In The Public Eye

Municipalities’ IT controls need vast improvement

Oupa Mbokodo Oupa Mbokodo

The Auditor-General recently released the General Report on Local Government Audit Outcomes for 2015-2016, which gives an insight into the health of municipal finances. The report makes for concerning reading on a number of fronts, including the still high levels of irregular and wasteful expenditure.

We are particularly concerned about the state of the IT departments in local government, as weak controls leave the environment vulnerable to manipulation and potential corruption. Of the 262 municipalities assessed in the period, only 18% were found to have controls that were deemed ‘good’.

While this represents a marginal improvement from the previous two years – when this number stood at 10% and 6%, in 2014/5 and 2013/14, respectively – it is still far from a desirable situation.

 

The quality of IT controls at 52% of municipalities were listed as ‘of concern’, while 30% were cited as ‘intervention required’. The latter figure has improved since the previous year – when 39% of municipalities were rated in this category – but there is still not enough positive momentum.

Why is this a problem?

Any organisation with reliable IT controls and good governance in this area can ensure the confidentiality, integrity and availability of data and information, which ultimately ensures better service delivery for the people that the local government serves. The recently reported incident of security and data privacy breaches should worry communities and municipal officials.

The root of problems with IT controls stem from a lack of proper corporate governance at the head of institutions and overall accountability. Only 56% of the municipalities reviewed had Chief Information Officers (CIO) or IT managers with the required qualifications and experience. The rest of the municipalities had either not filled these positions, or did not have approval for appointing managers in these roles. A CIO or head of IT develops a strategy and ensures delivery against the approved strategy.

Local governments have also suffered from the skills deficit in IT resources in the country, and they often find it challenging to attract managers to the public sector, especially for roles outside of the main metros.

Another problem that a great deal of municipalities face, is the effect of managers changing all too frequently, depending on changes in the local political make-up. These changes mean that the approval of key appointments and strategies are often delayed.

Can this be fixed? 

The National Treasury and Department of Cooperative Governance and Traditional Affairs have been offering training and skills development to those local governments with IT controls of an unacceptable standard. However, this is much more difficult to implement without the right leadership and appropriate corporate governance at institutions.

From the report it is evident that the picture can already improve significantly if municipalities immediately fix certain basic elements. User access management is the biggest area of concern within IT controls, with 35% of the assessed offices requiring intervention in this area.

If they can pay attention to the basic area, which includes creating and managing user profiles and assigning appropriate rights to users, this could have a major positive impact on the number of incidents involving unauthorised users that continue to have access to systems, or users having significantly advanced rights in the system than they should be entitled to.

Another basic function to address is the proper documentation of procedures and strategies, which will ensure continuity of the system if there are changes to the management of the IT division or municipality leadership. It is of crucial importance that systems and service delivery can continue to operate as usual regardless of who leads a government institution.

Think differently about solutions

Leaders in local government should familiarise themselves with the latest developments in IT management, and should perhaps consider using “managed services” as a form of complementing existing capability (outsource certain elements of their IT function), provided they get value for money.

Municipalities – especially where there are groups of three or four in close proximity and outside of the main metros – are good candidates for creating clusters and using shared services. This means that one IT professional could service several municipalities and so remove duplication and reduce unproductive time. District municipalities could play a role in effecting this approach.

Importantly, when municipalities use consultants to work within the local office, there must be an element of skills transfer in the service level agreement. It is simply not sustainable for municipalities to outsource large chunks of their functions, and not gain any skills over the longer term.

Conclusion

While certain municipalities have shown some improvement and the environment for IT controls is looking better compared to the recent past, there is still room for a lot of improvement in one of the most essential elements of local governments before we can eventually see more positive audit results for municipalities.