Report 20: 2018-19

Information Systems Audit Report 2019

Pensioner Rebate Scheme and Exchange

Introduction

The Office of State Revenue (State Revenue) processes local government entities’ (LGs) claims for reimbursement of concessions they pay to eligible pensioners and seniors through the Pensioner Rebate Scheme (PRS) system and its Pensioner Rebate Exchange (PRX) interface.

LGs use PRX to exchange claims information with State Revenue.

PRS and PRX were developed and are maintained by State Revenue.

Conclusion

The PRS and PRX effectively support State Revenue and LGs to process reimbursement claims. The rebate calculation process works well. However, State Revenue has not performed land ownership and occupancy checks since 2005. This increases the risk of concessions being paid to ineligible individuals.

Weak access controls and a lack of disaster recovery planning may also compromise the confidentiality, integrity and availability of information in PRS and PRX. State Revenue also does not effectively protect its systems from the threat of cyber-attacks.

Background

State Revenue is a business unit of the Department of Finance. It collects duties and taxes, and administers several grants and subsidies paid to the community.

It also manages LG claims in line with the Rates and Charges (Rebates and Deferments) Act 1992 (the Act). To be eligible for rebates and deferments on LG rates (sewerage, drainage and underground electricity) and emergency services levy charges, a person must:

  • register with the Water Corporation or relevant Local Government as a pensioner or senior under the Act
  • hold a pensioner or senior card. Pensioners receive up to 50% rebate and are allowed to defer payments; seniors receive up to 25% rebate
  • own and occupy a residential property on 1 July of the claim year.

Section 36 of the Act requires that ownership, occupancy and eligibility information supplied by pensioners and seniors be confirmed every 3 years. LGs did these checks until 2003, after which State Revenue took over the responsibility on behalf of LGs.

State Revenue and the Department of Treasury share responsibility to reimburse LGs for rates, rebates and interest on deferred rates that arise from pensioner and senior concessions. State Revenue processes LG claims for reimbursement, checks eligibility and validates payment amounts. Treasury pays the money to LGs.

Claims are managed through the PRS system and the PRX interface. LGs submit reimbursement claims to State Revenue through the internet-accessible PRX, after pensioners and seniors have paid their portion. State Revenue uses the PRS system to process LG claims. PRS and PRX hold confidential information, such as concession card numbers and personal details.

Over the period of July 2015 to June 2018, PRS processed an average of 469,000 claims each year, paid an average of 443,000 claims each year, and rejected an average of 26,000 claims each year. In 2017-18, State Revenue paid $117.2 million to LGs in reimbursements.

Audit findings

State Revenue does not perform land ownership and occupancy checks, which increases the risk of payments being made to ineligible individuals

State Revenue does not perform land ownership and occupancy checks as required by the Act. State Revenue took over this responsibility from LGs in 2003 but stopped doing the checks in 2005. Appropriate validation processes reduce the risk of incorrect concessions being paid to pensioners and seniors.

We were told by State Revenue that the checks stopped because a high number of payment claims were falsely rejected due to inaccurate land occupancy and ownership information in LG claim files and State Revenue records. State Revenue did not inform LGs that the checks had stopped until June 2018.

In 2010, we made a similar finding that PRS did not perform land ownership and occupancy checks against land records[1]. Over 15 years later, the function has not been fixed. State Revenue told us that it will now fix this by June 2019.

Inadequate controls may lead to unauthorised use of information

State Revenue does not have appropriate user access or security controls despite storing personal and confidential information in PRS and PRX. We identified the following weaknesses, which may compromise the confidentiality and integrity of information in the system:

  • Inadequate user access controls and reviews – State Revenue does not regularly review PRS and PRX user accounts. We found an excessive number of user accounts with administrator privileges. Additionally, many PRX user accounts, including those with privileges, had not accessed the system for 12 months (Table 1). Administrator privileges allow high levels of access and are most targeted by attackers. Unused dormant accounts could be used for malicious activity. State Revenue started a review of PRX user accounts in August 2018, but it is limited to external LG users and does not cover internal State Revenue users.

System                      Privileged users   Percent of user accounts that had not accessed the system for 12 months or more
PRX – State Revenue users   20 of 24           46%
PRX – LG users              194 of 294         7%
PRS                         18 of 29           0%

Source: OAG based on State Revenue data
Table 1: Dormant user and privileged accounts

  • A large number of users have access to unprotected sensitive information – We identified 60 users, including software developers, with full access to read, modify and delete pensioner eligibility reports and payment files. This increases the risk of unauthorised access and changes to information, and of fraudulent payments. We found:
    • payment files are in plain-text
    • the payment verification process in place is not adequate. It cannot detect if the payee account details in the payment file have been changed
    • pensioner eligibility reports and payment files are stored on a shared network folder without appropriate restrictions.

Payment files are generated by State Revenue and contain the reimbursement amounts and LG payee bank account details. Pensioner and senior eligibility reports are provided to State Revenue by Centrelink, the Department of Veterans’ Affairs and the Department of Communities to identify eligible pensioners.
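The finding above is that the payment verification process cannot detect a changed payee account in a plain-text payment file. The following added example (not State Revenue's code; the record fields, file layout and signing key are constructed for illustration) shows the kind of integrity check that closes this gap: the generating process attaches an HMAC-SHA256 tag over the canonical file content, and the verifier recomputes it before any payment request is accepted, so an edit to a BSB or account number in the shared folder fails verification.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample payment file: two LG reimbursement records with payee
# account details. Field names and values are hypothetical, not the PRS format.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"lg": "Shire of Example", "amount": "12345.67", "bsb": "000-000", "account": "00000001"},
    {"lg": "City of Sample", "amount": "98765.43", "bsb": "000-000", "account": "00000002"},
]

# Hypothetical key: held only by the payment-generation process, never by the
# users who can write to the folder where the file is stored.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def canonical(records: List[Dict[str, str]]) -> bytes:
    """Serialise records deterministically so the tag is reproducible."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def sign_payment_file(records: List[Dict[str, str]], key: bytes) -> Dict:
    """Return the file body together with an HMAC-SHA256 tag over its content."""
    tag = hmac.new(key, canonical(records), hashlib.sha256).hexdigest()
    return {"records": records, "hmac": tag}


def verify_payment_file(signed: Dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; True only if unmodified."""
    expected = hmac.new(key, canonical(signed["records"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["hmac"])


def simulate_unauthorised_edit(signed: Dict, index: int, new_account: str) -> Dict:
    """Test helper: copy the stored file with one payee account number altered."""
    altered = copy.deepcopy(signed)
    altered["records"][index]["account"] = new_account
    return altered


if __name__ == "__main__":
    signed = sign_payment_file(SAMPLE_RECORDS, SIGNING_KEY)
    print("original verifies:", verify_payment_file(signed, SIGNING_KEY))  # True
    altered = simulate_unauthorised_edit(signed, 0, "99999999")
    print("altered verifies:", verify_payment_file(altered, SIGNING_KEY))  # False
```

The check only helps if the signing key is unreadable to the 60 users who can modify the shared folder, which is why key custody belongs with the segregation-of-duties finding below.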

  • Easy to guess database passwords – We identified 10 database accounts with easy to guess passwords, and 70 accounts whose passwords had not been changed for over 12 months, although State Revenue’s Password Policy requires this. Seven of the 70 accounts had not changed their passwords for an extended period. Weak password controls increase the risk of unauthorised access to the system.
  • Segregation of duties – We found 17 users were able to perform end-to-end steps in the claims process as they have access to both PRS and PRX. These users can submit claims, process claims and submit payment requests. It is a basic security principle that a person who initiates a process should not be the one to authorise it. Without adequate segregation of duties, there is an increased risk of unauthorised or fraudulent payments.

Eighteen of the 60 users with excessive privileges could also modify LG bank account details and email addresses in the PRS system without approval. The PRS system does not notify the relevant LG when sensitive information, such as bank account details, is amended. State Revenue and LGs may only become aware of unauthorised changes if LGs query non-receipt of payments.

  • System activity is not adequately monitored or recorded – State Revenue does not have a policy or adequate procedures to proactively monitor user activity and log changes to information in PRS and PRX. Without appropriate monitoring, State Revenue may not detect inappropriate access or unauthorised changes. While user details and time of access are logged, there is no log of changes made to the information.
  • State Revenue has not developed an acceptable use policy – Ninety-two percent of PRX users are from LGs, but State Revenue has not developed an acceptable use policy to guide their use. An ‘acceptable use policy’ is a set of guidelines that outlines the terms and conditions for system use. It is good practice to develop these guidelines and make sure all users are aware of and understand them. Without appropriate guidance, there is increased potential for inappropriate access to and use of the system.

Security vulnerabilities are not well managed, leaving PRS and PRX exposed to attack

There is insufficient security vulnerability management. We found:

  • over 600 vulnerabilities on workstations due to unsupported third party applications and missing security updates (patches)
  • State Revenue has not installed anti-malware software on the PRS production (live) server
  • State Revenue does not have a process to identify vulnerabilities in PRS or PRX.

Vulnerabilities could be exploited by attackers to gain unauthorised access to sensitive data or interrupt State Revenue’s business. Timely patching of software reduces the attack surface available to them.

State Revenue may not be able to recover PRS and PRX following a major incident or disruption

State Revenue does not have an information technology Disaster Recovery Plan for PRS and PRX. This could compromise the availability of the system following a major incident or disruption. State Revenue told us that Disaster Recovery Plans for other systems may help recover PRS and PRX, but it has not tested recovery.

State Revenue’s technical support documentation for PRS and PRX is not up-to-date and does not describe the current system environments. We found some documentation had not been reviewed since 2001. State Revenue may not have the technical documentation needed to recover the system in the event of a major incident or disruption.

Recommendations

State Revenue should:

  1. update its information security policy and processes to better manage user access
    State Revenue response: Agreed
    Implementation timeframe: by August 2019
  2. reinstate validation of identity processes and checks of land ownership and occupancy in accordance with the Act
    State Revenue response: Agreed
    Implementation timeframe: by July 2019
  3. establish processes to update system user support documentation
    State Revenue response: Agreed
    Implementation timeframe: by December 2019
  4. develop and implement an effective framework to log and monitor key changes to PRX and PRS
    State Revenue response: Agreed
    Implementation timeframe: by December 2019
  5. enhance the vulnerability management process to identify and address weaknesses
    State Revenue response: Agreed
    Implementation timeframe: by July 2019
  6. develop and regularly review information technology Disaster Recovery Plans for PRX and PRS.
    State Revenue response: Agreed
    Implementation timeframe: by December 2019

Response from the Office of State Revenue

The Office of State Revenue accepts the recommendations in the Summary of Findings and considers them achievable within the timeframes specified.

Progress has been made against all of the recommendations and it is expected that all of the implementation timeframes will be met.

The Office of State Revenue has been working to develop a system that will validate land ownership and occupancy information. This system has now been built and will be implemented by July 2019, with validation checks progressively rolled out to the 136 local government authorities.


[1] General Computer Controls Audit FY 2009-10
