of action planned and in progress to address those matters.

DAIS is responsible for monitoring EDS's performance under the contracting out arrangement. In respect of the development of a formal plan of review of EDS's performance, last year DAIS advised that detailed planning was under way to scope segments of the plan and to then tender for external services to carry out the first part of the review.

In June 1998, DAIS advised that achievements under the plan of review have been:

• an audit of the assets data base has been conducted by external contracted consultants;
• an audit of the EDSCAR report is currently in progress by external contracted consultants;
• there was an earlier review of the Change Request process carried out internally...;
• DAIS had requested and received a legal audit on the contract from the Crown Solicitor's Office;

Regarding certain 'legacy issues' relating to key contractual matters not fully resolved, DAIS has advised that it has established a Task Force with the Crown Solicitor's Office to focus on finalisation of these matters. Finalisation of these matters was in progress at the time of preparation of this Report.

Whilst Audit has undertaken comprehensive reviews of the security arrangements at the EDS Information Processing Centre, it should be pointed out that DAIS and government agencies have a responsibility to ensure that EDS meets its security obligations under the contract. Audits' independent assessment cannot be relied upon to discharge that responsibility.

A government focus on the development of an electronic trading or electronic services business environment has been the aim of a number of individual initiatives/projects over recent years. DAIS in its July 1998 draft Government Information Framework document recognises that existing electronic service delivery throughout government is fragmented and reinforces the perception of a diverse range of agencies rather than a cohesive whole. This conclusion reflects government attempts in 1996 through arrangements with a selected IT service provider, to develop an electronic services business (ESB) which did not progress to the envisaged state of finalisation.

In August 1998, Audit sought an update from DAIS in respect to any review reports that may have been completed subsequent to the 1996 developments, which would provide some insight into the learning outcomes and associated costs of those developments.

The Department advised in its response of September 1998, that:

There is a need with large IT developments of government, for a review of the experiences to be undertaken and the results, where applicable, applied to the Governments project initiation and project life cycle methodology and promulgated for the benefit of other agencies. This is particularly relevant where those developments do not reach the envisaged stage of finalisation or achievement of project aims.

In September 1997, DAIS determined the objectives of the ESB project would be met by a portfolio of projects including whole-of-government, bill paying; call centre; and Internet publishing and services. One example initiative, facilitated by DAIS, is commented on below. In addition ESB initiatives are to be pursued through the South Australian Government's Procurement Reform Strategy.

In December 1997 DAIS undertook to facilitate with the Department for Transport, Urban Planning and the Arts, a project utilising an Internet service for on-line payment of motor vehicle registration renewals. In August 1998, Audit sought advice from DAIS of any key risks identified and mitigation strategies emanating from the Government bill paying initiative and, advice of any specific matters on which DAIS sought comment from the Crown Solicitor's Office.

The Department advised that:

• a comprehensive learnings report covering the risks, the issues resolved and the testing mechanisms employed, is in the process of being finalised by DAIS staff and endorsed by Motor Registration Division.
• Within DAIS, and specifically within the Online Services Initiative, ... no legal advice has been sought or obtained from the Crown Solicitor's Office ·
• Motor Registration Division · have sought and obtained advice ·

Audit communicated with the Crown Solicitor's Office with respect to some general characteristics of government implementation of electronic commerce that relate to operating government and private sector network components. Matters raised included, the legislative basis for Internet services; right of access and review by the State or the Auditor-General; financial liability; and key risks in the introduction of electronic commerce.

In recognition of government initiatives to introduce electronic commerce in the State, Audit considers it would be prudent to initiate a comprehensive legal audit, including privacy matters, to establish the adequacy of the legislative basis for Internet services and to ascertain any potential legal liability or risks for the Government or its agencies.

As in other IT initiative areas, consideration needs to be given in contractual arrangements for electronic commerce to the requirements for the State and the Auditor-General to access and review both public and private sector components of these arrangements.

At the time of preparation of this Report, a response had not been received from the Crown Solicitor's Office.

RECAP ON OTHER IT INITIATIVES

Last year's Report contained a description of and, commentary in regard to, a number of specific initiatives which were further progressed by the Government in 1997-98. These initiatives, however, generally did not reach a stage of contract finalisation or effective implementation of contract arrangements. A brief summary status of these projects is provided below.

The telecommunications initiative relates to the management of the Government's telecommunications services to achieve cost reduction for both the Government and private industry. It also provides for a whole-of-government telecommunications network including mobile radio and a government telephone network service.

The TSM contract was signed in June 1996 and had a duration of two years from 1July1996. The scope of the telecommunications services under the TSM contract was significantly changed in March 1998. The contract was extended a further year from 1July1998.

At the time of preparation of this Report, developments under this initiative in regard to the fixed segment of the Government Network Contract were at an early stage of progress.

At the time of preparation of this Report, DAIS was in the final stages of considering responses to its request for proposals.

This initiative is directed at private and government sector participation in the development of a Spatial (land and location related information) Information Industry to be located in South Australia. The project includes aspects of the ÎLand Ownership and Tenure System' (LOTS) redevelopment project, and certain other projects considered to be economically viable.

At the time of preparation of this Report, a number of projects relating to the Spatial Industry Strategic Alliance were under consideration or development.

DAIS is in the process of establishing an Application Maintenance and Development Services Panel (AMDS) to provide services to the South Australian public sector. This initiative followed a proposal submitted by a private sector IT service provider to the Government for application maintenance and development services in mid 1996.

In December 1997 the Government accepted the private sector initiated IT service provider proposal and following Cabinet approval, the IT service provider was appointed to the Panel.

At the time of preparation of this Report, the process of consideration for appointment to the Panel of other suppliers had not been completed.

The Year 2000 compliance problem is now well publicised and relates to systems and other technology which may fail as a result of errors in calculations which involve dates before, on, or after 1January2000. The impact of such failures is recognised world wide and government and private sector organisations are addressing the problem with some urgency.

Last year Audit noted certain developments which had taken place in respect of preparing the Government for Year 2000 compliance. The Government implemented a staged program of inventory, assessment, correction and testing involving the predecessor to DAIS, and endorsed the Federal/State Year 2000 compliance plan for South Australian government agencies. That plan essentially defines a series of timeframes for the completion of important items, in particular for the:

• correction of critical items by the end December 1998;
• testing of critical items by the end June 1999.

During 1996-97, Audit monitored and communicated with DAIS and the Department of the Premier and Cabinet in respect of Year2000 developments. As part of that process, Audit indicated that it was desirable that the 'Agency Annual Reporting Requirements' directive promulgated by the Department of the Premier and Cabinet, be extended to include a specific requirement for agencies to report on their status and arrangements for Year 2000 readiness.

In 1997-98, the Government implemented revised Ministerial reporting arrangements for the monitoring of Year 2000 preparedness. Agencies have been directed to include statements of the status of their efforts in their annual reports. DAIS also undertook a number of activities to encourage, monitor and report on progress by key public and private sector organisations.

Arrangements have also been initiated by DAIS with EDS to ensure the State's IT infrastructure is Year 2000 compliant within the relevant timeframe.

Audit's responsibility requires it to monitor Year 2000 developments in both DAIS and individual government agencies. In this regard, Audit has communicated on certain Year2000 considerations with DAIS during 1997-98, and has sought updates on the Government's overall preparedness. In addition, Audit has undertaken a number of reviews at individual agencies with a specific focus on Year 2000 compliance arrangements.

Audit sought advice from DAIS during the year principally in respect of, inter alia:

• the status of critical government systems;
• costs of corrective action;
• identification of agencies and bodies monitored;
• risk management strategy/methodology for State's exposure;
• contingent liability for government;
• strategy for non-IT matters.

The Appendix to Part A.4 of this Report lists government agencies that were reviewed in respect to this matter.

The key findings from summary information provided by DAIS and from Audit's specific reviews of selected agencies are as follows.

In regard to agency compliance status, DAIS collates monthly updates from agencies in achieving Year 2000 compliance and summarises progress against the Cabinet endorsed Year 2000 compliance plan from a whole-of-government perspective. The summarised position at July 1998, reveals there are 39 portfolios or Agencies/Government Business Enterprises being monitored, of which 14 are assessed as behind schedule to complete the correction of critical items by December 1998.

In relation to the testing of critical items, 7 agencies indicated that they will not be able to complete testing by June 1999. As a general observation Audit notes that some agencies are slipping further behind the Year 2000 compliance plan and creating a higher risk of not being prepared.

The July 1998 summary also shows DAIS and the South Australian Health Commission to be at a high risk level. DAIS is at a high risk level in part because of the uncertainty of the completion date for the LOTS conversion project. The South Australian Health Commission high risk status is essentially because the timeframe for the Central Commission project to provide compliance information to Health Units has encountered delays. DAIS and the South Australian Health Commission have taken a number of steps to move the projects forward.

The summary indicates the total estimated cost to be in the vicinity of $82million (excluding some costs not yet assessed by agencies) and could have the potential to exceed $111million.

Audit's reviews of individual agencies confirmed there have been delays in achieving the task timeframes in the Cabinet endorsed Year 2000 compliance plan. It is apparent that without the substantial input of additional resources, not all government agencies will be ready in time.

The review findings indicated that government agencies need to make a strong commitment toward achieving the Cabinet endorsed Year 2000 compliance guidelines. Whilst the majority of agencies had developed compliance plans and were monitoring progress against the plans, a number of agencies reviewed lag behind the Cabinet endorsed timeframes. Main reasons advised for the delays related to a lack of provision of resources and some uncertainty regarding funding arrangements.

Other observations relate to a need to improve management and procedural controls over Year2000 projects, and for business continuity plans to specifically consider Year2000 risks. Given the delays in progress in certain agency areas, it is evident that contingency planning arrangements will be a critical aspect of agency Year 2000 compliance considerations.

Further, agencies must be cognisant that once rectification work has been completed in regard to Year 2000, an increased level of vigilance is required to ensure that rectification work remains Year 2000 compliant.

Embedded microprocessors are built into machinery from small devices such as consumer electronics, to dedicated processors controlling large industrial plants. These monitor, regulate or control the operation of devices, systems, networks or plants and are generally not designed to be easily changed. Any failure of these can also have implications for occupational health and safety matters relating to employees.

These embedded microprocessors need to be identified, evaluated, corrected where needed and tested.

The failure of medical equipment could have serious consequences for patients. The South Australian Health Commission and Health Units are responsible for ensuring Year 2000 compliance of IT systems and equipment across the Health sector.

The National Audit Office (UK), noted in its report 'Managing the Millennium Threat II', of May 1998, that:

The Year 2000 problem may involve legal risks to the Government, including litigation taken against the Government by clients and the public whose finances and investments have been damaged, and litigation associated with any deaths or injury derived from Year 2000 failures.

Audit considers the Government may need to consider legislation to protect the State and ensure its ability to continue essential services. In this context, it is also relevant to consider the Government's liability to third parties generally.

In response to Audit's communication, the Year 2000 SA Office of DAIS advised:

• In respect of the identification of all agencies and organisations to be monitored by DAIS It is estimated that this final list should be available by the end of September 1998.
• Year 2000 SA presently ranks reporting agencies by High, Medium and Low categories dependent on an assessment of the risk to government, based on several factors.
• The Office is also establishing a list of 'Essential Services' provided by the State which includes the status of exposures and the remediation efforts underway.
• · it is the domain of the agencies to develop an assessment of contingent liability for the exposures that they have identified.
• The Office is working with the portfolio coordinators via our account managers to ensure that the Non-IT area is properly addressed.
• The Year 2000 SA Office recognises that the area of Contingency planning is increasingly becoming more important for agencies. It will become a major part of the effort of agencies in 1999 and the Office is communicating to agencies the importance of developing contingency plans for major exposures.

It is mandatory for the Auditor-General to review the adequacy of controls associated with the operation of financial systems of government and its agencies.

Since late 1996, agency IT operations have for the most part been provided by the Government's contracted IT service provider, EDS, either at its Glenside Information Processing Centre or by its computing facilities located at individual agencies of government. The arrangements with EDS have important implications for the security and processing of government systems and information and, have been a specific focus of Audit's security reviews in 1997-98.

Audit's security review coverage for 1997-98 included specific reviews of:

• the EDS Information Processing Centre,
• security aspects of individual agency systems;
• government mandated financial systems;

The EDS Information Processing Centre is the Government's prime contracted bureau for processing of information. The bureau processing has important implications for the security, control and, continuity of operation of government systems and information.

A comprehensive review of the security arrangements in operation at the EDS Information Processing Centre (IPC) was undertaken by Audit in June 1997. This year, a further detailed review was undertaken of the EDS IPC security arrangements.

A key focus of the review was directed at the Masterpiece Financials system, and the Concept HRMS system. Specific consideration was given to the security requirements defined under the 'SA Government IT Security Standards in an Outsourced Environment'.

The scope of the review covered important control aspects of segregation of duties and the management and monitoring of user access to the system and the Statenet communications network. Consideration was also given to daily operational controls over processing and system enhancements and, arrangements in place to ensure the continued satisfactory operation of government systems.

The high concentration and complexity of government systems processing at the one site places increased importance on the provision of suitable business continuity planning arrangements for the uninterrupted processing of key government systems, the collection of government revenue, payment of accounts and the provision of important government services to the community.

The environment that supports the Masterpiece Financials system includes the MVS operating system, RACF access control software, CICS on-line processing software and the StateNet and EDS communications networks. Improvements in control have been made in several areas and this control environment is generally considered satisfactory, although certain control aspects require further improvement.

The environment that supports the CONCEPT HRMS system includes the UNIX operating system and the CONCEPT HRMS system database.

Last year's review found the environment unsatisfactory from a control perspective and although there have been significant improvements in 1997-98, there are still several matters to address in order to achieve a satisfactory level of control. This situation reflects the contracted arrangements with EDS which essentially require EDS to provide only the same level of security as existed at the time of transfer of government agencies to EDS operations; and some limitations in the control facilities available in the UNIX operating system.

There have been significant improvements in relation to business continuity planning since Audit's 1997 review and a plan is in place to continue to improve the level of preparedness for recovery of computer systems in the event of a disaster at the EDS Glenside site. There is still a need for improvement in the level of preparedness. (This is again partly reflective of the contracted arrangements with EDS).

The 1997-98 Audit coverage of key agency systems included system security arrangements. This included a follow-up review of security arrangements for key agency systems at eight selected agencies subject to review in 1996-97. Agencies subject to review are listed in the Appendix to Part A.4 of this Report.

Improvements were needed in:

• the development and implementation of security policies and procedures;
• system controls over passwords and information;
• processes for managing access to the system;
• control over user activity;
• user transfer and termination procedures;
• system network security arrangements;
• finalisation of business continuity/disaster recovery plans;
• provision of an audit trail.

All observations do not apply to individual agencies as some areas of agency operation were considered satisfactory.

In 1997-98 a review was undertaken of 'system change control' procedures in respect of the Masterpiece Financials system and CONCEPT HRMS system.

There was an identified need to improve management and procedural controls over system maintenance to ensure the integrity of system operation.

The Department of Treasury and Finance and the Department of the Premier and Cabinet have implemented a plan of action to address the matters raised by Audit.