Lapses in procurement, grants disbursements and IT systems in public agencies: Auditor-General's report
SINGAPORE: The Auditor-General’s Office (AGO) found issues with some public agencies’ IT systems, processes in procuring services and grant disbursement practices, according to its annual report released on Monday (Sep 7).
The report, which is an audit of government accounts for the financial year 2019/2020, covered all 16 government ministries and eight organs of state, one government fund, 13 statutory boards, four government-owned companies, three other accounts, and selected business grant programmes by Workforce Singapore (WSG) and Enterprise Singapore (ESG).
Ministries and agencies singled out in the AGO report for lapses include the Ministry of Foreign Affairs (MFA), Public Utilities Board (PUB), the National Library Board (NLB) and Jurong Town Corporation (JTC), among others.
PROBLEMS WITH IT CONTROLS
The AGO found that the Ministry of Finance's (MOF) Accountant-General’s department, the Prime Minister’s Office's Public Service Division, MFA, Ngee Ann Polytechnic, Republic Polytechnic, PUB, WSG and ESG had gaps in their IT controls.
This included access and review of “privileged” operating system (OS) accounts that give the user full access to the OS, such as the ability to make changes to activity logs, user access and security settings.
“Such privileged accounts have powerful access rights,” the AGO wrote.
“It is therefore generally considered a best practice to restrict access to the most privileged OS account and to monitor and review all activities carried out using this account," the AGO added.
The AGO also found some government entities had technical misconfigurations in the security software for their application and database servers, which led to OS administrators being able to access the most privileged OS accounts and other privileged OS accounts, without password authentication.
In its audit of PUB, the AGO discovered the board did not ensure that its private sector partner had implemented adequate controls on users’ access to the latter’s IT system. PUB was working with this private sector partner on a project.
The control lapses included excessive rights being granted to the partner's vendor, sharing of an administrator account among the staff of the partner, as well as no separate accounts for users with both privileged and non-privileged roles.
There also no automatic time-out implemented for user accounts, the AGO found.
LAPSES IN PROCUREMENT AND CONTRACT MANAGEMENT
The AGO found oversights in the way the Government Technology Agency, the Jurong Town Corporation (JTC), the National Library Board (NLB) and PUB handled their procurement processes and contracts.
These included not evaluating bids according to published criteria, carrying out variation works before getting approval, and not seeking approvals for a substantial increase in variation costs.
In the case of NLB, the AGO noted that its management of contract variations and overall project management for the revamp of the National Archives of Singapore building was "weak".
"There was a lack of scrutiny in the management of contract variations," said AGO.
READ: Revamp of National Archives ran S$1.72 million over budget, Auditor-General flags lapses by NLB
In-principle approvals (IPAs) were sought for variations without compelling reasons, and IPA requests were approved even though no ballpark cost estimates were provided.
In the end, the project exceeded the approved project cost by S$1.72 million, about 8.4 per cent of the approved project cost of S$20.53 million.
“Public officers who are appointed as approving authorities for procurement and contracts should take their role seriously. They should scrutinise requests, raise questions and exercise due diligence as approving authorities,” AGO said.
As for JTC, it had made a payment to a terminated contractor even though under the contract, it could have withheld the money and used it to offset against a debt claimable from the contractor.
JTC subsequently made a claim against the terminated contractor for the amount, but as of Jun 30 this year, it still had not received any payment for the claim.
The agency’s cash collection process was also problematic, the AGO said. For example, five receipts AGO saw contained signs that cast doubt on their authenticity.
Three quotations submitted by a JTC contractor for a star rate item - an item for which the rate is not listed in the contract - had possible irregularities and the AGO had concerns over the authenticity of the quotations.
Following the AGO's observations, JTC carried out an investigation and lodged a police report.
“In the area of procurement and contract management, public officers entrusted with responsibilities as approving authorities …can do more to scrutinise proposals submitted to them,” the AGO wrote.
"They should go through evaluation reports and proposals thoroughly, raise questions when proposals are not clear or justifications are not compelling, or when key information on costs and cost reasonableness is not included.
"Approving authorities play an important role in ensuring that Government procurement principles of transparency, open and fair competition, and value for money are upheld."
The AGO found lapses in operational processes at MFA, JTC and PUB.
MFA did not implement adequate measures to enforce terms stipulated in the service agreements signed with its authorised visa agents, AGO noted in its audit of an overseas mission.
The service agreements stipulated a fixed visa application fee and required agents to only use designated credit cards when transmitting visa processing fees to MFA.
But the AGO found that visa application fees stated on the websites of three agents were higher than the fixed fee stipulated in the service agreements.
The controls in the information and communication technology system were ineffective in detecting the use of non-designated credit cards by agents to transfer visa processing fees.
JTC’s leased and tenanted premises may have been sublet to about 26,000 entities without its approval, the AGO found, which led to JTC carrying out an investigation of about 2,800 of the 26,000 entities.
From the investigations, 2,010 entities were suspected cases of unauthorised subletting. AGO also noted instances of illegal storage and/or sale of diesel to the public at four of JTC's leased industrial premises.
"Such illegal activities could pose environmental and safety risks to the public," the report read.
The AGO observed that PUB had weak payment controls for a project a private sector partner was involved in.
The private sector company was able to modify real-time values of parameters in its IT system, which would affect the amounts to be paid by PUB.
PUB had also largely relied on information provided by the partner to make payments, without carrying out adequate independent verification, the AGO added.
INCONSISTENCIES IN BUSINESS GRANT PROGRAMMES
The AGO carried out an audit of six business grant programmes managed by WSG and ESG - three each - where a total of S$333.40 million was disbursed between Apr 1, 2018 and Jun 30, 2019.
Of these, the AGO checked 285 disbursements worth S$100.81 million made by WSG and ESG to programme partners and directly to grant recipients, and another 361 disbursements totalling S$7.83 million made by programme partners to companies awarded the grants.
While both agencies generally had procedures to manage the selected grant programmes, the AGO found inconsistent practices among WSG’s programme partners in stipulating requirements to grant recipients and analysing grant applications/
"For WSG, AGO found instances of double claims by companies and cases of double funding across different grants," said the report.
It also uncovered three cases where companies or individuals might have skirted around grant requirements and controls. The WSG has since made police reports on these cases.
The AGO observed inconsistent practices across different ESG officers when assessing companies' eligibility.
"There was also inadequate assurance that deviations from policy guidelines were monitored and approved."
The AGO noted cases of grants being disbursed by ESG that were not in line with grant guidelines, which resulted in too much or too little money being given out.
As for procedures in recovering unused funds, there were instances where WSG did not follow up with the programme partners to recover unutilised grants in a timely manner for programmes that had ended.
While ESG had a process to identify lapsed projects, the monitoring of its officers' follow up actions was inadequate, the report said.
RESPONSES FROM GOVERNMENT BODIES
In response to the lapses listed in the report, the Government has accepted all the recommendations made by the AGO, MOF said on Monday.
Agencies have confirmed that no confidential data has been compromised and no unauthorised activities have resulted from the lapses in IT controls, and they have also taken recovery actions for lapses involving overpayments, MOF said.
The Smart Nation and Digital Government Group is addressing weaknesses in IT controls, and will implement technical systems to reliably automate the IT tasks relating to the review of privileged users’ activities and management of account and user access rights. This will minimise human error and focus attention ono higher-order security tasks, MOF said.
To improve its contract management processes, MOF said it will “emphasise the roles and responsibilities of approving officers and staffing officers to scrutinise proposals carefully” and enhance data analytics capabilities that can better detect anomalies and lapses.
To address issues with grant management, MOF issued a new grants governance framework that covers the different stages of the grant life-cycle, and will help agencies to ensure that grant schemes are "effective and efficient" in achieving their objectives, the ministry noted.
Several public agencies released statements on improving their standards.
ESG said that it has given more training to employees to help them better understand policies and guidelines, as well as made grant assessment parameters and required documentations clearer.
WSG said it will conduct more regular sampling checks on applications being processed, and develop a more stringent framework to deter non-compliance by programme partners.
"The Public Service is committed to upholding high standards of governance," MOF said.
“We will continue to take active steps to strengthen our structures, processes and systems to serve Singaporeans effectively and efficiently,” it added.