The Audit Office reported unresolved findings and recommended:

The Directorate partially resolved one audit finding by approving policies and procedures for establishing, removing and reviewing user access to Maze and performance of reviews of user access at the school level. However, these policies and procedures do not provide guidance on reviewing user access to Maze at the Directorate level and there was no evidence of such reviews being performed. This weakness presents a risk of unauthorised access to student and financial data, including sensitive student information.

• The Directorate has been unable to implement audit logs for the Maze application and data and there is no policy for monitoring the activity of users by the review of audit logs. This increases the risk that erroneous or fraudulent changes to the Maze application and data will not be promptly detected and rectified.

• The Directorate has advised that it will include guidance on review of user access at Directorate level in its procedures and ensure that these reviews are regularly performed.
• The Directorate has investigated options for audit logs and determined that Maze does not have the capability to produce system or data audit logs. The specifications for an upgrade to the Maze school administration system (the project is currently in a discovery phase) will include a requirement for audit trails and transactional log capability, it is not anticipated that this recommendation can be activated until full implementation of a new system in 2016. In addition, to minimise potential risks identified by the audit it should be noted that all financial transactions in Maze are locked and cannot be edited or deleted by the user. Each financial record is tagged with the Maze user account and the date and time the transaction occurred.

• In progress
• In progress

• Often no evidence that reviews of salary reports were being performed or performed in a timely manner. This increases the risk that incorrect or fraudulent employee payments will not be promptly detected and addressed.
• Sometimes no evidence of the satisfactory receipt of goods and services at schools prior to payments being made. While these payments were found to be properly related to the operations of the Directorate, there is a risk of payment errors, irregularities and fraud when payments can be made without clear evidence of the satisfactory receipt of goods and services marked on the payment documentation.

• The Directorate has amended its procedures to address these audit findings.
• The Directorate has amended its procedures to address these audit findings.

• Complete
• Complete

Directorates included in the audit were:

Chief Minister and Treasury, Commerce and Works; Economic Development; Health; Territory and Municipal Services and Education and Training.

The following recommendations were applicable to the Education and Training Directorate:

• The Commerce and Works Directorate's Shared Services Procurement and directorates should develop capital works service level agreements, or the equivalent, by 31 December 2014. These should specify reporting responsibilities.
• All Directorates should quality control information to be included in capital works reports to the Chief Minister and Treasury Directorate and the Budget Committee of Cabinet, and have documented quality control procedures.
• The Commerce and Works Directorate's Shared Services Procurement and directorates should develop capital works service level agreements, or the equivalent, by 31 December 2014. These should specify reporting responsibilities.
• All Directorates should quality control information to be included in capital works reports to the Chief Minister and Treasury Directorate and the Budget Committee of Cabinet, and have documented quality control procedures.

• Whole of Government response to this audit has not been tabled at the time of publication.