The L&R system has a number of control and functionality weaknesses around data input, logging and monitoring of data access, authorisation for approving licences, system access and reporting. These create a risk to the integrity, reliability and completeness of information in the system, and limit Police’s ability to measure, report and evaluate its regulatory performance.
As a result of these weaknesses, staff told us that they lack confidence in the L&R system and prefer to use their own spreadsheets to manage work such as licence applications, deceased estate firearms, and inspections. Manual workarounds increase the risk of errors.
We did a desktop review of the project management to establish the L&R system. We found the way the system was developed and implemented has likely contributed to existing deficiencies. The project started in 2014, has cost almost $9 million, and functionality concerns raised by staff during development still remain. The L&R system does not currently provide the functionality required to help Police effectively regulate firearms.
Weak data input controls and missing information
Data in the L&R system can be entered as free text in key fields such as firearm model, property locality, address and owner. Without controls on key fields, there is an increased risk of inaccurate, duplicate and incomplete information which may then compromise its integrity, and can impact regulatory decisions and actions.
We reviewed a sample of 38 licence records in the L&R system to see if they complied with regulatory requirements. We found all were missing at least 1 of the 21 requirements. For example, 10 records had no firearm barrel length, and 13 had no magazine size information. Police told us that the Firearm Reforms Ministerial Working Group is updating the Regulations to remove the requirement to record magazine size.
No logging and monitoring of system access
There is no logging of Police staff who access the L&R system database. The database is the backend of the system, where information is stored. There is logging of access to the L&R application, however that log is not monitored. Without effective system logging and proactive monitoring of access logs, there is a risk Police will not detect unauthorised or malicious access or changes to information in the system.
Weak controls over licence approval
The L&R system allows the same person to submit and approve licences. Staff who do not have authority under the Regulations to approve licences can do so in the system. Police advised us the system should not allow this to happen. Specifically, between July 2016 and April 2018:
- 24 of 26 dealer and repairer licence applications were approved and issued in the system by an officer below the rank of sergeant. While we sighted hard copy evidence of sergeant approval, which is required by the Regulations, this information is not available in the L&R system.
- 3 of 15,638 firearm licences were approved and issued by officers in the system below the rank of sergeant. A non-sworn officer approved one of these. Hard copy evidence of sergeant approval is not retained for these licences.
During the audit, Police told us that it intends to address these weaknesses by recording sergeant approval in the L&R system, and ensuring only an officer ranking sergeant or above can approve and issue licences in the system.
Excessive user privileges
We found 7 staff had been assigned excessive system privileges allowing them to approve licences. These staff were included in a senior supervisor administration group, which has the highest level of privileges in the L&R system, but should not have been. There may be inappropriate licence approvals or changes of information in the system.
There is limited reporting functionality
Police does not have timely access to information, and reporting from the L&R system is unreliable. Police told us it can take weeks to receive a report and the information may not be accurate. We confirmed this during the audit. We found there was limited ability to extract reliable information from the L&R system. For example, the system could not provide reliable information on the total number of firearms, or details of various types of licences and owners. We also found that the reporting function often failed to produce reports. Police needs access to timely and accurate information to effectively licence and regulate firearms.
During the audit we were told new staff receive informal on the job training on how to use the system. In our view, this increases the risk that the system will be used inconsistently, and potentially compromises the integrity and completeness of the information in the system. A comprehensive user guide for the L&R system was developed in 2016 when the system was deployed but has not been given to staff. Police told us this was due to ongoing work on the L&R system.