Applications are the software programs that facilitate an organisation's key business processes. Typical administrative processes that depend on software applications include finance, human resources, licensing and billing. Applications also facilitate specialist functions that are particular and essential to individual entities.
Each year we review a selection of key applications that agencies rely on to deliver services to the general public. Our focus is on the application controls designed to ensure the complete and accurate processing of data from input to output. Failings or weaknesses in these controls can directly affect other organisations and members of the public. Impacts range from delays in service to possible fraudulent activity and financial loss. This report describes the results of key application reviews at four agencies.
We reviewed key business applications at four agencies. Each application was selected on the basis of the sensitive information it contains and the impact on the agency or the public if the application were not managed appropriately.
Our application reviews look at the step-by-step processing and handling of data to ensure that:
- Policies and Procedures – Appropriate policies and procedures are in place to support reliable processing of information.
- Data Preparation – Controls over the preparation, collection and processing of source documents ensure the data is accurate, complete and timely before it reaches the application.
- Data Input – Data entered into the application is accurate, complete and authorised.
- Data Processing – Data is processed as intended within an acceptable time period.
- Data Output – Output, including online and hardcopy reports, is accurate and complete.
- Interface Controls – Controls are suitable to enforce the completeness, accuracy, validity and timeliness of data transferred between systems.
- Master File Maintenance – Controls over master file integrity are effective, ensuring that changes are approved, accurate and complete.
- Audit Trail – Controls over transaction logs ensure the transaction history is accurate and complete.
- Segregation of Duties – No staff performed or were capable of performing incompatible duties.
- Backup and Recovery – The system/application can be recovered in the event of a disaster.
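The interface, data input and audit trail criteria above are easiest to understand against a concrete check. The following Python is an added illustration, not code from this report or from any of the reviewed applications: it validates a constructed batch file of the kind one system hands to another, testing completeness (declared record count against records received), accuracy (control total against the sum of amounts), validity (well-formed records, plausible identifiers, positive amounts) and timeliness (batch age against a processing window), and produces a file digest for the transaction log. The pipe-delimited layout, the `CL-nnnn` client identifier pattern, the 24-hour window and the sample data are all assumptions made for the example.

```python
"""Interface-control checks over a constructed batch file.

Added illustration only; the file format, field order and thresholds are
assumptions for the example, not those of any agency application.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation

# Constructed sample: a header record (H) with batch id, sent timestamp,
# declared record count and control total, then detail records (D) with a
# client id and an amount.  Three records totalling 1250.00.
GOOD_BATCH = """H|BATCH-0001|2016-06-30T09:00:00+00:00|3|1250.00
D|CL-1001|500.00
D|CL-1002|250.00
D|CL-1003|500.00
"""

# Same batch with the last detail record lost in transit.  The header still
# claims three records and 1250.00, so completeness and accuracy must fail.
TRUNCATED_BATCH = "\n".join(GOOD_BATCH.splitlines()[:3]) + "\n"

# Constructed processing time: three hours after the batch was sent.
NOW = datetime(2016, 6, 30, 12, 0, tzinfo=timezone.utc)

CLIENT_ID = re.compile(r"^CL-\d{4}$")  # assumed identifier format


def check_interface_batch(text, now, max_age=timedelta(hours=24)):
    """Return (findings, digest).

    findings is a list of (control, message) tuples; empty means the batch
    passed.  digest is a SHA-256 over the raw file, written to the transaction
    log so the accepted input can be reconciled later (audit trail).
    """
    findings = []
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    lines = [ln for ln in text.splitlines() if ln.strip()]

    if not lines or not lines[0].startswith("H|"):
        return [("validity", "missing header record")], digest
    hdr = lines[0].split("|")
    if len(hdr) != 5:
        return [("validity", "malformed header record")], digest
    _, batch_id, sent_at, declared_count, declared_total = hdr

    # Timeliness: reject future-dated, replayed or long-delayed batches.
    try:
        sent = datetime.fromisoformat(sent_at)
    except ValueError:
        sent = None
        findings.append(("validity", "header timestamp is not ISO 8601"))
    if sent is not None and (sent > now or now - sent > max_age):
        findings.append(("timeliness", f"{batch_id} sent {sent_at}, outside the {max_age} window"))

    # Validity: each detail record well-formed, id matches pattern, amount > 0.
    amounts = []
    for n, ln in enumerate(lines[1:], start=2):
        parts = ln.split("|")
        if len(parts) != 3 or parts[0] != "D":
            findings.append(("validity", f"line {n}: malformed detail record"))
            continue
        _, client_id, amount = parts
        if not CLIENT_ID.match(client_id):
            findings.append(("validity", f"line {n}: bad client id {client_id!r}"))
        try:
            value = Decimal(amount)
        except InvalidOperation:
            findings.append(("validity", f"line {n}: bad amount {amount!r}"))
            continue
        if value <= 0:
            findings.append(("validity", f"line {n}: non-positive amount {amount}"))
        amounts.append(value)

    # Completeness: records received must match the sender's declared count.
    try:
        if len(amounts) != int(declared_count):
            findings.append(("completeness", f"header declares {declared_count} records, file has {len(amounts)}"))
    except ValueError:
        findings.append(("validity", f"bad record count {declared_count!r} in header"))

    # Accuracy: control total must equal the sum of amounts actually received.
    received = sum(amounts, Decimal("0"))
    try:
        if received != Decimal(declared_total):
            findings.append(("accuracy", f"control total {declared_total} != sum of records {received}"))
    except InvalidOperation:
        findings.append(("validity", f"bad control total {declared_total!r} in header"))

    return findings, digest


if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("truncated", TRUNCATED_BATCH)):
        findings, digest = check_interface_batch(batch, NOW)
        print(name, digest[:16], findings or "PASS")
```

A batch that fails any check is rejected whole rather than partially loaded, and the digest of every accepted file is logged, so a later reconciliation between sender and receiver has something to compare against. The failures also have to be routed to someone who can act on them, which is the monitoring weakness noted in the findings below.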
The four agency applications we reviewed were:
- Integrated Court Management System – Department of the Attorney General
- LAW Office – Legal Aid Commission Western Australia
- WA Seniors Card Management System – Department of Local Government and Communities
- Services Information Management System 2 – Drug and Alcohol Office of WA.
Figure 11 shows the focus of our application reviews: people, process, technology and data. In considering these elements, we follow the data from input, through processing and storage, to output. We also looked at whether sensitive information was properly secured at each step of the process.
All four applications had control weaknesses, the most common being poor access controls and inadequate monitoring of user activity. These weaknesses compromised the security of sensitive information. We also found issues with the operational, procedural and process controls that are meant to ensure the applications function effectively. Correcting most of the issues we raised is relatively simple and inexpensive. Table 2 summarises our findings against each of the applications.