Audit of information technology

Government departments and entities use information systems to process critical business transactions and report on operational and financial performance.

Our role is to assess the control environment of hosting systems that process business and financial information and data, and to evaluate whether this information can be relied on for audit purposes and whether government has derived value from the investments in information technology (IT).

Over the years, we have identified significant control weaknesses in government’s information systems. Some of our most prevalent concerns include the following:

  • Government systems are supplemented by manual processes, which makes them vulnerable to error and manipulation, whether unintentional or deliberate. Automated controls are far more reliable and can be applied more consistently than manual controls. Manual interference makes it difficult to prevent or detect unauthorised access to systems and the activities performed on them, and, as a result, diminishes the reliability of these systems.
  • Government systems are vulnerable to cybersecurity attacks and, in some cases, hackers have exploited these security vulnerabilities successfully. There were a number of cases where systems were unavailable as a result of cyberattacks and/or other major incidents, which resulted in key government services not being available for a prolonged period. Affected areas include ports of entry, the Department of Justice and Constitutional Development and the South African Police Service.
  • In a number of cases, IT expenditure was not justifiable or government did not receive the intended value or benefits from money spent on IT projects or contracts. In some cases, this has given rise to fruitless and wasteful expenditure.

The root cause of the prevailing weak IT control environment is poor IT governance processes. Accountability for effective IT governance resides with the accounting officers and authorities of departments and entities, and the current weak state of the IT environment implies that they have not fulfilled their responsibility to effectively manage and implement IT governance processes over a number of years.

IT governance

IT governance is an element of corporate governance aimed at improving the overall management of IT and deriving value from investment in information and technology. This enables auditees to manage their IT risks effectively and ensure that the activities associated with information and technology are aligned with their overall business objectives.

We identified 128 auditees (63%) out of 202 with ineffective IT governance processes. We noted the following at many of the auditees:

  • Although auditees had adequate IT governance frameworks (and in some cases, well-defined IT governance frameworks), these were not implemented or operating as intended.
  • Where IT steering committees had been established, they were not operating effectively. Either they did not have the required level of representation or they did not meet regularly to carry out their oversight responsibilities.
  • IT budgets and plans were not well defined or monitored to ensure that they deliver the expected business value and intended benefits.
  • IT risks were not well articulated or managed and, in some cases, internal auditors did not perform required IT risk assessments, especially around key processes and significant projects.

Impact

Ineffective IT governance processes have led to control environments that are vulnerable to abuse or misuse, IT expenditure that cannot be justified and/or runaway IT projects.

Root cause

Accounting officers and authorities have not fulfilled their responsibilities to ensure effective IT governance processes and oversight.

System-related controls

The following auditees had significantly invested in IT systems that support their core business and financial management processes, but their control environment was not reliable for audit purposes:

  • The Department of Police spent R2 billion on IT and the status of IT controls remained concerning.
  • The Department of Defence spent R744 million on IT and the status of IT controls still required intervention.
  • The Department of Justice and Constitutional Development spent R683 million on IT and the status of IT controls remained concerning.
  • The Department of Home Affairs spent R660 million on IT and the status of IT controls still required intervention from the previous year.
  • The North West Office of the Premier spent R465 million on IT and the status of IT controls regressed from concerning to now requiring intervention.

IT security

Information security measures are critical to ensure that government information systems are not vulnerable to cyberattacks and to prevent internal staff from performing system activities for which they are not authorised.

In the last year, government departments and entities experienced a drastic increase in cyberattacks, which had an adverse impact on these auditees. We identified 164 auditees (81%) out of 201 with ineffective security controls. At some of these auditees, the security controls had regressed over the past year. The following concerns were widespread at most of the auditees:

  • Inadequate settings on the network components facing the external environment or that could be accessed from the internet
  • Systems that were running on outdated operating systems that were no longer supported by their respective suppliers – this means that the latest security updates were not applied
  • Systems that were running on aging infrastructure or hardware that was vulnerable to known security flaws and could not be upgraded with the latest software
  • Systems where the latest software patches were not applied as soon as they became available to resolve known security flaws, making the environment vulnerable to attacks

Hackers do not require complex techniques to take advantage of these security weaknesses.
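
The four weaknesses listed above (exposed network components with weak settings, unsupported operating systems, ageing platforms and late patching) are all things an auditee can check mechanically against its own asset inventory. The following is an added example, not code from the Auditor-General's report or from any of the auditees named on this page: it rates each system on the same scale the report uses ("concerning" or "requires intervention") from an inventory that is constructed inline. The end-of-support table, the patch window and the list of unsafe external-facing settings are assumptions chosen for the demonstration; a real check would take them from the vendor lifecycle pages and the organisation's security baseline.

```python
from dataclasses import dataclass, field
from datetime import date

# Illustrative end-of-support dates (assumption for this example; confirm
# against the vendor's published lifecycle pages before relying on them).
END_OF_SUPPORT = {
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Ubuntu 18.04": date(2023, 5, 31),
}

# Settings on an internet-facing component that the check treats as unsafe
# when present and true (constructed list for this example).
UNSAFE_EXTERNAL_SETTINGS = {
    "default_credentials": "default vendor credentials still in use",
    "management_interface_exposed": "management interface reachable from the internet",
    "telnet_enabled": "cleartext remote administration (telnet) enabled",
}


def to_date(value):
    """Accept an ISO-8601 date string or a date and return a date."""
    return date.fromisoformat(value) if isinstance(value, str) else value


@dataclass
class System:
    name: str
    os: str
    last_patched: date
    internet_facing: bool = False
    settings: dict = field(default_factory=dict)


def audit_system(system, as_of, patch_window_days=30):
    """Return a list of (severity, message) findings for one system."""
    as_of = to_date(as_of)
    findings = []

    # Unsupported operating system: no further security updates exist.
    eol = END_OF_SUPPORT.get(system.os)
    if eol is not None and as_of > eol:
        findings.append(("high", f"{system.os} unsupported since {eol}"))

    # Patching lag: beyond the window is medium, beyond three windows is high.
    patch_age = (as_of - system.last_patched).days
    if patch_age > 3 * patch_window_days:
        findings.append(("high", f"no patches for {patch_age} days"))
    elif patch_age > patch_window_days:
        findings.append(("medium", f"patches {patch_age - patch_window_days} days overdue"))

    # Weak settings matter most on components reachable from the internet.
    if system.internet_facing:
        for key, description in UNSAFE_EXTERNAL_SETTINGS.items():
            if system.settings.get(key):
                findings.append(("high", f"internet-facing: {description}"))

    return findings


def rate_system(findings):
    """Map findings onto the report's control-status scale."""
    severities = {severity for severity, _ in findings}
    if "high" in severities:
        return "requires intervention"
    if "medium" in severities:
        return "concerning"
    return "good"


def audit_inventory(inventory, as_of, patch_window_days=30):
    """Rate every system in the inventory as of the given date."""
    return {s.name: rate_system(audit_system(s, as_of, patch_window_days)) for s in inventory}


# Constructed inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    System("fw-edge-01", "Ubuntu 18.04", date(2022, 3, 1), internet_facing=True,
           settings={"management_interface_exposed": True}),
    System("app-legacy-07", "Windows Server 2008 R2", date(2021, 6, 15)),
    System("db-core-02", "Windows Server 2012 R2", date(2022, 4, 15)),
    System("web-portal-03", "Ubuntu 18.04", date(2022, 5, 1), internet_facing=True),
]

if __name__ == "__main__":
    for system in SAMPLE_INVENTORY:
        findings = audit_system(system, "2022-05-31")
        print(f"{system.name}: {rate_system(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run as-is it prints a rating per host with the findings behind it. The useful design point is that the rating is derived from dated evidence (end-of-support dates, last patch date, a flag for internet exposure) rather than from a self-assessment, so the same check re-run a year later shows whether the environment has regressed, which is the pattern the report describes.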

Impact

Hackers were successful in exploiting the security weaknesses at some of the auditees that we rated as weak. This resulted in some key government services not being available for a prolonged period and, in some cases, hackers using ransomware for financial gain.

Root cause

Information security governance is a component of IT governance, and accounting officers and authorities have not fulfilled their responsibility in this regard.

For security reasons, we cannot name the government departments and entities that are most vulnerable to this threat. At the following auditees, the security weaknesses were successfully exploited during the last two years and the information is already in the public domain:

  • The IT systems of the Department of Justice and Constitutional Development were hacked in September 2021.
  • The Ithala Development Finance Corporation and Ithala SOC Limited experienced ransomware attacks in February 2021, affecting public-facing online platforms.
  • Transnet suffered a security intrusion cyberattack in July 2021. According to Transnet, the Port Terminals division was among those severely hit.
  • The South African Police Service and National Treasury networks were disrupted, caused by cable vandalism in September 2021.
  • The website of the Department of Higher Education was hacked in March 2020.
  • The Mpumalanga Department of Economic Development and Tourism was hit by ransomware.
  • The South African Civil Aviation Authority experienced a security breach in February 2020, targeting email systems and accounts.

Disaster recovery

IT continuity, commonly known as disaster recovery, is required to ensure that there will be minimal disruptions to business operations if there is a disaster or major incident that would affect the availability and functionality of IT systems and infrastructure.

We identified 125 auditees (62%) out of 202 where disaster recovery capabilities were either inadequate or ineffective. Some of the auditees experienced technology-related incidents that caused major disruptions to business operations and their disaster recovery capabilities were not effective to restore business operations timeously.
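
Whether a disaster recovery capability was "effective to restore business operations timeously" is measured against two targets: the recovery point objective (how much data may be lost) and the recovery time objective (how long systems may be down). The following is an added example, not code from the report or from any auditee: it replays a constructed incident against a set of hourly backup copies and reports the achieved data-loss window and downtime against both targets. It also handles the failure mode the Ithala case describes, a DR site link that stops replication, by counting only copies that actually reached the DR site as recoverable. The timestamps, targets and backup schedule are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime


def ts(value):
    """Accept an ISO-8601 string or a datetime and return a datetime."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


@dataclass
class BackupCopy:
    taken_at: datetime
    replicated_to_dr: bool  # False if the copy never reached the DR site


def assess_recovery(incident_at, restored_at, copies, rpo_hours, rto_hours):
    """Compare an incident's actual data loss and downtime with the RPO and RTO.

    Only copies that reached the DR site before the incident count: a copy
    stranded at the primary site by a failed DR link cannot be restored from.
    Returns hours as floats plus pass/fail flags for each objective.
    """
    incident_at, restored_at = ts(incident_at), ts(restored_at)

    def hours(delta):
        return delta.total_seconds() / 3600

    usable = [ts(c.taken_at) for c in copies
              if c.replicated_to_dr and ts(c.taken_at) <= incident_at]
    stranded = sum(1 for c in copies
                   if not c.replicated_to_dr and ts(c.taken_at) <= incident_at)

    # With no recoverable copy the data-loss window is unbounded.
    data_loss_hours = hours(incident_at - max(usable)) if usable else float("inf")
    downtime_hours = hours(restored_at - incident_at)
    return {
        "data_loss_hours": data_loss_hours,
        "downtime_hours": downtime_hours,
        "rpo_met": data_loss_hours <= rpo_hours,
        "rto_met": downtime_hours <= rto_hours,
        "stranded_copies": stranded,
    }


def build_scenario(link_failed_at_hour=None):
    """Constructed schedule: one copy per hour on 2021-02-01 (a made-up date).

    If link_failed_at_hour is given, copies taken from that hour onwards were
    never replicated to the DR site, modelling a failed DR link.
    """
    copies = []
    for hour in range(24):
        replicated = link_failed_at_hour is None or hour < link_failed_at_hour
        copies.append(BackupCopy(datetime(2021, 2, 1, hour, 0), replicated))
    return copies


if __name__ == "__main__":
    # Scenario: DR link fails at 10:00, incident at 14:30, restore two days later,
    # against an RPO of 1 hour and an RTO of 8 hours.
    result = assess_recovery("2021-02-01T14:30", "2021-02-03T14:30",
                             build_scenario(link_failed_at_hour=10), rpo_hours=1, rto_hours=8)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two things the output makes visible that a backup success report alone does not: the data-loss window is measured from the last copy that is actually recoverable at the DR site, not the last copy taken, and the number of stranded copies shows how long the replication failure went unnoticed. Running the same assessment after each DR test gives the evidence an accounting officer needs to confirm that the objectives are achievable, not merely documented.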

Impact

When significant IT incidents causing major business disruptions did occur, auditees were unable to resume normal business operations timeously, which resulted in a loss of services or revenue. In addition, auditees may need to spend money to recapture some of the lost business transactions and, in some cases, business partners can impose penalties.

Root cause

Inadequate disaster recovery capabilities can be attributed to ineffective IT risk management practices. The responsibility for effective risk management resides with the accounting officers and authorities.

Government spent R15 billion on IT-related systems and services at 202 auditees, but the control environments were not improved. The two sections that follow detail the extent of the spending while also calling to action the responsible accounting officers and authorities.

IT continuity risks materialised at the following auditees:

  • The Eastern Cape Department of Education lost its 2020 learner database when it crashed, and could not successfully retrieve the changed information. This resulted in the incorrect transfer of learner data.
  • The Ithala Development Finance Corporation and Ithala SOC Limited experienced a ransomware attack. The disaster recovery site link failed, leaving the auditees unable to meet the recovery point and time objectives. This had a negative impact on the entities’ business activities due to systems being offline.
  • The South African Post Office experienced interruptions at its Midrand branch for up to five days. The integrated grants payment system, which was used to pay grants, was sometimes offline for unknown reasons and the WebRiposte – an offline system – was also not available. This had a negative impact on the entity’s operations.
  • Transnet experienced a ransomware attack in July 2021 that forced the company to declare force majeure at container terminals and switch to manual processing. This slowed down the company’s operations.
  • The Department of Justice and Constitutional Development experienced a ransomware attack on 6 September 2021 that left all the IT systems encrypted and not available for use. This had a negative impact on the department’s operations.

IT projects

IT projects, especially system implementation projects, are renowned for not meeting time, cost and/or business expectations.

We reviewed 36 IT implementation or system acquisition projects from a sample of 35 auditees’ projects. We found that 20 of these projects did not meet time, cost, quality or business expectations. The following shortcomings were common to these projects:

  • Projects were initiated and implemented without valid or feasible business cases.
  • Projects were implemented without business users being adequately involved, even though the primary objectives of system implementation projects were to improve business efficiencies.
  • There was inadequate project governance and oversight, resulting in significant time or cost overruns.
  • There was a high dependency on external consultants and service providers, who were not adequately supervised or monitored.

Impact

Poorly managed projects resulted in auditees incurring avoidable costs. We identified that R1,7 billion had been spent on system implementation projects that did not meet business expectations.

Root cause

In many cases, system implementation projects are delegated to IT management without adequate project governance and oversight. This is a result of poor IT governance, where accounting officers and authorities did not fulfil their responsibilities.

The following are some of the most significant examples of auditees at which implemented systems did not meet business expectations:

  • The Gauteng Department of Infrastructure Development spent R161 million on new systems that are not fully utilised and do not meet user requirements.
  • The Department of Correctional Services implemented the Integrated Inmate Management System; R260 million has been spent to date without the department realising the intended benefits.
  • The Department of Home Affairs implemented the ABIS project in 2017-18 to replace the Home Affairs National Identification System. The department has spent R281 million to date and the project is two years behind schedule.
  • The South African Weather Service spent R3,9 million on implementing a human resources system and the project was cancelled because it did not meet user requirements.
  • The Department of Employment and Labour spent R68 million on SAP HANA Roadmap implementation and there have been significant delays in the implementation.

Contracts and licences

We identified a number of contracts that were not concluded in the best interest of government departments or entities. We reviewed 37 contracts, and in nine cases (25%) found that auditees did not derive the intended value.

The following are some of the common weaknesses across the contracts selected for auditing:

  • Auditees contracted for more software licences than they actually need.
  • Auditees contracted for professional licences (which are more expensive) instead of limited licences that would be sufficient for users to perform their job functions.
  • Auditees paid for software licences that have not been used due to delayed system implementation projects. This is on top of the system implementation and consulting costs associated with those projects.

Impact

Auditees paid for software licences they did not need, resulting in expenditure that could have been avoided. We identified R46 million in such avoidable expenses.

Root cause

IT management contracted on terms that were not favourable to the auditees. In some cases, IT management did not have adequate systems in place to monitor how licensed software was actually used.

The following are some examples of auditees with contract and licensing weaknesses:

  • The Eastern Cape Department of Health spent R46 million on Microsoft, Nintex and Signiflow, and there was no software licence agreement in place.
  • The National Treasury spent R67 million on support and maintenance of its Integrated Financial Management System (IFMS), but the system is not in use.
  • Transnet overpaid an amount of R37 million on a contract not rendered and an additional R11 million was paid to the same supplier for services not contracted.
  • The South African Broadcasting Corporation spent R27 million on software licences and does not have a process to track allocation and usage of these licences.
  • The Department of Employment and Labour spent R422 million on SAP HANA software licences over four years and the system is still not fully utilised.

Conclusion

Accounting officers and authorities are responsible for ensuring effective IT governance. By effectively managing and improving the poor IT governance processes that lie at the root of the current weak IT controls, these role-players can strengthen the control environment, which will:

  • improve the accuracy and credibility of data collected and stored on these systems
  • prevent significant downtime caused by security breaches
  • reduce unnecessary spending on systems that do not meet business requirements.

Ultimately, improved IT governance and a strong control environment will not only assist departments and entities with carrying out their primary functions, it will also have a positive effect on their ability to deliver services to the citizens of South Africa.
