Date: 2023-04-12

John Ryan (Auditor-General). Credit: Supplied

The Auditor-General is calling for major improvements as soon as possible in ICT controls at some of NZ's former District Health Boards (DHBs).

Audits of the IT control environment in Bay of Plenty DHB's financial reporting and payroll systems as well as its applications had identified deficiencies over several years.

"Until these are resolved, we are not able to rely on IT controls for our audit," the Auditor-General wrote in a mid-March briefing to Parliament's Health Committee.

Deficiencies identified included a lack of appropriate monitoring processes for privileged accounts, the need to establish formal processes to manage and monitor segregation of duties, and improvements needed to password and authentication settings for both the financial reporting and payroll systems.

All 20 DHBs were disestablished as of 1 July 2022 and their functions transferred to Te Whatu Ora - Health NZ, which last September tapped Microsoft to help lift security in the sector.



"However, we also note that for some of the more serious deficiencies in the Oracle (financial reporting) systems and applications, responsibility for controls sits with, or is shared with, the Oracle service team, a shared service provider that is part of New Zealand Health Partnerships (NZHP)," the audit report said.

"We recommend that the committee follow up with Te Whatu Ora, which now also has ownership of NZHP, on what actions are being taken to address these issues."

In response, Te Whatu Ora told the committee the results of all such reviews were taken into account when setting the cyber security work programme and the level of cyber security risk faced determined how that programme was delivered.

"Consequently, there will be situations where identified weaknesses may continue to exist, in some form, for greater than a 12-month period – and hence may be repeat findings in subsequent audits," the agency said.

"That does not indicate that cyber security is being ignored or its importance underestimated. The cyber security work programme is comprehensive and is regularly monitored at local, regional and national levels."

The five repeat findings in the recent audit were a mix of issues within either the internal environment or the shared service environment.

All five of the repeat findings had been the subject of work programmes to improve them, and the auditors noted that improvements had been made while deficiencies were also ongoing.



The former DHB had worked with both NZ Health Partnerships and its sub-contracted auditor, Deloitte, to identify and understand the underlying issues giving rise to deficiencies found in the Oracle financial system and its delivery.

"NZ Health Partnerships has addressed aspects of their processes and, as has been noted by the auditors, some improvement in the shared service environment has resulted," Te Whatu Ora said.

"However, this remains an area of concern and will continue to be followed up with NZ Health Partnerships."

Improvements had occurred within the PSe payroll environment, which was locally administered. Privileged user accounts, such as system administration accounts, had been locked down to reduce the risk of inappropriate use.

Work to strengthen operational processes to complement technical improvements in areas such as password complexity was ongoing. These impacted all systems, not just financial.

Mitigations put in place locally for the issues included locking down privileged user accounts, hardening of password requirements and strengthening control over vendor privileged accounts.

At Southern DHB's annual review hearing last month similar criticisms were raised, with National MP and shadow leader of the house Michael Woodhouse challenging management over their lack of progress on security controls.

After issues were raised in the 2021 review, the Auditor-General repeated the criticisms in 2022 and called for major improvements at the earliest reasonable opportunity.

"Fourteen years after Southern DHB had the worst fraud in public sector history, we still have an internal control environment that by any measure is risky," Woodhouse said. "What confidence can we have that the words you gave us a year ago are being turned into actions?"

Nigel Trainor, the former DHB's CFO, said the region had also shifted to the new, shared Oracle finance, procurement and information system (FPIM).



"That national system has a set of its own internal controls that are strengthened," he said. "When I look at the internal controls around procurement, particularly, I believe they are very strong.

"We have an electronic system that routes—and it frustrates our staff, because it routes through a number of approval processes right up to, and is linked to, the delegation."

Every purchase order had to go through that process.

However, Trainor conceded the DHB had been weak on asset management.

"And you can see the history of that just through, you know, we’re now building a new hospital," he said. "If that asset management had have been stronger, would we be building another hospital?

"I don’t know the answer to that, but there is now a national programme to lift that asset management. So that’s one of the benefits of Te Whatu Ora, is that we come together, do that really well, and ensure that is strong."