Council exposed to cyber-attack risk: auditor
By Carmelo Amalfi
WHEN did you last change your computer password? At the City of Fremantle, it was November 1998.
According to a damning report by the Auditor General’s Office, the council’s IT and information systems (not to mention ratepayers) were exposed to unauthorised access and cyber-attack.
So serious are the failings that specific details of the audit were removed and provided in a separate confidential letter to the council.
“These additional details, if made public, could increase the risk of cyber-attacks,” the auditor found, having rated as ad hoc the management of IT risks and systems security.
Surprisingly, the auditor’s office wrote to the CEO on August 26 stating a copy of the letter had been sent to the Mayor and Minister for Local Government. It appears for the first time in the minutes of the November 10 meeting of council’s audit and risk management committee.
Why the three-month delay in addressing such a critical issue? The committee includes Adin Lang (chair), Hannah Fitzhardinge and Frank Mofflin. Mayor Brad Pettitt and Doug Thompson were absent.
Some of the council responses to the auditor’s recommendations also make interesting reading. The auditor identified 33 TechOne staff positions delegated to approve expenditures of up to $500,000 while the CEO had a TechOne delegation of $100 million. The 33 staff positions no longer exist but were still on the TechOne delegations when the auditor visited the books.
“The limit of $100 million was established for approval of the Kings Square Project contracts,” the council’s procurement team leader responded. $100 million? “To improve controls this position’s delegation value will be reduced to a more appropriate spending pattern of the Council approved tenders.”
The auditor also identified a significant risk to council’s ‘supplier masterfile’ where, “unauthorised changes may be made resulting in errors or funds being inappropriately transferred. Duplicated supplier accounts may increase the risk of duplicate payments due to error or fraud”.
It found 45 active suppliers have duplicated records and 15 instances where changes to the masterfile did not have evidence to support an independent review. Sixteen officers have access to change masterfile details. Council promised to review the access and “update security settings”.
The auditor noted a lack of any record of monthly fixed asset ‘reconciliations’ such as council rents and arrears from July 2019 to January this year. Council’s finance manager promised to review it.
Have the City’s assets returned any revenue to ratepayers since July last year? How much is the City (ratepayers) owed in arrears?
Serious questions arise over the financial governance and fiduciary duty of councillors and financial management by City staff.
However, council appears not to be in any hurry, the IT manager stating it will update and adopt its draft cyber security response plan in the 2021-2022 year.
Ratepayers can only hope councillors will discuss the auditor’s findings at the next full council meeting before their accounts are hacked.
The auditor’s findings are at www.fremantle.wa.gov.au/sites/default/files/Attachments%20-%20ARMC%20-%2010%20November%202020.pdf.