Novopay security flaw exposed

Last updated 05:00 27/11/2012

Relevant offers


David Bain's new life under new name To frame anti-vaccine rhetoric as 'debate' is dangerous and wrong Trump's Nato pushiness shows he's got 'no mana' Vintage bus gets stuck in the sand after beach drive Puhoi Valley Cafe has sweet sweep at Ice Cream Awards Moving out after seven years as notorious Bridge St Backpackers is sold Government tops up Southern Response funding to $1.5b Police search for 'dangerous' man Vincent Clayton after he escaped Dunedin hospital Woman who defrauded Wellington Airport and ACC has sentence reduced The passion and scandal of a loose-lipped Stratford councillor

A school's staff discovered Novopay allowed them to access and alter their own timesheet details, exposing another glitch in the pay system's security.

Two pay administrators at Sacred Heart College, in Lower Hutt, demanded immediate action from Novopay operator Talent2 yesterday after they came across the latest lapse.

By the end of the day they had been locked out of making changes, and the Education Ministry claimed the error never existed.

The latest case comes against a background of more than 8000 logged errors in teachers' pay since Novopay was introduced in August. They include overpayments, underpayments, and sometimes no payments at all.

Australian firm Talent2, which runs Novopay under a $100 million contract with the ministry, is facing penalties of $50,000 each time the system botches the fortnightly payroll cycle, and chief executive John Rawlinson flew to New Zealand last week to deal with the barrage of criticism.

Sacred Heart deputy principal Alison Spencer, who is also an accountant, said she could access her own pay details, and add and validate her own leave.

And although she could not change her salary, she could have added as much extra overtime as she wished, and so could executive officer Irene Newrick.

Mrs Spencer was so shocked that she walked straight out of her office and told an auditor who happened to be at the school.

"I just need to tell you what I have just done. I've just accessed my pay," she told the auditor, who replied: "I don't think I want to hear this."

"There's no way I should have access to my pay, and Irene have access to her pay," Mrs Spencer said. "I can go in and do whatever I want to do, which is not good."

Ms Newrick said the previous Datacom system always needed a strong audit trail. "I could never ever sign off anything on my own.

"We assumed, stupidly, [that Novopay] would be locked, and we had never checked it.

"There may be other schools out there who also have this problem and aren't aware of it. I suspect they're in there now frantically looking at all the others," she said after dis- covering they were finally locked out.

Sacred Heart principal Lisl Prendergast said her staff were "too honest for their own good", but the temptation should never be there.

"What they should have is access to do things they need to do, but they shouldn't have access to their own pay."

In February, David Don, who was executive officer of St Patrick's College, Wellington, admitted taking more than $126,000 from the school after an audit of its 2010 accounts. He was jailed for two years.

Ad Feedback

Post Primary Teachers' Association president Robin Duff said the latest glitch was alarming, and should be "filling the ministry and secretary with fear and trepidation".

"Given the assurance we've had that this is a secure system, pretty worryingly it blows it out of the water."

Education Ministry group manager Rebecca Elvy denied there was ever an error as claimed by the Sacred Heart staff, because they could not amend their own details without someone else submitting the changes.

- The Dominion Post

Special offers

Featured Promotions

Sponsored Content