Government audit finds lapses in IT controls, unchecked vendors
Auditor-General's Office report notes vendors had unrestricted access to sensitive data and servers
The Auditor-General's Office (AGO) will continue scrutinising IT controls in government bodies to highlight weaknesses and lapses.
An AGO spokesman stressed this in a reply to The New Paper's queries after new Auditor-General Goh Soon Poh found weaknesses in IT controls in the public sector, including the Ministry of Defence (Mindef), the Ministry of Manpower (MOM) and Singapore Customs.
Her first annual AGO report since she took office in February said the weak IT controls include inadequate monitoring and review of users of IT systems, such as giving external vendors access to sensitive or personal information, some of which had gone unchecked for years.
The spokesman told TNP: "The AGO had highlighted similar weaknesses in various public sector entities in its reports for the past few years, indicating that IT controls remain a key area for improvement.
"It is therefore critical that the public sector ensures that the IT controls put in place are sufficiently robust to prevent and detect unauthorised access and activities."
The latest report was submitted to the President on July 2 and made public yesterday.
Among the IT concerns were:
- Vendor staff having unrestricted read-access to personnel and payroll information in Mindef's Enterprise Human Resource system for more than two years. The log records of what they had accessed had also not been reviewed by Mindef since 2014. Mindef noted the AGO's concerns and has conducted a review and restricted the access rights of the staff accordingly.
- In MOM, 13 IT vendor staff had accounts that gave them unrestricted access to view and change data in the work permit and Employment/S Pass databases. They could also remove the audit trail of any unauthorised activity. MOM had not reviewed their activities since 2011 and reviewed the activity logs of these staff only this year to verify there was no unauthorised activity.
- The AGO also found seven IT vendor staff engaged by Customs had unrestricted access to some of its servers without password authentication. They had access to such data as customs licenses, collections of tax and excise duties. Customs enforced password authentication in April and said it would implement system enhancements by year-end.
AGO's checks on Mindef found it had overpaid a dozen Republic of Singapore Air Force pilots more than $270,000 in flying allowances.
One pilot was paid wrongly over a period of six years. The amount was not stated. Mindef has since recovered the erroneous payments from nine pilots. Two other pilots had been underpaid.
Another key area highlighted was lapses in procurement and contract management.
Irregularities were found in quotation documents submitted by contractors to the Ministry of National Development (MND) and the Urban Redevelopment Authority (URA).
Acting on a complaint, AGO checked MND's procurement and contract management of works for building facilities and found irregularities for 49 out of 71 work orders. The work orders totalled about $320,000, which was paid from April 2016 to March last year. MND has made a police report.
The URA also made a police report after similar concerns were noted in the audit of one of its infrastructure projects.
MND and URA said they were unable to comment as the matters were now with the police.
Lapses were also found in the approval of 142 contract variations in the National Gallery development project, which is owned by the Ministry of Culture, Community and Youth (MCCY) and managed by National Gallery Singapore.
The total value involved amounted to $12.4 million.
MCCY said yesterday it is studying the AGO's findings and will seek to improve management of future development projects. The National Gallery said it is reviewing its processes and policies and has taken steps to recover the overpayments from the contractors.