Applications are software programs that facilitate an organisation’s key business processes including finance, human resources, case management, licensing and billing. Applications also facilitate specialist functions that are unique and essential to individual entities.
Each year we review a selection of important applications that agencies rely on to deliver services. We focus on the key controls that ensure data is completely and accurately captured, processed and maintained. Failings or weaknesses in these controls have the potential to affect other organisations and the public. Impacts range from delays in service and loss of information, to possible fraudulent activity and financial loss.
We reviewed key business applications at 5 agencies. Each application is important to the operations of the agency and may affect stakeholders, including the public, if the application and related processes are not managed appropriately.
The 5 agency applications we reviewed were:
- Patient Medical Record System – Department of Health
- Tenancy Bonds Management System – Department of Mines, Industry Regulation and Safety
- First Home Owner Grant Online System – Office of State Revenue
- Election Management System WA – Western Australian Electoral Commission
- Keysmart System – Keystart Housing Scheme Trust
Our application reviews look at the systematic processing and handling of data in the following categories:
- Policies and procedures – are appropriate and support reliable processing of information
- Security of sensitive information – controls exist to ensure integrity, confidentiality and availability of information at all times
- Data input – information entered is accurate, complete and authorised
- Backup and recovery – is appropriate and in place in the event of a disaster
- Data output – online or hard copy reports are accurate and complete
- Data processing – information is processed as intended, in an acceptable time
- Segregation of duties – no staff perform or can perform incompatible duties
- Audit trail – controls over transaction logs ensure history is accurate and complete
- Masterfile maintenance, interface controls, data preparation – controls over data preparation, collection and processing of source documents ensure information is accurate, complete and timely before the data reaches the application.
Our testing of the above categories of controls is a point in time assessment. It is based on a sample of key controls and processes that are designed to obtain reasonable assurance about whether an application works as intended and that the information it contains and reports is reliable, accessible and secured. Our testing of some of those controls may highlight weaknesses in their design or implementation that increases the risk that an application’s information may be susceptible to compromise. However, we do not design our tests to specifically determine whether information has been compromised.
All 5 applications had control weaknesses with most related to poor information security and policies and procedures. We also found issues with controls that aim to ensure the applications function efficiently, effectively and remain available. We reported 49 findings across the 5 applications with 9 of these rated as significant, 29 moderate and 11 minor.
Correcting most of the issues we raised is relatively simple and inexpensive. Figure 1 shows the findings for each of the areas and Figure 2 shows the findings for each of the 5 applications reviewed.