Report 11

Information Systems Audit Report

Controlled Waste Tracking System – Department of Environment Regulation


Background

Controlled waste is defined under the Environmental Protection (Controlled Waste) Regulations 2004. It includes substances like acids, arsenic, asbestos, clinical waste, heavy metals, organic compounds, tyres, sewage, food processing and grease trap wastes and waste pharmaceuticals and medicines. The overarching aim of the regulations is to minimise the risk to the public and the environment of inappropriate or illegal transport and disposal of controlled waste.

The Department of Environment Regulation (DER) is responsible for monitoring and controlling the transport of controlled waste in Western Australia. Transportation of controlled waste is divided into 2 categories: bulk and packaged. Bulk controlled waste is liquid and is transported in a dedicated tank. Packaged controlled waste refers to waste that is transported loose, for example, tyres and soil, or waste in containers like drums and skip bins. The regulatory requirements differ between bulk and packaged waste.

Under the regulations, controlled waste carriers must be licensed. Any drivers who transport bulk controlled waste, and the vehicle and tanks they use, require additional licences. Facilities that receive controlled waste, known as waste facilities, must be registered with DER. Businesses that generate or possess controlled waste can only use licensed carriers to collect and transport waste for disposal.

Licensed carriers are required to record transported waste using individually numbered controlled waste tracking forms. DER issues these forms either electronically, or in a hard copy book. Carriers must use the forms for any movement of bulk controlled waste, or if they are transporting 200kg or 200L or more of packaged waste. The waste carrier and the facility receiving the waste must each lodge a copy of the tracking form with DER. Required details in the form range from the licence of the carrier to the amount and type of waste transported or received.

DER’s Controlled Waste Tracking System (CWTS) analyses the details contained in the forms and triggers alerts if it detects inconsistencies with a condition of licence or mismatches between the data submitted by the carrier and the waste facility.

The CWTS records the licence details of the 440 controlled waste carriers and lists 370 disposal facilities. Between 90,000 and 100,000 transport events move about 925,000 tonnes of liquid controlled waste each year.

Conclusion

The CWTS is fit for purpose. However, DER makes no adjustments for thousands of flagged data entry discrepancies, which renders the information on amounts and types of controlled waste unreliable. Unreliable information makes it difficult for DER to monitor compliance and to target its compliance and enforcement activities at areas of highest risk.

A range of weaknesses with the management of CWTS puts the data integrity and continuity of operation at unnecessary risk. These include excessive numbers of staff with administrator access and a lack of agreement between the CWTS software developer and the state agency that runs the IT infrastructure regarding roles and responsibilities.

Audit Findings

Uncorrected data errors result in unreliable information and poorly targeted compliance effort

DER does not consistently investigate or correct data discrepancies or entry errors in CWTS. As a result, DER is unable to rely on the data for monitoring compliance by controlled waste disposal facilities and carriers.

DER tracks waste transportation using a controlled waste tracking form that contains information on:

  • type and amount of controlled waste
  • date and time when it was picked up
  • date and time delivered to the waste facility
  • the driver’s licence number
  • the vehicle registration number and/or waste tank used to carry the waste.

The CWTS generates an alert when the tracking form lodged by the carrier does not match the form lodged by the waste facility that takes delivery of the waste, or when a form is inconsistent with licence conditions.

The system generated around 20,000 alerts from the approximately 100,000 transport events that occurred in 2015.

Mismatches can relate to procedural issues, such as drivers or the waste facility not completing the tracking form within 14 days of the waste being unloaded, the driver not having a valid controlled waste licence, or a vehicle or tank not being licensed to carry the type of waste collected. However, they can also relate to potentially more serious matters.

About 20% of mismatches (4% of transport events) are between the type or amount of controlled waste unloaded by a waste carrier and that received by the waste facility. These are arguably high-risk alerts as they potentially indicate incorrect disposal of controlled waste and harm to the environment and public health.

However, DER advised us that preliminary analysis it did in 2015 showed that about 81% of alerts were due to data entry errors.

Nevertheless, we expected that when alerts occur, DER would establish the reason for the mismatch. If it was due to a data entry error, it would be corrected; if due to some other reason, it would be investigated. Analysis of alert data could also identify carriers and waste facilities that repeatedly input incorrect information. Repeated under-reporting of waste amounts by waste facilities could indicate an attempt to avoid exceeding licence conditions.
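The triage described above can be sketched as follows. This is an added example, not the CWTS's own logic or code from the report: the field names, the use of litres and all sample records are constructed assumptions, and it covers only form-to-form mismatches and late lodgement, not licence-condition checks.

```python
from collections import Counter
from datetime import date

LODGE_DAYS = 14  # report: forms are due within 14 days of the waste being unloaded

# Constructed sample data (not from the report): each record pairs the carrier's
# copy of a tracking form with the copy lodged by the receiving waste facility.
def form(no, fac, unloaded, carrier, received):
    keys = ("type", "litres", "lodged")
    return {"form": no, "facility": fac, "unloaded": unloaded,
            "carrier": dict(zip(keys, carrier)), "received": dict(zip(keys, received))}

FORMS = [
    form("T0001", "FAC-A", date(2015, 3, 2),
         ("grease trap", 4000, date(2015, 3, 4)), ("grease trap", 4000, date(2015, 3, 5))),
    form("T0002", "FAC-B", date(2015, 3, 9),
         ("sewage", 5000, date(2015, 3, 10)), ("sewage", 4200, date(2015, 3, 11))),
    form("T0003", "FAC-B", date(2015, 4, 1),
         ("sewage", 3000, date(2015, 4, 3)), ("sewage", 2500, date(2015, 4, 20))),
    form("T0004", "FAC-A", date(2015, 4, 6),
         ("acid", 800, date(2015, 4, 7)), ("sewage", 800, date(2015, 4, 7))),
    form("T0005", "FAC-C", date(2015, 5, 4),
         ("grease trap", 1000, date(2015, 5, 5)), ("grease trap", 1200, date(2015, 5, 6))),
]

def alerts_for(rec):
    # Classify one paired form: late lodgement is procedural, while a type or
    # amount mismatch is high-risk until shown to be a data entry error.
    out = []
    for who, key in (("carrier", "carrier"), ("facility", "received")):
        if (rec[key]["lodged"] - rec["unloaded"]).days > LODGE_DAYS:
            out.append(("procedural", f"{who} copy lodged late"))
    c, r = rec["carrier"], rec["received"]
    if c["type"] != r["type"]:
        out.append(("high-risk", "waste type mismatch"))
    if c["litres"] != r["litres"]:
        out.append(("high-risk", "amount mismatch"))
    return out

def triage(forms):
    # Map form number -> alerts, leaving out forms that raised none.
    return {f["form"]: a for f in forms if (a := alerts_for(f))}

def repeat_under_reporters(forms, threshold=2):
    # Facilities that recorded less than the carrier unloaded, `threshold` or more times.
    counts = Counter(f["facility"] for f in forms
                     if f["received"]["litres"] < f["carrier"]["litres"])
    return sorted(fac for fac, n in counts.items() if n >= threshold)
```

A single over- or under-count is most likely a keying error to correct; it is the per-facility repeat count that turns individual alerts into a lead for compliance follow-up.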

However, DER does only limited follow-up of individual alerts, resulting in data errors remaining in the system and investigations of potentially incorrect disposals not occurring.

Instead, it focuses its effort and resources on attempting to process alerts, and on prioritising and selecting those alerts it will follow up. DER analyses the data in the CWTS and produces a quarterly management report of unusual trends, or more significant high-risk data mismatches. This quarterly report informs DER’s compliance follow-up work.

However, the uncorrected errors in the CWTS are so extensive that these reports carry a warning that the data should not be relied on. The effect in one case that we reviewed was DER investigating waste facilities suspected of exceeding their licensed controlled waste amounts only to find the data was wrong.

Effective operation, development and maintenance of CWTS is at greater risk because of a lack of formal arrangements with service providers

CWTS is vendor-developed software. The vendor is responsible for maintenance and changes to the CWTS application.

However, there is no contract between DER and the vendor. Without a contract, roles, responsibilities and remuneration for services are potentially open to negotiation or dispute. It also places at risk DER’s ability to manage effectively its ongoing development and maintenance of the CWTS.

DER also has no formal agreement between itself and another state government agency that manages the IT infrastructure (servers, network, supporting software) that runs the CWTS.

As a result, key IT management processes are not defined or agreed, including roles and responsibilities for system security, priorities for system recovery in the event of a disaster, backup of data, and management of changes to the system. Without these formal obligations in place, DER may find that it cannot quickly recover CWTS in the event of a disruption or incident.

High numbers of people with administrator access put data integrity at risk

DER does not have any formalised policies in place that govern the management and use of CWTS. Policies help ensure that roles, responsibility, conditions of use, and system management are understood. We identified the following issues relating to DER’s management of CWTS users and activities:

  • 24 DER staff members, or 40% of all internal users, have administrator level access to the CWTS. Administrator access gives users the ability to edit or delete waste tracking events and associated data. Administrators can also create, modify, and remove other user accounts. Having several users with this level of privileged access increases the risk that data may be wrongly changed or deleted.
  • DER does not periodically review who has access to the system and if their level of access is appropriate. These reviews ensure that any person that has left DER has their account removed and that the level of access for persons whose role has changed remains appropriate.
  • The system logs actions and changes made by all users, including administrators. However, these logs are not reviewed to ensure administrator and other actions are appropriate. Without this review, any unauthorised changes or access to sensitive information may go undetected.
  • While CWTS allows all administrator user accounts to read system logs, not all users have the in-depth technical knowledge to access the logs. CWTS does not have an easy to use logging interface that contains all user actions. Logs are disparate; they are stored in different areas of the application and underlying database. As a result, DER must rely on the software vendor to support any investigations that require analysis of the logs. The same contractors also have the ability to delete or modify these logs. DER may be unable to rely on or access logging data if there is a dispute with the contractor. It would also not be able to identify inappropriate changes to the logs or link these to the relevant user.

Recommendations

  1. By August 2016, the Department of Environment Regulation should:
     a. establish appropriate formal agreements with relevant service providers for the CWTS.

  2. By June 2017, the Department of Environment Regulation should:
     a. establish a process to regularly review and correct mismatched data
     b. develop and implement supporting policies and procedures for the CWTS including: management and review of user accounts and access privileges; and management and review of system logs.

Response from the Department of Environment Regulation

The Department of Environment Regulation fully accepts Recommendation 1.

Management fully accept the responsibility to implement a contract between DER and any successful tenderer with respect to the services currently being provided by the current vendor.

The Department of Environment Regulation accepts, in part, Recommendation 2.

Analysis will be undertaken of the system to identify mismatch system warnings, using Corporate Policy Statement No 7 – Operational Risk Management, to identify the warnings that may indicate a potential risk to the environment or public health.

An operational procedure may be prepared, documenting the procedure for the routine review and investigation of the identified mismatch system warnings by appropriate Controlled Waste staff.

Analysis of the current DER CWTS users against their DER role has commenced. This will clarify the access permissions required for role-based access control of the CWTS. The system will be reviewed ensuring the required changes can be made and whether the system source coding can be amended. If so, new role-based user access profiles will be applied to the system and across each current DER user account.

An operational procedure will be prepared, documenting the procedure for the routine reviews of the current user access profiles.

Analysis will be undertaken of the system audit logs, based on the administrator privilege actions, to identify the issues at high risk from potential malicious behaviour.

A review of the system will determine if:

  • the required changes can be made; and
  • resources are available to develop a system audit log report that will display those actions deemed a high risk.

If so, an operational procedure will be prepared, documenting the procedure for routine review and investigation of the audit log report by appropriate Controlled Waste staff.
