Audit reveals security shortcomings for key SA tax system

Long-term fixes unable to be put in place until an upgrade project is completed in December

An audit of a key tax revenue management system used by South Australia’s Department of Treasury and Finance has uncovered a range of serious problems, with long-term fixes unable to be put in place until an upgrade project is completed in December.

A new report from the South Australian Auditor-General says that scrutiny of the department’s RevenueSA Information Online system (RIO) revealed “deficiencies in application controls, change management, system monitoring and maintenance, system security design and user access management”.

“We were advised that although many of these control deficiencies were previously known, RevenueSA resources have been focused on addressing other key activities,” the report states.

Some of the problems with RIO were originally identified in a 2012-13 review of the system by the auditor-general.

The SAP-based RIO was originally intended to replace all of the functionality in the state’s legacy tax revenue management system. Although payroll tax, land tax and the state’s Emergency Services levy have shifted to RIO, implementation problems saw a plan to move stamp duties and other taxes to the new system dropped.

(The original budget for the RIO implementation project — RISTEC — blew out from $45.5 million to $55.8 million.)

Issues identified during the audit included a number of problems with security control design: insufficient formal processes to manage critical security access controls in the production environment, excessive access (“through the continuing use of generic accounts, unregulated user and role administration functions, and the ability to update key master data tables”), and poor configuration of default user accounts.

“Weaknesses in RIO system security design controls may result in the system being compromised which could lead to inappropriate modification of system settings, programs, data and master records,” the audit report warns.

Although the report notes that the department “has positively responded to all findings and recommendations” raised by the audit, in most cases it is unable to fully address the recommendations until a code freeze is applied to the system due to an ongoing upgrade project — which is expected to be completed in December.

“These RIO system control deficiencies could have a significant financial impact to the State by affecting revenues generated from specific taxes and levies,” the report states.

“Given the importance of this system to the State and the potential risks associated with these control deficiencies, prompt remediation of these matters is paramount,” it adds.
