Novopay security flaw exposed

A school's staff discovered Novopay allowed them to access and alter their own timesheet details, exposing another glitch in the pay system's security.

Two pay administrators at Sacred Heart College, in Lower Hutt, demanded immediate action from Novopay operator Talent2 yesterday after they came across the latest lapse.

By the end of the day they had been locked out of making changes, and the Education Ministry claimed the error never existed.

The latest case comes against a background of more than 8000 logged errors in teachers' pay since Novopay was introduced in August. They include overpayments, underpayments, and sometimes no payments at all.

Australian firm Talent2, which runs Novopay under a $100 million contract with the ministry, is facing penalties of $50,000 each time the system botches the fortnightly payroll cycle, and chief executive John Rawlinson flew to New Zealand last week to deal with the barrage of criticism.

Sacred Heart deputy principal Alison Spencer, who is also an accountant, said she could access her own pay details, and add and validate her own leave.

And although she could not change her salary, she could have added as much extra overtime as she wished, and so could executive officer Irene Newrick.

Mrs Spencer was so shocked that she walked straight out of her office and told an auditor who happened to be at the school.

"I just need to tell you what I have just done. I've just accessed my pay," she told the auditor, who replied: "I don't think I want to hear this."

"There's no way I should have access to my pay, and Irene have access to her pay," Mrs Spencer said. "I can go in and do whatever I want to do, which is not good."

Ms Newrick said the previous Datacom system always needed a strong audit trail. "I could never ever sign off anything on my own.

"We assumed, stupidly, [that Novopay] would be locked, and we had never checked it.

"There may be other schools out there who also have this problem and aren't aware of it. I suspect they're in there now frantically looking at all the others," she said after discovering they were finally locked out.

Sacred Heart principal Lisl Prendergast said her staff were "too honest for their own good", but the temptation should never be there.

"What they should have is access to do things they need to do, but they shouldn't have access to their own pay."

In February, David Don, who was executive officer of St Patrick's College, Wellington, admitted taking more than $126,000 from the school after an audit of its 2010 accounts. He was jailed for two years.

Post Primary Teachers' Association president Robin Duff said the latest glitch was alarming, and should be "filling the ministry and secretary with fear and trepidation".

"Given the assurance we've had that this is a secure system, pretty worryingly it blows it out of the water."

Education Ministry group manager Rebecca Elvy denied there was ever an error as claimed by the Sacred Heart staff, because they could not amend their own details without someone else submitting the changes.

Contact Jody O'Callaghan
Education reporter

The Dominion Post