A preliminary financial audit into 26 federal government agencies has found sub-par business continuity plans in several human resources systems, showing little to no improvement from four years ago.
Audit documents reported that while continuity plans had improved for agencies' Financial Management Information System (FMIS), the same could not be said for the Human Resources Management Information System (HRMIS).
"Our assessment of FMIS and HRMIS business continuity arrangements has identified that the effectiveness of these arrangements had improved for FMIS, but that this improvement was not matched in the management of HRMIS business continuity.
"The effectiveness of [Human Resources Information Management System] business continuity arrangements has remained relatively constant over the past four years. In 2010/11, around 20 per cent (five agencies) did not have effective business continuity arrangements, which is similar to the situation in 2009/10," audit documents said.
The Australian National Audit Office (ANAO) said that if a disruption to normal business activities occurred, there was the possibility that human resources information may be unrecoverable.
The audit office said that it is set to keep a closer eye on the development and regular testing of business continuity plans in future.
The preliminary audit did, however, find an improvement in user access controls around HR systems, although it noted that the agencies still had too many users with high-level system access.
"In 2010/11 there was a significant improvement in the administration of HRMIS privileged user accounts. In 2009/10, almost 35 per cent (nine agencies) needed to improve their controls in this area. In 2010/11, this has reduced to around 15 per cent (four agencies). As these users typically have full access to all HRMIS financial transactions and information, there remains a risk to the integrity of financial and other information in the HRMIS for these agencies.
"The management of user access, particularly the logging and monitoring of user activities for privileged users, remains an area that requires further attention in some agencies. The ongoing effectiveness of user access controls is an important element in maintaining the integrity of agencies' financial information," audit documents said.
The audit also pointed to issues with Defence, after it was revealed that the department's new inventory and asset management system, the Military Integrated Logistics Information System (MILIS), has project governance issues.
"The audit identified significant weaknesses in MILIS project governance and management arrangements considered fundamental to the success of IT projects of this size, complexity and nature. These weaknesses included insufficient testing in an environment representative of MILIS's future operating environment; the failure to deliver critical functionality; underestimating the level of resources and problem resolution required for known defects; insufficient preparedness for the impact of the defects on the user environment and financial statements; and non-adherence with project management procedures."
In response to the findings of the audit, Defence has instituted a program to remedy the issues.