Fiona Stanley Hospital IT Project to miss deadline: Audit

The Western Australian Auditor General has found that the Department of Health needs to reassess the Identity Access Management project for the Fiona Stanley Hospital if it intends to complete it.

The stalled Identity Access Management (IAM) project by the Department of Health is not expected to be completed when Fiona Stanley Hospital opens later this year, according to a report released by the Western Australian Auditor General, Colin Murphy.

The Information Systems Audit report (PDF) indicated the IAM project — which was intended to provide authorised users with access anywhere, anytime to the IT systems, and authorised admittance to hospital buildings — has cost AU$6 million date .

The audit found the common reasons that contributed to why IT projects by Health run significantly over budget, which was also evident in the IAM project, was due to deficient project planning, governance, and oversight including inadequate monitoring of progress, and the business mapping of staff roles for their required ICT access lagged behind the technical development of the solution.

Murphy said that while the IAM project was just one of several key information technology projects being carried out across Health, it would be a concern if it indicated a more widespread approach to IT project management.

"While I compliment the acting director general of Health for requesting this audit, I was concerned about the excessive delays and that the costs to date may realise no benefit," he said.

"As I have highlighted in the past, agencies often have difficulty in successfully delivering ICT projects, and this report contains some very important lessons for all agencies."

"Unless we get better at bringing in ICT projects on time and budget, the state will continue to spend millions more than necessary."

In the report, Murphy recommended that the Department of Health assess whether the IAM project is able to still deliver what it was had intended and whether it still matches current needs.

In a separate section of the report, the auditor general examined the use of cloud computing by five agencies as a sample indication of how effective cloud computing was being managed. These agencies included the Department of Fisheries, Department of Sport and Recreation, Metropolitan Redevelopment Authority, Public Sector Commission, and Public Transport Authority.

Consequently, the audit found none of the five agencies were effectively managing cloud and were therefore putting confidentiality, integrity, and availability of information at risk. Common weaknesses included not assessing business risks, costs, and benefits of shifting to the cloud, inadequate contractual arrangements where cloud service providers did not specify if agency data was being stored offshore or not, and weaknesses in the IT security and business continuity arrangements.

"With more government agencies investigating the use of cloud computing, this report ought to serve as a timely reminder that agencies should understand and address the risks and the costs and benefits associated," Murphy said.

The auditor general suggested agencies that engage in cloud services need to engage in risk management to assess all risks and vulnerabilities, as well as to ensure appropriate security controls are implemented, and monitor, evaluate, and report against projected costs, outcomes, and benefits.

The last item in the report contains the auditor general's findings on his annual general computer controls audits.

A total of 54 agencies were audited for general computer controls and 42 of them for capability assessments. As a result, 455 general computer control issues were reported, and only eight of the 42 agencies met the auditor general's expectations for managing their environments effectively.

According to the auditor general, these results were a slight improvement across agencies overall when compared with last year.

There was an improvement in four areas from the previous year including IT operations, management of IT risks, business continuity, and physical security. Information security declined by 4 percent and change control remained the same.

Murphy said there was a concern only around 40 per cent of agencies were achieving the benchmark for information security.

"It is disappointing to see that focusing on the fundamental controls is often overlooked, and
I encourage all agencies to consider the recommendations throughout my report to improve their ICT projects," he said.