Victoria’s acting Auditor-General has blasted the state’s departments and agencies for continuing to use IT systems which have reached their end-of-life state, as well as for ignoring its ongoing recommendation that the state put together a whole-of-government disaster recovery framework.
This week the state’s acting Auditor-General Peter Frost published an overarching report examining a series of audits which the Victorian Auditor-General’s Office (VAGO) has undertaken into the IT infrastructure operated by Victoria’s many departments and agencies.
In the report, Frost writes: “Alarmingly, each year VAGO is finding a large number of IT systems and software which are either no longer supported or fast approaching the end of support by the vendor. This poses IT security and operational risks to the entities IT environment, as well as unnecessary added costs.”
“Disappointingly, IT security-related audit findings continue to be raised and again account for the majority of our audit findings. It is also disappointing that our recommendation for a whole-of-government disaster recovery framework has not been addressed since it was first made in 2012–13.”
This year’s report examined two areas — identity and access management to IT systems, and software licensing.
In general, it found that Victorian Government departments and agencies were broadly handling software licensing well. However, the state required “significant improvement” to the way it handled the risk of inappropriate access to IT systems.
One particular problem related to the difficulty of auditing outsourced IT service providers.
“While there have been positive developments in the governance of outsourced IT arrangements, more effort is required by entities to enhance their visibility and accountability over outsourced activities and to assess the impact these activities have on entities’ control environments,” wrote Frost.
The auditor found end-of-life software problems at some 53 percent of the agencies it examined. The report states: “The majority of these 34 end-of-life audit findings were related to key financial systems, including Oracle Financials. Findings also related to software on users’ desktops computers, such as Windows XP.”
In July, the Victorian Government revealed it had paid Microsoft a whopping $4.4 million for extended support for the now-defunct Windows Server 2003 operating system, in a move which sharply demonstrates the extreme cost of running operating systems which are no longer formally supported by their vendors.
In another example, the auditor noted that a one-year custom support arrangement for Microsoft Windows XP was renewed by a department in April 2015 at a cost of $2.37 million.
In addition, following the November 2014 change of government in Victoria, and subsequent January 2015 machinery-of-government changes, a project to review and implement a whole-of-Victorian-Government enterprise resource planning (ERP) system was suspended.
“As a result, the financial systems for many in-scope entities are either approaching end-of-life or are past their end-of-life,” wrote the auditor. “Given the current situation and the time required to implement an ERP system, this issue is expected to remain unresolved for some time.”
IT security is also an ongoing issue.
“Through our interaction with management, we believe that there is a general lack of awareness of the Victorian Government IT security standards,” the auditor wrote. In one specific example — an unnamed agency which was holding very sensitive data — no password management policies were in place, meaning that passwords used by staff were not required to conform to any standard.
News of the IT problems within the Victorian Government is not likely to come as a surprise, given the state’s prior history of issues in this area.
In November 2011, for example, Victoria’s Ombudsman handed down one of the most damning assessments of public sector IT project governance in Australia’s history, noting total cost over-runs of $1.44 billion, extensive delays and a general failure to actually deliver on stated aims in 10 major IT projects carried out by the state over the past half-decade.