Held to account
Auditor general Jane MacAdam blunt in assessments of AAS, cybersecurity practices
The release of auditor general Jane MacAdam’s latest report, a key document for political watchers in P.E.I., came on the same day the Island’s first positive case of the coronavirus was announced.
At any other time, the yearly report from MacAdam would have been a headline news story in P.E.I. But MacAdam, who will be retiring this year after serving as auditor general since 2013, says she is not concerned the findings of her latest audit will be overshadowed by the pandemic.
“We will be following up to find out if those recommendations have been implemented. So, it's not like they're going to be fully dropped," MacAdam said of the timing of the report’s release.
"Government should be held accountable for the use of financial resources."
This year’s report includes detailed audits of the AccessAbility Supports (AAS) program, which provides financial assistance for individuals with a mental, physical, intellectual, neurological or sensory disability. The report also details audits of government information technology security practices and Health P.E.I.’s Laboratory Services.
The 2020 report begins its assessment of the AccessAbility Supports Program by bluntly stating the program’s implementation was “not well managed”.
The audit found the AAS program was implemented before policies were approved. An electronic case management system, known as ISM, was also not updated to incorporate a capability assessment tool, leading to some individuals not receiving the proper benefits.
The AAS program was announced in the summer of 2018 by the previous Liberal government. The scope for benefits was expanded in 2018, making P.E.I. the last province in Canada to offer disability supports to individuals with mental illness.
The program was a replacement of the Disability Support Program and is currently overseen by the Department of Social Development and Housing.
A key component of the program was a new capability assessment tool. The tool was intended to provide the appropriate support based on how a disability might affect an individual’s daily life.
But MacAdam’s audit found that, 18 months after the program was implemented, not all individuals who had received support under the old program had been reassessed using this critical assessment tool.
Management was unable to even provide auditors with the number of people who have yet to be assessed under the new AAS program.
“That was concerning,” MacAdam told The Guardian.
“It’s just the way the data is organized and the information that’s available. They couldn’t easily come up with the numbers.”
Other accounting irregularities were noted. In a sample of 30 individual cases, auditors found that 20 per cent, or six cases, had no documentation on file to support some payments to individuals.
The report’s examination of cybersecurity practices also determined key information technology access controls were lacking. The audit was focused on practices of employees in the Department of Social Development and Housing.
The report found there was a lack of compliance with IT security policies and that assessment of compliance with these policies was not done regularly.
“Lack of compliance with security and control requirements introduces significant risk to government information assets and information systems,” the report states.
The findings of the auditor general report were released weeks after provincial IT staff admitted to a data breach of confidential information involving more than 300 individuals. The province has said the breach followed a ransomware attack.
The audit examined password controls, control of generic user accounts, monitoring of privileged accounts and security administration.
The audit of Health P.E.I. laboratory services found the department has effective processes in place for analyzing surgical specimens and returning results in a timely manner. But the audit also found 28 of 30 pathology reports examined were distributed through regular mail, despite the availability of encrypted email accounts for staff.
“Mailing of reports is inefficient and increases the risk of misplacement and mix-up,” the report said.
The report also examined the status of recommendations from 2016 and 2017. As of Oct. 31, 2019, 64 per cent of recommendations from 2016 had been implemented while only 43 per cent of 2017 recommendations had been implemented.
Most of the outstanding 2016 recommendations related to the Maintenance Enforcement Program and to Health P.E.I.’s payments to private nursing homes, while most of the outstanding 2017 recommendations related to the Office of the Public Trustee and the Seniors Housing Program.
Several of these departments have indicated that their inability to implement the recommendations is due to IT system limitations. Management with the Maintenance Enforcement Program, which administers child support payments, have said an out-of-date case management software has kept them from implementing the four-year old recommendations.
MacAdam did not believe these system upgrades were an excuse for the slow pace of implementation.
“These recommendations for improvement are pretty basic,” MacAdam said.
“The fact that it’s taking so long to do that is concerning because these are basic internal controls.”