The Auditor-General's Office (AGO) has released its report for the financial year of 2019/20.

The AGO is an independent office that audits all of Singapore’s government entities’ books to make sure they adhere to robust and proper financial practices.

For this financial year, it audited the following:

• The government financial statements (incorporating the accounts of all 16 government ministries and eight organs of the state),
• One government fund,
• 13 statutory boards,
• Four government-owned companies, and
• Three other accounts.

And it has once again flagged various lapses across government bodies, consisting of lapses in procurement, contract and operations management, and weaknesses in IT controls, among others.

Here's what it found:

Lapses in procurement and contract management

The AGO found lapses in procurement and contract management in the Government Technology Agency (GovTech), Jurong Town Corporation (JTC), National Library Board (NLB) and Public Utilities Board.

GovTech

One of the most significant lapses highlighted for GovTech was the lack of a full evaluation for two optional categories of items under a tender that encompassed the entire government on providing servers and other IT equipment, and had an approved procurement value of S$634 million.

The two categories of optional items made up S$97.41 million or 15.4 per cent of the this value.

In addition, the reason for not conducting an evaluation was not disclosed to the approving authority.

In response, GovTech clarified that only "commonly procured optional items" were evaluated.

When a check was conducted on similar tenders, the AGO found that the procurement value of optional items that had not been evaluated for another tender amounted to S$12.92 million.

GovTech has since informed the AGO that it will document the reasons as to why it will not evaluate optional items in its evaluation report for such future tenders.

JTC

For JTC, the AGO noted that it had made a payment of S$0.89 million to a contractor a month after it had been terminated, even though the payment could have been withheld under contract, and used to offset the debt claimable from the contractor.

The contractor had been awarded a 27-month contract for refurbishment works in June 2017, at a sum of S$41 million.

Although work began upon award of the contract, it eventually fell behind schedule and "continued to worsen" despite repeated warnings.

The contractor was then terminated in Oct. 2018, after it went into liquidation and another contractor was hired by JTC to finish the job.

AGO pointed out that the payment had been made to the contractor had also been done before the total cost and to be incurred by JTC for completing the refurbishment works had been ascertained.

In August 2019, JTC filed a claim of S$24.4 million with the liquidator against the terminated contractor for the debt claimable under contract.

As of June 2020, it has not yet received any payment for the claim. JTC says it made the payment as it was certified before the company went into liquidation.

PUB

For PUB, the AGO detected multiple lapses in the management of a development project involving the construction of a water plant and the engagement of a consultant to manage the construction contract on its behalf.

These lapses consisted of:

• Weaknesses in management of contract variations and for the construction contract;
• Lapses in adjustments for price fluctuations under said contract, and
• The lack of an assessment of cost reasonableness for unskilled manpower under a contract for service maintenance

On the issue of contract variations, the AGO found that 13 contract variations, amounting to S$4.59 million, received approval only one to seven months after work had either commenced or been completed.

As for lapses in price fluctuations, this resulted in PUB overpaying for seven steel reinforcement structures by an estimated S$113,000.

No price adjustments were made for four structures, and the contractor was underpaid by S$8,600.

The lack of an assessment for cost reasonableness of unskilled manpower also resulted in an expenditure of S$607,000, 39.8 per cent higher than the value of S$365,400, had PUB used the average unskilled manpower price among all tenderers at the tender's close.

Lapses in operations management

MFA

Here, the AGO's audit of an overseas mission found that the Ministry of Foreign Affairs (MFA) had insufficient measures to enforce the terms in service agreements signed with Authorised Visa Agents (AVAs).

AVAs are companies appointed by overseas mission's to process visa applications and collect processing fees on their behalf.

As such, this resulted in three AVAs listing the fees for visa applications on their websites at a value 16 to 50 per cent higher than the fee fixed in the service agreements. The AVAs would also retain the excess fees if collected.

The three AVAs have since explained to MFA that the websites inspected by the AGO are not their official websites, but websites created by either their staff or department without the company's approval.

These "unofficial" websites have since been removed by the AVAs while MFA has also taken action to penalise the three AVAs.

Inadequate IT controls

One of the most significant issues highlighted by the AGO involved the most privileged operating system (OS) user accounts, which gives users full access to an operating system.

Here, three ministries, and the Prime Minister's Office (PMO), were singled out as having weak controls regarding access to such accounts.

PMO

There are six OS administrators for the Human Resource Management System (HRMS), all of whom were the staff of an IT vendor. The Public Service Division (PSD) uses the HRMS to handle personnel information.

The HRMS is used by civil servants for leave-related matters, payroll-related information and staff appraisal.

The AGO found that:

• There was no restriction on the usage of the most privileged OS account and two of the administrators had been using this account for daily activities to maximise operational efficiency,
• No review of all the activities carried out by the most privileged OS account had been conducted, and
• A security software had been wrongly configured to allow another two OS administrators to access the most privileged OS account without a password, even though they are not meant to use it.

In response, the PSD stated that it will ensure access to the most privileged OS account is "granted strictly on a needs basis."

MOF

A similar issue was also detected for MOF, involving the PaC@Gov system which is used by the Accountant-General's Department (AGD) for payroll and claims.

In this case, the six OS administrators for the PaC@Gov system were able to log into the most privileged OS account without the need of a password.

The AGD also did not have a "robust" log review, which meant that it could not detect unauthorised usage of the most privileged OS account.

MOF has since acknowledged the AGO's report, replying in a press release:

"We will implement technical systems to reliably automate the IT tasks relating to the review of privileged users’ activities and management of account and user access rights. This will minimise human error and focus attention on higher-order security tasks."

You can read the 93-page report in full here.

Totally unrelated but follow and listen to our podcast here

Screenshot from AGO, right image by Matthias Ang