SA agencies wasting money on legacy software

The South Australian Auditor General has identified a number of control deficiencies in its latest annual audit into the government’s IT systems and the status of selected IT projects.

The investigation identified 120 deficiencies across the 13 systems in use by 10 agencies evaluated during the audit. Of these, two issues were deemed high risk and 60 deemed medium risk.

According to the Auditor General's report, most of the control deficiencies identified in the 2019–20 ITGC reviews — representing 64% of total findings — related to the management of user access, passwords and audit logging.

The two high-risk deficiencies were related to segregation of duties conflicts and insufficient access to application source code respectively.

Other deficiencies identified include change and disaster recovery management processes, patch management and backup management processes.

The auditor has made recommendations including implementing and reviewing audit logging, developing and regularly reviewing formal disaster recovery plans and strengthening password management practices — complete with regular reviews of password setting policies.

Another area highlighted in the report is the challenge agencies are facing in maintaining legacy systems.

The audit found that it cost sampled agencies at least $20 million in additional vendor costs to maintain legacy systems.

There were 215 legacy applications in operation at the sampled agencies, with many of them over 10 years old.

Even more concerningly, only 59% of these systems were under vendor support arrangements, even though agencies considered many of them to be key business applications.

Of the full listings of operating systems and databases in use by the agencies, 1266 of the 5602 operating system instances and 219 of the 1928 databases were considered to be legacy.

Image credit: ©stock.adobe.com/au/reshoot