25 April 2020

Corruption

The Western Australia Corruption and Crime Commission's Report into misconduct risks with access to confidential information in the Office of the Auditor General comments:
The Auditor General is an independent officer of Parliament and the Auditor General Act 2006 gives the Auditor General independence in decision-making. The Office of the Auditor General (OAG) is a major integrity agency. In carrying out its functions, necessarily the OAG must examine material within public authorities that is confidential and sensitive. For this reason, officers of the OAG are required to keep material they uncover during the course of their work as auditors confidential on pain of penalty. 
On 27 February 2019, as required by law, OAG notified allegations of serious misconduct to the Commission. The misconduct risk in relation to data and information is one of the Commission's strategic themes informing its decisions on possible investigations. In view of the potential misconduct risk in the exposure of confidential information, the Commission commenced an investigation code named Operation Phoenix. 
Although OAG had conducted a preliminary investigation, the seriousness of the allegations was best suited to a Commission investigation which could utilise digital forensic expertise and hold private examinations.
The outcome is startling. Two auditors, each a certified practising accountant (CPA), had routinely accessed confidential information about other OAG officers, including payroll details and other private and confidential information.
They were able to access confidential information within OAG because it was not properly protected. Once an officer in OAG logged on using a password, that officer had access to all of the OAG systems, including access to TRIM, a record management system. Each primary file on TRIM had its own access controls set by OAG staff. The primary file was a dataset in that it contained numerous individual documents relating to that subject. If the officer's staff profile had access to a particular file, that access allowed the officer not only to browse or read the documents contained within that file, but to download the document or migrate it to a private device. 
In its response to a draft of this report, OAG detailed the security requirements and the defect that enabled the breach:
OAG's systems and datasets have additional security requirements on a role-based or need-to-access basis. The payroll system and the finance system for example have strong access controls that limit access only to specifically identified staff. These are not open to all staff. Audit files are only accessible by audit staff in the relevant division, with sensitive audit files having restrictive access to only the relevant audit team. Some (but not all) sensitive/confidential files in TRIM had lost their tight security when new versions were created and the new files did not inherit the access restrictions of the parent folder. This was subsequently addressed with enduring monitoring controls in place.
The officers' conduct described in this report demonstrates that information on the systems such as payroll reports and credit card statements was open to all staff, albeit due to inadequate access controls on TRIM.
In most organisations, an officer is given access only to those matters required for their role. Access to payroll and personal details of staff is generally confined to members of human resources and finance teams. 
The potential for others to acquire this information is a serious misconduct risk. It can be used for personal gain. It can be sold to criminals. 
In the course of Operation Phoenix, the Commission uncovered a further misconduct risk. 
Auditors from OAG working in teams routinely make site visits to public authorities to conduct audits. 
Security of data provided by the public authority for the purpose of an audit is controlled by use of an encrypted USB flash drive, known as an IronKey. The IronKey is used with a laptop computer provided to each auditor by OAG. 
OAG's policies require information received on an IronKey to be deleted after it is uploaded to the OAG audit program. OAG provides periodic reminders regarding the obligation for staff when information is particularly sensitive. However, if these policies are not followed, information may remain on a laptop for years, able to be copied and shared. 
OAG, in its response to this paragraph said:
OAG has a policy that requires that information received from client agencies is deleted from the IronKey after it is loaded into the OAG's protected audit workpaper system. Further, for the audit in question the Assistant Auditor General gave written instructions to all auditors, reminding them of this and other security requirements around data handling. This was supplemented by verbal advice. The officer in question was one of those given these reminder instructions ... We have also undertaken periodic checks that staff do not retain copies of audited entity information on their laptops and IronKeys
Clearly, whatever policies and instructions were in place did not work. This remains a serious misconduct risk.
An auditor obtained and retained access to the names and addresses of every serving police officer in WA, some years after completing an audit of the WA Police Force. The names of 8,800 officers, employees and contractors were stored on a spreadsheet on a laptop computer. OAG was unaware until the laptop was forensically examined as part of Operation Phoenix. There is no evidence the police data was shared with others. However, the misconduct risk is obvious. The information was less than five years old. Its value to criminal elements could be immense. 
OAG has independence of action and is responsible for auditing the finances and actions of all departments of government, State and local. It should be trusted to keep information confidential. The misconduct risk exposed in this report shows, unless OAG has taken action to tighten its controls, that trust may be misplaced. 
OAG, in its response said 'OAG took remedial action immediately following the incident. It is of high priority to the Office that audited entities can place trust in the OAG. Strong information security and continuous improvement is of utmost importance to the OAG'.
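As an added illustration, not text or code from the report or from OAG and not TRIM's actual data model, the following Python sketch models the defect OAG describes above: a new version of a restricted primary file created without inheriting the parent folder's access restrictions, beside the inheriting behaviour and a monitoring check of the kind OAG says it put in place. Folder names, roles and the 'all_staff' default are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed default for a record created with no explicit restrictions: open to all staff.
OPEN_TO_ALL = frozenset({"all_staff"})
Document = namedtuple("Document", "title version allowed_roles")

@dataclass
class RecordStore:
    folder_acl: dict = field(default_factory=dict)  # folder -> roles allowed on the primary file
    documents: dict = field(default_factory=dict)   # folder -> list of Document versions

    def add_folder(self, folder, roles):
        self.folder_acl[folder] = frozenset(roles)
        self.documents[folder] = []

    def _next_version(self, folder, title):
        return 1 + sum(1 for d in self.documents[folder] if d.title == title)

    def new_version_defective(self, folder, title):
        """Defect: the new version gets the store default, not the parent's restrictions."""
        doc = Document(title, self._next_version(folder, title), OPEN_TO_ALL)
        self.documents[folder].append(doc)
        return doc

    def new_version_inheriting(self, folder, title):
        """Fix: the new version inherits the parent folder's access restrictions."""
        doc = Document(title, self._next_version(folder, title), self.folder_acl[folder])
        self.documents[folder].append(doc)
        return doc

    def audit_inheritance(self):
        """Monitoring control: versions readable by roles the parent folder forbids."""
        findings = []
        for folder, roles in self.folder_acl.items():
            for doc in self.documents[folder]:
                leaked = doc.allowed_roles - roles
                if leaked:
                    findings.append((folder, doc.title, doc.version, sorted(leaked)))
        return findings

def can_read(role, doc):
    return "all_staff" in doc.allowed_roles or role in doc.allowed_roles

def demo():
    # Constructed scenario: v1 of a payroll report is protected, v2 silently is not.
    store = RecordStore()
    store.add_folder("payroll", {"hr", "finance"})
    store.new_version_inheriting("payroll", "March payroll report")
    store.new_version_defective("payroll", "March payroll report")
    return store
```

Running `demo().audit_inheritance()` flags only version 2, which is the drift a periodic check would surface before an officer outside HR or finance happened upon it.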