A report from Western Australia’s Auditor-General has found that some former staff at state entities still had access to IT systems and equipment despite their employment being terminated.
The finding was made as part of the Office of the Auditor-General’s (OAG) probe into staff exit controls in place at three state government agencies. The audit [PDF] assessed if the Department of Planning, Lands and Heritage (DPLH), the Department of Finance, and the Department of Local Government, Sport and Cultural Industries (DLGSC) effectively and efficiently managed the exit of staff to minimise security, asset, and financial risks.
The audit covered the period 1 July 2019 to 31 December 2020 with a sample of 30 staff from DLGSC, 27 from DPLH, and 26 from Finance, including consultants and third-party contractors, that left during that period.
While the report found all entities cancelled exiting staff’s IT system access, it was not always done immediately. According to the report, it took between two and 161 days to deactivate or withdraw access to information systems after staff left the entity.
At Finance, OAG said it took between six and 161 days to cancel access to IT systems after the last day of employment. The 161-day case, however, related to a secondment arrangement under which the former employee continued undertaking work on behalf of the entity.
Setting that case aside, Finance took, on average, seven days to cancel IT systems access, despite its security management framework noting that IT access for terminated staff is meant to be disabled on the last day of employment.
DPLH does not record specific dates when IT access is cancelled, but where system log information was available, OAG found late cancellations ranging from one to 124 days after the individual had left.
Similarly, the OAG said DLGSC did not have sufficient information to determine when access to IT systems was cancelled for all 30 people in its audit sample.
“System logs showing the dates of when this occurred were not recorded. In the absence of this information, we checked whether any of the individuals had accessed the IT systems and found that 29 did not access the system after they left,” the report said.
“One person had accessed the system four days after their exit date.”
The report also found that DPLH and DLGSC both lacked adequate information to show that office access passes were returned or deactivated for 72% of the sampled former staff. OAG said staff at DLGSC were charged a AU$12 fee for any changes to the status of passes from the private operator that managed the building and were therefore disincentivised to undertake the process.
All access passes were cancelled or deactivated after staff left Finance; however, for five of the 26 people in the sample, OAG said the cancellation of passes was not timely. For four of them, OAG said it took between six and 44 days. The individual on secondment retained physical building access for the 116 days during which they also continued to have systems access.
Also under scrutiny was the asset returns process at the three entities, with OAG finding none had a complete and easily accessible record of all assets, including IT equipment, provided to staff.
The report said OAG was unable to verify whether all IT assets had been returned to DPLH because there were insufficient records of what was issued to the 27 people in its sample. It said 15 staff had left with no evidence of laptop return. Only two of the 27 people were known to have had a phone issued, with evidence proving only one had been returned.
At DLGSC, the OAG found laptop-return records for only six of the 30 exited staff in its sample, while Finance demonstrated that 19 of the 26 staff in its sample returned their IT equipment.
To minimise the risk of unauthorised access to premises when staff leave, OAG recommended entities maintain an accurate register of all access passes including returns and cancellation/deactivation, conduct regular audits of all active passes, and ensure all access passes are returned when staff leave.
The OAG has also requested that the entities ensure access to IT systems is removed or disabled immediately when staff leave, clearly record when the removal of IT system access occurred, and maintain a register of all assets issued to staff at commencement and during employment, and of what is returned at exit.
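The measurement the auditors describe (days from the last day of employment to account deactivation, plus any logins after the exit date) and the recommendation to record when removal occurred can both be reconciled from an HR exit register and an identity log. The following Python script is an added example, not code from the article or from the OAG report: the HR records, log lines, usernames and the `account_disabled`/`login` action names are constructed for illustration, and the optional `approved_until` mapping is an assumed way to model the secondment case so that an authorised continuation is not flagged as a late cancellation.

```python
"""Reconcile an HR exit register against identity/access logs to measure
deprovisioning lag and detect post-exit logins.

All data below is constructed for illustration; it is not from the OAG audit.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR exit register: username -> last day of employment
HR_EXITS: Dict[str, date] = {
    "alice": date(2020, 3, 31),
    "bob": date(2020, 6, 30),
    "carol": date(2020, 9, 15),
    "dave": date(2020, 11, 2),
}

# Constructed identity log, one event per line: "timestamp,user,action"
ACCESS_LOG = """\
2020-03-31T17:05:00,alice,account_disabled
2020-07-03T08:41:00,bob,login
2020-07-07T09:12:00,bob,account_disabled
2020-09-19T10:00:00,carol,login
2020-09-20T11:30:00,carol,account_disabled
2020-11-02T09:00:00,dave,login
"""


@dataclass
class ExitFinding:
    user: str
    exit_date: date                      # effective last day (HR date or approved extension)
    disabled_on: Optional[date] = None   # earliest recorded account_disabled event
    lag_days: Optional[int] = None       # disabled_on - exit_date; None if never disabled
    post_exit_logins: List[datetime] = field(default_factory=list)
    issues: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the constructed CSV-style log into (timestamp, user, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), user, action))
    return events


def audit_exits(hr_exits: Dict[str, date], log_text: str, sla_days: int = 0,
                approved_until: Optional[Dict[str, date]] = None) -> Dict[str, ExitFinding]:
    """For every exited user, compute deactivation lag against the SLA and list
    logins after the effective exit date. approved_until (assumed field) extends
    the effective exit date for authorised arrangements such as a secondment."""
    approved_until = approved_until or {}
    events = parse_log(log_text)
    findings: Dict[str, ExitFinding] = {}
    for user, hr_date in hr_exits.items():
        effective_exit = max(hr_date, approved_until.get(user, hr_date))
        f = ExitFinding(user=user, exit_date=effective_exit)
        for ts, u, action in events:
            if u != user:
                continue
            if action == "account_disabled":
                if f.disabled_on is None or ts.date() < f.disabled_on:
                    f.disabled_on = ts.date()
            elif action == "login" and ts.date() > effective_exit:
                f.post_exit_logins.append(ts)
        if f.disabled_on is None:
            # Exactly the gap the audit hit at DPLH/DLGSC: no evidence of when access was removed
            f.issues.append("no disable record")
        else:
            f.lag_days = (f.disabled_on - effective_exit).days
            if f.lag_days > sla_days:
                f.issues.append(f"disabled {f.lag_days} days after exit (SLA {sla_days})")
        if f.post_exit_logins:
            f.issues.append(f"{len(f.post_exit_logins)} login(s) after exit")
        findings[user] = f
    return findings


def lag_range(findings: Dict[str, ExitFinding]) -> Optional[Tuple[int, int]]:
    """Min/max deactivation lag across users with a disable record, as the report quotes it."""
    lags = [f.lag_days for f in findings.values() if f.lag_days is not None]
    return (min(lags), max(lags)) if lags else None


if __name__ == "__main__":
    results = audit_exits(HR_EXITS, ACCESS_LOG)
    for name, finding in results.items():
        status = "; ".join(finding.issues) or "ok"
        print(f"{name:6} exit={finding.exit_date} disabled={finding.disabled_on} -> {status}")
    print("lag range (days):", lag_range(results))
```

Run against a real directory, the `account_disabled` events would come from the identity provider's audit trail and the `login` events from authentication logs; the value of the check is that it reports both the lag the auditors measured and the cases where no disable record exists at all, which is the evidence gap two of the three entities could not close.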
In addition, entities have been asked to minimise the risk of financial loss from overpayments to terminated employees, better manage the risks with different circumstances of employment termination, and improve communication between business functions responsible for staff exits.