Internal Audit Report - Information Communication ... · PDF fileInternal Audit Report - Information Communication Technology (ICT ... Internal Audit Report - Information Communication

ABCD

Public Administration Leadership and

Management Academy

Internal Audit Report - Information Communication

Technology (ICT) Assets Review

January 2012 This report contains 40 pages

© 2012 KPMG International. KPMG International is a Swiss cooperative of which all KPMG firms are members. KPMG International provides no services to clients. Each member firm is a

separate and independent legal entity and each describes itself as such. All rights reserved.

ABCD Public Administration Leadership and Management Academy

Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012

i © 2012 KPMG . All rights reserved.

Distribution

To Take Action

For Information

Discussed Prior to Release

Director-General

Prof. L. Mollo

DDG: Governance and Strategic Support

Ms M Manjezi

Chief Financial Officer

Ms P Mkwanazi

Chief Director: Corporate Services

Mr J Mela

Audit Committee

Auditor-General SA



ii © 2012 KPMG . All rights reserved.

Contents

1 Introduction 1 1.1 Mandate 1 1.2 Objective and Scope 1 1.3 Management’s responsibilities 1 1.4 Purpose and restriction of distribution and use of this document 2 1.5 Disclaimer 2 1.6 Appreciation 2 1.7 Conclusion 3 1.8 Approval 3

2 Executive summary 4 2.1 Overall Report Rating – Conclusion 4 2.2 Summary of findings 6 2.2.1 Summary of detailed Findings 7 2.2.2 Summary of Performance Improvement Observations 12

3 Detailed findings 16 3.1 Updating the IT Asset Register with ICT asset movements 16 3.1.1 Procured ICT assets not captured on the IT Asset Register 16 3.2 Disposal of ICT assets 19 3.2.1 Timelines regarding recommendation for disposal and write-off 19 3.2.2 Movement of ICT assets not updated on the IT Asset Register 22

4 Performance Improvement Observations 26 4.1 Procurement of software 26 4.2 Submission of ICT assets for disposal 28 4.3 Loss cases for ICT assets pending since 2009 30 4.4 Reporting of investigation results to Asset Management 32 4.5 Management of the IT Storeroom and IT Server Room 33

5 Sampling 35



1 © 2012 KPMG . All rights reserved.

1 Introduction

1.1 Mandate KPMG Services (Pty) Ltd has been appointed as the outsourced internal auditors of the Public Administration Leadership and Management Academy (“Palama”) for the 2011 / 2012 financial year.

In accordance with the approved Annual Internal Audit Plan for the 2011 / 2012 financial year we performed a risk-based internal audit review on the process (es) in place to ensure adequate and effective procurement and management of Information Communication Technology (ICT) assets.

1.2 Objective and Scope In terms of the Palama Annual Internal Audit Plan for the 2011/ 2012 financial year, we were required to perform an internal audit review that entailed the evaluation and testing of the adequacy and effectiveness of controls in place relating to the procurement and management of Information Communication Technology (ICT) assets. Controls were identified in conjunction with the staff in the Information Technology (IT) Directorate to manage the following risks:

• Non-compliance to the normal ICT asset procurement procedures which may lead to irregular expenditure and/or fruitless and wasteful expenditure.

• Non-compliance to the normal ICT asset disposal procedures which may lead to the disposal of assets which are still usable or financial loss.

• ICT assets that are disposed of may not be removed from the asset register which may lead to overstatement of assets in the financial statements – the relevant controls could not be tested as no disposals were approved during the period under review.

• Non-compliance to the normal loss management procedures which may lead to financial loss and/or fruitless and wasteful expenditure.

• ICT assets that are lost may not be removed from the asset register which may lead to overstatement of assets in the financial statements - the relevant controls could not be tested as no investigations were finalised during the period under review.

The review covered the period 1 April 2011 to 30 September 2011 and only information and documentation for the aforementioned period was evaluated.

Refer to section 5 for sample sizes.

1.3 Management’s responsibilities Management is responsible for the establishment and maintenance of an effective system of governance to:

• Establish and communicate organisational goals and values;

• Monitor the accomplishment of goals; and




• Ensure accountability and values are preserved.

Management is further responsible for the establishment and maintenance of an effective system of internal control. The objectives of the system of internal control are, inter alia, to provide management with reasonable, but not absolute, assurance that:

• Risks are properly managed;

• Assets are safeguarded;

• Financial and operational information are reliable;

• Operations are effective and efficient; and

• Laws, regulations and contracts are complied with.

1.4 Purpose and restriction of distribution and use of this document The purpose of the report is to communicate the results of the review to management.

This report is intended solely for use by management of Palama. No party other than those to whom it is addressed may rely upon this report for any purpose whatsoever. It must not be made available or copied in whole or in part to any other party without Palama’s prior written consent.

1.5 Disclaimer Whilst our report details those errors and weaknesses, which came to our attention during our review, the responsibility for the prevention and detection of irregularities and fraud rests with management. We have planned our review so that we have a reasonable expectation of detecting weaknesses and deficiencies in the system of internal controls, however, our review should not be relied upon to disclose all irregularities and fraud, which may exist.

Management representations made are considered to form part of our audit evidence. Any management representations were accepted on face value and in good faith, with only limited evaluation to assess for reasonableness.

1.6 Appreciation We would like to thank the management and staff of Palama for their assistance during the review and for making time available for meetings, queries and preparation of requested documentation.




1.7 Conclusion Ratings awarded represent the conclusions of Internal Audit based on the results of the audit of a process or audit area. The control environment was rated using the following criteria:

Rating Definition

Inadequate

[Red]

Majority of our findings are serious and require immediate management intervention to achieve business objectives.

Needs Improvement

[Orange]

Majority of our findings are medium risks that require management focus to rectify.

Satisfactory

[Yellow]

Some control deficiencies were identified; however, these were mainly administrative in nature and can easily be rectified.

Good

[Green]

Internal controls are operating effectively (subject to the limitations of sample testing).

Based on our audit work performed and subject to our findings detailed in Section 3, we report that the Palama processes that are in place to ensure adequate and effective procurement and management of ICT assets needs improvement.

Please note that the conclusions as indicated below, are based on sample testing and only applies to the controls evaluated that relate to the key risks identified in our scope.

1.8 Approval

KPMG Services (Pty) Ltd takes responsibility for this report, which is prepared on the basis as set out above and which has been discussed and agreed with management. As from the date of this report, we take no responsibility for any changes or amendments that are subsequently made.

Paresh Lalla Director

Date: January 2012




2 Executive summary Our findings for this review are summarised in the table below. The summary of findings is referenced to the detailed findings in section 3.

2.1 Overall Report Rating – Conclusion

Tabled below is an overall conclusion on each of the areas within the scope of this review.

Non-compliance to the normal ICT asset procurement procedures which may lead to irregular expenditure and/or fruitless and wasteful expenditure

Conclusion Reference to detailed finding

Controls tested

• Procured ICT assets are captured on the IT Asset Register. Inadequate [Red]

3.1.1

• Adequate authorisation for the purchase of ICT assets within the Directorate: IT. Good [Green]

Not applicable

• Adherence to SCM procedures for obtaining quotations from the SITA database. Good [Green]

Not applicable

Non-compliance to the normal ICT asset disposal procedures which may lead to the disposal of assets which are still usable or financial loss.


Controls tested

• Assets set aside for disposal are approved by the relevant delegated authority. Inadequate [Red]

3.2.1

• The IT Asset Register is updated with assets set aside for disposal. Inadequate [Red]

3.2.2




Non-compliance to the normal loss management procedures which may lead to financial loss and/or fruitless and wasteful expenditure.


Controls tested

• All documentation (forms and registers) regarding losses is adequately completed. Good [Green]

Not applicable

Additional observations

• Software should be procured by the Directorate: IT. Needs Improvement [Orange]

4.1

• Processes should be established for the periodic evaluation and approval of assets for disposal. Needs Improvement [Orange]

4.2

• Investigations into losses should be finalised within two (2) months. Inadequate [Red]

4.3

• Results of investigations should be reported to Asset Management by email. Satisfactory [Yellow]

4.4

• The IT server room and storeroom should be kept neat and tidy. Satisfactory [Yellow]

4.5

Overall conclusion Needs Improvement [Orange]




2.2 Summary of findings

The section below sets out the detailed ratings allocated to each finding and represents the results of the audit testing performed and the findings identified.

Risk indicator Definition

Major [Red]

A fundamental and critical control weakness, which hampers operations, and therefore requires immediate management action.

Significant [Orange]

Control weakness considered to be of a serious nature that should receive management attention in the short term.

Housekeeping

[Yellow]

These weaknesses do not represent a risk to the environment and can usually be corrected at minimal cost. The resolution will lead to an improvement of the operations’ efficiency, and/or effectiveness. It is not considered a critical issue.

Performance Improvement Observation An opportunity for improvement (outside of the scope of this assignment) was identified and brought to the attention of management, as a value added service.

Note: The same rating system as above was used to rate performance improvement observations




2.2.1 Summary of detailed Findings We summarise herewith the results of the internal audit. The summary of findings is referenced to the detailed findings in section 3.

Management control Finding Finding rating Management comments and action plans

Procured ICT assets not captured on the ICT asset register

• The following is stated in paragraph 4.2.5 of the Information Technology Equipment Procurement Guideline approved on 1 September 2009:

“All procured items shall be placed on the relevant asset register by the Directorate: Supply Chain Management.”

• Furthermore, paragraph 4.2.6 states that:

“Once the IT Section has certified that the delivered equipment is according to specification the items will be bar coded by the Directorate: Supply Chain Management.”

The following discrepancies were noted with respect to the capturing of procured ICT assets:

• According to a list of ICT assets obtained from the IT Administrator five (5) ICT assets had been procured.

• According to the asset register only two (2) ICT assets had been procured.

[Refer to detailed finding 3.1.1 ]

Major [Red]

Management Comment

• In agreement with the finding. This is as a result of the backlog in asset administration caused by limited capacity during the current financial year which was exacerbated by subsequent resignation of the Deputy Director responsible. The assets received and bar-coded will be updated on the asset register.

• The asset recording process starts after assets have been certified as received and SCM barcodes the assets. The asset register is updated with the asset number, location, supplier, invoice and order number. A monthly reconciliation is conducted between asset register and general ledger. The asset verification is conducted on a quarterly basis whereby the asset register is reconciled with the assets on the floor.

Action Plan

After assets have been certified as received by IT, SCM will barcode the asset.





The barcode number will be recorded on the receipt voucher by SCM.

Responsible Individual

Director: SCM

Implementation date

Continuous 1 March 2012

Action Plan

After the asset has been bar-coded, the asset will be paid for by Finance – no asset should be paid for if the receipt voucher does not reflect a barcode number.


Director: SCM

Implementation date

1 March 2012

Action Plan

The asset register will be updated by SCM to reflect the purchase of the asset.


Director: SCM

Implementation date

1 January 2012





Timelines for recommendation for disposal and write-off

• After the Asset Disposal Committee has discussed the recommendation of ICT assets for disposal on a quarterly basis, a submission recommending the disposal and write-off of ICT assets from the asset register should be compiled and be submitted to the Director General for approval

• The draft minutes for the Asset Disposal Committee meeting of 7 October 2011 do not indicate whether the ICT assets recommended for disposal by the Directorate: IT were approved for disposal by the Committee as well as what method of disposal will be utilised, i.e. no decision had been taken at this meeting to dispose of the assets.

[Refer to detailed finding 3.2.2]

Major [Red]

Management Comment

• The process of disposal is that the asset controllers will identify the assets to be disposed and recommend to asset management. The asset manager will recommend to the Disposal Committee as and when assets have been identified. The committee will then recommend the way of disposal to the Director-General for approval. After the approval the assets will be disposed off.

• In agreement with the finding, the Disposal Committee did not make a final recommendation at the time of the audit review and therefore the disposal could not be recommended to the DG.

Action Plan

Standard operating procedures for asset disposal will be developed to support the Asset Management Policy.


Director: SCM

Implementation date

February 2012





Movement of ICT assets not updated on the IT Asset Register

• In accordance with best practice, the asset register should be updated with the location of assets when assets are acquired; disposed of and as assets are transferred (both internally and externally).

The following discrepancies were noted with respect to the location of ICT assets which had been set aside for disposal:

• The location of the entire sample of 15 ICT assets recommended for disposal which were selected from the IT asset register did not agree to the physical location.

• The location of three (3) out the sample of five (5) ICT assets selected from the floor and traced to the IT asset register did not agree to the register.

[Refer to detailed finding 3.2.2 ]

Major [Red]

Management Comment

• The process of asset movement commences when there is a need for movement. The user will complete the correct asset movement form signed off by the asset controller and asset manager. The movement is captured on BAUD asset management system. The asset physical location is confirmed or corrected through quarterly asset verification audits and assets location updated accordingly in the asset register.

• In agreement with the finding. After the resignation of the Deputy Director: Assets, no official was available to be assigned to asset administration and this lack of capacity has resulted into serious backlog in asset management. Recruitment process is currently underway for the appointment of both the Deputy Director and Administrator: Assets.

• Whilst awaiting the recruitment process to be finalised, the acquisition personnel is assisting with the general asset administration and verification on a periodic basis. The updating of the asset register will be completed once the





quarterly verification is finalized however, the location of the identified items will be corrected with immediate effect.

Action Plan

Recruitment process is currently underway for the appointment of both the Deputy Director and Administrator: Assets.


Corporate Services and Finance

Implementation date

1 April 2012

Action Plan

Updating of the asset register Responsible Individual

Director: SCM

Implementation date

31 January 2012




2.2.2 Summary of Performance Improvement Observations

Observation Finding rating Management comments and action plans

Procurement of software

There is currently no centralised procurement of Software. Individual branches purchase their own software without informing IT. IT is therefore uncertain of whether the software purchased by other branches was procured via the SITA supplier database.

[Refer to detailed observation 4.1]


Management Comment

• Refer to action plan below.

Action Plan

The draft Palama ICT Asset Acquisition Policy will be finalised and approved by the relevant delegated authority as soon as possible and then communicated to all employees.


Director: ICT

Implementation date

30 April 2012

Action Plan

The Directorate: IT should install the software on the relevant user’s computers and should control the number of computers on which software has been installed in order to comply with license agreements. The Directorate: IT should be the custodian of all relevant software material relating to the installation of software.


Director: ICT





Implementation date

On-going

Submission of ICT assets for disposal

The following was noted with respect to the evaluation of ICT assets on 16 September 2010 which were recommended for disposal in the submission of 23 June 2011:

• It appears as though nine (9) months passed from when the evaluation took place to the compilation of the submission for disposal.

• It also appears as though these assets have remained on the asset register for at least two (2) years while it was known that they were obsolete / redundant / uneconomical to repair.



Management Comment

• See action plan below.

Action Plan

On a quarterly basis the Directorate: IT will recommend a submission of all ICT assets recommended for disposal (following a process of evaluation of the assets) and submit the approved submission to the Asset Disposal Committee for approval.


Director: ICT

Implementation date

31 March 2012

Loss cases for ICT assets pending since 2009

The following was noted with respect to cases of loss with respect to ICT assets:

• There are currently 13 cases with respect to lost ICT assets for which investigations have not yet been concluded by the Labour Relations Unit.

• Four (4) of these cases relate to the period 1 April 2011 – 31 October 2011 and the other nine (9) relate to previous financial periods (some as far back as the 2009/10 financial year).


Management Comment

• The process for investigating lost assets sometimes takes a longer period due to the use of external Investigators. Where possible, the department will consider using internal Investigators in order to expedite investigations and facilitate post





[Refer to detailed observation 4.3] investigation processes.

Action Plan

Where possible, the department will consider using internal Investigators in order to expedite investigations and facilitate post investigation processes.


Director: HRM&D

Implementation date

On-going

Reporting of investigation results to Asset Management

The Loss Control Officer informs Asset Management either telephonically or via email of the results of the investigation conducted by the Labour Relations Unit on the ICT asset reported lost and therefore documented evidence of the reporting is not maintained for future reference.


Housekeeping

[Yellow]

Management Comment


Action Plan

Results of the investigations shall be reported to the Asset Management by email. The emails shall be kept for future reference purposes.


Loss Control Officer

Implementation date

Immediately.





Management of the IT Storeroom and IT Server Room

The following was noted with respect to the IT Storeroom and IT Server Room:

IT Storeroom

• There are over 100 items in the IT Storeroom (this was confirmed through inspection of the ICT asset register as well). Some of these assets are obsolete / redundant as they are more than five (5) years old.

• The IT Storeroom does not appear to be spacious enough to accommodate all the assets.

IT Server Room

• The server room appeared to be untidy.

• Staff had been eating in the Server Room as there were apple leftovers on one of the tables.

• The cabinets in the Server Room do not close properly and therefore wires are exposed.

• There were wires on the floor creating a safety hazard as an individual could easily trip over the wires.


Housekeeping

[Yellow]

Management Comment


Action Plan

The following should be formally documented in the IT Policy / Procedures and adhered to:

• No individual must be allowed to enter the server room with food or drink in hand.

• The server room must be kept clean and neat and tidy at all times.


Director: ICT

Implementation date

1 April 2012

Action Plan

The broken cabinets in the Server Room should be fixed and should be kept closed.


Director: ICT

Implementation date

1 March 2012




3 Detailed findings Our detailed findings, based on the documents that were relevant to the scope of our review, are indicated below.

3.1 Updating the IT Asset Register with ICT asset movements

3.1.1 Procured ICT assets not captured on the IT Asset Register

Major [Red]

Criteria

The following is stated in paragraph 4.2.5 of the Information Technology Equipment Procurement Guideline approved on 1 September 2009:

“All procured items shall be placed on the relevant asset register by the Directorate: Supply Chain Management.”

Furthermore, paragraph 4.2.6 states that:

“Once the IT Section has certified that the delivered equipment is according to specification the items will be bar coded by the Directorate: Supply Chain Management.”

Finding

During our review of the Information and Communication Technology (ICT) assets procurement and management process we requested a list of ICT assets which was procured during the period under review (1 April 2011 – 31 October 2011) and the following was noted:

• We obtained the ICT asset register and according to the asset register only two (2) ICT assets had been procured as follows:

Asset no. Serial no. Description Purchase date Price (R)

11945 CZC10494P4 Computer laptop 1 April 2011 17 267.67

11663 None. Bag laptop 29 September 2011 478.80

• We then obtained a list of ICT assets procured from the IT Administrator and this list indicated that five (5) ICT assets had been procured as follows:

Date Order No. Description Amount (R)

19 May 2011 AE381468 Printer for the IT unit now used by Pumla from ODG

9 348.00

11 May 2011 AE381467 B&O Printer 8 048.00




Date Order No. Description Amount (R)

31 May 2011 AE381428 2530p notebook for Director: SCM 17 267.58

4 July 2011 AE383490 2530P notebook for Pumla Nhleko in the ODG

12 089.29

5 August 2011 AF264068 EPSON LQ Printer for finance in the supply chain unit

8 025.28

Through comparison of the above tables it appears as though the ICT asset register has not been updated with the ICT assets procured as only one (1) of the assets on the list from the IT Administrator (asset with serial number 11945) appears on the asset register.

Root cause

• There is no capacity within the Supply Chain Management (SCM) Directorate to update the ICT asset register – according to the current organogram all positions within the Asset Management Unit are currently vacant. This means that SCM officials have to take on the additional responsibility of updating the asset register when they have additional capacity.

Potential Impact

• Misstatement of PALAMA’s assets in the financial statements.

Recommendation

Management should consider the following:

• Once an ICT asset has been delivered and IT has certified the delivered assets, Supply Chain Management should bar code the asset and capture it onto the BAUD system immediately.

• A responsible official from the Directorate: IT should then obtain a copy of the ICT asset register and inspect the register to ensure that it has been accurately captured. Documented evidence of this process (copy of the asset register reflecting the captured asset) should be maintained for future reference purposes.

• Any discrepancies in capturing of the asset onto the asset register should be communicated to Supply Chain Management to ensure that the asset is captured accurately on the register. Documented evidence of all correspondence in this regard should be maintained for future reference purposes.




Management comments

• In agreement with the finding. This is as a result of the backlog in asset administration caused by limited capacity during the current financial year which was exacerbated by subsequent resignation of the Deputy Director responsible. The assets received and barcoded will be updated on the asset register.

• The asset recording process starts after assets have been certified as received and SCM barcodes the assets. The asset register is updated with the asset number, location, supplier, invoice and order number. A monthly reconciliation is conducted between asset register and general ledger. The asset verification is conducted on a quarterly basis whereby the asset register is reconciled with the assets on the floor.

Agreed management actions

# Action Responsible individual Implementation date(s)

1 After assets have been certified as received by IT, SCM will barcode the asset.

The barcode number will be recorded on the receipt voucher by SCM.

Director: SCM Continuous

1 March 2012

2 After the asset has been barcoded, the asset will be paid for by Finance – no asset should be paid for if the receipt voucher does not reflect a barcode number.

Director: SCM 1 March 2012

3 The asset register will be updated by SCM to reflect the purchase of the asset.

Director: SCM 31 January 2012




3.2 Disposal of ICT assets

3.2.1 Timelines regarding recommendation for disposal and write-off

Major [Red]

Criteria

After the Asset Disposal Committee has discussed the recommendation of ICT assets for disposal on a quarterly basis, a submission recommending the disposal and write-off of ICT assets from the asset register should be compiled and be submitted to the Director General for approval.

Finding

During our review of the disposal of ICT assets process, we noted the following with respect to the submission of 23 June 2011:

• This submission had been included in the meeting pack for the Asset Disposal Committee meeting of 7 October 2011.

• The following is documented in the draft minutes under paragraph 2.2 regarding the disposal of IT equipment:

“AK informed the committee that IT equipment identified for disposal will have to be disposed of in accordance to applicable guidelines for information security purposes. According to these guidelines the information on the equipment should be cleaned before disposal.”

• From the above it was noted that the draft minutes do not indicate whether the ICT assets recommended for disposal by the Directorate: IT were approved for disposal by the Committee as well as what method of disposal will be utilised, i.e. no decision had been taken at this meeting to dispose of the assets.

• Through discussions with Supply Chain Management it was explained that as no decision had been taken at the meeting, a submission to the Director General recommending the disposal of ICT assets could not be compiled.

Therefore, the decision regarding the disposal of the assets included in the submission of 23 June 2011 will have to stand over to the next meeting of the Asset Disposal Committee.

Currently the assets that have been recommended for disposal by the Directorate: IT are stored at an off-site storage room at the Rent-A-Store premises.

Root cause

• Lack of defined procedures and timelines for the asset disposal process.




Potential Impact

• Non-timely removal of obsolete / redundant / uneconomical to repair assets from the asset register may lead to overstatement of assets in the financial statements.

• Theft / loss of unused assets which may lead to unnecessary administrative procedures.

• Fruitless / wasteful expenditure due to the renting of a storage unit for obsolete / redundant / uneconomical to repair assets.

Recommendation


• Detailed procedures regarding the process for the disposal of assets need to be defined and documented to include, amongst others, the following:

- The frequency of evaluation of assets for disposal (i.e. quarterly, six monthly or annually);

- The process and frequency (i.e. quarterly, six monthly or annually) for recommending a submission to the Asset Disposal Committee meeting;

- The minutes of the Asset Disposal Committee meeting should clearly state the following:

The assets recommended for disposal have been discussed by the Committee;

The Committee approves the disposal and will compile a submission for approval by the Director General (including who will compile the submission and by when);

The method of disposal;

The person responsible for disposal; and

The due date for disposal.

- The process for recommending a submission to the Director General for approval – this submission should be submitted to the Director General within two (2) weeks of the Asset Disposal Committee meeting.

• As soon as approval has been received (from the Director General), Supply Chain Management should ensure that these assets are removed from the asset register and disposed of according to the method approved by the Asset Disposal Committee.

• Documented record of all actions regarding the disposal process should be maintained and retained for future reference purposes.

Management comments

• The process of disposal is that the asset controllers will identify the assets to be disposed and recommend to asset management. The asset manager will recommend to the Disposal Committee as and when assets have been identified. The committee will then recommend




the way of disposal to the Director-General for approval. After the approval the assets will be disposed off.

• In agreement with the finding, the Disposal Committee did not make a final recommendation at the time of the audit review and therefore the disposal could not be recommended to the DG. the



1 Standard operating procedures for asset disposal will be developed to support the Asset Management Policy.

Director: SCM February 2012




3.2.2 Movement of ICT assets not updated on the IT Asset Register

Major [Red]

Criteria

In accordance with best practice, the asset register should be updated with the location of assets when assets are acquired; disposed of and as assets are transferred (both internally and externally).

Finding

The following was noted during our review of ICT assets disposal process:

• From a sample of 15 assets recommended for disposal in the submission dated 23 June 2011, the location of all 15 assets per the register did not correlate with the physical location of these assets as follows:

Asset No.

Description Location as per the asset register

Location as per physical verification

03525 Computer Monitor LCD MECER R0442 – Disposal Room

Rent-A-Store Premises

03878 Computer Laptop ACER R0442 – Disposal Room


04578 Computer CPU ACER R0442 – Disposal Room


05028 Printer/Scanner/Fax/Copier Brother MFC-5440cn

R0442 – Disposal Room


05673 Computer Laptop IBM R0442 – Disposal Room


05833 Projector Data R0442 – Disposal Room




06052 Computer Printer Brother R0442 – Disposal Room





Asset No.


Location as per physical verification





07737 Computer CPU R0442 – Disposal Room


08163 Computer Printer Brother R0442 – Disposal Room




08274 Computer Laptop R0442 – Disposal Room


10479 Scanner R0442 – Disposal Room


• A sample of five (5) ICT assets whose location was indicated as the “IT Store” per the ICT asset register was selected and traced to the IT Store. Three (3) out of the five (5) assets were not found in the IT storeroom as follows:

Asset No.


Location as per physical verification and asset movement forms

11531 Computer Laptop R0389 - IT Store Thean Potgieter’s Office

11300 Computer Laptop R0389 - IT Store Nene Shibambu’s Office

14407 Computer Laptop R0389 - IT Store Craig Jansen’s Office

Asset movement forms were completed for these assets but the asset register was not updated.




• A sample of five (5) ICT assets was selected from the IT Store and traced back to the ICT asset register. The location on the asset register was incorrect for three (3) out of the five (5) assets as follows:

Asset No.

Description Location as per physical verification

Location as per the asset register

05903 Computer Printer Brother IT Store R0504 Open Plan ED

05737 Computer CPU Dell IT Store R0566 Open Plan TC

11038 Computer Laptop HP IT Store R0566 Open Plan TC

Root cause

• There is no capacity within the Supply Chain Management (SCM) Directorate to update the ICT asset register – according to the current organogram all positions within the Asset Management Unit are currently vacant. This means that SCM officials have to take on the additional responsibility of updating the asset register when they have additional capacity.

Potential Impact

• Difficulty in locating assets due to the incorrect specification of locations.

• Possible misappropriation of ICT assets.

Recommendation


• The relevant asset movement forms should be completed by Supply Chain Management for all ICT assets either leaving the Palama premises or being relocated internally.

• Supply Chain Management should update the ICT asset register to reflect the new location of the asset.

• As the Directorate IT is responsible for the IT Store, they should ensure that any relocation of ICT assets to or from the IT Store are updated on the ICT asset register immediately – documented evidence of this process should be maintained for future reference purposes.

Management comments

• The process of asset movement commences when there is a need for movement. The user will complete the correct asset movement form signed off by the asset controller and asset manager. The movement is captured on BAUD asset management system. The asset physical location is confirmed or corrected through quarterly asset verification audits and assets location updated accordingly in the asset register.




• In agreement with the finding. After the resignation of the Deputy Director: Assets, no official was available to be assigned to asset administration and this lack of capacity has resulted into serious backlog in asset management. Recruitment process is currently underway for the appointment of both the Deputy Director and Administrator: Assets.

• Whilst awaiting the recruitment process to be finalised, the acquisition personnel is assisting with the general asset administration and verification on a periodic basis. The updating of the asset register will be completed once the quarterly verification is finalized however, the location of the identified items will be corrected with immediate effect.



1 Recruitment process is currently underway for the appointment of both the Deputy Director and Administrator: Assets.

Corporate Services and Finance

1 April 2012

2 Updating of the asset register Director: SCM 31 January 2012




4 Performance Improvement Observations This section contains observations, which were not included in the scope of this review, that were reported to management as a value added service.

4.1 Procurement of software Significant

[Orange]

Observation

During our process to obtain an understanding of the ICT asset management process it was explained that currently there is no centralised procurement of Software. Individual branches purchase their own software without informing IT. IT is therefore uncertain of whether the software purchased by other branches was procured via the SITA supplier database.

The following in stated in paragraphs 4.2.1 and 4.2.2 of the approved Information Technology Equipment Procurement Guideline dated 1 September 2009:

“Branch Head shall first ensure sufficient funds exist before forwarding procurement request to D: IT.

On request to procure IT software or hardware , officials shall fill the IT procurement form in Annexure A.”

The following is stated in paragraph 7.1.1. of the draft Palama ICT Asset Management Policy dated 20 July 2011:

“The IT requisition form must be used in PALAMA to make request to D: ICT to procure any ICT related equipment or software.”

From the above it is clearly indicated in the draft Policy and the Guideline that the Directorate: IT is responsible for procurement of software through requests received from the different Branches.

Recommendation


• All ICT related procurement (including hardware and software) should be routed through the Directorate: IT in order to enable effective management of the procurement of these assets.

• All Palama employees should be made aware of the requirement that the procurement of all ICT hardware and software must be performed by the Directorate: IT.

• The draft Palama ICT Asset Management Policy should be finalised and approved by the relevant delegated authority as soon as possible and then communicated to all employees.

• The Directorate: IT should install the software on the relevant user’s computers and should control the number of computers on which software has been installed in order to comply




with license agreements. The Directorate: IT should be the custodian of all relevant software material relating to the installation of software.

Management comments

See action plan below.



1 The draft Palama ICT Asset Acquisition Policy will be finalised and approved by the relevant delegated authority as soon as possible and then communicated to all employees.

Director: ICT 30 April 2012

2 The Directorate: IT should install the software on the relevant user’s computers and should control the number of computers on which software has been installed in order to comply with license agreements. The Directorate: IT should be the custodian of all relevant software material relating to the installation of software.

Director: ICT On-going




4.2 Submission of ICT assets for disposal Significant

[Orange]

Observation

We selected a sample of 15 ICT assets recommended for disposal from the submission dated 23 June 2011 and requested the records of evaluation of these assets as follows:

Asset No.

Description Serial No. Reason for disposal in submission

03525 Computer Monitor LCD MECER

3416T00020H0326 Obsolete – 8 years old

03878 Computer Laptop ACER LXT270E123405011C5 Obsolete – 9 years old

04578 Computer CPU ACER PSPF1E60541000979L00 Obsolete – 7 years old

05028 Printer/Scanner/Fax/Copier Brother MFC-5440cn

C5F626395 Obsolete – 7 years old

05673 Computer Laptop IBM L3XNEXM Obsolete – 5 years old

05833 Projector Data TWC6047218 Obsolete – 5 years old

05852 Computer Laptop IBM L3-WTNGE 06/01 Obsolete – 5 years old

06052 Computer Printer Brother M5J275898 Obsolete – 5 years old

07332 Computer Laptop IBM 1S637263GL3AA337 Uneconomical to repair – 4 years old

07517 Computer Laptop IBM 1S8744HCGL3AN610 Uneconomical to repair- 4 years old

07737 Computer CPU ZAB738004M Uneconomical to repair- 4 years old

08163 Computer Printer Brother E63659E7J990456 Uneconomical to repair- 4 years old

08231 Computer Laptop IBM 1S766927GL3A1156 Uneconomical to repair- 4 years old

08274 Computer Laptop 1S7767BAGL3A4110 Uneconomical to




Asset No.

Description Serial No. Reason for disposal in submission

repair- 4 years old

10479 Scanner 10479 Uneconomical to repair- 3 years old

Management explained the following to us:

• These assets had been dormant for more than two (2) years and Gijima only keeps records of incidents for the past 24 months.

• The Directorate IT had performed an evaluation of the assets (together with the assistance of Gijima) on 16 September 2010.

It therefore appears as though nine (9) months passed from when the evaluation took place to the compilation of the submission for disposal.

It also appears as though these assets have remained on the asset register for at least two (2) years while it was known that they were obsolete / redundant / uneconomical to repair.

Recommendation


• On an annual basis the Directorate: IT should recommend a submission of all ICT assets recommended for disposal (following a process of evaluation of the assets) and submit the approved submission to the Asset Disposal Committee for approval.

Management comments

See below.



1 On a quarterly basis the Directorate: IT will recommend a submission of all ICT assets recommended for disposal (following a process of evaluation of the assets) and submit the approved submission to the Asset Disposal Committee for approval.

Director: ICT 31 March 2012




4.3 Loss cases for ICT assets pending since 2009 Significant

[Orange]

Observation

During our process to obtain an understanding of the ICT asset management process it was explained that there are currently 13 cases with respect to lost ICT assets for which investigations have not yet been concluded by the Labour Relations Unit.

Four (4) of these cases relate to the period 1 April 2011 – 31 October 2011 and the other nine (9) relate to previous financial periods (some as far back as the 2009/10 financial year).

The following is stated in paragraph 11.7 of the draft Loss Control Policy with respect to the timelines for completion of investigations relating to losses:

“Losses or damages suffered due to acts or omission by an official and/or criminal acts must immediately be investigated internally. All internal investigations must be finalised within two months from the date of reporting to the investigation officer.”

Recommendation


• Investigations into cases of loss should be concluded as soon as possible by the Labour Relations Unit in order that the appropriate steps be taken to finalise the case and to write-off the asset.

Management comments

The process for investigating lost assets sometimes takes a longer period due to the use of external Investigators. Where possible, the department will consider using internal Investigators in order to expedite investigations and facilitate post investigation processes...






1 Where possible, the department will consider using internal Investigators in order to expedite investigations and facilitate post investigation processes.

Director: HRM & D On-going




4.4 Reporting of investigation results to Asset Management Housekeeping

[Yellow]

Observation

During our documentation of the management of ICT assets process, it was explained that the Loss Control Officer informs Asset Management either telephonically or via email of the results of the investigation conducted by the Labour Relations Unit on the ICT asset reported lost.

Recommendation


• The Loss Control Officer must inform Asset Management of the results of the investigation via email. This email should be retained by Loss Control for future reference purposes.

Management comments

See below.



1 Results of the investigations shall be reported to the Asset Management by email. The emails shall be kept for future reference purposes.

Loss Control Officer Immediately.




4.5 Management of the IT Storeroom and IT Server Room Housekeeping

[Yellow]

Observation

IT Storeroom

During our review of the ICT assets disposal process, it was noted through discussion with management that IT has its own storeroom (room R0389) where loan units, ICT equipment that needs to be repaired, ICT equipment recommended for disposal, newly delivered ICT equipment and non-owned ICT assets are stored.

Through observation the following was noted with respect to the IT Storeroom:

• There are over 100 items in the IT Storeroom (this was confirmed through inspection of the ICT asset register as well). Some of these assets are obsolete / redundant as they are more than five (5) years old.

• The IT Storeroom does not appear to be spacious enough to accommodate all the assets.

IT Server Room

Through observation the following was noted with respect to the IT Server Room:

• The server room appeared to be untidy.

• Staff had been eating in the Server Room as there were apple leftovers on one of the tables.

• The cabinets in the Server Room do not close properly and therefore wires are exposed.

• There were wires on the floor creating a safety hazard as an individual could easily trip over the wires.

Recommendation


• On a quarterly basis the Directorate: SCM should conduct an asset verification (stock take) of all assets in the IT Storeroom to ensure that all assets are accounted for. The number of assets in the IT Storeroom should be kept to a minimum where possible.

• The following should be formally documented in the IT Policy / Procedures and adhered to:

- No individual must be allowed to enter the server room with food or drink in hand. - The server room must be kept clean and neat and tidy at all times.

• The broken cabinets in the Server Room should be fixed and should be kept closed.




Management comments

See below.



1 The following should be formally documented in the IT Policy / Procedures and adhered to:

• No individual must be allowed to enter the server room with food or drink in hand.

• The server room must be kept clean and neat and tidy at all times.

Director: ICT 1 April 2012

2 The broken cabinets in the Server Room should be fixed and should be kept closed.

Director: ICT 1 March 2012




5 Sampling A maximum sample size of 15 transactions / items per control was reviewed during our audit testing.

Type of supporting evidence

Sample size Assertion tested for:

A maximum sample of 15 procured ICT assets will be selected for the period under review

IT Request Form. A maximum sample of 15. Existence

Authorisation

Quotations. A maximum of three (3) quotations expected for each sample of 15 ICT Assets procured.

Existence

Budget spreadsheet. A maximum sample 15 procured ICT assets agreed to one (1) budget spreadsheet.

Existence

Accuracy

SCM Procurement Request Form.

A maximum sample of 15. Existence

Authorisation

A maximum sample of 15 ICT assets recommended for disposal will be selected for the period under review

Evaluations conducted on the asset by Gijima.

A maximum sample of 15 ICT assets recommended for disposal.

Existence

List of ICT assets to be disposed of.

A maximum sample size of 15 ICT assets recommended for disposal.

Existence

Completeness

Submissions prepared for the Asset Disposal Committee.

Will depend on the number of ICT assets included on a submission - but a maximum sample size of 15 submissions.

Existence

Authorisation

Minutes of the relevant Asset Disposal Committee meeting.

A maximum sample of two (2) due to the Asset Disposal Committee meeting quarterly.

Existence






The Asset Register. A maximum sample size of 15 ICT assets recommended for disposal agreed to one (1) Asset Register.

Existence

Validity

Completeness

The submission to the DG in which the asset was recommended for disposal.

Depending on the number of ICT assets included in one (1) submission – a maximum sample size of 15 submissions.

Existence

Authorisation

A maximum sample of 15 ICT assets reported as lost will be selected for the period under review

Statement of Loss Form. A maximum sample size of 15. Existence

Completeness

Register for Loss Control. A maximum sample size of 15 ICT assets reported as loss agreed to one (1) Register for Loss Control.

Existence

Completeness

The submission to the Branch Head: Corporate Services which includes this loss.

Depending on the number of ICT assets included in one (1) submission – maximum sample size of 15 submissions.

Existence

Authorisation

Evidence of submission to the Labour Relations Unit.

Depending on the number of ICT assets included in one (1) submission – a maximum sample size of 15 submissions.

Existence

Register of Loss Control Submissions

A maximum sample size of 15 ICT assets reported as loss agreed to one (1) Register of Loss Control Submissions.

Existence

Follow-up of the 2010/11 Internal Audit Report on Asset Management

A maximum sample of two (2) procured ICT assets will be selected for the period under review

Asset register. Maximum sample size of two (2) ICT assets selected from the

Existence

Accuracy






asset register.

IT Request Form. A maximum sample of two (2). Existence

Authorisation

SCM Procurement Request Form.

A maximum sample of two (2). Existence

Authorisation

Documents

Internal Audit Report - Information Communication ... · PDF fileInternal Audit Report - Information Communication Technology (ICT ... Internal Audit Report - Information Communication