C5 Auditor-General and Ombudsman Reports

Table C5.1: Implementation status of ACT Auditor-General reports

Nature of inquiry/report title	Recommendations/outcome of inquiry	Response to the outcome of inquiry
2012-13 Financial Audits Report number: 7/2013 Tabled: 16 December 2013	The Audit Office issued an unqualified audit report on the Directorate's 2012-13 Financial Report and an unqualified Report of Factual Findings on its 2012-13 Statement of Performance. The Audit Office reported unresolved findings and recommended the Directorate should: finalise and approve its information technology policies and have them reviewed on a regular basis; finalise and approve a change management policy and have this policy periodically reviewed; ensure that the change management policy includes: all key change management requirements relating to the MAZE system such as requirements for change scheduling, post-implementation review and reversing changes that did not operate as intended. The flowchart of the MAZE change management process and document outlining the MAZE change process roles and responsibilities could be included in this policy; and the purpose, scope, ownership, currency and approving authority of the policy; review all changes processed prior to the development of the policy and confirm that they are valid; document approved policies and procedures for establishing and removing users or their assigned roles and privileges; regularly review user access lists for MAZE; retain documentation of the review of access, including the name and position of the reviewing officer; develop and approve a formal policy for the review of audit logs for the MAZE system and data. This policy should address the scope of the audit logs, frequency of review and process for investigating and resolving discrepancies identified during the review; and implement regular reviews (e.g. monthly or quarterly) of audit logs for the MAZE system and data. The documentation supporting these reviews should include the name and position of the reviewing officer along with the date the review was performed. The review documentation should also include evidence that any errors or irregularities identified from the review have been investigated and resolved.	The Directorate responded as follows: Agreed and completed. Finalisation of the ICT policy aligns with the implementation of the new integrated student and teacher network SchoolsNET. Agreed and completed. The change management policy has been completed and a periodic review of the policy will be undertaken. Agreed and completed. The draft policy includes all key change management requirements. Partly agreed and completed. A sample of changes implemented prior to the development of the policy were reviewed. No invalid changes were found. Agreed and completed. Procedures for reviewing user access to MAZE has been developed and implemented and policy and procedures completed. Agreed and completed. A process for reviewing audit logs has been developed and implemented. Agreed and completed. The process for reviewing user access lists include the retention of review documentation. Review documentation includes the name and position of the reviewing officer and the date of the review, along with any irregularities identified and actions taken. Partially agreed and completed. A process for reviewing audit logs has been developed and implemented. The Directorate has investigated options for audit logs and determined that MAZE does not have the capability for logs. The specifications for an upgrade to MAZE will include a requirement for audit trails and transactional logs. It is not anticipated that this can be activated until full implantation of a new system in 2016. Agreed and completed. In addition to the above, to minimize potential risks it should be noted that the Directorate undertakes an annual audit of MAZE school census data, and all financial transactions in MAZE are locked and cannot be edited or deleted by the user. Each financial record is tagged with the MAZE user account and the date and time the transaction occurred.
Capital Works Reporting Tabled: 27 June 2014	The audit made eight recommendations to address the audit findings in this report. Directorates included in the audit were: Chief Minister and Treasury; Commerce and Works; Economic Development; Health; Territory and Municipal Services and Education and Training. The following recommendations were applicable to the Education and Training Directorate: The Commerce and Works Directorate's Shared Services Procurement and directorates should develop capital works service level agreements, or the equivalent, by 31 December 2014. These should specify reporting responsibilities. All Directorates should quality control information to be included in capital works reports to the Chief Minister and Treasury Directorate and the Budget Committee of Cabinet, and have documented quality control procedures.	The response to this audit has not yet been published.

Nature of inquiry/report title

Recommendations/outcome of inquiry

Response to the outcome of inquiry

2012-13 Financial Audits

Report number: 7/2013

Tabled: 16 December 2013

The Audit Office issued an unqualified audit report on the Directorate's 2012-13 Financial Report and an unqualified Report of Factual Findings on its 2012-13 Statement of Performance.

The Audit Office reported unresolved findings and recommended the Directorate should:

finalise and approve its information technology policies and have them reviewed on a regular basis;
finalise and approve a change management policy and have this policy periodically reviewed;
ensure that the change management policy includes:
- all key change management requirements relating to the MAZE system such as requirements for change scheduling, post-implementation review and reversing changes that did not operate as intended. The flowchart of the MAZE change management process and document outlining the MAZE change process roles and responsibilities could be included in this policy; and
- the purpose, scope, ownership, currency and approving authority of the policy;
review all changes processed prior to the development of the policy and confirm that they are valid;
document approved policies and procedures for establishing and removing users or their assigned roles and privileges;
regularly review user access lists for MAZE;
retain documentation of the review of access, including the name and position of the reviewing officer;
develop and approve a formal policy for the review of audit logs for the MAZE system and data. This policy should address the scope of the audit logs, frequency of review and process for investigating and resolving discrepancies identified during the review; and
implement regular reviews (e.g. monthly or quarterly) of audit logs for the MAZE system and data. The documentation supporting these reviews should include the name and position of the reviewing officer along with the date the review was performed. The review documentation should also include evidence that any errors or irregularities identified from the review have been investigated and resolved.

The Directorate responded as follows:

Agreed and completed. Finalisation of the ICT policy aligns with the implementation of the new integrated student and teacher network SchoolsNET.
Agreed and completed. The change management policy has been completed and a periodic review of the policy will be undertaken.
Agreed and completed. The draft policy includes all key change management requirements.
Partly agreed and completed. A sample of changes implemented prior to the development of the policy were reviewed. No invalid changes were found.
Agreed and completed. Procedures for reviewing user access to MAZE has been developed and implemented and policy and procedures completed.
Agreed and completed. A process for reviewing audit logs has been developed and implemented.
Agreed and completed. The process for reviewing user access lists include the retention of review documentation. Review documentation includes the name and position of the reviewing officer and the date of the review, along with any irregularities identified and actions taken.
Partially agreed and completed. A process for reviewing audit logs has been developed and implemented. The Directorate has investigated options for audit logs and determined that MAZE does not have the capability for logs. The specifications for an upgrade to MAZE will include a requirement for audit trails and transactional logs. It is not anticipated that this can be activated until full implantation of a new system in 2016.
Agreed and completed. In addition to the above, to minimize potential risks it should be noted that the Directorate undertakes an annual audit of MAZE school census data, and all financial transactions in MAZE are locked and cannot be edited or deleted by the user. Each financial record is tagged with the MAZE user account and the date and time the transaction occurred.

Capital Works Reporting

Tabled: 27 June 2014

The audit made eight recommendations to address the audit findings in this report. Directorates included in the audit were:

Chief Minister and Treasury; Commerce and Works; Economic Development; Health; Territory and Municipal Services and Education and Training.

The following recommendations were applicable to the Education and Training Directorate:

The Commerce and Works Directorate's Shared Services Procurement and directorates should develop capital works service level agreements, or the equivalent, by 31 December 2014. These should specify reporting responsibilities.
All Directorates should quality control information to be included in capital works reports to the Chief Minister and Treasury Directorate and the Budget Committee of Cabinet, and have documented quality control procedures.

The response to this audit has not yet been published.

For further information contact:
Director
Governance and Assurance
(02) 6205 9329

Schooling

Early Childhood

Public School Life

Support for Students and Families

Our Priorities

Working with Us

About Us

C5 Auditor-General and Ombudsman Reports