An Analysis of the Public Accounts Committee Report, February 2026
Singapore has long traded on a singular proposition: that its government works. Not merely adequately, but with a precision that other nations study and attempt to emulate. For decades, the city-state’s public institutions have been ranked among the world’s least corrupt, most efficient, and most digitally capable. The Public Accounts Committee’s February 2026 report does not shatter that reputation — but it puts several uncomfortable cracks in it on full display.
The report, produced by the parliamentary watchdog chaired by PAP MP Jessica Tan and including Workers’ Party MP Dennis Tan, reviews how public funds were managed in the 2024–2025 financial year. What it found, distilled to its essence, is a government wrestling with the compound interest on years of deferred modernisation — in its technology, its institutional culture, and its supervisory habits.
I. THE TECHNOLOGY PROBLEM: DEBT WITH INTEREST
The term “tech debt” is borrowed from software engineering. When developers take shortcuts to deliver code quickly, they accumulate a conceptual liability — future work that must be done to correct the shortcut. Left unaddressed, tech debt compounds: each new system layered atop the old one increases complexity, fragility, and cost. Singapore’s public sector is now paying significant interest on decades of accumulated debt.
The Ministry of Digital Development and Information and the Smart Nation Group told the PAC that legacy systems make it “prohibitively expensive and complex to implement basic modern security controls.” This is a remarkable admission. For a country that markets itself globally as a Smart Nation, the acknowledgement that basic security practices cannot be applied to existing infrastructure without extraordinary cost and disruption speaks to the depth of the structural problem.
Privileged Access Management: A Recurring Wound
Nowhere is the tech debt more dangerous than in what security professionals call privileged access management — the control of accounts that have elevated, often administrative, powers over IT systems. The PAC report notes that weaknesses in this domain have recurred over multiple years. This is not a new problem that has been discovered. It is a known problem that has not been solved.
The implications are serious. Privileged accounts represent the highest-value targets for malicious actors, whether external cybercriminals or insider threats. An attacker who gains control of a privileged account can potentially read, modify, exfiltrate, or destroy data on a scale far beyond what an ordinary user account would allow. For a government that manages everything from citizens’ health records to tax data to defence-related information, the persistence of this vulnerability is not merely an IT governance issue — it is a national security concern.
The reliance on manual processes for managing these accounts compounds the risk. Manual processes are inherently slower, less consistent, and more prone to error than automated systems. When access rights are reviewed manually — if they are reviewed at all — accounts may retain permissions long after they are needed, a condition known as “privilege creep.” The PAC noted that new tools have been introduced to automate account management but acknowledged limits to their coverage and effectiveness.
The Smart Nation Paradox
There is a sharp irony in Singapore’s position. The city-state has invested substantially in projecting a vision of digital governance leadership — the Smart Nation initiative, the GovTech agency, internationally recognised e-government services. Yet the infrastructure underpinning these initiatives is, in places, a patchwork of systems built over decades, some running on code that predates modern cybersecurity practices.
This is not unique to Singapore. Governments worldwide — including those of the United States, United Kingdom, and Australia — grapple with legacy IT. The US federal government alone has spent billions annually maintaining systems that are decades old. What makes Singapore’s position more pointed is the gap between its self-presentation and the reality described in the PAC report. The country’s reputation for governmental competence has been a form of soft power and an economic asset. That reputation now carries a quiet asterisk.
The committee’s finding that “longstanding policies and practices also need to change to enable effective digital transformation” hints at a problem deeper than any particular software version: the organisational culture and incentive structures of the public service may themselves be obstacles to the transformation nominally being pursued.
II. THE GOVERNANCE PROBLEM: SUPERVISION, NOT RULES
Perhaps the most intellectually significant finding in the PAC report is its diagnosis of why lapses occur. The committee’s conclusion is pointed: many failures were “not about lack of rules, but linked to inadequate supervision and oversight.” This is a finding that should prompt genuine institutional reflection, because it diagnoses a failure of management, not merely of compliance.
Rules-based governance — the publication of standard operating procedures, the conduct of training, the issuance of circulars — is the default response of bureaucratic institutions to discovered failures. It is also, the PAC implies, often insufficient. When officers prioritise operational delivery over documentation, when supervisors assume compliance without verifying it, when accountability chains are diffuse, the accumulation of rules simply creates more rules to be not followed.
PUB: A Case Study in Supervision Failure
The water agency PUB’s management of biocide and chemical supply contracts offers an illustrative case. The Auditor-General found lapses significant enough to prompt disciplinary action against responsible officers in September 2025, with others counselled for less serious mistakes. The PAC’s analysis attributed the failures in part to inadequate supervisory oversight — meaning that the problems either occurred without supervisors’ awareness, or occurred with their awareness but without corrective intervention.
The significance extends beyond PUB. Water infrastructure is critical national infrastructure. Biocides and chemicals used in water treatment are regulated precisely because their improper management poses public health risks. Contractual lapses in this domain are not merely administrative irregularities — they are potential vulnerabilities in systems that underpin public welfare.
The Procurement Recurrence Problem
The committee expressed concern about procurement, contract management, and grant administration lapses appearing repeatedly in Auditor-General reports. The Ministry of Finance’s diagnosis — a combination of knowledge gaps, the prioritisation of operations over process, inadequate documentation, and conflict-of-interest mismanagement — is telling.
Each of these factors reflects something about how the public service operates under pressure. Singapore’s civil service is lean relative to the scale of government activity it manages. Officers juggle operational responsibilities alongside compliance requirements. In that environment, process documentation can feel like overhead rather than protection. The result, year after year, is that the same categories of failure recur in AGO findings — not because officers are malicious, but because the system creates conditions in which shortcuts feel rational.
III. REVENUE ACCOUNTABILITY: THE MPA AND MFA CASES
Two specific cases illuminate how institutional blind spots can allow public funds to fall outside proper accountability frameworks.
At the Maritime and Port Authority, the AGO found that fees for dumping and monitoring services, as well as certain port dues concessions, had been charged or granted without legal prescription. This is a significant finding: MPA was operating outside its statutory authority in how it managed revenue — an authority that exists to ensure that the exercise of public power is grounded in law. The fees were real, the services were real, but the legal basis for collecting them in the manner applied was absent. MPA has since regularised its position through legislation and statutory waiver.
At the Ministry of Foreign Affairs, honorary consuls and consuls-general — diplomatic representatives who are typically private individuals given consular functions rather than career civil servants — were collecting visa fees that were not being tracked or remitted as government revenue. These are legally public monies. The failure to account for them is not merely a bookkeeping lapse; it creates opacity around funds handled by individuals who occupy a more ambiguous position within the government accountability framework than regular officers.
IV. IMPLICATIONS FOR SINGAPORE’S BROADER STANDING
It would be disproportionate to read the PAC report as evidence that Singapore’s governance model is failing. The existence of the PAC itself, its cross-party composition, its willingness to probe ministerial agencies, and the public release of its findings are all features of an accountability system functioning as designed. Many countries with far worse governance outcomes do not possess comparable oversight infrastructure.
But several intersecting dynamics give the 2026 PAC report a weight that is more than the sum of its specific cases.
The Cybersecurity Stakes Have Never Been Higher
Singapore’s posture as a global financial and digital hub means it is a persistent target for state-sponsored and criminal cyber actors. The 2025 compromise of Singapore’s four major telecommunications companies by the Chinese cyberespionage group UNC3886 demonstrated that sophisticated attackers are actively probing the country’s digital infrastructure. Against that backdrop, the persistence of privileged access management weaknesses in government systems is not a bureaucratic inconvenience. It is a live vulnerability in a contested landscape.
Trust as Infrastructure
Singapore’s social contract is distinctive. Citizens have historically accepted significant constraints on political pluralism in exchange for an implicit guarantee of governmental competence and incorruptibility. This compact depends on the continued credibility of that guarantee. When the public accounts watchdog finds, year after year, the same categories of procurement failure and oversight lapse, it chips — however incrementally — at the foundation of that compact.
The PAC itself acknowledged that “sustained improvements in governance systems and institutional capabilities are long-term endeavours.” This is true and important. But long-term endeavours require visible, measurable progress — not merely the repetition of commitment. Citizens and observers watching the same categories of finding appear in successive AGO reports may reasonably ask whether commitment is translating into change.
The Vendor Ecosystem Question
The PAC’s closing call for “responsible and capable consultants, contractors and vendors” to support public sector transformation raises a pointed question about Singapore’s technology supply chain. Much of the modernisation work required — replacing legacy systems, implementing privileged access management solutions, digitising procurement and compliance processes — will be delivered by private sector partners. The quality, integrity, and capability of those partners matters enormously. How the government selects, manages, and holds accountable its technology vendors is itself a governance question of the first order.
V. WHAT MEANINGFUL PROGRESS WOULD LOOK LIKE
The PAC report is, in intent, constructive rather than merely critical. It articulates a direction. The question is whether that direction translates into durable institutional change rather than a fresh round of procedure documents and training modules.
Meaningful progress in IT modernisation would look like a publicly committed, resourced, and time-bound programme for retiring the highest-risk legacy systems, with measurable milestones and accountability for delivery. Not a direction — a programme. Not aspiration — commitment. The government has the institutional capacity to deliver this; what has been missing, the PAC implies, is sufficient prioritisation.
Meaningful progress in supervisory culture would look like changes to how supervisors are evaluated and promoted. If managers are rewarded primarily for operational delivery rather than for ensuring compliance and catching lapses within their teams, then no amount of additional training will change the underlying dynamic. The incentive structure must change, not just the training calendar.
Meaningful progress in procurement governance would look like the AGO’s next report finding the same categories of lapse at significantly reduced frequency. That is the only real test. The PAC has repeatedly expressed concern; the MOF has repeatedly offered multi-pronged responses. The data will eventually speak plainly about whether those responses are working.
CONCLUSION: THE REPUTATION FOR COMPETENCE IS NOT SELF-SUSTAINING
Singapore’s governance brand has been built over decades through genuine achievement: effective economic management, low corruption, high-quality public services, and the demonstrated ability to execute complex national programmes. That brand is durable — but not indestructible.
The 2026 PAC report is a reminder that institutional quality is not a permanent state but an ongoing achievement. It requires sustained investment, candid diagnosis of failure, and the organisational courage to change cultures and incentive structures — not merely policies. The watchdog has done its job by producing a clear-eyed assessment. The harder work, as always, belongs to the agencies and the leadership responsible for acting on it.
Whether Singapore emerges from this governance reckoning with its institutions genuinely strengthened — or with another round of assurances that look different from the last but produce the same AGO findings — will say a great deal about the resilience of a governance model the world has long been watching.