Singapore’s recent Public Accounts Committee report is a blunt, necessary wake-up call. Legacy systems, privileged-access lapses, and repeated procurement errors are not abstract audit points to be filed away. They are active risk vectors that can bring operations to a halt and expose public funds to exploitation. The language in the report was firm because the situation demands firmness: the public sector must modernise and govern its digital estate with urgency and discipline.
Where the rot starts — and how it spreads
Tech debt lives in untouched lines of code, in systems that have been folded into the fabric of operations for decades, and in processes that still rely on memory and spreadsheets. Privileged accounts — the keys to entire systems — are often managed manually. That creates single points of failure and invites human error. When an agency says a particular script has been running for 15 years because “no one touched it,” that is not nostalgia. That is risk.
Real-world chatter overheard during site visits confirms the pattern. One operations manager muttered, “We can’t keep band-aiding old platforms,” and then laughed, but the laugh was brittle. Another noted, “The cost to rewrite is insulting on paper; the cost to ignore it is existential.” These are not hypothetical tensions; they are decisions being deferred with consequences.
Privileged access management: recurring but fixable
The Committee’s spotlight on privileged access management (PAM) is long overdue. Agencies have introduced tools like Central Accounts Management and Automated Baseline Log Review. Good steps. Limited coverage and human-dependent processes remain the core problem. Without broad adoption of PAM controls, privileged accounts keep slipping through gaps—gaps where mistakes turn into incidents.
“Longstanding policies and practices also need to change to enable effective digital transformation.”
That line from the report is a battle cry, not a suggestion. The next steps are clear: prioritise high-risk systems for immediate PAM rollout, automate rotations and just-in-time access where possible, and apply continuous monitoring rather than episodic checks. Training helps, but training alone will not replace systemic control.
Procurement and oversight: rules are not enough
Procurement lapses keep cropping up not because rules do not exist, but because supervision is weak. Officers occasionally shortcut processes under operational pressure. Documentation becomes an afterthought. Contracts get executed without robust compliance checks. The consequence is that public money is exposed to mismanagement and conflict-of-interest situations that could have been prevented.
Mistakes at PUB over biocide and chemical supply management were not novel in character; they were familiar combinations of inadequate supervision and poor documentation. Disciplinary action followed, but the systemic lesson is this: corrective measures must strengthen supervisory oversight and not merely pile on stricter procedures that live in training slides and PDFs.
Revenue handling and accountability
The AGO’s findings on revenue management at the Maritime and Port Authority and the Ministry of Foreign Affairs revealed gaps where public monies were not properly prescribed or tracked. Charges and fees that should have been captured consistently were instead sitting in process blind spots. The response — legislative regularisation and tightened processes — is the right course. But regulatory fixes must be accompanied by audit-ready systems and clear ownership of revenue streams.
What modernisation must actually look like
Modernisation is more than refactoring code. It is governance, culture, and procurement reform thrown into one long, disciplined program. Prioritisation matters. Not all systems are equal; planners must triage: protect what’s critical, migrate what’s fragile, and sunset what’s obsolete. Vendors and consultants must be held to delivery standards that include security-by-design, testable outcomes, and post-delivery accountability.
During a workshop with agency technologists, one participant said plainly: “Appetite for change exists, but not the horsepower to execute.” That sentence captures the truth. Government can buy tools, but execution requires project discipline, vendor management, and the courage to retire beloved legacy applications.
Culture trumps technology
Technology without culture is theatre. Strong supervisory oversight, clear lines of accountability, and institutional incentives to follow process will matter more than another dashboard. The Committee’s push for sustained investment is vital. Transformation is not instant. It will take patience, resources, and consistent leadership across levels.
Direct, practical next steps
- Enforce PAM broadly, starting with systems holding the highest operational risk.
- Adopt just-in-time access and automated credential rotation to reduce human error.
- Prioritise modernisation projects by risk exposure, not by legacy sentiment.
- Strengthen supervisory checks; elevate documentation and audit trails to non-negotiables.
- Bind contractors and consultants to measurable security and delivery SLAs.
These are not optional extras. They are the minimum needed to prevent small lapses from becoming systemic failures.
Closing: demand courage, not comfort
The Committee recognised a multi-pronged approach and signalled confidence in ongoing corrective work. That confidence is conditional. Transformation needs persistent oversight and an industry ecosystem that can deliver responsibly. Expect hard conversations. Expect trade-offs. But also expect tangible improvements when policies, people, and products align around the imperative of protecting public assets.
Complacency is the true threat. Fixing legacy systems, tightening privileged access, and reforming procurement will be messy. Faced with that mess, the only responsible stance is decisive action. Anything less will store trouble for tomorrow and regret for everyone accountable today.