During his recent visit to Ghana, President Cyril Ramaphosa emphasised the importance of African governments investing in adequate, new information technology (IT) and upskilling their people as the world readies itself for the Fourth Industrial Revolution.
As the national audit office, we are encouraged by the President’s latest call, as it bolsters our message that the government needs to improve its IT systems to adequately meet the needs of citizens. This is reflected in the 2020-21 Public Finance Management Act (PFMA) audit outcomes that the Auditor-General tabled in Parliament this month.
Government departments and entities use information systems to process critical business transactions and report on operational and financial performance.
Inadequate and failing IT systems often impede service delivery at key points, such as the South African Social Security Agency (Sassa), the Department of Home Affairs, the Post Office and health facilities, to name a few. These are sites that citizens often arrive at very early in the morning and leave late in the day – sometimes without even having received the required service.
The most notable recent incident of citizens being affected by weaknesses in government’s IT systems was when the Department of Justice and Constitutional Development was hacked in September 2021, which led to critical services to citizens being suspended and rendered the department ineffective.
Our role as the national audit office is to assess the control environment of hosting systems that process business and financial information and data, and to evaluate whether this information can be relied on for audit purposes and whether the government has derived value from the investments in IT.
Over the years, we have identified significant control weaknesses in the government’s information systems. Some of our most prevalent concerns include:
* Government systems are supplemented by manual processes, which makes them vulnerable to intentional and unintentional manual-based delinquency and manipulation. Automated controls are far more reliable and can be applied more consistently;
* Government systems are vulnerable to cybersecurity attacks; and
* In a number of cases, IT expenditure was not justifiable or the government did not receive the intended value or benefits from money spent on IT projects or contracts. In some cases, this has given rise to fruitless and wasteful expenditure.
The urgency to address these weaknesses has been lacking, resulting in continued system vulnerabilities, project failures and financial loss.
Our audits have revealed that the root cause of the prevailing weak IT control environment is poor IT governance processes.
The 2020-21 PFMA report on the audit outcomes of national and provincial government reveals that the impact of these weaknesses was:
* The government continues to spend money on new and advanced IT systems to streamline its processes. However, due to significant system weaknesses, we could not rely on the transactions and data processed by many of these systems. These systems are also vulnerable to misuse, abuse and fraud;
* Many government systems have weak IT security, and some of these systems have been successfully exploited by hackers;
* If a significant IT incident causes major business disruptions, auditees with inadequate or ineffective disaster-recovery capabilities cannot resume normal business operations timeously, resulting in a loss of services or revenue;
* Poorly managed IT projects resulted in auditees incurring costs that could have been avoided. We selected 39 IT projects worth R1.7-billion to audit, and 56% of these projects did not meet business expectations; and
* Auditees paid for software licences they did not need, resulting in expenditure that could have been avoided.
In the year under review, we identified 128 auditees (63%) out of 202 with ineffective IT governance processes. At many of the auditees, we noted that although they had adequate (and in some cases, well-defined) IT governance frameworks, these were not implemented or operating as intended.
Where IT steering committees were defined, they were not operating effectively. Either they did not have the required level of representation or they did not meet regularly to carry out their oversight responsibilities.
It is also worrying that IT budgets and plans were not well defined or monitored to ensure that they deliver the expected business value and intended benefits.
Accountability for effective IT governance ultimately resides with the accounting officers and authorities of departments and entities, and the current weak state of the IT environment is particularly concerning, as it shows that these role-players have not fulfilled their responsibility in this area for a number of years.
By effectively managing and improving the poor IT governance processes that lie at the root of the current weak IT controls, these role-players can strengthen the control environment to improve the accuracy and credibility of data collected and stored on these systems; prevent significant downtime caused by security breaches; and reduce unnecessary spending on systems that do not meet business requirements.
Ultimately, improved IT governance and a strong control environment will not only help departments and entities to carry out their primary functions, they will also have a positive impact on their ability to deliver services to the citizens of South Africa.
It is through deliberate effort that we can have an impact on the lived experiences of citizens and make their next visit to the service delivery point run much more smoothly. Or, even better, improve their service access through mobile devices that have a high penetration in our society.
