Public officers to be trained, held accountable: Indranee

Published Mon, Oct 5, 2020 · 08:02 AM

THE government is upgrading IT systems and procurement capabilities to address lapses, said Second Minister for Finance Indranee Rajah in Parliament on Monday. Public officers are expected to be accountable for their actions and decisions, and training initiatives will be stepped up in key areas, she added.

This year's report by the Auditor-General's Office (AGO) had highlighted deficiencies in IT controls and procurement in multiple agencies.

For instance, technical misconfigurations allowed administrators of operating systems to access privileged accounts without password authentication. In one case, the Republic Polytechnic's inadequate security measures exposed the polytechnic to the risk of unauthorised changes to its electronic payment files. This could have exposed the polytechnic to the risk of unauthorised payments (see amendment note).

In another case, the Public Utilities Board (PUB) failed to ensure its project partner's compliance with relevant policies on IT controls. The partner's vendor was granted excessive rights, including the rights to create and delete user accounts. The vendor's staff also shared a single administrator account, making it difficult to identify users performing particular activities.

Lapses in contract management were similarly found in PUB's dealings with a private sector partner. The partner was able to modify real-time values of parameters in its IT system, which would affect the amounts to be paid by the agency. The agency was also reported to have largely relied on information provided by its partner to make payments, without carrying out adequate independent verification.

The lapses partly stem from a labyrinth of legacy IT systems in place today, each with its own idiosyncrasies. Ms Indranee said there were over 2,000 such IT systems, built progressively over time, by different vendors and using different technologies. Access controls are not linked across systems, requiring manual adjustments to be made when staff movements occur, she explained.

The Smart Nation and Digital Government Group (SNDGG) is developing systems to automate the processes involved and minimise errors, Ms Indranee said. The management of user accounts, privileges and access rights will be progressively automated and implemented across all systems by December 2024.

While it will take time to fully implement the solutions across over 2,000 IT systems, Ms Indranee said pilots and interim fixes have already begun. For example, SNDGG has made available a solution to alert agencies to staff movements so that they can manually remove the user accounts that are no longer required. Five of the 38 agencies that have on-boarded the system were audited by AGO, and no lapses were found in this area, according to Ms Indranee.

A slew of training initiatives will also be rolled out to address the lapses in procurement. Ms Indranee cited specialised competency frameworks and courses to be introduced in specific areas such as construction and IT procurement, where deeper technical know-how is needed.

Ms Indranee also had firm words to offer on the standards to which senior public officers will be held, in maintaining compliance with guidelines and procedures. "We place high expectations on the senior leadership of the public service, who are entrusted to be stewards of public resources," she said.

"These expectations are spelt out in the form of leadership competencies and responsibilities, which are conveyed to all senior public service leaders in ministries and statutory boards," she added. "We evaluate our leaders against these expectations as part of their performance reviews, and those who fall short will be rated less favourably. Depending on the nature and cause of the incident, appropriate disciplinary action may be taken as well."

Amendment note: An earlier version of this article incorrectly stated that the inadequacy of Republic Polytechnic's (RP) security measures resulted in unauthorised changes to its electronic payment files, exposing the polytechnic to the risk of unauthorised payments. In fact, the AGO's report found that RP's inadequate security measures exposed the polytechnic to the risk of unauthorised changes, which could have exposed them to the risk of unauthorised payments. The report did not state that unauthorised changes or unauthorised payments were made. The article has been amended to reflect this change.
