AGO Report: IT Controls, Procurement and Contract Management
05 Oct 2020
Parliamentary Question by Mr Liang Eng Hwa:
To ask the Deputy Prime Minister and Minister for Finance in view of the recurring lapses in IT controls highlighted in the latest Auditor-General's Report, whether there are inherent systemic issues within the public service and what effective measures will be taken to address the weaknesses.
Parliamentary Question by Mr Alex Yam Ziming:
To ask the Deputy Prime Minister and Minister for Finance in view of the weak links highlighted annually in the Auditor-General's Reports (a) how does the Civil Service ensure that officers are adequately trained and supervised to meet the Government's procurement processes; and (b) whether officers handling tenders have to attend regular refresher courses to stay abreast with new regulations and processes.
Parliamentary Reply by Second Minister for Finance Ms Indranee Rajah:
Mr Speaker, Sir, may I have your permission to answer questions 25 and 26 together in my response?
Let me first assure Members that, as mentioned in the Auditor-General’s reports, all the agencies take the audit observations seriously and are committed to making improvements. Actions have been taken at the Whole-of-Government level to address the gaps identified.
Mr Speaker, the Auditor-General’s Report for FY 2019/20 highlighted weaknesses in IT controls, specifically in the areas of: (i) review of privileged users’ activities, and (ii) management of account and user access rights. These observations were raised in previous reports.
To provide some context, I should first explain that the government IT systems were built over time, beginning from when we first built IT systems in ministries back in the 1980s and eventually extending to all ministries and also new ministries and programme offices. Since then, the IT systems have been upgraded, refreshed or replaced to be more effective and efficient to cater to the requirements over the years. Consequently, we have more than 2,000 Government IT systems built over the years, by different vendors, and using different technologies. Each system has its way of logging user activities, and of managing who can access the system. As the access controls are not linked across systems, when an officer moves to another portfolio, it requires a chain of manual adjustments to different systems, to remove obsolete access rights and create new access rights for the officer. The reliance on manual adjustments is prone to human errors.
The Smart Nation and Digital Government Group (SNDGG) is developing systems that will automate the processes involved and minimise errors. It will take some time to fully implement the solutions across the Whole-of-Government because we need to implement the automated process in the more than 2,000 IT systems.
First, we are automating the review of privileged users’ activities. SNDGG has started a pilot with some agencies and the tool will be progressively deployed from Jan 2021. This will be fully implemented for high-priority systems by Dec 2022 and all remaining systems by Dec 2023.
Second, we are automating the management of account and user access rights. SNDGG has made available a solution which can alert agencies to staff movements and role changes so that they can manually remove the user accounts that are no longer required. Five of the 38 agencies that have onboarded this system were audited by AGO, and no lapses pertaining to account and user access rights management were found. SNDGG is in the midst of enhancing this solution, so that it can trigger automatic removal of unneeded user accounts and review of user access rights, once the staff movement or role change is updated in the HR records. This system will be implemented for 800 high-priority systems by Dec 2023 and all remaining systems by Dec 2024.
When officers are freed up from manual tasks, they are better able to focus on aspects of cyber-security and data protection that cannot be replicated by a machine. SNDGG has stepped up efforts to educate public officers on the importance of strong ICT governance and security controls, and to have the right habits and instincts. All public officers are required to undergo annual cyber and data security awareness training.
Procurement and Contract Management
On procurement and contract management, the recurrent lapses tend to be for more complex types of procurement – such as IT and construction, and in less straightforward cases, such as assessing price reasonableness for single bids and managing urgent contract variations. Navigating these complexities requires not only technical skills but experience and judgment which require long-term efforts to build up.
To address this, we have been stepping up efforts in recent years to strengthen the competencies and capabilities of Public Officers in managing the procurement process. First, we are stepping up training of officers in key areas such as evaluation and approval of tenders. The training covers learning points from audit observations and good practices. Second, we will be providing additional guidance to approving authorities, which will be available from early next year. Third, since 2018, we have required all officers who are involved in procurement processes to complete a compulsory e-learning module. These are supplemented with regular refreshers and updates on new policies and practices.
In addition, we are also stepping up efforts to strengthen construction and IT procurement and contract management capabilities, which are more specialised areas requiring deeper technical know-how. The Building and Construction Authority (BCA) is developing a competency framework to train public officers in managing construction contracts. MOF and BCA issued a good practice guide last year, containing practical advice on the management of variation orders and how to spot fraudulent quotes. To enhance governance, we will track agencies’ performance in contract management, based on a set of governance indicators. Similarly, GovTech is working on a competency framework for IT procurement and developing an e-learning module that will be ready next year.
To take these efforts forward further, MOF and the Civil Service College jointly established the Finance and Procurement Academy this year to better equip Public Officers with finance, procurement and contract management skills. The academy will work with technical agencies such as BCA and GovTech to not only conduct formal training, but also promote informal learning such as through practitioner sharing and mentorships. It will also support officers in continual learning to keep abreast of developments in finance, procurement and contract management policies and practices.
In the area of developing finance capabilities, finance officers are today required to attend induction courses that cover the fundamentals of government financial procedures, including on governance and internal controls. These are reinforced and refreshed at milestone programmes, forums and sharing sessions throughout the officers’ career. Similar efforts are also undertaken to raise awareness of these concepts more widely across the Public Service. For example, they are incorporated into finance courses targeted at non-finance officers. MOF also conducts regular briefings to agencies’ senior management to emphasise the importance of public accountability.
Civil Servants' Performance Reviews
Public officers are expected to be accountable for their actions and decisions, and this includes maintaining high standards of compliance with guidelines and procedures as they perform their duties. We place high expectations on the senior leadership of the Public Service, who are entrusted to be stewards of public resources. They must uphold strong governance and accountability in their organisations. These expectations are spelt out in the form of leadership competencies and responsibilities, which are conveyed to all senior Public Service leaders in Ministries and Statutory Boards. We evaluate our leaders against these expectations as part of their performance reviews, and those who fall short will be rated less favourably. Depending on the nature and cause of the incident, appropriate disciplinary action may be taken as well.
To conclude, let me assure Members that public accountability remains a top priority for the Government. Where warranted, agencies mentioned in the Auditor-General’s report are conducting further investigation into the lapses. The senior leadership of the Public Service is accountable and committed to addressing the lapses identified, resolving the problem at the root and preventing future recurrence.
 This refers to critical systems, systems with sensitive data and financial-related systems.