It is hoped that this Special Report will give rise to corrective steps, which will contribute to the establishment and implementation of improved IT strategic management, practices and controls and better value for money for the taxpayer.
(2) MODUS OPERANDI: The follow-up computer audit was conducted in accordance with Generally Accepted Government Auditing Standards, as well as the internal Guidelines of my Office pertaining to computer audits. The adopted modus operandi makes provision for, inter alia, the following:
(a) Steering committees: When the initial arrangements are made for a computer audit, the management of the institution concerned is informed in detail regarding the objectives and modus operandi of computer auditing. Arrangements are also made for the establishment of a steering committee. The main purpose of the steering committee is to secure and maintain co-operation between the management of the institution and the audit team. The steering committee is made up of the audit team and a number of senior officials of the institution. During a meeting of the steering committee, which is chaired by a senior official of the institution concerned, efforts are made to reach consensus on the factual correctness of the findings contained in the management report. This is done to ensure that the eventual report will not contain any surprises for the institution, as well as affording the institution an opportunity to make timely inputs. This approach should also lead to early corrective steps where weaknesses have been identified. It is, however. not the intention or practice that the steering committee provides the institution with a veto right in respect of the nature and scope of the computer audit or the reporting thereon.
(b) Management reports: Once consensus has been reached at a meeting of the steering committee regarding the factual correctness of the findings, these are brought to the attention of the accounting officer concerned in the form of a management report and he or she is then given a reasonable time to comment. Such comment on the report should focus mainly on what corrective steps have been taken and what actions are proposed to ensure that appropriate measures are instituted timeously. The comment received from the accounting officer is analysed, "hereafter the result of the computer audit is reported on publicly and a follow-up audit is conducted in due course.
(3) PERSPECTIVE: Although the methodology
of this follow-up audit focused on shortcomings in control over information systems, this does not mean that poor or no control exists throughout. It must, however, be emphasised that the shortcomings identified in this Special Report indicate that control over information systems can be considerably improved. The corrective steps referred to in paragraph 3 page 16 substantiate this. On the other hand, the corrective steps taken and the measures proposed, give an indication of the positive attitude of the Directors-General of the Department of State Expenditure (DSE)and the Department of Public Service and Administration (DPSA), and of how seriously they view this matter.
Overall management measures to create an awareness of the importance of IT, to ensure that it is understood, to create a commitment to comply with directives and to adequately address the risks, have thus to a varying degree still not been instituted or are not functioning effectively.
( 10/l/B/3/30/l)
Cape Town, 30/7/1997
H E Kleuver
Auditor-General
(2) The IT personnel of two other departments were also visited and discussions concerning systems development were held. In addition, a survey questionnaire on systems development in respect of non-transversal systems, was circulated to selected government departments.
(3) At the departments visited, certain systems development projects were selected and the project management and development methodologies of these projects were reviewed.
(4) The fundamental objectives were to review what substantive progress had been made to address the following:
(7) Various meetings were held with the DSE and the DPSA to discuss the factual correctness of the findings. Written inputs received from the departments on 15 November 1996 were also incorporated in this report.
During a meeting of the Technical Intergovernmental Committee on 14 November 1995, a task team under the leadership of the Director-General of the Department of Arts, Culture, Science and Technology, was established with the specific request to make recommendations on the following:
Part II of Chapter E of the Public Service Staff Code (PSSC), dealing with the key role players and their functions, had been withdrawn, leaving an amount of uncertainty in this regard. Once the national IT vision and strategy are made known, the IT policy for the Public Service, as contained in Chapter E of the PSSC, will have to be reviewed to ensure that it is in harmony with the national strategy.
(b) Policy framework: Chapter E of the PSSC established the policy framework for the general guidance of IT practices. In terms of the policy, the greatest measure of management autonomy was granted. Departments could, except where otherwise prescribed, decide autonomously about computerisation as well as the procurement and utilisation of IT. Since the directives of Chapter E had not always been adhered to, the goals were not always realised, as documented in the rest of this report.
(c) Guidelines: Pursuant to the resolution of the Joint Standing Committee on Public Accounts (JSCPA) on 17 March 1993, which stated that a clearly formulated policy and guidelines in respect of the operations of computer services in the central government should be formulated, the original Chapter J.II, Section C of the PSSC, was replaced with Chapter E.
During a meeting of the JSCPA on 14 March 1994, it was reported by the Director-General of the then Commission for Administration (CFA) that three sections, namely the General Policy Statement (Part b, the Key Role Players, their Functions and the Administrative Provisioning Process (pan II), and the Emergency Backup (Part VI), had been implemented. It was also indicated that the sections on Information Systems Engineering, Data Communications and Transversal Systems were in the process of being approved. The Director-General also indicated that the remaining guidelines to address the complete IT area, would be issued within six months to one year from March 1994. At the time of the follow-up audit, however, only the six sections referred to above had been incorporated in the PSSC. The other practices were reviewed and a management decision was taken that a requirement for policy development did not exist in respect of these and that new practices would be identified and attended to as the need arises.
In addition, the directives of Chapter E had largely still not been complied with.
(d) Vesting the responsibility for the development of transversal systems in a single service rendering institution: On 5 June 1991 the JSCPA recommended that the DSE, in consultation with the CFA, must investigate the possibility of vesting the responsibility for the development of systems and the rendering of a central computer service in a single service rendering institution. This should also benefit semi-state institutions and third-tier governments. At the time of the audit, the DPSA indicated that an investigation into a possible joint service organisation was reaching its final stage and that a decision in this regard should be taken soon.
(2) Long-term planning: (a) Master systems plan: The DPSA has the responsibility of co-ordinating
IT deployment in the Public Service and utilises departmental Master Systems Plans (MSPs) for this purpose. The Public Service Commission (PSC) has the function of monitoring the application of IT policy. This role was hampered by the fact that very few departments had MSPs.
Of the 35 national government departments, only eight (approx 23 per cent) had submitted MSPs. The following departments, who are pivotal role players and who operate significant IT systems did, for example, not submit MSPs:
(c) Systems register: Although the principle of a systems register was prescribed in Chapter E, Part III of the PSSC, a central systems register has not yet been established, since the technical platform for the development and deployment thereof had not yet been finalised. A workshop, involving the previous PSC, was convened on 14 November 1995, during which it was decided that a technical workgroup should be established to investigate the technical platform for the development and deployment of a systems register. On 1 July 1996 (the time of the follow-up audit), this had not yet been finalised.
(d) Central planning structure: A central structure for interaction and co-ordination has been established in the form of an IT Executive Steering Committee (ITEXCOM), which was convened on 16 October 1996. One of the aims of the committee was to obtain consensus regarding systems of transversal nature.
(e) Systems Development Life Cycle methodology: Limited use was made of formalised Systems Development Life Cycle (SDLC) methodologies.
Approximately 64 per cent of the respondents of the survey questionnaire on systems development indicated that they did not use any SDLC methodology.
(3) Control: (a) Cost budgeting, monitoring and reporting: The budgeting for, monitoring of and reporting on project costs for internal systems development, were not always adequately performed at a project level.
Two departments in which systems development had taken place, were selected randomly and visited. Cost budgets for the internal systems development projects could, however, not be provided. It could also not be assessed with any certainty how much the systems developed had actually cost, since the departments had not maintained records of the cost per project.
The results of the systems development questionnaire indicated that some respondents had not budgeted for the cost of systems development projects on an individual basis. Of the projects listed in the returned questionnaires, 32 per cent did not have a budgeted cost figure.
(b) Cost-benefit analysis: Cost-benefit analyses were not always performed prior to project initiation for the projects reviewed. There was also no post-implementation review of the benefits achieved.
(c) Monitoring of conformance to policy: On 17 March 1993 the JSCPA recommended, inter aria, that the CFA, in consultation with the DSE, forthwith - but not later than 30 June 1993 - determine where the responsibility for monitoring conformance to policy must rest and take the necessary steps in this regard.
Clarity was reached between the DPSA and the PSC regarding their respective monitoring roles. The defining of the roles regarding monitoring was attended to as part of the drafting of the Public Service Amendment Bill (phase 2), the Public Service Commission Bill and the Constitution. According to a Cabinet decision, the PSC would monitor, inspect, evaluate and advise on public administration practices. The DPSA would monitor policy and mechanisms to ensure that they were practical and enabled departments to deliver their required services.
Each department is responsible for its own information system. Provision had been made at the end of each part of Chapter E for reporting by departments. This, however, did not take place effectively. For example, according to Chapter E of the PSSC, information on emergency backup plans should be submitted before 3Q October of each year. At the time of the audit only one department had submitted the 1995 returns. The policies as prescribed in Chapter E, Part III of the PSSC, were also not always applied. Some of the concepts were also not well understood by staff within the various departments, which led to a lack of commitment in applying the policies.
(d) Control over assets: Policy did not require that fixed asset registers should be kept. However, in terms of Chapter N7 of the Financial Handbook, an inventory of assets should be kept. Complete and accurate inventories in respect of IT assets did not always exist. It was therefore not possible to determine whether all IT assets were being used efficiently and effectively. Computer audits at, for example, the South African Revenue Service, revealed that an inventory of IT assets had not been kept in respect of 54 of the 78 revenue offices.
(e) Staffing: Adequate measures to prevent over-dependence on consultants, did not always exist. A policy document on the management and utilisation of consultants, Chapter E VII of the PSSC, was issued on I July 1996. Computer audits conducted at various departments indicated that extensive use was being made of IT consultants and that the departments were still heavily dependent on them.
The position as on 29 August 1996 in respect of the Financial Systems
Section of the DSE for example, was as follows:
| Filled IT posts | 18 | 62% |
| Vacant IT posts | 11 | 38% |
| Total posts | 29 |
The 18 personnel members at the Financial Systems Section were, amongst others, responsible for controlling 221 consultants, which composed the following:
PERSAL 38, PAS 65, BAS 105 and FMS 13.
At the time of the audit, four persons that had resigned from the DSE were working as consultants for the DSE.
Adequate division of duties and control over the functions of the consultants were also not always ensured. A computer audit of the general controls at the Department of Public Works indicated that no division of duties existed within the CIS function (as between managers and programmers). The work was carried out by two programmers from a consultancy firm. Personnel at management level also did data editing by means of Terminal Control Language (TCL).The programmers had direct access to production programs and data libraries. Testing of program changes was also occasionally executed by the programmers in the production environment.
A computer audit of the general controls at the Department of Trade and Industry indicated that an adequate division of duties in respect of the CIS function at the Board for Regional Industrial Development did not exist. The CIS function comprised three consultants and a Director: Support. No formal policy for application programming, security administration, the maintenance of systems software, data control and protection, telecommunications and the CIS department management function, was documented in order to ensure accountability and to fix responsibility.
(f) General controls: As reported in the Report of the Auditor-General on the Accounts of the National Government for 1995-96 WARP 40/1997], computer audits of general controls carried out thus far by my Office, have revealed substantial shortcomings in organisational structure, operating procedures, program change controls, physical security, logical security and contingency planning. These general control weaknesses can in many instances be attributed to an inability to attract and retain experienced personnel and poor control over consultants. The lack of formal guidelines regarding general controls in the different computer environments also aggravated this unsatisfactory situation.
(4) Service and performance orientation and measurement: (a) Quality assurance: The policy on quality assurance is included in paragraph 8.1 of Chapter E III of the PSSC. This refers to the measurement and evaluation of processes and end products against functional standards as documented in departmental methodologies. It also specifies in paragraph8.2.3 that a department's quality assurance plan must conform to the standards as set out in the SABS ISO 9000 series. Owing to the limited use of SDLC methodologies and the fact that the policy was not always adequately enforced, measures regarding quality assurance were generally not applied.
(b) Computer aided systems engineering: Computer aided systems engineering (CASE) tools were generally not used in the development of projects.
(c) Service-orientation: Although certain steps had been taken, surveys indicated that the Central Computer Services (CCS) was still not sufficiently service oriented. The CCS issued a questionnaire to its users during November 1994. The survey indicated that 29 per cent of users were dissatisfied with certain services rendered. A performance audit survey conducted during 1995 confirmed that approximately 25 per cent of users were dissatisfied with services rendered by the CCS. The CCS subsequently indicated that a system of continuous evaluation was commenced with during May 1996. A component for user communication has also been established at Deputy Director level at the CCS.
(d) Service level agreements: Formal service level agreements between user departments and the CCS did not always exist, due to reluctance by departments to sign such agreements. This was, for example, confirmed during computer audits conducted during June 1996 at Bureau Oranje and Bureau Western Cape.
(e) Recovery of operating expenditure: Measures to ensure that operating expenditure at the bureaus was recovered optimally, were still inadequate.
A performance audit survey conducted during 1995, concluded that the follow-up and collection of long outstanding debtors at Bureau Nucleus, were inadequate.
With reference to paragraph 4 on page 397 of the Report of the Auditor-General on the Accounts of the National Government for 1994-95 [RP 22511995], it was indicated that the position relating to amounts owing by debtors for computer services rendered, had further deteriorated and the outstanding amount had increased to R69 million on 31 March 1996.
(a) Due to unique departmental requirements, no formal management information system has been developed yet. It is, however, foreseen that provision will be made for a data warehouse and/or integrated/co-ordinated management information once General Accepted Accounting Practices (GAAP) are incorporated in the financial systems.
(b) At the time of the development of PERSAL, EMS and PAS, the CASE methodology was still in the development phase and therefore not considered for these systems. The CASE methodology was, however, investigated and applied with the development of the BAS.
(c) Formal service level agreements will be negotiated with all users and suppliers once GAAP is implemented as an integrated part of financial systems.
(d) The CCS visited several institutions during the past year in order to investigate the establishment of an effective electronic emergency disaster recovery plan (EDRP). Various software packages were also investigated and tested at the CCS. The stage has been reached where a tender document is being prepared to address the risk analysis, disaster recovery planning, electronic vaulting, analysis and recovery.
The tender provides for the successful tenderer to assist the CCS with the compilation of an EDRP and provides for the transfer of skills in order for the CCS to eventually carry out the task independently. A request to proceed to tender will serve before the IT Committee on 4 March 1997.
(e) The expected target date for the finalisation of the CCS's IT asset inventories is 31 May 1997.
(f) A team of recently appointed officials is currently consolidating the various accounts and is following up current outstanding debts of approximately R45 million.
(2) In his comments on the key findings in paragraph 2, the Director-General of the DPSA refers to several corrective steps taken and measures proposed, the effectiveness of which will be investigated by Audit in due course. The following are examples of the steps taken and measures envisaged:
(a) The ITEXCOM was established and convened for the first time on 16 October 1996.
(b) A policy work group, consisting of representatives from a number of departments and provincial administrations, was assigned the task of revisiting the IT policy as contained in Chapter E of the PSSC. The work group will also make recommendations to the ITEXCOM meeting of 30 January 1997 regarding a vision for IT in the Public Service, as well as the mandate, scope and functioning of the ITEXCOM.
(c) It is envisaged that the functions of the ITEXCOM would be:
(e) One of the proposals of the policy work group to the ITEXCOM deals with the submission of annual IT business plans by departments to enable the work group to perform its co-ordinating role. This proposal should result in better planning within departments and co-ordination between departments.
(f) Development of policies will in future always be done in participation with the other stakeholders. This approach should address the current lack of commitment by departments by reaching consensus regarding policy issues and thus establishing ownership.
(g) Regarding the problem of concepts which are not well understood by departments, the intention is to place greater focus on the marketing of a new policy in future.
(h) The implementation of a systems register is still under investigation. The establishment of a home page on a web server to provide information to departments and other interested panics by means of the Internet, is envisaged. Information such as the systems register, new policy and best practices will be made available in this way.
(i) Questionnaires have been sent out to all departments to determine the current state of information management and to promote the realisation of sound information management. A draft policy on information management has been completed and workshops have been held with all departments and some provincial administrations. Tender specifications are being finalised to establish an information architecture framework for the Public Service.
(j) The DPSA also plays a leading proactive role regarding the Year 2000 problem. Departments and role players have been made aware of the seriousness of the situation, and a tender to make scarce skills available where needed, is also currently being finalised.
(10/1/B/3/30/1)
(a) Determine with whom the responsibility for the overall strategic management and monitoring of information technology should rest.
(b) Determine and allocate the responsibilities of the various role players in the information system value chain.
(c) Establish clearly formulated policy and guidelines in respect of the operation of computer services in the Central Government which address, inter alia, the following aspects:
(e) Determine guidelines for the co-ordination and communication between departments with regard to the acquisition and utilisation of information technology.
2. REPLY ON RESOLUTION NO. 1 OF THE FIRST REPORT, 1993: (1) Internal reporting criteria (paragraph C(iii)): (a) Provision has been made. at venous levels within directorates and the Central Computer Services (CCS), for a variety of report-back meetings. Meetings are scheduled to occur at regular predetermined intervals. Various business/parameters! indices are discussed, depending upon the particular meeting, for example:
During the weekly management meetings of the various directorates the availability of equipment/services during the previous week, user problems, operational planning for the following week, and project progress are discussed.
Monthly meetings are earmarked to discuss progress statistics, finance (operational income/expenditure, tariffs and capital measured against existing plans), personnel affairs (APCs), as well as reports on the position of IT equipment (occupation, problems and future plans). Meetings are also held with users (user group meeting) as well as report-backs to the Computer Advisory Committee.
(a) Personnel evaluation and budgetary planning meetings are held regularly according to a fixed schedule.
(b) Monthly progress statistics are provided and evaluated (GOVNET).
(c) Both textual and graphic technical reporting on the effectiveness of equipment and networks is being done and continuously reviewed by data technologists who are specifically responsible for this task. Performance criteria have been specified in respect of central processor utilisation, the utilisation of disk packs, monitoring of databases, monitoring of response time, and utilisation of non-impact printers. Monitoring is carried out at intervals specified by the guideline for the specific parameter.
(d) Automatic problem isolation, in respect of programs, equipment, facilities, networks and the operation of application systems, is being done with the help of products such as "Info Management System". These reports are usually compiled on a daily basis to enable senior and cost centre management to take the necessary corrective action.
(2) Operational policy and project management (paragraph C(iv)): (a) Operational policy:
(b) A guideline upon which computer tariffs are based, has been set in an attempt to restrict expenditure to a 2% annual growth.
(c) The cost analysis method through which information is obtained for use in the determination of computer tariffs has been improved. The CCS will endeavour to determine and recover the actual operational expenditure through the tariff structure. Work is being done to refine the cost analysis method further.
(d) Recovery of expenditure is done through monthly invoices. Invoices are sent out during the first two weeks of the month. A summary of all invoices sent is recorded in the EMS system. Reminders for outstanding monies are sent on a regular basis. Good progress has already! been made with the development of a debtors control system (for use by all cost centres). Automatic reminders will be generated by this system.
(4) Responsibility for and control over assets (paragraph C(vi)): (a) Inventories of equipment exist at present. A guideline in respect of the implementation of acceptable asset registers at each cost centre and other directorates within the CCS has been accepted. Basic asset registers already exist at a number of cost centres.
(b) Each cost centre and directorate within the CCS has been given the responsibility for the maintenance of its asset register.
(c) The manual Provisioning Administration System (PAS) has, to all intents, been implemented within the CCS. The conversion to the computerised system is receiving attention at present. Personnel of the Directorate: Information Technology are investigating methods which will allow asset registers to be coupled with the computerised.
(5) Performance measurement and liability (paragraph C(vi)): (a) All cost centres are required to have monthly user group meetings. Performance, as perceived by the cost centre users is reported and evaluated during these meetings. The performance of GOVNET has improved to such an extent that GOVNET users in the Transvaal have requested that meetings be held on an ad hoe basis, if and when necessary.
(b) Performance questionnaires are sent out at regular intervals, or when specifically required.
(c) Both verbal and formally documented service level agreements exist between users and bureaus.
(d) Technical performance measurement mechanisms, for computer equipment and networks in respect of their technical operating performance. have been implemented. Information froth these mechanisms is used in planning the optimal economic use of existing facilities.
(e) Personal visits are conducted to individual users during which their problems and perceptions of the service are discussed. The Sub-directorate: User Communication has been created in CCS to. among other duties. promote this action
(6) Disposition to service provision (paragraph C(viii)): (a) As a guideline to promote an appropriate disposition towards service provision. cost centres have been requested to provide active help desks. Man; help desks already exist in the CCS
(b) The managements of CCS cost centres are required to actively promote the concept of a positive disposition to service provision among their personnel. At central and more senior management level the same approach is emphasised during monthly management meetings and strategic planning sessions.
(c) Verbal and written service level agreements together with formal mechanisms are employed to highlight poor performance areas
(d) The provision of a regular information bulletin/ publication is
being investigated to provide users with
information about the CCS and promote the organisation's services.
(e) Many of the CCS bureaus have already introduced policy wherein the more senior officers the bureau provide their home telephone numbers to users, for assistance after official working hours.
(f) Emphasis is placed on training of CCS personnel to ensure that the service provided to users is based on in-depth expertise.
3. RESOLUTION NO. 3 OF THE FIRST REPORT, 1994: (1) The Committee, having heard and considered evidence on the Replies of the Department of State Expenditure to Resolution 1 of its First Report, 1993 and Resolution 4 of its Second Report, 1992, has taken note of the corrective steps already taken.