Records at risk
Auditor general cites security weaknesses in gov’t software
Auditor General Pamela Monroe Ellis has flagged security vulnerabilities in an information technology (IT) software system used by government agencies that handle building and development applications.
In an information and technology audit of the Application Management and Data Automation (AMANDA) system, the auditor general said she identified security weaknesses that may result in cyberattacks and the unauthorised disclosure of confidential information if exploited.
With increasing reliance on digital data and technology systems, Monroe Ellis said there was a need to deploy cybersecurity and risk management strategies to prevent and detect unauthorised access.
She said that at the time of her report, which was tabled in Parliament on Tuesday, the stakeholders were in the process of implementing controls that are expected to reduce the risks identified.
The auditor general noted that an organisation’s information assets are constantly under attack from cybercriminals, hackers, viruses, malware, and fraudsters.
She said that common vulnerabilities in the IT environment, such as outdated/unsupported software, unpatched systems, and a poorly designed network perimeter, facilitate various types of cyberattacks.
Monroe Ellis argued that failure to implement adequate cybersecurity measures may result in operational disruption.
“This often leads to the shutdown of an organisation’s IT infrastructure and critical systems to isolate the damage, investigate, and recover to a working state,” she said.
In addition, Monroe Ellis said that the actions of cybercriminals affect an organisation’s finances, owing to loss of business, legal fees, fines, and efforts in containing an attack or breach.
The AMANDA software was implemented to provide a national system for the management of development applications by municipal corporations, the National Environment and Planning Agency, and other agencies that comment on building and development applications.
The system, which forms a part of a wider initiative to improve the Development Approval Review Process (DARP), was expected to enhance efficiency through the control and monitoring of workflows, automation of repetitive tasks, and information sharing among the entities.
According to Monroe Ellis, these improvements would facilitate a 90-day response time for building and subdivision applications, reduce bottlenecks within the processes, and create an investment-friendly business environment.
However, the audit revealed that the AMANDA application controls were lacking, as key data inputted were not validated to ensure the accuracy and completeness of system records.
“We also determined from our analysis that the AMANDA software was not fully utilised in the processing of development applications,” the report said.
Additionally, Monroe Ellis reported that general IT controls related to backup, logical access, and cybersecurity were designed, but, in some instances, were inadequate or operated ineffectively.
Key audit question
Does the AMANDA software have an effective system of IT controls to ensure information security, efficiency and accurate information processing to meet user requirements and achieve business objectives?
What we found:
• Weak input controls
• AMANDA software not fully utilised
• Disaster recovery planning improvements needed
• Access-control deficiencies
• Inadequate cybersecurity measures