Zombie financials threaten Victoria

The Victorian Auditor-General has found that state agencies are at increasing risk from using IT systems that are past or approaching their end-of-life.

An analysis of financial systems at 45 government agencies found that “While software licensing was generally well controlled, controls to reduce the risk of inappropriate access to IT systems require significant improvement.”

“Disappointingly, IT security-related audit findings continue to be raised and again account for the majority of our audit findings. It is also disappointing that our recommendation for a whole-of-government disaster recovery framework has not been addressed since it was first made in 2012–13.”

“Of particular concern, in 2014–15, was the limited progress by entities in upgrading end-of-life systems. We found audit findings relating to IT systems approaching end-of-life or past their end-of-life at 53 per cent of our in-scope entities. The majority of these 34 end-of-life audit findings were related to key financial systems, including Oracle Financials. Findings also related to software on users' desktop computers, such as Windows XP.”

“Following the November 2014 change of government and subsequent January 2015 machinery-of-government changes, a project to review and implement a whole-of-Victorian-Government enterprise resource planning (ERP) system was suspended. As a result, the financial systems for many in-scope entities are either approaching end-of-life or are past their end-of-life.

Given the current situation and the time required to implement an ERP system, this issue is expected to remain unresolved for some time.

Cost of maintaining obsolete software

“As an interim measure, a number of public sector entities have entered into customised contractual arrangements with vendors for the support of obsolete IT software. These arrangements typically come at a significant cost and some vendors increase the cost over time as the use of the program declines globally.

“As an example, a one-year custom support arrangement for Microsoft Windows XP was renewed by a department in April 2015 at a cost of $A2.37 million.”

The report also highlights the need for a continued focus on remediating IT security weaknesses. “While compliance with the Victorian Government's Identity and Access Management (IDAM) Standard 03 – Strength of Authentication Mechanism v1.0 is mandatory for all departments and 11 audited agencies, our IT audits found a large number of issues related to password controls. Typical audit findings include:

• entities which have not updated their password policies and procedures to reflect the standard's requirements

• password settings implemented on in-scope systems did not comply with the standards.”

State government departments and central agencies were the major culprits when it came to weaknesses found in policies and procedures and retention of evidence.

The full report is available at http://www.audit.vic.gov.au/publications/20151007-Financial-Systems-IT/20151007-Financial-Systems-IT.pdf