A mission critical system such as the Integrated Financial and Human Resource Management System (IFHRMS) in Tamil Nadu did not have robust security measures like biometric access, machine-based access rights and protection of user credentials. Transactions by anonymous usershave indicated vulnerabilities in the system and inadequate security management. Non-conducting of periodic disaster recovery trials exposes the entire system to likely higher downtime and loss of confidential data, the Comptroller and Auditor General of India (CAG) has said in a report.

The State government in January said that due complexity such as capturing, storing and authenticating of thumb impression and the huge task process of purchasing biometric devices to all; higher secured digital signature certificate has been implemented at the approver level. It was further stated that the government was in the process of adopting Aadhar-based e-Sign for further higher secured environment. The Audit noted that this reply is not acceptable as failure to procure biometric devices till now had resulted in security gap in envisaged authorisation procedures.

Data analysis revealed that out of the 2.66 lakh tickets raised by the IFHRMS departmental users during 2021-22, password change/reset request was made in 6,514 cases by logging in to the system with another user’s login. The help desk while resetting the password shared the new password with other users despite the availability of ‘forgot password’ mechanism for resetting a user’s password. This shows lack of awareness among the users of IFHRMS and the help desk personnel about the risks of sharing login passwords, the Audit noted.

The audit recommended that the government strengthen user access controls and create awareness about the risks of sharing of user credentials. Government should also conduct periodic disaster recovery drill in a real time environment.

The audit also observed that delay in achieving project Go Live has resulted in cost overrun of ₹79.91 crore in IFHRMS through the Finance Department. This was due to hardware maintenance, application resources, field level technical support and bandwidth charges during the period of delay, the report tabled in the Tamil Nadu Assembly on Wednesday said.

The IFHRMS went live from January 2021. Of the envisaged 14 modules, six were fully functional and eight were yet to become operational. The Audit found that the Monitoring Committee which had to ensure that the project met its goals, milestones and suggested necessary modifications and course corrections, did not manage the project as envisaged. This led to continued dependence on System Integrator (Wipro Ltd).

Budget operations module allowed transfer of funds between Grants, incurring of expenditure without budget provision and withdrawal of entire budget allocation after expenditure had been incurred in violation of the budget manual provisions. Further, provision/withdrawal of funds during last week of the financial year to arrive at final modified appropriation shows that re-appropriation is a mere year-end adjustment exercise, the audit observed.

Bill processing module is a critical module of IFHRMS as it handles the entire government disbursement. However, even after two years of IFHRMS rollout, it allowed double payment for same claims, and could not process bills within the stipulated timeline. The Pay and Accounts Office/Treasury had to rely on physical copies of sanction orders for the vouchers.

The Audit has recommended that the State government should redraw the project timelines and ensure that IFHRMS is completed in all aspects without further delays. While responding to the Audit observations raised the government assured that necessary corrective action will be taken.

comment COMMENT NOW