The Second Report of the Public Accounts Committee of
Singapore was presented to Parliament yesterday. The Committee considered the
Report of the Auditor-General for the financial year 2016/17. One of the common
themes in the report was certain weaknesses in IT controls across public sector
agencies. The Committee sought written
explanations from three ministries: Ministry of Home Affairs (MHA), Ministry of
Manpower (MOM) and the Ministry of Social and Family Development (MSF). All three
have responded. They have taken multiple steps to close the gaps and strengthen
The Committee noted that the recently
formed Smart Nation and Digital Government Group (SNDGG) is taking actions
at the Whole-of-Government (WOG) level to strengthen IT governance within the
public sector. The Committee also reiterated that to eliminate recurring lapses
and strengthen governance, every public sector agency has to play its part and
be committed to implementing effective controls.
Actions taken by MHA
The Committee noted from the audit observations on the
Singapore Corporation of Rehabilitative Enterprises (SCORE) that there were
inadequate controls to detect unauthorised changes made to payroll records.
SCORE indicated that it would verify all salary payments made from April 2014
to January 2017 to ensure that no unauthorised changes were made to staff
MHA informed the Committee that the verification exercise
was completed and no anomalies were detected. MHA has also taken a number of
remedial actions to address the weaknesses in the payroll processing. SCORE had
started monthly reviews of user access rights and the activities of privileged
users since June 2017.
In July 2017, enhancements were made to tighten the payroll
process to prevent and detect tampering with payroll records. An
Assisted Auditing Tool has been in use since July 2017 to flag anomalies
and suspicious transactions before each payroll run.
In October 2017, MHA seconded an experienced Human Resource (HR) officer
to oversee SCORE's HR department.
Finally, SCORE will be migrating to the Public Service HR
and payroll systems, which adhere to best practices in controls, by the first
quarter of 2018.
Actions taken by Ministry of Manpower (MOM)
The audit report noted that at the Central Provident Fund Board
(CPFB) there might be a lack of management and oversight in the areas of change
management, security monitoring and access control for IT systems.
MOM informed the Committee that CPFB has in place a sound
system to oversee change management, monitor its IT systems and usage, and
manage system access rights to ensure that CPFB's systems and databases are
protected against IT security threats and unauthorised access at all times. The
lapses identified in the management of CPFB's two IT security monitoring
systems and controls for system access for temporary staff were the exceptions
rather than the norm.
On the management of the two IT security monitoring systems,
MOM has followed up and closed the gaps.
One of the steps taken is
the implementation of a change management process since January 2017 to ensure
that all changes made are formally authorised and tracked. CPFB has also
completed a further round of checks of all its other IT systems and confirmed that
there is a documented change management process specific to each system.
In addition, CPFB placed all its critical systems
(including the non-public-facing ones) under monitoring in June 2017. CPFB also
completed a review of the monitoring rules of the IT security monitoring
systems in March 2017 to ensure that the systems remain effective, and a periodic
review process was implemented in May 2017.
Disciplinary action has been taken against the staff who
failed to properly configure the IT security monitoring system to provide
complete alert reports on IT security violations.
Moreover, CPFB has implemented an Identity Governance and
Administration (IGA) system to strengthen the access controls of CPFB’s
systems. This IGA system provides full visibility of who has access to which IT
systems, automates life-cycle management of accounts and account dormancy
checks, and facilitates periodic review of accounts and accesses. All CPFB’s
core systems have been placed under the IGA system in October 2017 while the
rest of the systems will be placed under the IGA system by December 2018.
Another observation by the Committee was that the system
access of some temporary staff accounts was not removed promptly after the
temporary staff left CPFB.
MOM explained that the lapses occurred due to an oversight
by a supervising officer, and CPFB had taken disciplinary action against the
officer for not complying with the established procedures. CPFB has since
improved the process, including introducing a checklist of actions to be completed
when a temporary staff member leaves. This checklist is reviewed at three levels
to ensure that the necessary actions have been taken.
Actions taken by MSF
The Committee noted that there were instances of inappropriate
access and breaches of access control rules by MSF's IT vendor staff to the
IT systems that support the Baby Bonus and Child Care/Infant Care subsidy
schemes. MSF has completed an investigation into all 595 previous
instances of inappropriate access.
The investigation by MSF revealed that all instances of access were
for valid business purposes. The lapse lay in IT vendor staff using different
accounts and failing to observe segregation of roles, in the hope of
completing their assigned tasks quickly. Upon conclusion of the investigation,
MSF issued a stern warning letter to the management of the IT vendor to
comply strictly with the existing Standard Operating Procedures (SOPs).
To prevent recurrence of similar incidents and strengthen oversight
of its IT vendors, MSF has taken the following actions:
(1) conducted a one-time review of all system and database administrator
accounts and the access logs for the past 12 months;
(2) reviewed and directed the IT vendors to strengthen their procedures for the
administration of IT systems and the management of accounts;
(3) instituted an independent monthly review of accounts and access logs by
MSF's IT staff using data analytics;
(4) required IT vendors to review privileged accounts and activities, and to
report their findings to MSF's IT project team monthly, with key results
reported to MSF's IT management team quarterly; and
(5) tightened the processes of IT vendors to ensure that appropriate processes
and resources are available for vendors to complete their tasks without
compromising segregation of roles.
These actions taken by MSF illustrate that the Ministry remains
accountable and is stepping up its oversight to ensure proper compliance
with SOPs. The strengthened procedures will ensure an appropriate level of access and
clearer segregation of roles.
WOG approach in strengthening IT Governance within the Public Sector
Addressing the concerns over the weaknesses in IT controls found
across several public sector entities, MOF informed the Committee that
Singapore is taking a WOG approach in strengthening IT governance within the
public sector with the recently formed SNDGG under the Prime Minister’s Office.
The SNDGG is designated to be the central body that oversees
policies on IT management in the Government to safeguard the integrity of IT
systems and the data within them. SNDGG has been continually refining IT management policies
to ensure proper controls. It also conducts independent audits to help agencies
identify and rectify any gaps in compliance with the policies, and the findings are
shared on various WOG and multi-agency platforms every year. For example, SNDGG
has shared key learning points from AGO's findings on weaknesses in IT controls
at senior management forums.
The Government Technology Agency (GovTech) has also completed an
assessment of the feasibility and cost-worthiness of solutions to automatically
update account and access rights in IT systems when officers’ records are added
or removed in HR systems.
Given the cost and complexity of implementing the
solutions, GovTech would prioritise which agencies to work with to adopt the
automated solutions over the next few years, beginning with those with the