Most provincial departments and entities have control deficiencies in key areas of IT management, because there is a lack of implementation of commitments, leading to questionable financial reports in the 2010/11 financial year.
There were issues with IT management at most of the 116 departments and 26 entities evaluated in the auditor-general's (AG) latest consolidated general report on provincial audit outcomes. According to the report, there are control deficiencies relating to IT governance, security management, user access management and IT service continuity.
Departments and public entities rely heavily on IT systems to perform statutory financial management, and reporting and administrative functions, notes the report. It adds that these systems enable automation, which contributes to effective internal control.
“The information processed and stored on IT systems is vital to the accuracy and reliability of the financial and performance information used by management for planning, monitoring and reporting.”
However, AG Terence Nombembe writes that the 37 entities that improved their financial status were negated by the 33 whose outcomes regressed in the 2010/11 audit. Only 19% of the entities subjected to scrutiny received clean audit reports.
Back to basics
The AG's report found that IT controls are generally not adequately designed by management. Implementation of controls should be monitored by management with the assistance of an internal audit on a continuous basis and reported to those charged with governance, it said.
According to the report, the “overall root cause” of deficiencies in IT management controls “is a lack of implementation of commitments by the leadership”. The document noted that management's commitments had yet to be fully implemented, based on management's responses from last year.
“Where audit findings had been raised previously and were still in the process of being addressed, the relevant departments were unable to fully implement their management's commitments. In addition, no system is in place to monitor the implementation of commitments,” the AG's report states.
“It is evident that the majority of issues have not yet been fully addressed.”
No accountability
Mark Walker, director of insights and vertical industries for IDC's Middle East, Africa and Turkey region, says the root cause is a lack of accountability as, regardless of how good systems are, if there is no will, garbage will go in and come out.
Technology represents a significant opportunity to address many issues, but there must be a willingness to spend correctly and use systems efficiently, says Walker. He notes that not all government entities are lagging.
Government needs to understand what it wants to do and manage projects, as well as hold service providers accountable, says Walker.
Lacking
The AG noted control deficiencies in IT governance at 88% of departments and 63% of public entities. While an improvement on the previous year, it states that the key root cause of findings within IT governance is the absence of an IT governance framework, which has not yet been developed and rolled out by the Department of Public Service and Administration (DPSA).
Several governance processes had not been implemented at all departments, such as IT steering committees not being established, IT strategic plans not being developed, inadequate risk management processes, and service level agreements not being formalised and monitored.
In terms of security management, control deficiencies were noted at 83% of departments and 61% of public entities. This is because the guide for software system Hardcat has not been implemented by departments, and there is a lack of formalised security parameter guidelines from the provincial treasuries for the Basic Accounting System.
The AG also found a lack of adequate implementation by the departments of the guidelines developed by the provincial treasuries and the offices of the premier when it comes to user access management. Some 96% of departments and 68% of public entities were found to have control deficiencies.
In terms of IT service continuity, 89% of departments and 61% of public entities had control deficiencies. The AG found that leadership had “failed” to take control of business continuity plans.
The DPSA indicated it was not able to respond to ITWeb's queries as the process is in the consultation stage before a framework is finalised. In February, National Treasury Estimates of National Expenditure indicated that an ICT management framework and draft implementation guidelines, as well as minimum information security standards framework, would be developed for the public service by March 2013.
Share