SINGAPORE: Instances of overpayment for services and weaknesses in the management of IT accounts have been found at the Ministry of Defence (MINDEF), the Auditor-General’s Office (AGO) said.

In its annual audit report released on Tuesday (Jul 17), the AGO flagged lapses at several ministries and government agencies. Besides MINDEF, other cases singled out include the People's Association, the Ministry of Education, the Singapore Civil Defence Force and the Agency for Science, Technology and Research.



Its checks on MINDEF uncovered overpayments on grass-cutting fees for six years, amounting to a total of S$200,000.

The overpayments were mainly due to overstatements of grass-cutting areas, and were not detected by the ministry’s facilities management agent (FMA) and contract manager Defence Science and Technology Agency (DSTA), AGO said.

“The repeated failures to detect the errors made by the contractor cast doubts on whether the FMA and DSTA had carried out their duties diligently," the report said.

Further checks by the AGO found that DSTA would not check the accuracy of land areas declared by the contractor unless it was alerted by the FMA to disparities. No checks were conducted by DSTA from Oct 1, 2011, to Sep 30, 2017, and DSTA was unaware of the discrepancies until AGO's query.



Although the role of monitoring the contractor’s services was outsourced to the FMA, AGO said DSTA is still responsible for proper contract management and payments. MINDEF – which paid for the services – is responsible for the use of government funds and should have ensured that DSTA performed its roles effectively, it added.

The ministry has informed AGO that the overpayment will be recovered from the contractor after the amount has been determined. Contractual penalties will also be imposed on the contractor for over-claiming and the FMA for failing to check the claims.



SHARING OF USER ACCOUNTS FOR PROCUREMENT

The audit also found 197 instances involving procurement value totalling S$2.83 million, where 33 authorised users of the Electronic Procurement System (ePS) might have shared accounts with other users. This was based on checks from Apr 1, 2015, to Jul 31, 2017.

Nineteen of those instances involved four users who were on overseas leave, AGO said. The accounts of the four users were used by unauthorised persons for procurement activities, violating MINDEF's IT security policy, AGO added, noting that it was difficult to pinpoint who had performed a particular activity when accounts are shared.

MINDEF has informed AGO that disciplinary actions had been taken against three of the four users while the fourth user had left the service.

MINDEF also indicated to AGO that it would continue to educate and emphasise to users the importance of safeguarding IT accounts and take disciplinary actions for non-compliance. It would also enhance the system to prevent sharing of accounts, AGO said.

WEAKNESSES IN MANAGEMENT OF ACCESS RIGHTS

Following checks on MINDEF'S ePS, AGO also found that the system owner and all the five units audited "did not carry out the periodic reviews on user access rights as required”.

The required six-monthly reviews of accounts and associated access rights had not been done since April 2013. MINDEF also delayed the removal of unneeded access rights for 41 of 219 user roles checked, AGO said.

Fourteen of the roles had access rights to perform procurement activities such as raising purchase requisitions and approving fund commitments, while the remaining 27 had access rights to view information on transactions.

Following AGO’s queries, the ministry removed the unneeded access rights from September 2017 to January 2018, when they should have been removed 53 days to 10.7 years earlier.

"Such weaknesses would expose the system to unauthorised access, thereby increasing the risk of unauthorised procurement activities and risk of the integrity and confidentiality of the date in ePS being compromised," AGO said.

MINDEF said it will stress to its units on the importance of conducting regular reviews and maintain proper documentation of reviews conducted. It will also enhance its system to improve the review process.