Information Technology Audits: Western Cape Widaad Solomons (Senior Manager – Information Systems Audit) 06 Sep 2013
Jan 19, 2016
Reputation promise/mission
The Auditor-General of South Africa has a constitutional mandate and, as the Supreme Audit Institution (SAI) of South Africa, it exists to strengthen our country’s democracy by enabling oversight, accountability and governance in the public sector through auditing, thereby building public confidence.
Audit Objective
Assess IT Controls
International Standards on Auditing (ISA 315 & ISA 330)
Support RA
Regulations (PFMA, MFMA, Public Service Regulations)
Types of IT Audits
IT Audits
General Controls Review
Application Controls Review
Data Analytics
Network Security
ERP Reviews
Project Assurance (SDLC)
IT Audit of Predetermined Objectives (AOPO)
2011-12: Municipalities Audited
1. Beaufort West
2. Bergriver *
3. Bitou
4. Breede Valley
5. Cape Agulhas *
6. Cape Winelands District
7. Cederberg *
8. Central Karoo District
9. City of Cape Town
10. Drakenstein
11. Eden District
12. George
13. Hessequa
14. Kannaland *
15. Knysna
16. Laingsburg
17. Langeberg
18. Matzikama
19. Mossel Bay
20. Oudtshoorn *
21. Overberg District *
22. Overstrand
23. Prince Albert
24. Saldanha Bay
25. Stellenbosch
26. Swartland
27. Swellendam *
28. Theewaterskloof
29. West Coast District
30. Witzenberg *
* Not included in 2011-12 GR
2011-12: General Controls Review Focus Areas
IT Governance
Security Management
User Access Control
IT Service Continuity
Test of controls: Design, Implementation, Operating Effectiveness
2011-12: IT Governance (SLAs, monitoring, IT Gov Framework, IT Risk Mgmt)
Auditee | Province | Design | Implementation | Operating Effectiveness | No Findings
Beaufort West Municipality Western Cape 1
Bitou Municipality Western Cape 3
Breede Valley Municipality Western Cape 3
Cape Winelands District Municipality Western Cape 3
Central Karoo District Municipality Western Cape 3
City of Cape Town Western Cape 3
Drakenstein Municipality Western Cape 3
Eden District Municipality Western Cape 3
George Municipality Western Cape 3
Hessequa Municipality Western Cape 3
Knysna Municipality Western Cape 3
Laingsburg Municipality Western Cape 3
Langeberg Western Cape 3
Matzikama Local Municipality Western Cape 3
Mossel Bay Municipality Western Cape 3
Overstrand Municipality Western Cape 3
Prince Albert Municipality Western Cape 3
Saldanha Bay Municipality Western Cape 3
Stellenbosch Municipality Western Cape 3
Swartland Municipality Western Cape 3
Theewaterskloof Municipality Western Cape 3
West Coast District Municipality Western Cape 3
2011-12: Security Management (IT security policy, password settings)
Auditee | Province | Design | Implementation | Operating Effectiveness | No Findings
Beaufort West Municipality Western Cape 3
Bitou Municipality Western Cape 3
Breede Valley Municipality Western Cape 3
Cape Winelands District Municipality Western Cape 3
Central Karoo District Municipality Western Cape 3
City of Cape Town Western Cape 3
Drakenstein Municipality Western Cape 3
Eden District Municipality Western Cape 1
George Municipality Western Cape 3
Hessequa Municipality Western Cape 3
Knysna Municipality Western Cape 1
Laingsburg Municipality Western Cape 3
Langeberg Western Cape 3
Matzikama Local Municipality Western Cape 3
Mossel Bay Municipality Western Cape 3
Overstrand Municipality Western Cape 1
Prince Albert Municipality Western Cape 3
Saldanha Bay Municipality Western Cape 3
Stellenbosch Municipality Western Cape 3
Swartland Municipality Western Cape 3
Theewaterskloof Municipality Western Cape 3
West Coast District Municipality Western Cape 3
2011-12: User Access Control (Policy, access requests, monitoring)
Auditee | Province | Design | Implementation | Operating Effectiveness | No Findings
Beaufort West Municipality Western Cape 3
Bitou Municipality Western Cape 3
Breede Valley Municipality Western Cape 3
Cape Winelands District Municipality Western Cape 3
Central Karoo District Municipality Western Cape 3
City of Cape Town Western Cape 2
Drakenstein Municipality Western Cape 3
Eden District Municipality Western Cape 3
George Municipality Western Cape 3
Hessequa Municipality Western Cape 3
Knysna Municipality Western Cape 3
Laingsburg Municipality Western Cape 3
Langeberg Western Cape 3
Matzikama Local Municipality Western Cape 3
Mossel Bay Municipality Western Cape 3
Overstrand Municipality Western Cape 3
Prince Albert Municipality Western Cape 3
Saldanha Bay Municipality Western Cape 3
Stellenbosch Municipality Western Cape 3
Swartland Municipality Western Cape 3
Theewaterskloof Municipality Western Cape 3
West Coast District Municipality Western Cape 3
2011-12: IT Service Continuity (DRP, policy, backups, testing)
Auditee | Province | Design | Implementation | Operating Effectiveness | No Findings
Beaufort West Municipality Western Cape 3
Bitou Municipality Western Cape 3
Breede Valley Municipality Western Cape 3
Cape Winelands District Municipality Western Cape 3
Central Karoo District Municipality Western Cape 3
City of Cape Town Western Cape 2
Drakenstein Municipality Western Cape 3
Eden District Municipality Western Cape 3
George Municipality Western Cape 3
Hessequa Municipality Western Cape 3
Knysna Municipality Western Cape 3
Laingsburg Municipality Western Cape 3
Langeberg Western Cape 3
Matzikama Local Municipality Western Cape 3
Mossel Bay Municipality Western Cape 1
Overstrand Municipality Western Cape 3
Prince Albert Municipality Western Cape 3
Saldanha Bay Municipality Western Cape 3
Stellenbosch Municipality Western Cape 3
Swartland Municipality Western Cape 3
Theewaterskloof Municipality Western Cape 3
West Coast District Municipality Western Cape 3
Root Causes
People
• Existing IT personnel not sufficiently skilled and vacancies not filled.
• Overreliance on IT vendors / 3rd party service providers – no skills transfer.
• Municipalities receive minimal support from key role players regarding IT matters e.g. OTP, SALGA, Department of Local Gov
• Department of Local Government currently not focused on fulfilling mandate regarding support to local government
Accountability
• Lack of ownership of commitments as progress in addressing previous year’s IT findings has been minimal.
• No consequences in place for not honouring commitments to resolve IT findings.
Sustainability
• IT is not viewed as a strategic priority, but rather as an operational activity
• Inadequate discipline in terms of tracking the progress made in addressing IT audit findings by oversight committees, management and Internal Audit
Key Role Players
Dept Local Govt
• Liaise with National COGTA to provide legal framework for local government by launching the Municipal Structures Act and the Municipal Systems Act
• However, the above is not fully effective and functional for IT at local government
PGITO/OTP
• Provide coherent strategic leadership and coordination in provincial policy formulation and review, planning and overseeing service delivery planning
• Ensure Integrated Development Plans (IDPs) are also harmonised with provincial growth and development strategies and reflect national priorities
• However, the above is not fully effective and functional for IT at local government
District Municipalities
• Municipal executive and legislative authority over a large area
• Primary responsibility being district-wide planning and capacity-building.
• Within a district council individual local councils share their municipal authority with the district council under which they fall
• However, the above is not fully effective and functional for IT at local government
Quick Wins
IT Governance - All municipalities to ensure proper SLAs are entered into with IT service providers, including district municipalities, as well as the monitoring thereof. Alignment / adoption of IT Governance framework that was approved by DPSA.
Security Management - IT security policy to be developed and implemented by all municipalities, and Information Security Officer can be shared by all municipalities within a district.
User access management - User access policies and procedures to be developed at all municipalities and periodic review of user access.
IT service continuity planning - Backup and retention procedures to be developed and implemented to ensure critical data backup occurs, data is taken off-site and its recoverability is tested.
2012-13 Audit Scope
1. Beaufort West
2. Bergriver
3. Bitou
4. Breede Valley
5. Cape Agulhas
6. Cape Winelands District
7. Cederberg
8. Central Karoo District
9. City of Cape Town
10. Drakenstein
11. Eden District
12. George
13. Hessequa
14. Kannaland
15. Knysna
16. Laingsburg
17. Langeberg
18. Matzikama
19. Mossel Bay
20. Oudtshoorn
21. Overberg District
22. Overstrand
23. Prince Albert
24. Saldanha Bay
25. Stellenbosch
26. Swartland
27. Swellendam
28. Theewaterskloof
29. West Coast District
30. Witzenberg
Full coverage (30 Municipalities):
• ISA Audit
• RA Checklist
2012-13 Audit Scope
All Municipalities
• GCR
• IT Governance
• Security Management
• User Access Management
• IT Service Continuity
• Data Analytics
Key Municipalities
• GCR
• IT Governance
• Security Management
• User Access Control
• IT Service Continuity
• Data Analytics
• Audit of Predetermined Objectives (AOPO)
• Network Security
• ERP Security (if applicable)
2012-13 Audit Approach
1. Follow up on 2011-12 findings
2. If progress, perform full audit
3. If no progress, NO EXECUTION
4. Reporting
QUESTIONS?