2016 Report - Volume 1: Backgrounder for News Release June 7, 2016

Health and Safety

Ministry of Justice – Leading the Building Partnerships to Reduce Crime Initiative (Chapter 10)

Provincial Auditor Judy Ferguson reports that the Ministry of Justice (Ministry) is not doing enough to effectively lead the Building Partnerships to Reduce Crime (Building Partnerships) initiative – a community safety-focused initiative. Through coordinated efforts of local policing, health, education, and human service agencies, this initiative targets and attempts to mitigate the root cause of crime. At February 2016, agencies in 12 different communities have agreed to participate. Ferguson reports that the Ministry needs to clarify the roles of participating agencies and give them more support (e.g., training and networking). This will help ensure they are appropriately engaged and understand their role in the initiative. Also, actively supporting participating agencies will help to achieve the initiative’s overall objective of proactively mitigating risks to individuals, families, and the community.

Saskatchewan Cancer Agency – Delivering the Screening Program for Breast Cancer (Chapter 14)

Breast cancer is the most common form of cancer and the second leading cause of death in Canadian women. Participation in Saskatchewan’s systematic population-based Screening Program for breast cancer is dropping. Provincial Auditor Judy Ferguson found the Saskatchewan Cancer Agency (SCA) was doing a good job delivering screening, but needs to do more to make sure the Program is successful. SCA needs to assess whether its promotion activities sufficiently educate the public about its Screening Program and the importance of early detection of breast cancer. SCA had limited interactions with physicians about its Program; it needs to better engage them in encouraging participation of their patients in the Screening Program. Increasing Program participation may provide a more cost-effective approach in that the cost per test outside of the Program is $201 as compared to $99 in the Program.

Saskatchewan Government Insurance – Confirming Only Qualified Drivers Remain Licensed (Chapter 15)

At December 2015, approximately 790,000 people had Saskatchewan driver’s licences. Saskatchewan Government Insurance (SGI) is responsible for issuing driver’s licences to those who are eligible and confirming that only qualified drivers remain licensed to operate motor vehicles. Provincial Auditor Judy Ferguson reports that SGI did a good job of making sure only qualified drivers remain licensed citing a few areas needing improvement.

She notes that SGI needs to provide staff with expected timeframes for entering driver information into the computer system used to administer driver’s licenses. Also, it needs to enter all out-of-province traffic offenses using similar timeframes as traffic offences that occur in Saskatchewan, instead of as-time-permits. Having up-to-date driver records is key to SGI protecting the public from poor or unfit drivers.
 

Protecting Children in Care

Ministry of Social Services – Protection of Children Follow up (Chapter 33)

Provincial Auditor Judy Ferguson notes that while the Ministry of Social Services (Ministry) continues to work on improving compliance with key child protection standards­, compliance remains low in a number of key areas. The Ministry has implemented two of five recommendations from previous audits related to the protection of children in care. It has recently decided to take a new approach. The Ministry and First Nation agencies with children in care have agreed to increase compliance rates by stated percentages each year until they achieve a compliance rate of 85% for key child protection standards. Following child protection standards helps to ensure that children are safe and accounted for.


Increasing Percentage of Grade 3 Reading Levels

North East School Division No. 200 – Increasing Grade 3 Students Reading at Grade Level (Chapter 11)

Grade 3 students who do not make the transition to comprehending what they read can fall behind, affecting their future success. At June 2015, 66% of North East School Division No. 200’s (North East) Grade 3 students were reading at or above grade level, compared to 73% provincially. The education sector has a goal of 80% of Grade 3 students reading at grade level by 2020.

Provincial Auditor Judy Ferguson recognizes that North East is doing many positive things to increase reading levels and notes a few areas for improvement.

North East assesses the reading level of individual grade 3 students at least five times in a school year using four tools. North East needs to periodically evaluate these tools. Periodic assessment would help it determine whether teachers receive key information to help them increase individual student reading levels, and whether the frequency of assessments make sense.

Also, North East needs to work with other school divisions to develop guidelines for when it is appropriate to exempt a child from a reading assessment. Clear guidance would help school divisions make consistent decisions on exempting students from provincially-directed assessments.
 

Keeping Government IT Systems and Data Secure

About one-third of organizations self-reported that they had experienced one or more IT security breaches in a 2014 SANS security survey – the Government is not immune to threats of security breaches. The Government relies extensively on IT systems to deliver its services and collects significant amounts of confidential and sensitive personal information. Provincial Auditor Judy Ferguson examined three areas of IT security; she reports that government agencies must continue efforts to keep their IT systems and data secure.

Ministry of Central Services – Data Centre Security (Chapter 5)

Central Services is responsible for providing a secure data centre to house IT applications and data for its clients. Its clients include 15 ministries and 10 agencies. For data centres, a security weakness involving one or more clients may pose a risk to all applications and data within the data centre.

Provincial Auditor Judy Ferguson noted that during 2015, Central Services made some improvements in data centre security. It introduced a new information security policy, used more secure methods to access systems and data, and gave its clients relevant and timely security reports to facilitate their decisions about the adequacy of security of their IT applications and data.

However, more work remains on recommendations made three to nine years ago. At December 2015, Central Services was still working on properly configuring and updating its server and network equipment to protect them from security threats. It continued to collect information about the sensitivity of client data to inform decisions on network configuration. Not all updates for known vulnerabilities were done. Many of its clients continued to use old applications that no longer received security updates. Each of these issues increases the risk of security breaches. Also, Central Services did not have a complete and tested disaster recovery plan for the data centre.

Ministry of Central Services – Web Application Security Requirements (Chapter 6)

Provincial Auditor Judy Ferguson found the Ministry of Central Services did not have sufficiently robust security procedures and guidelines to help ensure ministry web applications are appropriately designed and kept secure, as its policy expects. Also, after web applications were put into use, routine analysis of web application vulnerabilities was not required to identify new or evolving security weaknesses.

Central Services is responsible for setting IT security policies and standards for most ministries. It also develops and operates many ministry web applications.

Provincial Auditor Judy Ferguson reports her Office’s testing of 18 ministry web applications found most of the 18 applications were not sufficiently secure. Weaknesses were found in both newer (e.g., 2013) and older (e.g., 2000) websites. Central Services needs to develop and maintain procedures and guidelines that will support the development and operation of secure web applications. Central Services also needs to work with the ministries to promptly identify and address identified higher-risk vulnerabilities.

Because web applications are accessible to the public, insufficiently secure web applications may allow attackers to access or corrupt confidential government information or interrupt government services.

Ministry of Social Services – Protection of Children-in-Care Information in Linkin (Chapter 17)

Provincial Auditor Judy Ferguson reports that the Ministry of Social Services (Ministry) needs to do a better job of keeping sensitive and personal information in its relatively new case management IT system (Linkin) secure. The Ministry uses Linkin to help caseworkers provide services to children in care and their families.

While it did a good job of building security features into the design of Linkin, it must keep Linkin sufficiently secure. The Ministry was not removing unneeded user access to Linkin promptly. Updates for known systems weaknesses were done annually instead of quarterly. At December 2015, the Ministry was not aware that the database upon which Linkin operates stopped receiving security updates from its vendor in August 2015. These increase Linkin’s susceptibility to breaches.


Monitoring the Fuel Tax Exemption Program

Ministry of Finance – Monitoring the Fuel Tax Exemption Program (Chapter 8)

Since 1987, farmers, primary producers, and consumers of heating fuel can purchase certain fuel tax free in Saskatchewan under the Fuel Tax Exemption Program. Under this Program, for 2015-16, Saskatchewan expected to collect about $156 million less fuel tax revenue. Provincial Auditor Judy Ferguson found that, while the Ministry of Finance (Ministry) did a good job of administering the Program, it had not specifically determined what the Program was to achieve (other than reducing taxes). As a result, it did not know whether the Program was successful or continued to be needed. The Provincial Auditor recommends the Ministry specifically set out how it plans to measure the success of the Program.

Also, the information published on the Government’s major tax expenditure programs was limited. The Ministry needs to give the Legislative Assembly and the public more information on what each major tax expenditure program is designed to achieve, and its achievements. This would help the public understand the purpose and intent of these programs and their success. 


For More Information

The full Provincial Auditor’s 2016 Report – Volume 1, which includes details on all of the Provincial Auditor’s recommendations, is available online at www.auditor.sk.ca.


Contact

Judy Ferguson, FCPA, FCA
Provincial Auditor of Saskatchewan
1500-1920 Broad Street
Regina, Saskatchewan S4P 3V2
Telephone: 306-787-6372

Mindy Calder
Communications Specialist
1500-1920 Broad Street
Regina, Saskatchewan S4P 3V2
Telephone: 306-787-6374

2016 Report - Volume 1: Backgrounder for News Release (PDF)

View All News Releases