news Victoria’s acting Auditor-General has blasted the state’s departments and agencies for continuing to use IT systems which have reached their end of life state, as well as for ignoring its ongoing recommendation that the state put together a whole of government disaster recovery framework.
This week the state’s acting Auditor-General Peter Frost published an overarching report examining a series of audits which the Victorian Auditor-General’s Office (VAGO) has undertaken into the IT infrastructure operated by Victoria’s many departments and agencies.
In the report, Frost writes: “Alarmingly, each year VAGO is finding a large number of IT systems and software which are either no longer supported or fast approaching the end of support by the vendor. This poses IT security and operational risks to the entities IT environment, as well as unnecessary added costs.”
“Disappointingly, IT security-related audit findings continue to be raised and again account for the majority of our audit findings. It is also disappointing that our recommendation for a whole-of-government disaster recovery framework has not been addressed since it was first made in 2012–13.”
This year’s report examined two areas — identity and access management to IT systems, and software licensing.
In general, it found that that Victorian Government departments and agencies were broadly handling software licensing well. However, the state required “significant improvement” to the way it handled the risk of inappropriate access to IT systems.
One particular problem related to the difficulty of auditing outsourced IT service providers.
“While there have been positive developments in the governance of outsourced IT arrangements, more effort is required by entities to enhance their visibility and accountability over outsourced activities and to assess the impact these activities have on entities’ control environments,” wrote Frost.
In terms of the end of life software that the auditor found, some 53 percent of the agencies it examined suffered the problems. The report states: “The majority of these 34 end-of-life audit findings were related to key financial systems, including Oracle Financials. Findings also related to software on users’ desktops computers, such as Windows XP.”
In July, the Victorian Government revealed it had paid Microsoft a whopping $4.4 million for extended support for the now-defunct Windows Server 2003 operating system, in a move which sharply demonstrates the extreme cost of running operating systems which are no longer formally supported by their vendors.
In another example, the auditor noted that a one-year custom support arrangement for Microsoft Windows XP was renewed by a department in April 2015 at a cost of $2.37 million.
In addition, following the November 2014 change of government in Victoria, and subsequent January 2015 machinery-of-government changes, a project to review and implement a whole-of-Victorian-Government enterprise resource planning (ERP) system was suspended.
“As a result, the financial systems for many in-scope entities are either approaching end-of-life or are past their end-of-life,” wrote the auditor. “Given the current situation and the time required to implement an ERP system, this issue is expected to remain unresolved for some time.”
IT security is also an going issue.
“Through our interaction with management, we believe that there is a general lack of awareness of the Victorian Government IT security standards,” the auditor wrote. In one specific example — an unnamed agency which was holding very sensitive data — no password management policies were in place, meaning that passwords used by staff were not required to conform to any standard.
News of the IT problems within the Victorian Government are not likely to come as a surprise, given the state’s prior history of issues in this area.
In November 2011, for example, Victoria’s Ombudsman handed down one of the most damning assessments of public sector IT project governance in Australia’s history, noting total cost over-runs of $1.44 billion, extensive delays and a general failure to actually deliver on stated aims in 10 major IT projects carried out by the state over the past half-decade.
well, when Microsoft keep making office harder to use and AND want to make it a subscription model, where you have to KEEP paying, and Office 2007/2010 still work fine, and have a far more usable interface, why WOULD you upgrade?
Same as Windows 7 vs Windows 10, why would you downgrade to a more inane and difficult to use O/S?. Windows 10 is worth what you pay for it, i.e. NOTHING.
“well, when Microsoft keep making office harder to use”
Really? Harder to use? If anything it has become vastly improved, easier, and cleaner to do what you want.. I Teach IT @ a university level to new student, many of them mature age, that have very little computer skills. They all manage to grasp it easily enough, and find it vastly improved over other “office” versions they know.
This government need to embrace IT, and change as a whole.. Tony Abbot is a perfect example on a government policy base level about the ignorance of IT, and the benefits it could have.
I disliked the new office, i use Win7, 8 and 10 at both home and at work. I think you missed the actual issue here. They are using Server 2003 and paying through the nose for extended support. They are using XP with extended support. Their financial systems are all extended EOL licenses in most cases. They have an outdated DR which is a major issue. Microsoft have nothing to do with why the Vic Government is having issues.
something something use linux
The problem is always lack of accountability. These organisations have mostly outsourced IT (which I have no problem with) but this means their project management is also outsourced and costs a fortune. They’ll fund a couple of upgrade projects, but there budgets won’t be good for much else.
Most of them struggle to keep the lights on, but what is really needed is stronger SLAs as part of government contractual agreements – which include rigorous penalties (for outsource providers) for those who don’t meet minimum security service level agreements.
The other option is more cloud adoption. But this can be a hard sell.
Comments are closed.