Western Australian Auditor General Colin Murphy has advised agencies to reconsider how they manage and keep data, after an audit of payroll and other expenditure using data analytic procedures found that not all tests could be run at all agencies because of how data was kept.
The audit used data analytics to analyse 4 million transactions totalling over AU$7.5 billion across 12 agencies to identify potential fraud, errors, and omissions.
The report outlined that data analytics were used to search large volumes of transaction data for unusual items, patterns, and events that could indicate fraud. The specific techniques used included matching data between agency systems and interrogating databases.
"Unfortunately we could not run all tests at all agencies due to how and what data is held," Murphy said.
The report said, for instance, that some agencies held key information as manual records or in unsuitable formats, which meant data matching was not feasible.
According to Murphy, while the tests found no evidence of fraud, the audit identified errors and a need for improved controls at half the agencies tested; without improved controls, there is a heightened risk of fraud or error occurring.
The errors and inappropriate practices identified included paying one supplier twice for the same service, invoice splitting, use of government purchasing cards while the cardholder was on leave, inadequate explanations for payments, and failures to identify potential conflicts of interest for payments.
The report also found overpayments and a need for improved controls at six agencies, in particular the Department of Corrective Services.
"Encouragingly, two tests found no errors, indicating sound system controls around temporary salary allowance overpayment and payments approved by only one officer," Murphy said.
The report recommended that all agencies use data analytics as a technique to ensure the reliability of their data and the efficiency of their operations. Some specific use cases could include when agencies want their internal auditors to provide assurance about agency functions that can be measured through interrogation of data, or when they are after a new system to be implemented and data can be used to detect potential errors and fraud.
Last November, a separate audit found seven government agencies failed to adequately protect sensitive data from being attacked or accessed by unauthorised personnel.
At the time, Murphy highlighted that several agencies did not have firewalls segregating databases and servers from the rest of the network or from other agency networks, increasing the risk of compromising services running on the database or server itself.
"Particular areas of concern were around data access and logging, software patching and updates, and general security practices in agency IT environments," he said.
"These weaknesses increase the risk to the confidentiality, integrity and availability of sensitive information that is entrusted to agencies.
"All the agencies we audit understand the criticality of their IT systems to their operations; however, too many underestimate the risks that exist to those systems."