Thursday 20 July 2017

Auditor-General's Report FY 2016/17: Financial and IT lapses found in government agencies

Auditor-General raps government agencies for lapses
Government agencies taking action to fix lapses flagged by AGO
By Toh Yong Chuan, Manpower Correspondent, The Straits Times, 18 Jul 2017

Several government ministries and agencies have been rapped by the Auditor-General for weaknesses in controls over information technology (IT) systems, lack of financial controls and inadequate oversight over large-scale development projects.

These lapses were discovered by the Auditor-General's Office (AGO) in the latest annual audit of government accounts for Financial Year 2016/17.

In response, the Ministry of Finance (MOF) said the public sector's overall system of managing public funds remains sound, but acknowledged there are areas where agencies can do better by strengthening their financial governance.

"The Public Service is taking a concerted effort to address the issues identified," it said.

"Heads of the agencies responsible have reviewed each case and where warranted, appropriate actions have been or will be taken against those responsible."

In the report released on Tuesday (July 18), the AGO found that the Ministry of Social and Family Development (MSF) did not track how its staff and vendors use the IT systems that run the Baby Bonus, child care and infant care subsidy schemes. The systems were accessed 4,920 times over an 11-month period, but 595 of these were "inappropriate" logins that "would warrant further investigation". Among them, 560 logins were made by MSF's IT contractor who "had used a privileged system user account which did not belong to them".

The National Parks Board (NParks) did not remove the access rights of 104 accounts of staff who have quit, some as far back as 10 years, while the Singapore Corporation of Rehabilitative Enterprises (SCORE) had weak controls over its payroll system.



The agency with the most lapses in its IT systems was the Central Provident Fund (CPF) Board. It did not track its monitoring systems for unauthorised access to the computers. In one of its IT systems, nearly 89 per cent of changes made by the system administrator over a three-month period were not backed by proper approvals. In another IT system, the alerts meant to pop up when there was unauthorised access were incomplete.

"These lapses could affect the effectiveness of the two IT security-monitoring systems in detecting IT security violations," the AGO said. The CPF Board also did not revoke IT access granted to temporary staff and could not identify who used the accounts after they quit.

As for financial controls, the AGO found lapses in the Economic Development Board (EDB), Sport Singapore (formerly the Singapore Sports Council) and SCORE.

The EDB had given out grants totalling $2.59 million for eight projects even though information on these projects was inaccurate and incomplete. In six of these projects, EDB misrepresented them as being on track even though the grant recipients did not meet or faced difficulties in meeting the project conditions.

In SCORE, payments amounting to about $710,000 were made to contractors even though the invoices were not properly certified by its staff. A staff who was authorised to approve payments of up to only $1 million was found to have approved payment of up to $15.88 million.

Sport Singapore was found to have dragged its feet in paying contractors. It paid about $970,700 to vendors more than a year after the invoices were received. The longest it took to pay a contractor was more than three years and six months. The national sports body also could not account for how it used some of the sponsored items that it received, AGO noted.

On management of projects, the AGO singled out the Ministry of Health (MOH) for "irregularities" in many multi-million dollar contracts that it oversees. For example, the ministry paid $4.08 million for site supervisors for the building of the Ng Teng Fong General Hospital, but the ministry did not verify the need for the staff or the reasonableness of the cost, the AGO noted. It also did not get proper approvals and made the payment solely based on the agent's claims.

The MOH also made 40 changes to contracts amounting to $3.76 million without approval, including 32 changes for 10 projects valued at $2.17 million where the changes were made after the projects were completed or had started.

In response to the AGO report, MOH said it has worked to strengthen project oversight and management, as well as controls and checks on infrastructure projects to prevent lapses.

It will also train officers on public procurement procedures in a more structured way, and hold regular briefings on the contract variation process.

It noted AGO found "there was no indication of fraud or corrupt practices which warrant further investigation, or deliberate wrongdoing by the persons involved in the projects."

On the lapses of control over large scale projects, the AGO said: "Such lapses were found across different public sector entities over the last few years, indicating that more could be done to strengthen these areas."

MINISTRY OF FINANCE RESPONSE

In its response to the report, MOF noted that AGO had given an unmodified audit opinion on the Government Financial Statements for FY 2016/17. "This gives assurance that public funds have been independently verified to be properly accounted for, and the accounts are reliable and prepared in accordance with the law," the ministry said.

It also said the Public Service is taking steps to address issues raised in a systemic way.

On enhancing financial controls over grants, the Accountant-General's Department has been consulting government agencies and developing a guide that will help them put in place appropriate control procedures to ensure better accountability and efficiency. This guide will be given to agencies by the end of this year.

On better management of projects and contracts, a new Building & Infrastructure Centre of Excellence under JTC Corporation will advise government agencies and strengthen their capabilities in managing infrastructure projects. Project management training for public officers has also been enhanced, and MOF has worked with agencies on further guidelines on managing contract variations for development projects, which were issued last month.

On strengthening audits and policies for better IT governance, MOF said there are IT policies to ensure proper controls are in place so as to safeguard the integrity of public sector IT systems and the data within. "These policies have been continually strengthened over the years to improve the IT security posture of the public sector. Internal audits are also conducted from time to time against these policies to help agencies identify shortcomings for remediation," it said.

The newly-formed Smart Nation and Digital Government Group in the Prime Minister's Office will also strengthen the internal IT audit regime so that agencies can better identify and rectify any gaps in compliance. It will also continue to refine policies and share best practices to raise the governance and performance of public sector IT systems.

Said MOF: "Improving financial governance and accountability of government agencies... is a journey of continuous improvement."

















AGO report: MOH rapped over hospital in Jurong
By Salma Khalik, Senior Health Correspondent, The Straits Times, 19 Jul 2017

The Auditor-General's Office (AGO) has taken the Ministry of Health (MOH) to task for the way tens of millions of dollars were spent in the building of the $800 million Ng Teng Fong General Hospital.

The 700-bed hospital in Jurong was completed in 2015 - about half a year behind schedule.

The AGO's latest annual report criticised the ministry for "lack of controls and inadequate oversight" of the project.

The ministry said yesterday it will strengthen its project oversight processes and management controls.

But there was no wrongdoing, it added. "There was no indication of fraud or corrupt practices which warrant further investigation, or deliberate wrongdoing by the persons involved in the projects."

The AGO's report found that the ministry had paid $4.08 million for supervisory staff without ensuring that they were needed.

It was done although the ministry had already hired a contractor for $8.16 million to provide site supervisory services, it noted.

When asked about it by the AGO, the ministry said it was "not aware" its agent had separately hired site supervisory staff. It later told the AGO there was no duplication as the contractor's staff number fell by five, which corresponded with the five the ministry hired.

But this was incorrect. The AGO found that the contractor had cut only three, not five, workers. Also, it had hired six, not five, people, resulting in a net increase of three workers.

The ministry also paid one of the three people, who was "supposedly reduced" from the contract, for about two years.

In fact, the ministry was uncertain if it had to pay for the supervisory services after March 2015.



The AGO also flagged irregularities in seeking approvals when changes were made to the hospital contract. The changes involved $30.09 million. It said: "The lack of the required level of checks increased the risk of fraud."

There was "no assurance that MOH had exercised financial prudence in the use of public funds" or that the changes in the contract were scrutinised before approval was given, said the report.

The AGO also found lapses in approvals for 40 changes to contracts of 10 other projects that involve $3.76 million.

Approvals were either not obtained, sought after work had started or were submitted to the wrong authorities.

In some cases, approvals were obtained "before the relevant assessment and recommendations were made", the AGO said.

As a result, they cast doubts on whether the changes were properly assessed, it added.

The ministry said yesterday that it will work to "improve the competencies of our officers through more structured training on public procurement procedures".









CPF Board says data not compromised by security lapses
By Joanna Seow, The Straits Times, 19 Jul 2017

For 1-1/2 years, the Central Provident Fund (CPF) Board did not review the changes made to one of its systems that monitors IT security. As a result, there is no way to find out if unauthorised changes had been made during that time.

The Auditor-General's Office (AGO) flagged this in its audit of the board, which was found to have several lapses in IT security management.

A problem area discovered had to do with two of the board's IT security monitoring systems which track the activities of the CPF Board's databases and systems.

One of the systems was not configured properly and could not alert the board to IT security violations that happen on a particular day each week. For the other system, the AGO found that changes made to it were not supported by approved change requests.

"These lapses could affect the effectiveness of the two IT security monitoring systems in detecting IT security violations," the AGO said in its report.

The board said the lapses did not compromise CPF members' data, as there were no unauthorised activities or transactions in members' databases.

In its response yesterday, it said the various layers of IT defences in place mutually reinforce one another and protect against different types of security threats. There is also a clear segregation of duties between the administrators of the IT security monitoring system, the IT system and database.

"Together, these measures strengthen our prevention, detection, monitoring and response capabilities against cyber-security threats. CPF Board is committed to safeguarding the security and integrity of our IT systems and databases, and will continue to implement additional measures where necessary," the board said in a statement. It has done a thorough review and improved the management of the two systems.

Another concern of the AGO was lapses in the management of IT accounts of the board's temporary staff in the department that administers its GST Voucher scheme. Some accounts were used by unidentified users after the last working day of the temporary staff, or were not deleted within seven working days as required by the board.

The board said it did a thorough review and members' data was not compromised by the lapse.

It has also tightened access controls by putting in place a three-level check for all IT system access given to temporary staff. "This ensures that IT system access is granted on an as-needed basis and is promptly deleted when it is no longer required," said the board.











Lapses in checks and controls
By Joanna Seow, The Straits Times, 19 Jul 2017

In its annual report, the Auditor-General's Office (AGO) found weaknesses in IT controls at the Ministry of Social and Family Development (MSF), National Parks Board (NParks) and the Singapore Corporation of Rehabilitative Enterprises (SCORE).

This is worrying as IT is used extensively in public sector bodies to manage financial transactions and deliver services, as well as to hold vast amounts of personal and other sensitive data, the AGO said. IT security threats are also growing.

It also found inadequate financial controls by SCORE, Sport Singapore and the Economic Development Board (EDB).


MSF: LACK OF CHECKS ON ACTIVITIES BY IT VENDORS WORKING ON SYSTEMS FOR CHILDCARE/INFANTCARE SUBSIDY AND BABY BONUS SCHEMES

This meant data could be leaked, or bonuses or subsidies calculated wrongly. Vendors had accessed IT systems inappropriately nearly 600 times between April last year and February this year, using accounts belonging to others, the AGO found.

MSF also gave the CPF Board the wrong formula to calculate reimbursements to employers for paid paternity leave, resulting in 717 wrong payouts in 2014 and 2015.

In response, MSF said it is correcting the formula and has contacted affected employers. It has also tightened control over IT vendor user accounts and started reviewing user access and logs monthly.


NPARKS: IT USER ACCOUNTS NOT MANAGED PROPERLY

Almost all the user accounts in the human resource, finance and procurement system were not reviewed, and access rights for 104 accounts of former NParks staff were not removed, the AGO found.

NParks said the risk of unauthorised access to its systems was mitigated as staff who leave have to return their computer devices. Their user accounts and access to the NParks intranet are also suspended.

NParks will conduct annual reviews of all user accounts in the IT system, as well as monthly reviews of inactive user accounts and accounts of staff who have left NParks or changed their roles.


SCORE: PAYROLL PROCESSING, PROCUREMENT, PAYMENT PROBLEMS

Access to the Human Resource Information System was not properly managed and payroll records could be tampered with undetected.

There were also issues with SCORE's tender process, such as contracts worth $49.6 million in all being signed by an unauthorised person, and overpayment for additional manpower.

In response, SCORE said it has taken action to improve documentation of systems and staff training. It is also migrating to the Civil Service-wide HR and payroll system, which has better internal controls, and will complete the move by 2018.


SPORT SINGAPORE: LATE PAYMENTS TO SUPPLIERS; MISSING DEVICES

Some vendors were made to wait one to 3.6 years for payments from Sport Singapore, an "unfair business practice", said the AGO. This happened for 299 payments totalling $661,900, made between January 2014 and June last year.

The AGO also checked records for 2,790 sponsored electronic devices, such as mobile phones and smartwatches, given for two major sporting events in 2015. About half of them, worth $224,700, were unaccounted for.

Sport Singapore said it has no outstanding cases of late payments and is reviewing its processes to ensure the lapses do not recur. It has also started disciplinary inquiries where necessary.


EDB: GRANT PROJECTS AND TENDERS NOT EVALUATED PROPERLY

After giving out grants, EDB failed to adequately monitor project progress for some of them. This could lead to public funds being wasted if the objectives of the grant schemes are not achieved.

Three of the 14 tenders checked were not evaluated well, with inconsistencies in the way EDB scored or treated different parties. In one case where EDB gave the successful party a wrong score for the financial solvency criterion, the correct score would have changed the winner of the tender exercise.

EDB acknowledged the scoring process can be improved, and said it will review tender processes. It is also developing a new system that will enable grant recipients to submit timely progress reports.





Counting the cost of repeated public sector audit lapses
Public servants do not seem to be learning from the mistakes of others, and that needs addressing
By Toh Yong Chuan, Manpower Correspondent, The Straits Times, 20 Jul 2017

Once a year, the image of Singapore's ultra-efficient public service takes a hit when the Auditor-General publishes the findings of its annual audit of government accounts.

The exercise by the Auditor-General's Office (AGO) invariably throws up lapses in the processes of government ministries and statutory boards. The latest audit report released on Tuesday was no different.

The report found shortcomings in controls over information technology systems, lack of financial controls and inadequate oversight of large-scale development projects.

The government agencies named in the latest AGO report were the Ministry of Health, the Ministry of Social and Family Development (MSF), Sport Singapore (the former Singapore Sports Council), Singapore Corporation of Rehabilitative Enterprises, Central Provident Fund (CPF) Board, National Parks Board and Economic Development Board. They have acknowledged their lapses and promised to fix them, if they have not already done or started doing so.

Still, one can expect similar lapses in the future, perhaps not at these government bodies - the spotlight on them will surely motivate them to buck up and avoid repeating their mistakes - but possibly in other agencies. That is not speculation but a statement backed by past records.

The AGO posts on its website audit reports dating as far back as 2008/2009. These reports show some telling trends. For example, in the 2008/2009 report, then Auditor-General Lim Soo Ping said: "Every year, we see instances of lack of financial prudence in procurement and poor management of contracts."

Consider the latest report, which says: "The AGO found instances of inadequate financial controls over payments, management of assets and contracting in public sector entities."

If the two statements sound similar, that's because they are.

Another common theme in the AGO reports over the years is that despite proper procedures and systems of checks in place, public servants were found not to have followed them. In other words, lapses occurred due to human error.

One cannot help but wonder: Why do the same mistakes keep being made? One of the stated aims of the public release of the AGO report is for agencies to learn from one another's mistakes, so why have the lessons not sunk in?

REPEATED MISTAKES

The causes of repeated lapses may be many but here are three observations, based on my 18-year stint in the public sector, including seven years as a director, before I joined The Straits Times in 2011.

The first is that public policies and programmes have expanded and that means more scope for error.

Take as an example the Baby Bonus, a scheme that was named in this year's AGO report. The AGO found that the MSF, which is responsible for Baby Bonus payments, did not track how its staff and vendors use the IT systems that run the scheme, giving rise to the possibility that confidential information is leaked or data corrupted when subsidies are computed.

The Baby Bonus Scheme, which was first introduced in 2001, has grown substantially over the years. The latest update of March last year means qualifying babies now automatically receive $3,000 in their Child Development Accounts.

Workfare is another example. The AGO found in its 2013/2014 report that the CPF Board, which runs the Workfare Income Supplement Scheme, was given incomplete data by other government bodies, possibly leading to eligible workers not getting their payments. Workfare was introduced in 2007.

And the expansion of programmes is set to continue, especially in the social affairs sector, as the population ages.

My second observation is that even as policies and programmes have expanded, the number of public servants has not ballooned.

The Singapore Public Service is 145,000-strong, up from 124,000 in 2010, or about 17 per cent bigger. Over the same period, government expenditure - an indicator of what the Government spends on policies and programmes - grew 62 per cent from $46.39 billion in the 2010 financial year to an estimated $75.07 billion this financial year.

Essentially, public officials are now expected to do more or manage more resources. That means more room for error.

A third reason for mistakes by public servants is the sector's policy of rotating its staff. New staff coming through the doors are more prone to making mistakes.

In my 18 years in the civil service, I had seven different postings of between one and five years each. When I was first appointed to the equivalent of a director's post in 2004, I became nervous when I had to pay a contractor more than $100,000 for a project. I studied endless pages of what civil servants call the "instruction manual" before I mustered the confidence to sign the payment order.

In the end, apart from the manual, I also learnt from a veteran colleague who told me: "Do not do anything in private that you are not prepared to explain in public." In other words, expect to be scrutinised. That was what he meant. I benefited from his generous mentoring.

Apart from understanding the causes of the lapses, it is important to also put them in proper context. The latest AGO audit found no criminal wrongdoing. The lapses were silly, but not part of a larger criminal enterprise.

That said, some of the reactions of the agencies named in the latest audit bother me. While all of them acknowledged the lapses highlighted by the AGO and pledged to tighten their internal processes, none apologised for its mistakes. Only the MSF came close to an apology, saying it "regrets that some employers were incorrectly reimbursed".

Some agencies even issued qualified responses. For example, national sports body Sport Singapore, which dragged its feet in paying contractors for more than three years, said: "Where necessary, disciplinary inquiries have been initiated."

That suggests inquiries in some instances are not necessary.

Such half-hearted and even defensive attitudes will not do.

WAYS TO REDUCE LAPSES

There are at least three ways to reduce future lapses. For a start, government agencies can ditch defensiveness and say sorry for their mistakes. If they do not apologise for their shortcomings, sceptics will understandably doubt their desire to change.

Also, I found it shocking that some of the lapses took so long to come to light. For example, Sport Singapore took more than a year to pay nearly $1 million to contractors who did work for the 2015 28th SEA Games and the 8th Asean Para Games. One wonders why the contractors kept quiet for so long.

There ought to be more channels, including confidential hotlines, for contractors and the public to report lapses to the Ministry of Finance.

A third way to reduce mistakes is to use both carrot and stick. The annual expose by the AGO puts pressure on the agencies which have made mistakes to correct them, buck up and avoid future mistakes. In a similar vein, the AGO can consider highlighting those agencies that have done well in fixing their mistakes or in staying off the annual lists.

The public sector is such a huge body - it is the largest employer in Singapore - and one cannot expect it to be perfect. That said, while there may be mitigating factors for the lapses, the importance of audit findings cannot be overestimated. After all, public servants are essentially guardians of public money.

If public sector agencies cannot give the assurance that they can learn from past mistakes and avoid them in future, it is not just the image of the public sector that takes a hit, public confidence in the Government may take a beating too.

That is the real cost of such repeated mistakes, and it is not the path the public sector wants to go down.





* Parliament: Annual checks of public agencies by Auditor-General 'not forensic, but found no signs of fraud'
By Toh Yong Chuan, The Straits Times, 3 Oct 2017

The Auditor-General's annual checks of government agencies are not forensic investigations, said Senior Minister of State for Finance Indranee Rajah yesterday.

The Auditor-General's Office (AGO) selects samples from the accounts, looks at them and considers whether the system as a whole is robust, said Ms Indranee. "And if it picks up a point that the system in itself has got inefficiencies or deficiencies, it will highlight it.

"That is the nature, not just (of) an audit by AGO, but all audits."



She was responding to Workers' Party MP Png Eng Huat (Hougang) who had asked whether the AGO will direct government agencies found to have lapses in its report for Financial Year 2016/2017 to investigate all improper payments made and determine the sum to recover.

Mr Png also asked for the basis on which the Ministry of Health (MOH) had concluded there was no fraud in the ministry's accounts even though the AGO had found lapses in the ministry. The AGO had rapped it for the way tens of millions of dollars were spent in the building of the $800 million Ng Teng Fong General Hospital, and criticised MOH for "lack of controls and inadequate oversight" of the project that was completed in 2015.

Ms Indranee said there is no indication in the AGO report of any payments due to fraud, misfeasance or dishonesty. Cases flagged largely concerned overpayments and payments without prior approval or due to human error, negligence or failure to follow established procedures. Agencies are taking action to recover monies that might have been erroneously paid out, she said.



She noted Mr Png "may have misunderstood the nature of an audit". She added that an audit can trigger a forensic investigation only if there is a reason to do so, such as when there are conflicts of interest, payment to related parties or if the system enables the same person to submit a payment request, approve it and sign the cheque for payment.

There will not be a forensic probe in cases where there are proper procedures and the lapses were due to human error, she said. Whether a lapse uncovered in an audit leads to an investigation will depend on the nature of the lapse, she added.

In MOH's case, the rules and processes were adequate but they were not complied with, she said. "It is quite correct for MOH to say that the audit did not in this case disclose evidence of fraud," she said.


