Gauteng govt IT still lacking

The province has not been serious in implementing its commitments around IT governance and security, says the auditor-general.

By Nicola Mawson
Johannesburg, 18 Apr 2013
Some 75% of all of Gauteng's departments had issues with IT security management, according to the auditor-general's recent report.

The Gauteng province has not taken a serious stance to drive its IT commitments, which has led to concerns over security and the integrity of key financial data at the bulk of its departments and entities, notes the auditor-general (AG).

Gauteng is SA's most populous province, accounting for 23.7% of all South Africans and home to 12.3 million people, according to the most recent census. It is also the country's economic hub.

The AG's general report on provincial audit outcomes covering Gauteng for the 2011/12 financial year found there is a lack of accountability in getting key systems and processes in place, leading to no improvement in IT systems and policies in the province.

In the recently released report, AG Terence Nombembe wrote that the audit shows there has been a regression from previous years, with the exception of seven public entities that achieved clean audits, because their leadership consistently monitored monthly financial disciplines, such as reconciliations, through clearly defined processes.

Nombembe writes there has been a lack of progress in implementing and sustaining the key internal controls required to ensure the credibility of information and support improvements towards clean administration.

"The lack of credible financial and performance information compromises the ability of the province to effectively manage service delivery and cash flows," writes Nombembe.

Widespread issues

The AG's report notes that effective IT systems management leads to the security, integrity and availability of financial and performance information. It evaluated IT controls at 12 departments, four public entities and three sectoral departments: health and social development, education, and local government and housing.

Among the departments, the AG had findings at all 12 relating to IT governance, while there were findings at 75% of departments around security management. Some 92% of departments had findings related to user-access management and IT service continuity.

The report also shows that a provincial IT governance framework has not been implemented, leading to policies and procedures not being adequately developed. It also found some departments had not filled key vacancies.

According to the report, nine departments had findings regarding security management, six of which have not adopted policies for implementation, and three had not adequately implemented IT security policies.

As a result, says the AG, password settings were inadequate and security systems were not always updated. "These deficiencies could lead to unauthorised access to the network, operating systems and ultimately application systems, thereby jeopardising integrity of data."

Eleven departments had findings regarding user access management due to the non-implementation of policies by the Department of Finance for transversal systems, which led to users being created on the system without supporting evidence and terminated staff not being removed from the system quickly enough, notes the AG. There was also a lack of monitoring of powerful user access.

The AG also notes that, with the exception of the Department of Roads and Transport, none of the departments had disaster recovery plans. Of the 11 departments, seven had either not developed plans or had outdated ones, while four departments' plans were not tested and had no alternate recovery site for data and system restoration in the event of a disaster.

"The deficiency noted could render departments unable to continue operations during disasters, which could negatively impact service delivery and financial reporting."

Questionable data

Turning to entities, the AG reported findings at all four units for IT governance, security management, user-access management and IT service continuity. It notes that prevalent findings include an IT governance framework not being developed, policies not being in place, a lack of formal user account management policies, and no formal disaster recovery plans.

These deficiencies could lead to IT goals that are not aligned with overall business objectives, which means IT functions would not be able to adequately support business activities such as financial and performance reporting.

In addition, notes the AG, there could be the risk of unauthorised access to the network, operating systems and application systems, which would jeopardise the integrity of financial and performance data.

The AG adds there could also be an inability to continue operations in the event of a disaster, which could significantly hamper service delivery and financial reporting.

Some progress

However, according to the report, the Department of Finance has developed and approved user account management policies and procedures for transversal systems for implementation, along with security baseline standards for adoption by departments.

These would minimise the risk of manipulation and unauthorised access to data and systems, says the AG.

The Department of Local Government and Housing had developed and implemented user account management procedures for debtors, which protects the integrity of data and systems.

In addition, the Department of Roads and Transport has developed a disaster recovery plan and is now in a position to recover and restore all financial and performance data and systems with limited disruption to operations.

Furthermore, in collaboration with the Department of Finance, the Department of Roads and Transport has implemented adequate IT controls such as IT continuity and security management, adds the AG.

ITWeb was unable to obtain comment from the province as to how it plans to rectify the situation.