Unified online identity not just a luxury anymore, Victoria urged

article-body

Proof of identity requirements and legacy technology are holding back Victoria’s whole-of-government digital service delivery, warns a new audit. This would be an opportune time for Victoria and the Commonwealth to talk about MyGov.

In the Delivering Services to Citizens via Devices of Personal Choice: Phase 2 report, acting auditor-general Peter Frost noted that although “we found successes in digital service delivery … the transition is being hindered by pertinent issues such as proof of identity verification requirements, legacy and existing inefficient information technology systems and back-office process.”

The document deals with approaches departments and agencies use to determine which services will be, or have already been, delivered online, as well as the ongoing monitoring of the effectiveness and public utilisation of digital service delivery.

Echoing other audits that have found weakness in performance management in the VPS, Frost argued for improved services delivery performance monitoring and reporting, in particular the need for “baseline performance targets need to be set, with rigorous monitoring and reporting systems and processes in place”.

Only three of the five audited departments and agencies that provide services to citizens and consumers “have a complete list of service transactions and the costs attributable to delivering each transaction”, the report noted.

There is no integrated digital system for Victorians to efficiently and effectively prove their identity, with customers having to go through an identity proving process for each new service they sign up to.

To tackle the problem, the VAGO recommends the Victorian government implement an integrated identity system.

It also identifies legacy systems and out-dated back-office practices as barriers to the effective digitisation of services.

Further recommendations include:

• That the Department of Premier & Cabinet, through Service Victoria, works with departments and agencies to implement an integrated service delivery model that increases public usability and utilisation of digital service delivery across different digital devices;

And that other departments:

• identify and prioritise which service transactions should be transitioned to digital service delivery while also considering alternative, non-digital service delivery channels;
• enhance the end-to-end digital service delivery by resolving any legacy system issues and/or integrating supporting information technology systems with front-end digital technologies, and streamlining back-office processes to minimise manual processing interventions;
• develop baseline performance data targets for digital service delivery;
• develop digital service delivery performance monitoring and reporting systems and processes;
• identify and implement strategies, including using existing social media platforms, to promote digital service delivery.

But it’s not all bad news. The auditor-general provided three examples of “current successes” in digital service delivery:

• The Department of Justice & Regulation implemented the Working with Children Check digital service known as MyCheck recognising the need to increase operational efficiencies, and improve customer service and security;
• VicRoads’ registration and licensing division implemented a digital service platform which is used across different types of devices. The division also established effective systems and processes to monitor and report its digital service delivery performance;
• The State Revenue Office developed and launched the online application, Duties Online, to increase efficiencies and enhance customer experience for duties service transactions.

ICT systems control

In Financial Systems Controls Report: Information Technology, the VAGO identified “a large number of IT control deficiencies” with the potential to impact the confidentiality, integrity and availability of public sector financial data and IT systems.

The office found 462 issues at the 45 entities it audited, noting that “similar to last year, management at these entities continue to be slow to act on our findings, especially our high-risk findings.”

“This demonstrates the need for more focused attention and oversight of IT issues by accountable officers and governance bodies, including audit committees. As a result, we intend to increase the level of accountability over the recommendations that are raised with management, especially at those entities that are not addressing our findings adequately or on a timely basis.”

Security-related audit findings account for the majority of issues identified, along with a significant number of systems and software that are no longer supported or are at risk or being unsupported in the near future.

Many previous recommendations are going unaddressed, it stated, with 41% of IT audit findings from previous years, many of which were rated high-risk, having not been implemented. The VAGO argued it is “disappointing” that the recommendation for a whole-of-government disaster recovery framework has not been addressed since it was first made in 2012–13.

The report put forward a range of recommendations:

• That the Commissioner for Privacy and Data Protection provides education and training to relevant entities on the requirements of the Victorian Protective Data Security Standards—once issued.

That the Department of Premier & Cabinet:

• monitors and reports the status of information technology obsolescence risks at departments and public sector agencies;
• monitors and reports the status of the implementation of disaster recovery frameworks and plans by shared services boards. These frameworks and plans should: prioritise information technology systems recovery in the event of a disaster impacting a number of departments and agencies; and cover financial and non-financial systems.

That public sector entities’ governing bodies and management:

• enhance management’s understanding of their Financial Management Act 1994 and Standing Directions obligations, and ensure: assurance reports received for outsourced information technology environments are reliable and fit-for-purpose; and exceptions raised in assurance reports are assessed for the impact they may have on the entity’s control environment;
• manage the continuity of vendor support for systems approaching end-of-life, including its upgrade or migration to fully supported solutions. Where possible, entities should work collaboratively to address information technology obsolescence risk across the public sector;
• implement appropriate governance and monitoring mechanisms to ensure: information technology audit findings are addressed by management; and sustainable process improvements, to prevent future recurrence;
• align information technology control frameworks to relevant Victorian Government information technology security standards.

That public sector entities’ governing bodies and management:

• ensure that, where relevant, shared service providers implement disaster recovery frameworks which prioritise information technology systems recovery in the event of a disaster impacting a number of departments and agencies. The framework and plans should cover financial and non-financial systems;
• enhance identity and access management, and software licensing policies and procedures by addressing control weaknesses reported in management letters;
• implement processes to periodically monitor the effectiveness of identity and access management, and software licensing processes and controls.