A recent report has found there are no guidelines in place to limit user access to financial systems in some agencies within the New South Wales (NSW) industry cluster.
Two high risk issues related to users' administration access over financial systems were found in the report released by the NSW Auditor-General Margaret Crawford.
Specifically, the issues relate to system administrator access granted to staff members at the New South Wales Institute of Sport that was not in accordance with their role descriptions, and the absence of policies and processes to monitor the activities of privileged users at Water NSW.
The report, which analyses the results of audits of the industry cluster agencies for the year ended 30 June 2018, covers 50 agencies.
With the Department of Industry as the lead agency, the cluster includes Local Land Services, New South Wales Rural Assistance Authority, Technical and Further Education Commission (TAFE NSW), various sporting agencies, Forestry Corporation NSW and Water NSW.
"Our audits identified opportunities for agencies to improve controls in information technology (IT) processes," stated the report.
"We noted issues associated with: user access administration; password security policies and parameters; development, review and testing of system disaster recovery plans; system change management; lack of oversight regarding controls operating within the service provider; absence of an IT governance framework, security risk assessments, and a penetration testing process."
Adding to the two high risk issues were 18 moderate risks, all identified across nine agencies.
The issues included user accounts created without adequate documentation or approvals, logging and review of privileged/super user account transactions not being performed, and user access reviews not being performed or documented.
Also, users were given levels of access that were incompatible with their duties, and terminated users were not removed from systems in a timely manner.
"These weaknesses increase the risk of users with access to critical financial systems and information being able to make unauthorised or incorrect transactions, and increases the likelihood that those transactions will remain undetected," stated the report. "This can compromise the integrity and security of financial data residing in these systems."
The report recommends that agencies' controls over administration of user access to critical systems should retain documentation of approvals to create, modify and deactivate user access; allocate appropriate access rights; perform and document regular user access reviews; log and monitor privileged/super user account activity; and deactivate terminated users' access on a timely basis.
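The control weaknesses the report lists (accounts without recorded approvals, access inconsistent with role, privileged activity not logged, terminated users left active) are all detectable by reconciling an HR feed against a financial system's account export. The following is an added illustration, not code from the report or from any NSW agency; the role-to-entitlement table, the HR records, the account export and the set of users with privileged activity logging are all constructed sample data, and the field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Set, Tuple

# Hypothetical role model: which entitlements each role in the finance system
# is entitled to. Anything beyond this set is "access incompatible with duties".
ROLE_ENTITLEMENTS = {
    "accounts_payable_clerk": {"ap_entry"},
    "finance_manager": {"ap_entry", "ap_approve", "reports"},
    "sysadmin": {"ap_entry", "ap_approve", "reports", "admin"},
}
# Entitlements whose holders count as privileged/super users and whose
# transactions must therefore be logged and reviewed.
PRIVILEGED = {"admin", "ap_approve"}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    user: str
    entitlements: FrozenSet[str]
    active: bool
    approval_ref: Optional[str]  # change/approval reference recorded at creation


Finding = Tuple[str, str, str]  # (user, category, detail)


def review_access(hr: List[HrRecord], accounts: List[Account],
                  audit_logged_users: Set[str], as_of: date,
                  grace_days: int = 1) -> List[Finding]:
    """Reconcile active accounts against HR data and return control exceptions."""
    findings: List[Finding] = []
    hr_by_user = {h.user: h for h in hr}
    for acct in accounts:
        if not acct.active:
            continue  # deactivated accounts are the desired end state
        rec = hr_by_user.get(acct.user)
        if rec is None:
            findings.append((acct.user, "orphan", "active account with no HR record"))
            continue
        # Terminated user still active beyond the allowed deactivation window
        if rec.terminated_on and (as_of - rec.terminated_on).days > grace_days:
            findings.append((acct.user, "terminated",
                             f"terminated {rec.terminated_on} but still active"))
        # Access beyond what the user's role entitles them to
        excess = set(acct.entitlements) - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append((acct.user, "excess_access",
                             f"role {rec.role} does not justify {sorted(excess)}"))
        # Account creation not backed by a documented approval
        if acct.approval_ref is None:
            findings.append((acct.user, "no_approval", "no approval reference on record"))
        # Privileged user whose activity is not being logged/reviewed
        if set(acct.entitlements) & PRIVILEGED and acct.user not in audit_logged_users:
            findings.append((acct.user, "unmonitored_privileged",
                             "privileged entitlements but no activity logging"))
    return findings


def run_sample() -> List[Finding]:
    """Run the review over constructed sample data (not real agency data)."""
    hr = [
        HrRecord("alice", "finance_manager", None),
        HrRecord("bob", "accounts_payable_clerk", date(2018, 5, 1)),
        HrRecord("carol", "sysadmin", None),
        HrRecord("dave", "accounts_payable_clerk", None),
    ]
    accounts = [
        Account("alice", frozenset({"ap_entry", "ap_approve", "reports"}), True, "CHG-101"),
        Account("bob", frozenset({"ap_entry"}), True, "CHG-102"),
        Account("carol", frozenset({"ap_entry", "ap_approve", "reports", "admin"}), True, None),
        Account("dave", frozenset({"ap_entry", "ap_approve"}), True, "CHG-104"),
        Account("erin", frozenset({"ap_entry"}), True, None),
    ]
    audit_logged_users = {"alice"}  # only alice's privileged activity is logged
    return review_access(hr, accounts, audit_logged_users, as_of=date(2018, 6, 30))


if __name__ == "__main__":
    for user, category, detail in run_sample():
        print(f"{user:6} {category:22} {detail}")
```

Each category maps to one of the report's recommended controls, so the output doubles as the evidence a documented user access review would retain; in practice the HR feed and account export would be pulled from the respective systems rather than embedded as literals.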
According to the findings, the issues faced by TAFE NSW have required additional processes and resources to verify the accuracy and completeness of revenue from student fees for the last three years.
TAFE NSW now expects to spend up to $89 million to replace its student administration and learning management (SALM) system, which it believes will address the issues. The organisation has yet to set a date by which the new system will be implemented, the report stated.