Ex-NIS workers still had password access

The Auditor General has uncovered cases of people who were no longer employed by the multi-billion dollar National Insurance Scheme (NIS) but whose access to the NIS’ computer system had not been deactivated.

In a follow-up audit of the NIS, Auditor General Leigh Trotman also found cases where the same persons who processed some NIS benefits were also approving the same benefits.

In his annual audit of government departments and state-owned entities, the Auditor General said the NIS was responsible for the management of a massive portfolio valued at over $4 billion.

These funds included the main NIS Fund, the Unemployment, Severance, Catastrophe, Sugar Workers and Retraining Funds. Trotman zeroed in on the NIS computer system called SAP, and the security controls of the computer system.

His office identified several areas of concern, which opened the door for errors and fraud.

Describing the SAP computer system as being “at the core” of management of the NIS portfolios, the Auditor General said access to SAP by former employees had not been deactivated.

“This contravened cybersecurity best practices and potentially exposed the entity to security breaches,” he said.

The audit also turned up inconsistent enforcement of password rules. He advised the NIS that “changing passwords regularly would limit access gained by any unauthorised users and lessens the vulnerability to data leaks”.

The NIS was also advised to take a serious look at its computer system for its level of efficiency as well as the level of internal controls after the Auditor General discovered worrying aspects in its audit of the social security scheme.

Trotman wrote in his latest report: “Instances were identified where benefits transactions were processed and approved by the same individual. After officers process transactions, senior personnel should review and authorise them to provide oversight and identify errors. Security should therefore be configured to support separation of functions and reduce the probability of error or fraud.”

In response, the NIS said the issue was identified and communicated to the Information Technology (IT) section and the necessary changes were made. The NIS said the IT section would continue to monitor this internal control. (IMC1)
