The primary goal of the billion-dollar, seven-year project to redevelop the tech system underpinning Australia’s welfare payments would likely not be achieved, while Services Australia had not appropriately managed the cyber risk or prepared to migrate the crucial data, the audit office has found.
The Australian National Audit Office (ANAO) delivered its report on Services Australia’s Welfare Payment Infrastructure Transformation Programme (WPIT) late last week.
The WPIT project is the redevelopment of Australia’s welfare payment system and associated business processes, running from 2015 to 2022 with an original estimated cost of $1.5 billion.
The scheme involves enhancing some elements of the existing IT system, adding new ones and decommissioning others.
The audit found that while Services Australia had “largely appropriate arrangements” in place to manage the risks associated with such a large-scale tech redevelopment, it had not adequately managed cybersecurity risk and did not have a plan in place to ensure the huge wealth of data in the system is effectively migrated.
The report also said that Services Australia was not adequately monitoring operating costs and could not break down what the money was being spent on.
According to Services Australia itself, one of the key end goals of the program is the decommissioning of the current Income Security Integrated System (ISIS), which is 30 years old. But delays in doing this and other issues mean that by the end of the program in 2022, it’s likely that only half of this system will be decommissioned, the audit found.
“Delays to replacement and decommissioning have put at risk the ability to deliver on the original objectives of the WPIT Programme, and delay or negate realisation of all the expected benefits of the welfare payment system redevelopment,” the audit said.
The original plan was to replace ISIS with a single tech solution, and the department went to market for a suitable option, but later determined that the proposal did not represent value for money and scrapped the procurement.
This decision “invalidated one of the fundamental planning assumptions” of WPIT, the ANAO said. ISIS is now being replaced by two separate programs of work: the Entitlements Calculation Engine and the Payments Delivery Capability.
Although the data held on the current payments system is of “paramount importance” to government service delivery, the audit also found that Services Australia “has not established appropriate arrangements” to migrate this information to the new tech system.
Plans to establish these arrangements had commenced in 2018 but were later discontinued due to “funding shortfalls”, and the department told the audit office that “there is no significant data migration in the scope of WPIT Programme to date, nor in the currently planned Tranche 4 scope”.
The welfare payments system contains data on millions of Australians who have received payments over the last 30 years, and the lack of planning to migrate this “significantly increased the risk that Services Australia would not preserve the potential future use and value of social welfare information”.
“This information is valuable, and essential to Services Australia’s strategy to improve access to data and analytics to support improved welfare payment service delivery. This strategy could allow policy agencies to obtain on-demand access to near-real time welfare delivery data, and allow citizens to view and download their information and transaction statements,” the report said.
The ANAO recommended that Services Australia plan, resource and risk manage data migration so it can preserve the use and value of existing info in the system. The department has agreed to this recommendation.
“Services Australia acknowledges and understands the need to preserve the use and value of existing information in the future welfare payment system and to govern, plan, resource and risk manage the migration of data from the ISIS system,” Services Australia said.
The audit also found that Services Australia did not properly manage the cybersecurity risks surrounding the program.
An internal audit of system accreditation under the Protective Security Policy Framework (PSPF) found that only six of the 118 systems across the agency had accreditation, despite it self-assessing as having “measures in place for the underpinning components including monitoring of vulnerabilities and privileged access, and penetration testing of outward facing systems”.
“Services Australia’s self-assessment of risk control effectiveness was inaccurate in light of the lack of cybersecurity risk assessment or accreditation for the welfare payment system, and internal audit findings that most systems across the agency did not have accreditation,” the report said.
By June this year, a number of elements of the tech system had still not been accredited, with only seven being fully accredited.
“Despite identifying strategic cybersecurity risks and assessing the generic operational cybersecurity risk context as ‘high’ in 2018, Services Australia did not cybersecurity risk assess, certify or accredit all elements of the welfare payment system as required by the PSPF,” the ANAO said.
In response to the audit, Services Australia said it would prioritise the accreditations based on risk and criticality to the agency’s core business, and these will align with the PSPF requirements.
The audit also found the department’s preparedness for an enterprise-level disaster, such as the loss of a data centre or a major outage, was inadequate.
These events could result in the agency being unable to make payments, but the two critical backup data centres were found to be in close proximity to each other, which “increased the vulnerability of the system to location-specific or provider-specific risks”.