CAG uncovers rule breaches, weak controls in Himachal’s financial system

A performance audit by the Comptroller and Auditor General of India (CAG) has exposed serious financial lapses and structural deficiencies in Himachal Pradesh’s Integrated Financial Management System (IFMS). The report, covering the period from 2017 to March 2022, was tabled in the Vidhan Sabha on Friday by Chief Minister Sukhvinder Singh Sukhu, who also holds the finance portfolio. Its findings raise sharp concerns about the state’s ability to safeguard public money.

The audit paints a picture of a financial platform riddled with weak internal controls, rule violations, unreliable data and gaping security vulnerabilities. It reviewed key modules — including e-Budget, e-Vitran, e-Bills, e-Salary, HP-OLTIS and e-Challan — and verified records in four district treasuries. The conclusion was unambiguous: systemic weaknesses run through every layer, from conceptualisation to day-to-day operation.

At the governance level, the government had failed to sign a Service Level Agreement (SLA) with the National Informatics Centre (NIC), leaving no clear accountability structure. Audit scrutiny revealed that software changes were routinely pushed directly into the live environment without user acceptance testing, increasing the risk of errors. Legacy modules for pension, salary, treasury and budget were integrated without strengthening controls, resulting in incomplete voucher trails and continued reliance on manual processes in areas such as AC/DC bill tracking.

Rule violations were widespread. Bills were generated without mandatory approval from Drawing and Disbursing Officers (DDOs). Between April 2017 and March 2022, 10,938 bills worth Rs 2,467 crore were cleared even after the expiry of DDO validity. Controls meant to ensure segregation of duties were bypassed on a massive scale — over 9.58 lakh bills across 106 treasuries were processed end-to-end by the same employee.

Master data governance was equally poor. PAN numbers were missing for 36,212 employees. A total of 439 DDOs were mapped to multiple treasuries, some to as many as 105, running against financial rules. Pension data was inconsistent and unreliable; in many cases, Aadhaar numbers exceeded the number of pensioners. Public-facing modules such as e-Challan permitted deposits under incorrect Heads of Account.

The audit highlighted several instances of unauthorised payments and potential fraud. Duplicate leave-encashment payments worth Rs 67.33 lakh were detected in 14 cases. Excess DCRG payments totalling Rs 180.05 lakh were made to 32 beneficiaries by drawing bills beyond the permissible Rs 10-lakh limit. In District Treasury Kangra, a computer operator misappropriated Rs 68.11 lakh by generating 19 bills without original authorities. Duplicate commutation payments in 15 cases resulted in an additional loss of Rs 77.81 lakh.

Disturbing discrepancies were found in the pension module: in 10,599 family pension cases, multiple dates of birth were recorded for the same beneficiary, while in 1,204 cases, the system showed pension initiation dates preceding the pensioner’s date of death.

System security was found to be grossly inadequate. Mandatory digital signatures and multi-factor authentication were missing, role-based access was poorly enforced and manual interventions compromised data integrity. In 356 salary cases, the bill-passing date was recorded before token issuance. No post-change security audit had been conducted, nor were backup restoration tests carried out. Crucially, the State lacked a Disaster Recovery Plan, Business Continuity Plan and Data Retention Policy.

The CAG concluded that the IFMS suffers from fundamental design flaws and weak enforcement of controls, undermining transparency and accountability. It recommended strengthening governance structures, ensuring end-to-end digital bill processing, enforcing segregation of duties and establishing robust disaster recovery and data-backup mechanisms.