The focus of our audit was the Department of Commerce’s (Commerce) Complaints and Licensing System (CALS) which holds information on approximately 760,000 clients and processes over 10,000 licences and 1,000 complaints every month. It also generates key performance indicator (KPI) information for annual reports.
Commerce has a critical role in safeguarding the interests of consumers and in regulating various professions. The 4 divisions at Commerce that provide licensing services (EnergySafety, Consumer Protection, WorkSafe and the Building Commission) issue 47 different types of licences covering a range of professions such as builders, electricians, motor vehicle repairers, real estate agents and employment agents.
Commerce developed CALS in-house to process licences. Consumer Protection and the Building Commission also use CALS to record and investigate complaints made against licence holders and others.
To process licence applications, Commerce collects information from applicants using paper-based forms. The forms are checked for completeness then entered into CALS. Applicants for some types of licence may also need to submit supporting documentation such as proof of identity, qualifications, certifications, and criminal history checks. The Building Commission scans these documents into CALS.
Once all the required information is in the system, workflows guide staff through the process of reviewing the eligibility of applications and issuing licences. Commerce uses a third party to print some licences, though this requires the sharing of some applicant information.
The CALS application is largely effective at enabling Commerce to manage licences and complaints.
However, a weakness in functionality has seen licences issued for a length of time that exceeds the regulatory period of the licence. As well, sensitive personal information collected in CALS is at some risk due to the use of insecure transfers of information over the internet to a third party and database vulnerabilities that increase the risk of unauthorised access.
Licences are issued for longer than the correct periods
A fundamental purpose of CALS is to issue licences to eligible persons for periods stipulated by regulations. However, we identified a functionality weakness with CALS that can result in the issuing of licences for incorrect periods.
While our sample identified only a small number of these errors, it is sufficient to raise concerns. Our analytics-based review of about 8,000 licences identified 22 errors including:
- licences issued with the start date set well in the future, in one instance up to 5 years in the future
- a high risk (forklift, scaffolding, cranes and hoists) licence issued in August 2015 with an expiry date of 2025. Regulations limit this type of licence to 5 years
- a plumber’s licence issued in June 2015 with an expiry date of 2021. Regulations limit this type of licence to 3 years.
We also identified 74 licences created for testing purposes. These appeared as valid licences on Commerce’s website and are present in published licence registers.
Data integrity is a fundamental requirement of a licensing system with potential ramifications for business operations and staff efficiency. One potential consequence of incorrect licence periods is that Commerce will not conduct the required regular checks on licence holders to verify that they continue to comply with licence conditions.
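The kind of analytics check described in this section can be expressed as a small rule set run over licence records. The following is an added example, not the audit tool or CALS code: the record fields, type keys, start-date tolerance and test-record naming pattern are assumptions, and only the 5-year and 3-year limits come from the findings above.

```python
from datetime import date, timedelta

# Maximum terms in years: the two limits quoted in the audit findings.
# Type keys and record fields are hypothetical, not the CALS schema.
MAX_TERM_YEARS = {"high_risk_work": 5, "plumber": 3}
MAX_START_DELAY = timedelta(days=90)   # assumed tolerance for post-dated starts
TEST_MARKERS = ("test", "dummy")       # assumed naming pattern for test records

def add_years(d, years):
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def check_licence(rec):
    """Return the list of integrity problems found in one licence record."""
    problems = []
    limit = MAX_TERM_YEARS.get(rec["type"])
    if limit is None:
        problems.append("unknown licence type")
    elif rec["expiry"] > add_years(rec["start"], limit):
        problems.append(f"term exceeds {limit}-year limit")
    if rec["expiry"] <= rec["start"]:
        problems.append("expiry not after start")
    if rec["start"] - rec["issued"] > MAX_START_DELAY:
        problems.append("start date far after issue date")
    if any(m in rec["holder"].lower() for m in TEST_MARKERS):
        problems.append("possible test record")
    return problems

def review(records):
    """Map licence id -> problems, for records with at least one problem."""
    checked = {rec["id"]: check_licence(rec) for rec in records}
    return {lic_id: found for lic_id, found in checked.items() if found}

# Constructed sample records; dates only echo the months and years in the findings.
SAMPLE = [
    {"id": "A1", "type": "high_risk_work", "holder": "J Citizen",
     "issued": date(2015, 8, 3), "start": date(2015, 8, 3), "expiry": date(2025, 8, 2)},
    {"id": "A2", "type": "plumber", "holder": "P Smith",
     "issued": date(2015, 6, 1), "start": date(2015, 6, 1), "expiry": date(2021, 5, 31)},
    {"id": "A3", "type": "plumber", "holder": "Test Licence",
     "issued": date(2015, 6, 1), "start": date(2020, 6, 1), "expiry": date(2023, 5, 31)},
    {"id": "A4", "type": "plumber", "holder": "R Jones",
     "issued": date(2015, 6, 1), "start": date(2015, 6, 1), "expiry": date(2018, 5, 31)},
]
```

Applying the same rules at the point of data entry, rather than only in a periodic review, stops an out-of-range expiry date from being saved in the first place.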
Security of electronic records
Protection of sensitive personal information is an important requirement of a licensing system. In our view, there is inadequate protection in CALS of sensitive information such as full name, address, date of birth, applicant photo, licences, investigation papers and decisions, credit reports and complaint details of individuals and organisations.
Some of the weaknesses we noted were:
- Sensitive information is insecure – there are inadequate security controls for the CALS working data files. These files are stored on open network files, outside of CALS. The security restrictions in CALS do not apply to these network files, and no other controls restrict access. All staff connected to the network have full access to view, modify and delete these files. This may result in data being accidentally or deliberately modified, copied or deleted.
- Sharing data with third parties – WorkSafe shares sensitive information with a third party using an insecure file sharing portal. The portal does not require a username or password to download files and sent data is not secured through encryption. We also found that the Building Commission emails renewal notices to a third party for printing and dissemination. This information includes names, date of birth, email addresses, contact numbers, addresses and/or applicant pictures. Email is not encrypted or secured and is vulnerable to interception. Although Commerce has access to a secure data sharing system, not all staff and divisions are aware of this facility. Sharing sensitive information with third parties without adequate security controls increases the risk of data theft.
- Credit card information may be at risk – Commerce’s branch offices scan and email hard copy licence applications to Head Office for processing. These email messages often include the full credit card number and payment details of the applicant. We found many of these email messages archived into Commerce’s recordkeeping system without the credit card details removed or redacted. Processing and storing credit card information without appropriate levels of protection significantly increases the risk to Commerce and the individuals concerned and is in breach of Payment Card Industry Data Storage Standards (PCI-DSS). Unprotected credit card information may be misused or compromised.
- Passwords were easily guessed – we identified multiple database accounts with very easy to guess passwords. Examples include passwords that were the same as the username and passwords such as ‘welcome1’ and ‘password1’. We also found that password aging was not enforced, the password of an unrestricted administrator account had been unchanged for over a year and a large number of inactive system accounts had not had their default passwords changed. Easy to guess passwords are inconsistent with good practices and lead to unauthorised access.
- Software updates not applied – the CALS database was not ‘patched’ with critical software updates released by the vendor to fix known security vulnerabilities. Attackers can exploit known vulnerabilities and potentially gain access to the system and to sensitive information.
- Database activities not logged – Commerce has not established database logging and auditing to monitor and record system changes made at the database level. As a result, changes to the database cannot be traced back to individuals and any suspicious modification or access to data will go unnoticed.
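For the credit card finding above, message text can be screened for card numbers before it is archived. This is an added example, not part of the audit or of Commerce's systems: it finds 13 to 19 digit runs, confirms them with the Luhn checksum to avoid masking phone or reference numbers, and keeps only the last four digits. The sample message is constructed and uses a well-known test card number.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single
# spaces or hyphens, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def redact_pans(text):
    """Return (redacted_text, count), keeping only the last four digits."""
    count = 0

    def mask(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group())
        if not luhn_valid(digits):
            return match.group()   # leave non-card numbers untouched
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(mask, text), count


# Constructed sample message body (test card number, made-up reference).
SAMPLE_EMAIL = (
    "Scanned application attached. Payment: Visa 4111 1111 1111 1111 exp 09/17.\n"
    "Receipt ref 1234567890123456, applicant phone 08 9555 0100."
)
```

Text screening does not cover card details inside scanned images or attachments, which need redaction before scanning or OCR-based checks.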
Segregation of duties
We found inadequate controls around the processing of licences within the EnergySafety division. A licensing officer performs the complete licensing process. This involves entering the licence application, approving the licence and printing out the licence card. Standard control procedures usually involve a segregation of duties to prevent or detect any inappropriate issuing of licences.
Manual data entry and processing
On average Commerce will process over 10,000 licence applications and renewals, and 1,000 complaints every month. All new licence applications, and the majority of renewals, are manually entered into CALS. Manual data entry compared to automated entry is inefficient and the completed data set is more likely to be inaccurate and/or incomplete.
Commerce currently has an online facility for lodging some renewal applications, but there is no facility to lodge new applications electronically or online. However, Commerce has a project to move all licence applications online by 2018.
Commerce does not have a formal policy to govern software development standards and processes. A comprehensive policy better enables entities to control the risks that affect the costs, timescales and quality of projects. The need for a policy is heightened given that CALS is an in-house developed system and Commerce does not have an enterprise level diagram to show business processes supported by the CALS application. Detailing key business processes identifies opportunities and efficiencies, which is particularly important given the size and complexity of CALS.
The CALS application and associated processes have not undergone a risk assessment. Without an adequate risk assessment, senior management are less likely to understand and plan for risks related to the information they are responsible for managing.
Commerce does not have an access control policy and supporting procedures for CALS. In the absence of this, we found:
- A number of staff using one administrator account, decreasing the capacity to identify individuals (if necessary) that modified data either deliberately or unintentionally. Accepted good practice is for administrators to have their own accounts rather than a shared account.
- An account with administrator access without any formal approval. Administrators can change security settings, install software and hardware, and access all files. For this reason, administrator access should be authorised.
- Testing of a sample of 18 CALS users showed that the accounts of 3 former employees were still open. The failure to terminate access of former employees represents a fundamental breakdown in control.
By December 2016 Commerce should:
1. review the information security policy to ensure:
   a. access management for systems is defined
   b. appropriate controls are in place to protect sensitive information
2. establish appropriate controls to ensure accurate data entry of licence expiry and renewal dates
3. undertake a risk assessment of CALS
4. review the licensing process within the EnergySafety division
5. develop and implement an IT software development policy
6. consider automated processes for capturing and managing licence data.
Response from the Department of Commerce
The Department of Commerce (Commerce) welcomed the performance review of application controls for the Complaints and Licensing System (CALS). CALS was originally developed as an information system to underpin regulation of the real estate industry and over time has been applied as the default licensing tool across four divisions of Commerce.
The audit analytic tool was especially useful in identifying two data integrity issues that had not previously been detected. These were immediately rectified and no known detriment or misuse is believed to have occurred.
Commerce accepts recommendations (2) and (5) regarding accurate data entry and IT development policy, and has taken steps to implement both. Recommendations (1) and (6) regarding information security and automation of processes are accepted and will be implemented in the move to an online licensing environment by 30 December 2017. Recommendations (3) and (4) regarding a risk assessment of CALS and review of EnergySafety licensing processes are accepted and will be implemented by 30 September and 30 December 2016 respectively.
Commerce has commenced a significant initiative to move all of its major licensing activities to a new Commerce Online Occupational Licensing system to be rolled out during the period 1 July 2016 to 30 December 2017. With this impending change, the opportunity to address any underlying issues is appreciated.