Queensland’s Auditor-General Glenn Poole has filed another damaging report (PDF) about the operations of troubled State Government shared services providers CITEC and CorpTech, stating the pair suffer “serious security and change management issues”.
Just last week Poole filed his extensive report into the state’s payroll disaster at Queensland Health, which is still dogging the Premiership of Anna Bligh due to a string of staff at the department not being paid on time or sometimes at all over the past few months. At the heart of the problem was the fact that CorpTech, the department and prime contractor IBM significantly underestimated the necessary scope of the project.
In his newest report, Poole examined the performance of the Government’s technology shared services initiatives established in 2003. Bligh last week broadly abandoned the centralisation policy, noting it would only be used where appropriate from now on.
Poole noted that although CorpTech had successfully consolidated a number of agency finance and human resource applications, some fifteen legacy systems were still active.
“Consolidation of the remaining legacy environments is critical due to the high risks associated with the continued operation and support of legacy systems,” he wrote. “While CorpTech continues to actively manage the existing support arrangements, some of these systems are no longer covered by vendor support agreements, and more systems will become unsupported from 2013.”
In Poole’s opinion, this increased the risk of security failures and data integrity issues — problems which could impact on “the integrity of financial statements or the correct processing of payroll for public servants”.
In addition, the auditor noted problems regarding who could access which data in the Government, an issue he had reported annually in parliamentary reports since 2006. “In one case, changes to user access privileges resulted in excessive access granted to multiple users,” he wrote. “Monitoring controls to identify such occurrences were not operating effectively.”
There were also questions about how the Government would respond if it needed to resort to its disaster recovery strategy, with the report stating there was insufficient documentation of key disaster recovery processes. This meant it was unclear how services would be recovered in the event of a disaster, within what timeframes they would be recovered, and whether those timeframes would be acceptable to Government agencies serviced by the shared service groups.
“Consequently, there is a risk exposure to Government that in the event of a disaster, unacceptable delays may be experienced in the processing of financial transactions, including processing the payroll for Queensland Government public servants,” wrote Poole.
In the report, the Department of Public Works responded to Poole’s statements through the office of the Director-General, firstly pointing out that the Government’s shared services environment had undergone substantial change over the past six years — with everything being integrated into the department itself.
The department acknowledged the problems, but pointed out that the Auditor-General had not noted that the migration of many agency HR and finance platforms onto a centrally supported legacy environment had itself mitigated many risks.