While technology is often touted as a transformative force, national and provincial governments continue to face significant challenges in ICT implementation.
A report by the Auditor-General of South Africa (AGSA) has identified barriers to achieving digital transformation goals, noting that many of government’s ICT projects failed to meet key objectives, such as time, cost, quality or business expectations.
The report reflects on the overall audit outcomes of national and provincial government and legislatures in the first year of the seventh administration.
Out of the 72 ICT projects reviewed across 44 auditees (state entities), AGSA reported findings on 41 projects worth a combined value of R12.1 billion, based on the 2024-25 Consolidated General Report on National and Provincial Audit Outcomes.
Additionally, significant control weaknesses persist in the national and provincial government IT environment.
The organisation exercising oversight of public money indicates the cyber security posture at more than half (64%) of the reviewed entities had notable weaknesses, with 11% exhibiting critical vulnerabilities that could be exploited if not addressed.
The report reads: “Our assessments covered governance, risk management, compliance, operational controls and incident response. Technical testing – including penetration testing and vulnerability scanning – revealed that many auditees lacked mature incident response capabilities and recovery procedures, placing systems and services at risk in the event of a breach.
“We also noted instances where significant investments in information technology systems were made, but the systems were never used. This points to a disconnect between procurement and operational readiness.
“More auditees experienced a regression in the strength of their IT control environments than those that improved. Weak security management controls continued to expose institutions to unauthorised system access, data breaches and disruption of business operations, which compromised financial and performance data integrity.”
Its audit also points to “persistent failures” in the State IT Agency’s (SITA’s) procurement and delivery of critical IT services.
ICT project issues were also identified in the Department of International Relations and Cooperation, Gauteng Department of Health and the Unemployment Insurance Fund.
Threatening environment
South African public entities have increasingly been targeted by cyber criminals. This week, Stats SA confirmed a hack on its systems, with the hacker group demanding $100 000 (R1.7 million) in ransom.
The AGSA report notes that cyber security remains a critical global concern for governments, transcending national borders and political systems.
Effective cyber security controls, including rigorous testing and validation, are essential for protecting auditees’ IT assets and services from malicious attacks, it notes.
As the cyber security attacks have become a widespread, the report notes that entities in SA’s national and provincial government have also been affected.
The auditor-general’s audits revealed shortcomings at 45 auditees (64%), of which 23 were high-impact auditees. Eight (11%) − four of which were high-impact auditees − exhibited significant vulnerabilities that could be exploited if not remedied, it reports.
According to AGSA, the most common findings within those entities was a lack of backup testing, recurring cyber security deficiencies, as well as compromised environments.
The report highlights that quality spending on ICT by national and provincial government is poor, with billions invested in systems, services and infrastructure that has not yielded the intended value.
A large part of ICT spending is on external service providers and money is being lost due to purchased software licences not being utilised because of poor demand planning. For example, in 2024-25, AGSA identified unused software licences at 14 public entities.
In addition, it notes that departments and public entities spent R5.48 billion on IT infrastructure in 2024-25, but the investment has “failed to support modernisation and resilience as many auditees still operate with ageing infrastructure”.
Thereport highlights that continued weaknesses in ICT environments were mainly caused by plans that were misaligned with organisational objectives, specialised skills limitations, inadequate planning, outdated government systems and insufficient governance structures.
The report also highlights that of the 191 established chief information officer (CIO) positions, 27 (14%) were vacant during 2024-25.
Furthermore, 18 of the CIO positions were vacant for more than six months. During the same period, 156 IT positions were vacant: 96 at departments and 60 at public entities.
“Fragmented ICT, risk and cyber security teams led to inconsistent capabilities, control failures and a lack of coordinated response planning, which impeded effective threat management.
“Auditees continued to rely extensively on third-party service providers, often without adequate oversight or accountability transfer, which exposed institutions to vendor-related control failures and service disruptions.”
On SITA, the 2024-25 report points to “persistent challenges” such as outdated and slow procurement processes and meeting basic service levels. For example, it notes SITA “failed to meet the service level agreements for virtual private networks in the North West”.
“Unmet targets peaked at 50.55% in December 2024 and remained consistently above 25% in several months. High bandwidth usage across provinces and significant monitoring gaps further strained network capacity and oversight.
“However, SITA subsequently committed to implement remedial action, such as including bandwidth performance monitoring in service level agreements.”
The report notes strategic misalignment remains a concern, exacerbated by the absence of a defined ICT structure and the lack of a CIO at SITA for over three years, which it says continues to weaken accountability and hinder ICT governance.
Share
