Victoria ‘well short’ on performance management, ICT security

Victoria’s public sector is failing to adequately measure performance and leaving the public in the dark on the government’s objectives, a damning assessment from the state’s Auditor-General has found. And he warns government technology systems are not as secure as they should be.

John Doyle’s report — Public Sector Performance Measurement and Reporting — finds the Department of Premier and Cabinet, the Department of Health and the Department of Transport, Planning and Local Infrastructure are “not effectively applying the performance measurement and reporting system” and are falling “well short of providing the information needed to understand departments’ effectiveness and efficiency in delivering outputs and intended outcomes for the community”.

And Doyle says key documents from the government like budget papers and annual reports are “impenetrable to the reader” and fall “well short of providing the information needed to understand departments’ effectiveness and efficiency in delivering outputs and intended outcomes for the community”.

The report was tabled in Parliament today. Doyle said in a statement:

“The departments we examined are not effectively measuring and reporting their performance as government intended and this means that weaknesses, repeatedly raised over the past 13 years through VAGO [the Victorian Auditor-General’s Office] audits and other reviews, remain unresolved.

“Being transparent and accountable are not optional extras under our system of government and are undermined if departments do not accurately and clearly communicate their performance. Parliament and Victorians deserve no less.”

Victoria’s performance management framework was expanded in 2011 to capture both output and the impact of outputs on the community. It also enforced medium- and long-term planning to anticipate and prepare for future performance challenges.

But progress on meeting the framework “has been slow”, Doyle said:

“The latest draft plans for the three departments examined fall well short of the government’s minimum requirements and the rate of progress does not suggest that agencies are close to addressing this.”

He says the output measures “rarely provide sufficient information to understand the effectiveness and efficiency of output delivery”. There are weaknesses in “defining objectives and linking them to outputs, meaning they are not sufficient to measure and report on outcomes”. And “the absence of meaningful commentary on output metrics that are included means these documents are of minimal value in explaining performance”.

Oversight from the Department of Treasury and Finance of the performance measurement and reporting system “has been partly effective”. But:

“DTF needs to improve the quality and depth of its guidance material, the rigour of its reviews and clarity of its reporting. But above all it needs to identify and address the persistent barriers that are hampering progress, and to work with departments to overcome these. These barriers include constraints imposed by the current reporting structure and insufficient detailed guidance about how to apply government’s requirements.”

Doyle has ordered the departments to design a system that “fully meets the government’s requirements”. Plans for 2015-16 must be delivered “fit for purpose, by identifying deficiencies in current plans and agreeing how to overcome the barriers to addressing these”. He wants departments to work together to:

  • Understand the barriers that hinder departments from fully applying the government’s performance measurement and reporting system;
  • Assess the options for overcoming these barriers including whether performance against outcomes should complement and be reported separately from budget papers, annual reports and corporate plans; and
  • Agree and apply a strategy to transition departments to a performance measurement and reporting system that meets government’s requirements.

“My recommendations are designed to build on the momentum of the government’s reforms and help departments break the impasse that has prevented significant improvement.”

ICT systems need ‘urgent attention’

Meanwhile, the Auditor-General’s report into government technology systems — Information and Communications Technology Controls Report 2013–14 — says security controls are inadequate and disaster recovery planning requires “urgent attention”.

And he reports the government has failed to adopt some 45% of the recommendations from previous audits. Doyle said agencies are addressing low-risk ICT audit findings at a better rate than medium-risk and high-risk findings, but they must “accelerate” work to resolve deficiencies and improve underlying processes:

“This may be correlated with the degree of effort that is required in driving appropriate actions, but also raises questions about how audit recommendations are prioritised, tracked and monitored by management and key governance bodies such as audit committees. Consequently, I will be closely monitoring agencies’ progress in the implementation of audit recommendations in future iterations of this ICT controls report.”

Inadequate management of ICT security accounts for the largest proportion of the ICT audit findings. Software patch management and ICT disaster recovery planning are also areas which require “urgent attention”, along with the management of service organisation assurance activities.

Doyle also had a warning for departments outsourcing ICT functions and adopting cloud-based services:

“While there may be many potential benefits from these services, the risks associated with such an approach need to be understood and actively managed by entities that are taking up such arrangements.”

Doyle offered seven new recommendations on ICT:

  1. Enforce information and communication technology security policies and procedures, including improving user access management, authentication controls and patch management processes;
  2. Develop and implement appropriate policy and guidance on assurance activities surrounding outsourced information and communication technology arrangements;
  3. Enhance their understanding of the Assurance or Auditing Standards requirements for service assurance reports, ensure that reports received are fit for purpose and provide an accurate reflection of the control environment;
  4. Implement actions to address control weaknesses in outsourced information and communication technology arrangements;
  5. Implement sustainable process improvements to prevent re-occurring audit findings;
  6. Through audit committees, implement appropriate monitoring mechanisms to ensure audit findings are addressed by management; and
  7. Develop appropriate information and communication technology disaster recovery capabilities, involving information and communication technology service providers as necessary.

Author Bio

Jason Whittaker

Jason Whittaker is managing editor of The Mandarin based in Melbourne. He has written for and edited political, business and culture publications for a decade. He spent two years as editor of sister Private Media publication Crikey.