report

Information Systems Audit Report 2018

First Home Owner Grant Online – Office of State Revenue

First Home Owner pie chart

Introduction

The First Home Owner Grant Online system (FHOG Online) is used by the Office of State Revenue (OSR) to provide a one-off payment for eligible first home owners who are buying or building a new home. The system contains confidential personal information about grant applicants, including bank account details.

Conclusion

The FHOG Online system stores and processes grant applications and payments as required. While we did not find any instances of inappropriate access or misuse, confidential information, including applicant bank details, is at risk of exposure due to inadequate information security and informal change management procedures. There are also extensive manual processes which has made OSR’s use of the system inefficient and increases the risk of errors.

Background

The OSR is a business unit of the Department of Finance. It administers revenue laws and grant and subsidy schemes, including the FHOG.

The FHOG assists eligible first home owners to buy or build a residential property as their principal place of residence. The grant process is a shared responsibility between the OSR and the Department of Treasury. OSR receives applications and assesses eligibility for grants. Treasury is responsible for paying the money to eligible grant applicants.

FHOG applications can be submitted through approved agents or directly with the OSR. Applications are recorded and managed in the FHOG Online system. The system was developed and is maintained by a third party vendor.

In 2016-17, almost 15,630 grant applications were recorded and managed in FHOG Online.

Audit findings

Confidential information is at risk of unauthorised access due to insufficient security controls

FHOG Online stores personal and sensitive information of applicants, much of which is confidential such as bank account details of grant recipients. The OSR’s security controls are not effective in protecting the confidentiality, integrity and availability of the information it stores. Weaknesses we found include:

  • Unprotected personal data in test environment – We found that confidential information is used and retained in the test environment even though the test environment does not have the same level of security. Processing and storing this information in the test environment without appropriate levels of protection increases the risk that it may be misused or compromised.
  • Passwords were easily guessed – We identified database user accounts, including highly privileged database administrator accounts, with easy to guess passwords. Examples include passwords that are the same as usernames and passwords 3 characters in length. We also found that users are not forced to change passwords on the database server after a period of time. The passwords for all privileged accounts had not been changed in over 2 years.

No segregation of duties increases the risk of grants being issued inappropriately

The Department of Treasury has not segregated its grant payment processes. We found the same person in Treasury processes grants payments and performs payment reconciliations. This lack of segregation of duties increases the risk of inappropriate grant payments.

The files used during the payment process contain bank account details, which are stored in plain-text format. These payment files can be amended before uploading to the bank for payment and there is no independent process to detect changes made to the original files. Although an independent check is performed to verify the summary of payment amounts and total transactions, it does not validate bank account details.

Manual processes are inefficient and increase the risk of errors

The OSR relies on a substantial amount of manual processing to collate information in the system. Manual workflows are inefficient and increase the risk of errors in determining the applicants’ eligibility.

Examples of manual processing include:

  • Grants officers in OSR manually check external systems to verify that applicants satisfy a number of criteria including criteria around property ownership, citizenship and residency. These include systems at the WA Land Information Authority, Water Corporation, Western Power and the WA Electoral Commission. There is no electronic interface between the government databases.
  • The FHOG system does not allow automated workflows to notify staff when applications require additional investigation. Instead, a manual spreadsheet is used to record tasks when grant officers cannot determine the eligibility of the applicant.

Automated workflows and links or interfaces with other government agency databases can significantly improve the integrity and efficiency of processing applications.

Poor IT controls make FHOG Online more vulnerable to unauthorised access

The FHOG Online system is vulnerable to external threats and inappropriate access. To ensure the system continues to be reliable and information secure, the OSR needs to improve its IT controls.

Some of the gaps we identified were:

  • Lack of regular vulnerability assessments – The OSR does not have an effective process in place to identify, assess and address known software vulnerabilities in a timely manner. We conducted scans on key FHOG Online servers and identified critical and high severity vulnerabilities due to missing third party software updates (patches). We were able to exploit these vulnerabilities to access confidential information and escalate our privileges for further access.
  • No process to manage changes to the system – The OSR sends ad hoc requests to a service provider to resolve system issues and make changes to the FHOG Online system. However, it does not have change management procedures in place to formally document, review and approve change requests. There is a risk that management will not know of these changes or appropriately manage associated risks.
  • User permissions are not reviewed – The OSR does not regularly review privileges and access to the FHOG Online system. We found that the system cannot produce a report to assist with verifying whether the roles of its users are appropriate. Without review of user access, there is an increased risk of unauthorised or inappropriate access going undetected. The OSR has an appropriate Monitoring Systems Use Policy that requires regular internal audits on all aspects of user access and use of the FHOG system. However, the policy is not followed.

Recommendations

The OSR should:

  1. review its information security policy to apply:
    1. appropriate controls to protect sensitive information
    2. system account passwords that comply with relevant industry good practice guidelines
  • OSR response: Agreed
  • Implementation timeframe: Completed
  1. review manual processes and if appropriate, automate them
  • OSR response: Agreed
  • Implementation timeframe: June 2020
  1. review the vulnerability management process, conduct regular vulnerability assessments and apply software updates recommended by vendors
  • OSR response: Agreed
  • Implementation timeframe: Completed
  1. define and follow a change management process
  • OSR response: Agreed
  • Implementation timeframe: Completed
  1. implement procedures and controls for user access management in line with the existing internal policy.
  • OSR response: Agreed
  • Implementation timeframe: Completed

The Department of Treasury should:

  1. address the risks associated with the segregation of duties in relation to the payment and reconciliation processes
  • Department of Treasury response: Agreed
  • Implementation timeframe: Completed.

Response from the Office of State Revenue

The Department of Finance, Office of State Revenue has agreed to all of the recommendations set down in the draft management letter received in November 2017 and the subsequent management letter received in February 2018.

The Department of Treasury has also agreed with the recommendation it was responsible for. Both Departments accept the findings will strengthen the operation of the FHOG system and its supporting operations and will mitigate risks within the current processes.

Since receiving the draft management letter, the Department of Finance and Department of Treasury implemented changes to address the risks that were identified in respect of all findings in the audit.

The finding to automate the manual processing of pre-compliance data checking on first home owner grant applications has been addressed and will be actioned on a best endeavours basis. To automate data checking requires system enhancements and which will be prioritised alongside future planned system upgrades to State Revenue’s systems

 

Back to Top