February 2008 report to the Legislative Assembly
Report to the Legislative Assembly; Reports; PublicationNT
Made available via the Publications (Legal Deposit) Act 2004 (NT).
Northern Territory. Auditor-General's Office -- Periodicals; Finance, Public -- Northern Territory -- Accounting -- Periodicals; Northern Territory -- Appropriations and expenditures -- Periodicals
Northern Territory Auditor-General's Office
Auditor-General for the Northern Territory February 2008 Report

Department of Health and Community Services cont.

Improvement in segregation of duties, including leveraging off the functionality of the newly implemented Ascribe system

The audit observed that there are areas for improvement in segregation of duties, including leveraging off the functionality of the newly implemented Ascribe system. Inspection of the Ascribe System User Report found that:

- 60 of the 73 active accounts had the ability to both order and receive goods;
- 51 of the 73 active system accounts had level 8 access to the stock module. This allows users to update the approved customer list used for requisitions, update drug file minimum stock levels and update supplier details; and
- 60 of 73 active accounts had a level of access that allowed them to authorise purchase orders.

It is acknowledged that the newer version of Ascribe (v9) provides greater system security and segregation of duties functionality.

A lack of segregation of duties increases the risk that individuals could process inappropriate or fraudulent transactions in Ascribe and result in a breach of regulatory requirements. If an excessive number of users have the ability to update master file type details, there is a risk that details could be inappropriately altered in the system.

The audit recommended to the agency that incompatible and sensitive functions within the Pharmacy department be identified, documented and appropriately addressed (e.g. compiling a segregation of duties matrix). Ascribe system access settings should be utilised to enforce these segregation of duties where possible. Where it is not practical to implement all segregation of duties controls at smaller sites, it is recommended that at least basic segregation of duties controls be implemented (including segregating ordering and receiving) and appropriate manual or IT compensating controls address the other main risks.
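The recommendation above, sketched as an added example that is not part of the audit report and does not use Ascribe's own report format: a segregation of duties matrix checked against a user access export, with the basic order/receive rule enforced at every site and other conflicts at small sites routed to a compensating control. The column names, function labels, site names and every matrix pair other than order/receive are assumptions, and the sample export is constructed.

```python
import csv
import io

# Constructed sample of a user access export; the column names and the
# function labels are assumptions, not the Ascribe report format.
SAMPLE_REPORT = """account,site,functions
pharm01,main,order;receive;authorise_po;stock_master
pharm02,main,order
store01,main,receive
tech07,remote,order;authorise_po
tech08,remote,order;receive
"""

# SoD matrix: function pairs one account should not hold together.
# Only order/receive is named on the page; the other pairs are assumed.
BASIC = frozenset({"order", "receive"})
MATRIX = [
    BASIC,
    frozenset({"order", "authorise_po"}),
    frozenset({"stock_master", "order"}),
]
SMALL_SITES = {"remote"}  # assumed: sites too small for full segregation


def review(report_text, matrix=MATRIX, small_sites=SMALL_SITES):
    """Return (account, conflicting pair, action) for every matrix breach."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        held = {f.strip() for f in row["functions"].split(";") if f.strip()}
        for pair in matrix:
            if not pair <= held:
                continue
            # Basic segregation applies everywhere; other conflicts at a
            # small site may stay if a compensating control is recorded.
            small_ok = pair != BASIC and row["site"] in small_sites
            action = "compensating control" if small_ok else "remove access"
            findings.append((row["account"], tuple(sorted(pair)), action))
    return findings


def master_file_holders(report_text, function="stock_master"):
    """Accounts able to change master file details, for a headcount check."""
    rows = csv.DictReader(io.StringIO(report_text))
    return sorted(r["account"] for r in rows if function in r["functions"].split(";"))


if __name__ == "__main__":
    print(review(SAMPLE_REPORT), master_file_holders(SAMPLE_REPORT))
```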