Upload
buiphuc
View
228
Download
3
Embed Size (px)
Citation preview
ABCD
Public Administration Leadership and
Management Academy
Internal Audit Report - Information Communication
Technology (ICT) Assets Review
January 2012 This report contains 40 pages
© 2012 KPMG International. KPMG International is a Swiss cooperative of which all KPMG firms are members. KPMG International provides no services to clients. Each member firm is a
separate and independent legal entity and each describes itself as such. All rights reserved.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
i © 2012 KPMG . All rights reserved.
Distribution
To Take Action
For Information
Discussed Prior to Release
Director-General
Prof. L. Mollo
DDG: Governance and Strategic Support
Ms M Manjezi
Chief Financial Officer
Ms P Mkwanazi
Chief Director: Corporate Services
Mr J Mela
Audit Committee
Auditor-General SA
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
ii © 2012 KPMG . All rights reserved.
Contents
1 Introduction 1 1.1 Mandate 1 1.2 Objective and Scope 1 1.3 Management’s responsibilities 1 1.4 Purpose and restriction of distribution and use of this document 2 1.5 Disclaimer 2 1.6 Appreciation 2 1.7 Conclusion 3 1.8 Approval 3
2 Executive summary 4 2.1 Overall Report Rating – Conclusion 4 2.2 Summary of findings 6 2.2.1 Summary of detailed Findings 7 2.2.2 Summary of Performance Improvement Observations 12
3 Detailed findings 16 3.1 Updating the IT Asset Register with ICT asset movements 16 3.1.1 Procured ICT assets not captured on the IT Asset Register 16 3.2 Disposal of ICT assets 19 3.2.1 Timelines regarding recommendation for disposal and write-off 19 3.2.2 Movement of ICT assets not updated on the IT Asset Register 22
4 Performance Improvement Observations 26 4.1 Procurement of software 26 4.2 Submission of ICT assets for disposal 28 4.3 Loss cases for ICT assets pending since 2009 30 4.4 Reporting of investigation results to Asset Management 32 4.5 Management of the IT Storeroom and IT Server Room 33
5 Sampling 35
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
1 © 2012 KPMG . All rights reserved.
1 Introduction
1.1 Mandate KPMG Services (Pty) Ltd has been appointed as the outsourced internal auditors of the Public Administration Leadership and Management Academy (“Palama”) for the 2011 / 2012 financial year.
In accordance with the approved Annual Internal Audit Plan for the 2011 / 2012 financial year we performed a risk-based internal audit review on the process (es) in place to ensure adequate and effective procurement and management of Information Communication Technology (ICT) assets.
1.2 Objective and Scope In terms of the Palama Annual Internal Audit Plan for the 2011/ 2012 financial year, we were required to perform an internal audit review that entailed the evaluation and testing of the adequacy and effectiveness of controls in place relating to the procurement and management of Information Communication Technology (ICT) assets. Controls were identified in conjunction with the staff in the Information Technology (IT) Directorate to manage the following risks:
• Non-compliance to the normal ICT asset procurement procedures which may lead to irregular expenditure and/or fruitless and wasteful expenditure.
• Non-compliance to the normal ICT asset disposal procedures which may lead to the disposal of assets which are still usable or financial loss.
• ICT assets that are disposed of may not be removed from the asset register which may lead to overstatement of assets in the financial statements – the relevant controls could not be tested as no disposals were approved during the period under review.
• Non-compliance to the normal loss management procedures which may lead to financial loss and/or fruitless and wasteful expenditure.
• ICT assets that are lost may not be removed from the asset register which may lead to overstatement of assets in the financial statements - the relevant controls could not be tested as no investigations were finalised during the period under review.
The review covered the period 1 April 2011 to 30 September 2011 and only information and documentation for the aforementioned period was evaluated.
Refer to section 5 for sample sizes.
1.3 Management’s responsibilities Management is responsible for the establishment and maintenance of an effective system of governance to:
• Establish and communicate organisational goals and values;
• Monitor the accomplishment of goals; and
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
2 © 2012 KPMG . All rights reserved.
• Ensure accountability and values are preserved.
Management is further responsible for the establishment and maintenance of an effective system of internal control. The objectives of the system of internal control are, inter alia, to provide management with reasonable, but not absolute, assurance that:
• Risks are properly managed;
• Assets are safeguarded;
• Financial and operational information are reliable;
• Operations are effective and efficient; and
• Laws, regulations and contracts are complied with.
1.4 Purpose and restriction of distribution and use of this document The purpose of the report is to communicate the results of the review to management.
This report is intended solely for use by management of Palama. No party other than those to whom it is addressed may rely upon this report for any purpose whatsoever. It must not be made available or copied in whole or in part to any other party without Palama’s prior written consent.
1.5 Disclaimer Whilst our report details those errors and weaknesses, which came to our attention during our review, the responsibility for the prevention and detection of irregularities and fraud rests with management. We have planned our review so that we have a reasonable expectation of detecting weaknesses and deficiencies in the system of internal controls, however, our review should not be relied upon to disclose all irregularities and fraud, which may exist.
Management representations made are considered to form part of our audit evidence. Any management representations were accepted on face value and in good faith, with only limited evaluation to assess for reasonableness.
1.6 Appreciation We would like to thank the management and staff of Palama for their assistance during the review and for making time available for meetings, queries and preparation of requested documentation.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
3 © 2012 KPMG . All rights reserved.
1.7 Conclusion Ratings awarded represent the conclusions of Internal Audit based on the results of the audit of a process or audit area. The control environment was rated using the following criteria:
Rating Definition
Inadequate
[Red]
Majority of our findings are serious and require immediate management intervention to achieve business objectives.
Needs Improvement
[Orange]
Majority of our findings are medium risks that require management focus to rectify.
Satisfactory
[Yellow]
Some control deficiencies were identified; however, these were mainly administrative in nature and can easily be rectified.
Good
[Green]
Internal controls are operating effectively (subject to the limitations of sample testing).
Based on our audit work performed and subject to our findings detailed in Section 3, we report that the Palama processes that are in place to ensure adequate and effective procurement and management of ICT assets needs improvement.
Please note that the conclusions as indicated below, are based on sample testing and only applies to the controls evaluated that relate to the key risks identified in our scope.
1.8 Approval
KPMG Services (Pty) Ltd takes responsibility for this report, which is prepared on the basis as set out above and which has been discussed and agreed with management. As from the date of this report, we take no responsibility for any changes or amendments that are subsequently made.
Paresh Lalla Director
Date: January 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
4 © 2012 KPMG . All rights reserved.
2 Executive summary Our findings for this review are summarised in the table below. The summary of findings is referenced to the detailed findings in section 3.
2.1 Overall Report Rating – Conclusion
Tabled below is an overall conclusion on each of the areas within the scope of this review.
Non-compliance to the normal ICT asset procurement procedures which may lead to irregular expenditure and/or fruitless and wasteful expenditure
Conclusion Reference to detailed finding
Controls tested
• Procured ICT assets are captured on the IT Asset Register. Inadequate [Red]
3.1.1
• Adequate authorisation for the purchase of ICT assets within the Directorate: IT. Good [Green]
Not applicable
• Adherence to SCM procedures for obtaining quotations from the SITA database. Good [Green]
Not applicable
Non-compliance to the normal ICT asset disposal procedures which may lead to the disposal of assets which are still usable or financial loss.
Conclusion Reference to detailed finding
Controls tested
• Assets set aside for disposal are approved by the relevant delegated authority. Inadequate [Red]
3.2.1
• The IT Asset Register is updated with assets set aside for disposal. Inadequate [Red]
3.2.2
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
5 © 2012 KPMG . All rights reserved.
Non-compliance to the normal loss management procedures which may lead to financial loss and/or fruitless and wasteful expenditure.
Conclusion Reference to detailed finding
Controls tested
• All documentation (forms and registers) regarding losses is adequately completed. Good [Green]
Not applicable
Additional observations
• Software should be procured by the Directorate: IT. Needs Improvement [Orange]
4.1
• Processes should be established for the periodic evaluation and approval of assets for disposal. Needs Improvement [Orange]
4.2
• Investigations into losses should be finalised within two (2) months. Inadequate [Red]
4.3
• Results of investigations should be reported to Asset Management by email. Satisfactory [Yellow]
4.4
• The IT server room and storeroom should be kept neat and tidy. Satisfactory [Yellow]
4.5
Overall conclusion Needs Improvement [Orange]
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
6 © 2012 KPMG . All rights reserved.
2.2 Summary of findings
The section below sets out the detailed ratings allocated to each finding and represents the results of the audit testing performed and the findings identified.
Risk indicator Definition
Major [Red]
A fundamental and critical control weakness, which hampers operations, and therefore requires immediate management action.
Significant [Orange]
Control weakness considered to be of a serious nature that should receive management attention in the short term.
Housekeeping
[Yellow]
These weaknesses do not represent a risk to the environment and can usually be corrected at minimal cost. The resolution will lead to an improvement of the operations’ efficiency, and/or effectiveness. It is not considered a critical issue.
Performance Improvement Observation An opportunity for improvement (outside of the scope of this assignment) was identified and brought to the attention of management, as a value added service.
Note: The same rating system as above was used to rate performance improvement observations
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
7 © 2012 KPMG . All rights reserved.
2.2.1 Summary of detailed Findings We summarise herewith the results of the internal audit. The summary of findings is referenced to the detailed findings in section 3.
Management control Finding Finding rating Management comments and action plans
Procured ICT assets not captured on the ICT asset register
• The following is stated in paragraph 4.2.5 of the Information Technology Equipment Procurement Guideline approved on 1 September 2009:
“All procured items shall be placed on the relevant asset register by the Directorate: Supply Chain Management.”
• Furthermore, paragraph 4.2.6 states that:
“Once the IT Section has certified that the delivered equipment is according to specification the items will be bar coded by the Directorate: Supply Chain Management.”
The following discrepancies were noted with respect to the capturing of procured ICT assets:
• According to a list of ICT assets obtained from the IT Administrator five (5) ICT assets had been procured.
• According to the asset register only two (2) ICT assets had been procured.
[Refer to detailed finding 3.1.1 ]
Major [Red]
Management Comment
• In agreement with the finding. This is as a result of the backlog in asset administration caused by limited capacity during the current financial year which was exacerbated by subsequent resignation of the Deputy Director responsible. The assets received and bar-coded will be updated on the asset register.
• The asset recording process starts after assets have been certified as received and SCM barcodes the assets. The asset register is updated with the asset number, location, supplier, invoice and order number. A monthly reconciliation is conducted between asset register and general ledger. The asset verification is conducted on a quarterly basis whereby the asset register is reconciled with the assets on the floor.
Action Plan
After assets have been certified as received by IT, SCM will barcode the asset.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
8 © 2012 KPMG . All rights reserved.
Management control Finding Finding rating Management comments and action plans
The barcode number will be recorded on the receipt voucher by SCM.
Responsible Individual
Director: SCM
Implementation date
Continuous 1 March 2012
Action Plan
After the asset has been bar-coded, the asset will be paid for by Finance – no asset should be paid for if the receipt voucher does not reflect a barcode number.
Responsible Individual
Director: SCM
Implementation date
1 March 2012
Action Plan
The asset register will be updated by SCM to reflect the purchase of the asset.
Responsible Individual
Director: SCM
Implementation date
1 January 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
9 © 2012 KPMG . All rights reserved.
Management control Finding Finding rating Management comments and action plans
Timelines for recommendation for disposal and write-off
• After the Asset Disposal Committee has discussed the recommendation of ICT assets for disposal on a quarterly basis, a submission recommending the disposal and write-off of ICT assets from the asset register should be compiled and be submitted to the Director General for approval
• The draft minutes for the Asset Disposal Committee meeting of 7 October 2011 do not indicate whether the ICT assets recommended for disposal by the Directorate: IT were approved for disposal by the Committee as well as what method of disposal will be utilised, i.e. no decision had been taken at this meeting to dispose of the assets.
[Refer to detailed finding 3.2.2]
Major [Red]
Management Comment
• The process of disposal is that the asset controllers will identify the assets to be disposed and recommend to asset management. The asset manager will recommend to the Disposal Committee as and when assets have been identified. The committee will then recommend the way of disposal to the Director-General for approval. After the approval the assets will be disposed off.
• In agreement with the finding, the Disposal Committee did not make a final recommendation at the time of the audit review and therefore the disposal could not be recommended to the DG.
Action Plan
Standard operating procedures for asset disposal will be developed to support the Asset Management Policy.
Responsible Individual
Director: SCM
Implementation date
February 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
10 © 2012 KPMG . All rights reserved.
Management control Finding Finding rating Management comments and action plans
Movement of ICT assets not updated on the IT Asset Register
• In accordance with best practice, the asset register should be updated with the location of assets when assets are acquired; disposed of and as assets are transferred (both internally and externally).
The following discrepancies were noted with respect to the location of ICT assets which had been set aside for disposal:
• The location of the entire sample of 15 ICT assets recommended for disposal which were selected from the IT asset register did not agree to the physical location.
• The location of three (3) out the sample of five (5) ICT assets selected from the floor and traced to the IT asset register did not agree to the register.
[Refer to detailed finding 3.2.2 ]
Major [Red]
Management Comment
• The process of asset movement commences when there is a need for movement. The user will complete the correct asset movement form signed off by the asset controller and asset manager. The movement is captured on BAUD asset management system. The asset physical location is confirmed or corrected through quarterly asset verification audits and assets location updated accordingly in the asset register.
• In agreement with the finding. After the resignation of the Deputy Director: Assets, no official was available to be assigned to asset administration and this lack of capacity has resulted into serious backlog in asset management. Recruitment process is currently underway for the appointment of both the Deputy Director and Administrator: Assets.
• Whilst awaiting the recruitment process to be finalised, the acquisition personnel is assisting with the general asset administration and verification on a periodic basis. The updating of the asset register will be completed once the
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
11 © 2012 KPMG . All rights reserved.
Management control Finding Finding rating Management comments and action plans
quarterly verification is finalized however, the location of the identified items will be corrected with immediate effect.
Action Plan
Recruitment process is currently underway for the appointment of both the Deputy Director and Administrator: Assets.
Responsible Individual
Corporate Services and Finance
Implementation date
1 April 2012
Action Plan
Updating of the asset register Responsible Individual
Director: SCM
Implementation date
31 January 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
12 © 2012 KPMG . All rights reserved.
2.2.2 Summary of Performance Improvement Observations
Observation Finding rating Management comments and action plans
Procurement of software
There is currently no centralised procurement of Software. Individual branches purchase their own software without informing IT. IT is therefore uncertain of whether the software purchased by other branches was procured via the SITA supplier database.
[Refer to detailed observation 4.1]
Significant [Orange]
Management Comment
• Refer to action plan below.
Action Plan
The draft Palama ICT Asset Acquisition Policy will be finalised and approved by the relevant delegated authority as soon as possible and then communicated to all employees.
Responsible Individual
Director: ICT
Implementation date
30 April 2012
Action Plan
The Directorate: IT should install the software on the relevant user’s computers and should control the number of computers on which software has been installed in order to comply with license agreements. The Directorate: IT should be the custodian of all relevant software material relating to the installation of software.
Responsible Individual
Director: ICT
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
13 © 2012 KPMG . All rights reserved.
Observation Finding rating Management comments and action plans
Implementation date
On-going
Submission of ICT assets for disposal
The following was noted with respect to the evaluation of ICT assets on 16 September 2010 which were recommended for disposal in the submission of 23 June 2011:
• It appears as though nine (9) months passed from when the evaluation took place to the compilation of the submission for disposal.
• It also appears as though these assets have remained on the asset register for at least two (2) years while it was known that they were obsolete / redundant / uneconomical to repair.
[Refer to detailed observation 4.2]
Significant [Orange]
Management Comment
• See action plan below.
Action Plan
On a quarterly basis the Directorate: IT will recommend a submission of all ICT assets recommended for disposal (following a process of evaluation of the assets) and submit the approved submission to the Asset Disposal Committee for approval.
Responsible Individual
Director: ICT
Implementation date
31 March 2012
Loss cases for ICT assets pending since 2009
The following was noted with respect to cases of loss with respect to ICT assets:
• There are currently 13 cases with respect to lost ICT assets for which investigations have not yet been concluded by the Labour Relations Unit.
• Four (4) of these cases relate to the period 1 April 2011 – 31 October 2011 and the other nine (9) relate to previous financial periods (some as far back as the 2009/10 financial year).
Significant [Orange]
Management Comment
• The process for investigating lost assets sometimes takes a longer period due to the use of external Investigators. Where possible, the department will consider using internal Investigators in order to expedite investigations and facilitate post
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
14 © 2012 KPMG . All rights reserved.
Observation Finding rating Management comments and action plans
[Refer to detailed observation 4.3] investigation processes.
Action Plan
Where possible, the department will consider using internal Investigators in order to expedite investigations and facilitate post investigation processes.
Responsible Individual
Director: HRM&D
Implementation date
On-going
Reporting of investigation results to Asset Management
The Loss Control Officer informs Asset Management either telephonically or via email of the results of the investigation conducted by the Labour Relations Unit on the ICT asset reported lost and therefore documented evidence of the reporting is not maintained for future reference.
[Refer to detailed observation 4.4]
Housekeeping
[Yellow]
Management Comment
• See action plan below.
Action Plan
Results of the investigations shall be reported to the Asset Management by email. The emails shall be kept for future reference purposes.
Responsible Individual
Loss Control Officer
Implementation date
Immediately.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
15 © 2012 KPMG . All rights reserved.
Observation Finding rating Management comments and action plans
Management of the IT Storeroom and IT Server Room
The following was noted with respect to the IT Storeroom and IT Server Room:
IT Storeroom
• There are over 100 items in the IT Storeroom (this was confirmed through inspection of the ICT asset register as well). Some of these assets are obsolete / redundant as they are more than five (5) years old.
• The IT Storeroom does not appear to be spacious enough to accommodate all the assets.
IT Server Room
• The server room appeared to be untidy.
• Staff had been eating in the Server Room as there were apple leftovers on one of the tables.
• The cabinets in the Server Room do not close properly and therefore wires are exposed.
• There were wires on the floor creating a safety hazard as an individual could easily trip over the wires.
[Refer to detailed observation 4.5]
Housekeeping
[Yellow]
Management Comment
• See action plan below.
Action Plan
The following should be formally documented in the IT Policy / Procedures and adhered to:
• No individual must be allowed to enter the server room with food or drink in hand.
• The server room must be kept clean and neat and tidy at all times.
Responsible Individual
Director: ICT
Implementation date
1 April 2012
Action Plan
The broken cabinets in the Server Room should be fixed and should be kept closed.
Responsible Individual
Director: ICT
Implementation date
1 March 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
16 © 2012 KPMG . All rights reserved.
3 Detailed findings Our detailed findings, based on the documents that were relevant to the scope of our review, are indicated below.
3.1 Updating the IT Asset Register with ICT asset movements
3.1.1 Procured ICT assets not captured on the IT Asset Register
Major [Red]
Criteria
The following is stated in paragraph 4.2.5 of the Information Technology Equipment Procurement Guideline approved on 1 September 2009:
“All procured items shall be placed on the relevant asset register by the Directorate: Supply Chain Management.”
Furthermore, paragraph 4.2.6 states that:
“Once the IT Section has certified that the delivered equipment is according to specification the items will be bar coded by the Directorate: Supply Chain Management.”
Finding
During our review of the Information and Communication Technology (ICT) assets procurement and management process we requested a list of ICT assets which was procured during the period under review (1 April 2011 – 31 October 2011) and the following was noted:
• We obtained the ICT asset register and according to the asset register only two (2) ICT assets had been procured as follows:
Asset no. Serial no. Description Purchase date Price (R)
11945 CZC10494P4 Computer laptop 1 April 2011 17 267.67
11663 None. Bag laptop 29 September 2011 478.80
• We then obtained a list of ICT assets procured from the IT Administrator and this list indicated that five (5) ICT assets had been procured as follows:
Date Order No. Description Amount (R)
19 May 2011 AE381468 Printer for the IT unit now used by Pumla from ODG
9 348.00
11 May 2011 AE381467 B&O Printer 8 048.00
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
17 © 2012 KPMG . All rights reserved.
Date Order No. Description Amount (R)
31 May 2011 AE381428 2530p notebook for Director: SCM 17 267.58
4 July 2011 AE383490 2530P notebook for Pumla Nhleko in the ODG
12 089.29
5 August 2011 AF264068 EPSON LQ Printer for finance in the supply chain unit
8 025.28
Through comparison of the above tables it appears as though the ICT asset register has not been updated with the ICT assets procured as only one (1) of the assets on the list from the IT Administrator (asset with serial number 11945) appears on the asset register.
Root cause
• There is no capacity within the Supply Chain Management (SCM) Directorate to update the ICT asset register – according to the current organogram all positions within the Asset Management Unit are currently vacant. This means that SCM officials have to take on the additional responsibility of updating the asset register when they have additional capacity.
Potential Impact
• Misstatement of PALAMA’s assets in the financial statements.
Recommendation
Management should consider the following:
• Once an ICT asset has been delivered and IT has certified the delivered assets, Supply Chain Management should bar code the asset and capture it onto the BAUD system immediately.
• A responsible official from the Directorate: IT should then obtain a copy of the ICT asset register and inspect the register to ensure that it has been accurately captured. Documented evidence of this process (copy of the asset register reflecting the captured asset) should be maintained for future reference purposes.
• Any discrepancies in capturing of the asset onto the asset register should be communicated to Supply Chain Management to ensure that the asset is captured accurately on the register. Documented evidence of all correspondence in this regard should be maintained for future reference purposes.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
18 © 2012 KPMG . All rights reserved.
Management comments
• In agreement with the finding. This is as a result of the backlog in asset administration caused by limited capacity during the current financial year which was exacerbated by subsequent resignation of the Deputy Director responsible. The assets received and barcoded will be updated on the asset register.
• The asset recording process starts after assets have been certified as received and SCM barcodes the assets. The asset register is updated with the asset number, location, supplier, invoice and order number. A monthly reconciliation is conducted between asset register and general ledger. The asset verification is conducted on a quarterly basis whereby the asset register is reconciled with the assets on the floor.
Agreed management actions
# Action Responsible individual Implementation date(s)
1 After assets have been certified as received by IT, SCM will barcode the asset.
The barcode number will be recorded on the receipt voucher by SCM.
Director: SCM Continuous
1 March 2012
2 After the asset has been barcoded, the asset will be paid for by Finance – no asset should be paid for if the receipt voucher does not reflect a barcode number.
Director: SCM 1 March 2012
3 The asset register will be updated by SCM to reflect the purchase of the asset.
Director: SCM 31 January 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
19 © 2012 KPMG . All rights reserved.
3.2 Disposal of ICT assets
3.2.1 Timelines regarding recommendation for disposal and write-off
Major [Red]
Criteria
After the Asset Disposal Committee has discussed the recommendation of ICT assets for disposal on a quarterly basis, a submission recommending the disposal and write-off of ICT assets from the asset register should be compiled and be submitted to the Director General for approval.
Finding
During our review of the disposal of ICT assets process, we noted the following with respect to the submission of 23 June 2011:
• This submission had been included in the meeting pack for the Asset Disposal Committee meeting of 7 October 2011.
• The following is documented in the draft minutes under paragraph 2.2 regarding the disposal of IT equipment:
“AK informed the committee that IT equipment identified for disposal will have to be disposed of in accordance to applicable guidelines for information security purposes. According to these guidelines the information on the equipment should be cleaned before disposal.”
• From the above it was noted that the draft minutes do not indicate whether the ICT assets recommended for disposal by the Directorate: IT were approved for disposal by the Committee as well as what method of disposal will be utilised, i.e. no decision had been taken at this meeting to dispose of the assets.
• Through discussions with Supply Chain Management it was explained that as no decision had been taken at the meeting, a submission to the Director General recommending the disposal of ICT assets could not be compiled.
Therefore, the decision regarding the disposal of the assets included in the submission of 23 June 2011 will have to stand over to the next meeting of the Asset Disposal Committee.
Currently the assets that have been recommended for disposal by the Directorate: IT are stored at an off-site storage room at the Rent-A-Store premises.
Root cause
• Lack of defined procedures and timelines for the asset disposal process.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
20 © 2012 KPMG . All rights reserved.
Potential Impact
• Non-timely removal of obsolete / redundant / uneconomical to repair assets from the asset register may lead to overstatement of assets in the financial statements.
• Theft / loss of unused assets which may lead to unnecessary administrative procedures.
• Fruitless / wasteful expenditure due to the renting of a storage unit for obsolete / redundant / uneconomical to repair assets.
Recommendation
Management should consider the following:
• Detailed procedures regarding the process for the disposal of assets need to be defined and documented to include, amongst others, the following:
- The frequency of evaluation of assets for disposal (i.e. quarterly, six monthly or annually);
- The process and frequency (i.e. quarterly, six monthly or annually) for recommending a submission to the Asset Disposal Committee meeting;
- The minutes of the Asset Disposal Committee meeting should clearly state the following:
The assets recommended for disposal have been discussed by the Committee;
The Committee approves the disposal and will compile a submission for approval by the Director General (including who will compile the submission and by when);
The method of disposal;
The person responsible for disposal; and
The due date for disposal.
- The process for recommending a submission to the Director General for approval – this submission should be submitted to the Director General within two (2) weeks of the Asset Disposal Committee meeting.
• As soon as approval has been received (from the Director General), Supply Chain Management should ensure that these assets are removed from the asset register and disposed of according to the method approved by the Asset Disposal Committee.
• Documented record of all actions regarding the disposal process should be maintained and retained for future reference purposes.
Management comments
• The process of disposal is that the asset controllers will identify the assets to be disposed and recommend to asset management. The asset manager will recommend to the Disposal Committee as and when assets have been identified. The committee will then recommend
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
21 © 2012 KPMG . All rights reserved.
the way of disposal to the Director-General for approval. After the approval the assets will be disposed off.
• In agreement with the finding, the Disposal Committee did not make a final recommendation at the time of the audit review and therefore the disposal could not be recommended to the DG. the
Agreed management actions
# Action Responsible individual Implementation date(s)
1 Standard operating procedures for asset disposal will be developed to support the Asset Management Policy.
Director: SCM February 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
22 © 2012 KPMG . All rights reserved.
3.2.2 Movement of ICT assets not updated on the IT Asset Register
Major [Red]
Criteria
In accordance with best practice, the asset register should be updated with the location of assets when assets are acquired; disposed of and as assets are transferred (both internally and externally).
Finding
The following was noted during our review of ICT assets disposal process:
• From a sample of 15 assets recommended for disposal in the submission dated 23 June 2011, the location of all 15 assets per the register did not correlate with the physical location of these assets as follows:
Asset No.
Description Location as per the asset register
Location as per physical verification
03525 Computer Monitor LCD MECER R0442 – Disposal Room
Rent-A-Store Premises
03878 Computer Laptop ACER R0442 – Disposal Room
Rent-A-Store Premises
04578 Computer CPU ACER R0442 – Disposal Room
Rent-A-Store Premises
05028 Printer/Scanner/Fax/Copier Brother MFC-5440cn
R0442 – Disposal Room
Rent-A-Store Premises
05673 Computer Laptop IBM R0442 – Disposal Room
Rent-A-Store Premises
05833 Projector Data R0442 – Disposal Room
Rent-A-Store Premises
05852 Computer Laptop IBM R0442 – Disposal Room
Rent-A-Store Premises
06052 Computer Printer Brother R0442 – Disposal Room
Rent-A-Store Premises
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
23 © 2012 KPMG . All rights reserved.
Asset No.
Description Location as per the asset register
Location as per physical verification
07332 Computer Laptop IBM R0442 – Disposal Room
Rent-A-Store Premises
07517 Computer Laptop IBM R0442 – Disposal Room
Rent-A-Store Premises
07737 Computer CPU R0442 – Disposal Room
Rent-A-Store Premises
08163 Computer Printer Brother R0442 – Disposal Room
Rent-A-Store Premises
08231 Computer Laptop IBM R0442 – Disposal Room
Rent-A-Store Premises
08274 Computer Laptop R0442 – Disposal Room
Rent-A-Store Premises
10479 Scanner R0442 – Disposal Room
Rent-A-Store Premises
• A sample of five (5) ICT assets whose location was indicated as the “IT Store” per the ICT asset register was selected and traced to the IT Store. Three (3) out of the five (5) assets were not found in the IT storeroom as follows:
Asset No.
Description Location as per the asset register
Location as per physical verification and asset movement forms
11531 Computer Laptop R0389 - IT Store Thean Potgieter’s Office
11300 Computer Laptop R0389 - IT Store Nene Shibambu’s Office
14407 Computer Laptop R0389 - IT Store Craig Jansen’s Office
Asset movement forms were completed for these assets but the asset register was not updated.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
24 © 2012 KPMG . All rights reserved.
• A sample of five (5) ICT assets was selected from the IT Store and traced back to the ICT asset register. The location on the asset register was incorrect for three (3) out of the five (5) assets as follows:
Asset No.
Description Location as per physical verification
Location as per the asset register
05903 Computer Printer Brother IT Store R0504 Open Plan ED
05737 Computer CPU Dell IT Store R0566 Open Plan TC
11038 Computer Laptop HP IT Store R0566 Open Plan TC
Root cause
• There is no capacity within the Supply Chain Management (SCM) Directorate to update the ICT asset register – according to the current organogram all positions within the Asset Management Unit are currently vacant. This means that SCM officials have to take on the additional responsibility of updating the asset register when they have additional capacity.
Potential Impact
• Difficulty in locating assets due to the incorrect specification of locations.
• Possible misappropriation of ICT assets.
Recommendation
Management should consider the following:
• The relevant asset movement forms should be completed by Supply Chain Management for all ICT assets either leaving the Palama premises or being relocated internally.
• Supply Chain Management should update the ICT asset register to reflect the new location of the asset.
• As the Directorate IT is responsible for the IT Store, they should ensure that any relocation of ICT assets to or from the IT Store are updated on the ICT asset register immediately – documented evidence of this process should be maintained for future reference purposes.
Management comments
• The process of asset movement commences when there is a need for movement. The user will complete the correct asset movement form signed off by the asset controller and asset manager. The movement is captured on BAUD asset management system. The asset physical location is confirmed or corrected through quarterly asset verification audits and assets location updated accordingly in the asset register.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
25 © 2012 KPMG . All rights reserved.
• In agreement with the finding. After the resignation of the Deputy Director: Assets, no official was available to be assigned to asset administration and this lack of capacity has resulted into serious backlog in asset management. Recruitment process is currently underway for the appointment of both the Deputy Director and Administrator: Assets.
• Whilst awaiting the recruitment process to be finalised, the acquisition personnel is assisting with the general asset administration and verification on a periodic basis. The updating of the asset register will be completed once the quarterly verification is finalized however, the location of the identified items will be corrected with immediate effect.
Agreed management actions
# Action Responsible individual Implementation date(s)
1 Recruitment process is currently underway for the appointment of both the Deputy Director and Administrator: Assets.
Corporate Services and Finance
1 April 2012
2 Updating of the asset register Director: SCM 31 January 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
26 © 2012 KPMG . All rights reserved.
4 Performance Improvement Observations This section contains observations, which were not included in the scope of this review, that were reported to management as a value added service.
4.1 Procurement of software Significant
[Orange]
Observation
During our process to obtain an understanding of the ICT asset management process it was explained that currently there is no centralised procurement of Software. Individual branches purchase their own software without informing IT. IT is therefore uncertain of whether the software purchased by other branches was procured via the SITA supplier database.
The following in stated in paragraphs 4.2.1 and 4.2.2 of the approved Information Technology Equipment Procurement Guideline dated 1 September 2009:
“Branch Head shall first ensure sufficient funds exist before forwarding procurement request to D: IT.
On request to procure IT software or hardware , officials shall fill the IT procurement form in Annexure A.”
The following is stated in paragraph 7.1.1. of the draft Palama ICT Asset Management Policy dated 20 July 2011:
“The IT requisition form must be used in PALAMA to make request to D: ICT to procure any ICT related equipment or software.”
From the above it is clearly indicated in the draft Policy and the Guideline that the Directorate: IT is responsible for procurement of software through requests received from the different Branches.
Recommendation
Management should consider the following:
• All ICT related procurement (including hardware and software) should be routed through the Directorate: IT in order to enable effective management of the procurement of these assets.
• All Palama employees should be made aware of the requirement that the procurement of all ICT hardware and software must be performed by the Directorate: IT.
• The draft Palama ICT Asset Management Policy should be finalised and approved by the relevant delegated authority as soon as possible and then communicated to all employees.
• The Directorate: IT should install the software on the relevant user’s computers and should control the number of computers on which software has been installed in order to comply
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
27 © 2012 KPMG . All rights reserved.
with license agreements. The Directorate: IT should be the custodian of all relevant software material relating to the installation of software.
Management comments
See action plan below.
Agreed management actions
# Action Responsible individual Implementation date(s)
1 The draft Palama ICT Asset Acquisition Policy will be finalised and approved by the relevant delegated authority as soon as possible and then communicated to all employees.
Director: ICT 30 April 2012
2 The Directorate: IT should install the software on the relevant user’s computers and should control the number of computers on which software has been installed in order to comply with license agreements. The Directorate: IT should be the custodian of all relevant software material relating to the installation of software.
Director: ICT On-going
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
28 © 2012 KPMG . All rights reserved.
4.2 Submission of ICT assets for disposal Significant
[Orange]
Observation
We selected a sample of 15 ICT assets recommended for disposal from the submission dated 23 June 2011 and requested the records of evaluation of these assets as follows:
Asset No.
Description Serial No. Reason for disposal in submission
03525 Computer Monitor LCD MECER
3416T00020H0326 Obsolete – 8 years old
03878 Computer Laptop ACER LXT270E123405011C5 Obsolete – 9 years old
04578 Computer CPU ACER PSPF1E60541000979L00 Obsolete – 7 years old
05028 Printer/Scanner/Fax/Copier Brother MFC-5440cn
C5F626395 Obsolete – 7 years old
05673 Computer Laptop IBM L3XNEXM Obsolete – 5 years old
05833 Projector Data TWC6047218 Obsolete – 5 years old
05852 Computer Laptop IBM L3-WTNGE 06/01 Obsolete – 5 years old
06052 Computer Printer Brother M5J275898 Obsolete – 5 years old
07332 Computer Laptop IBM 1S637263GL3AA337 Uneconomical to repair – 4 years old
07517 Computer Laptop IBM 1S8744HCGL3AN610 Uneconomical to repair- 4 years old
07737 Computer CPU ZAB738004M Uneconomical to repair- 4 years old
08163 Computer Printer Brother E63659E7J990456 Uneconomical to repair- 4 years old
08231 Computer Laptop IBM 1S766927GL3A1156 Uneconomical to repair- 4 years old
08274 Computer Laptop 1S7767BAGL3A4110 Uneconomical to
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
29 © 2012 KPMG . All rights reserved.
Asset No.
Description Serial No. Reason for disposal in submission
repair- 4 years old
10479 Scanner 10479 Uneconomical to repair- 3 years old
Management explained the following to us:
• These assets had been dormant for more than two (2) years and Gijima only keeps records of incidents for the past 24 months.
• The Directorate IT had performed an evaluation of the assets (together with the assistance of Gijima) on 16 September 2010.
It therefore appears as though nine (9) months passed from when the evaluation took place to the compilation of the submission for disposal.
It also appears as though these assets have remained on the asset register for at least two (2) years while it was known that they were obsolete / redundant / uneconomical to repair.
Recommendation
Management should consider the following:
• On an annual basis the Directorate: IT should recommend a submission of all ICT assets recommended for disposal (following a process of evaluation of the assets) and submit the approved submission to the Asset Disposal Committee for approval.
Management comments
See below.
Agreed management actions
# Action Responsible individual Implementation date(s)
1 On a quarterly basis the Directorate: IT will recommend a submission of all ICT assets recommended for disposal (following a process of evaluation of the assets) and submit the approved submission to the Asset Disposal Committee for approval.
Director: ICT 31 March 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
30 © 2012 KPMG . All rights reserved.
4.3 Loss cases for ICT assets pending since 2009 Significant
[Orange]
Observation
During our process to obtain an understanding of the ICT asset management process it was explained that there are currently 13 cases with respect to lost ICT assets for which investigations have not yet been concluded by the Labour Relations Unit.
Four (4) of these cases relate to the period 1 April 2011 – 31 October 2011 and the other nine (9) relate to previous financial periods (some as far back as the 2009/10 financial year).
The following is stated in paragraph 11.7 of the draft Loss Control Policy with respect to the timelines for completion of investigations relating to losses:
“Losses or damages suffered due to acts or omission by an official and/or criminal acts must immediately be investigated internally. All internal investigations must be finalised within two months from the date of reporting to the investigation officer.”
Recommendation
Management should consider the following:
• Investigations into cases of loss should be concluded as soon as possible by the Labour Relations Unit in order that the appropriate steps be taken to finalise the case and to write-off the asset.
Management comments
The process for investigating lost assets sometimes takes a longer period due to the use of external Investigators. Where possible, the department will consider using internal Investigators in order to expedite investigations and facilitate post investigation processes...
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
31 © 2012 KPMG . All rights reserved.
Agreed management actions
# Action Responsible individual Implementation date(s)
1 Where possible, the department will consider using internal Investigators in order to expedite investigations and facilitate post investigation processes.
Director: HRM & D On-going
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
32 © 2012 KPMG . All rights reserved.
4.4 Reporting of investigation results to Asset Management Housekeeping
[Yellow]
Observation
During our documentation of the management of ICT assets process, it was explained that the Loss Control Officer informs Asset Management either telephonically or via email of the results of the investigation conducted by the Labour Relations Unit on the ICT asset reported lost.
Recommendation
Management should consider the following:
• The Loss Control Officer must inform Asset Management of the results of the investigation via email. This email should be retained by Loss Control for future reference purposes.
Management comments
See below.
Agreed management actions
# Action Responsible individual Implementation date(s)
1 Results of the investigations shall be reported to the Asset Management by email. The emails shall be kept for future reference purposes.
Loss Control Officer Immediately.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
33 © 2012 KPMG . All rights reserved.
4.5 Management of the IT Storeroom and IT Server Room Housekeeping
[Yellow]
Observation
IT Storeroom
During our review of the ICT assets disposal process, it was noted through discussion with management that IT has its own storeroom (room R0389) where loan units, ICT equipment that needs to be repaired, ICT equipment recommended for disposal, newly delivered ICT equipment and non-owned ICT assets are stored.
Through observation the following was noted with respect to the IT Storeroom:
• There are over 100 items in the IT Storeroom (this was confirmed through inspection of the ICT asset register as well). Some of these assets are obsolete / redundant as they are more than five (5) years old.
• The IT Storeroom does not appear to be spacious enough to accommodate all the assets.
IT Server Room
Through observation the following was noted with respect to the IT Server Room:
• The server room appeared to be untidy.
• Staff had been eating in the Server Room as there were apple leftovers on one of the tables.
• The cabinets in the Server Room do not close properly and therefore wires are exposed.
• There were wires on the floor creating a safety hazard as an individual could easily trip over the wires.
Recommendation
Management should consider the following:
• On a quarterly basis the Directorate: SCM should conduct an asset verification (stock take) of all assets in the IT Storeroom to ensure that all assets are accounted for. The number of assets in the IT Storeroom should be kept to a minimum where possible.
• The following should be formally documented in the IT Policy / Procedures and adhered to:
- No individual must be allowed to enter the server room with food or drink in hand. - The server room must be kept clean and neat and tidy at all times.
• The broken cabinets in the Server Room should be fixed and should be kept closed.
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
34 © 2012 KPMG . All rights reserved.
Management comments
See below.
Agreed management actions
# Action Responsible individual Implementation date(s)
1 The following should be formally documented in the IT Policy / Procedures and adhered to:
• No individual must be allowed to enter the server room with food or drink in hand.
• The server room must be kept clean and neat and tidy at all times.
Director: ICT 1 April 2012
2 The broken cabinets in the Server Room should be fixed and should be kept closed.
Director: ICT 1 March 2012
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
35 © 2012 KPMG . All rights reserved.
5 Sampling A maximum sample size of 15 transactions / items per control was reviewed during our audit testing.
Type of supporting evidence
Sample size Assertion tested for:
A maximum sample of 15 procured ICT assets will be selected for the period under review
IT Request Form. A maximum sample of 15. Existence
Authorisation
Quotations. A maximum of three (3) quotations expected for each sample of 15 ICT Assets procured.
Existence
Budget spreadsheet. A maximum sample 15 procured ICT assets agreed to one (1) budget spreadsheet.
Existence
Accuracy
SCM Procurement Request Form.
A maximum sample of 15. Existence
Authorisation
A maximum sample of 15 ICT assets recommended for disposal will be selected for the period under review
Evaluations conducted on the asset by Gijima.
A maximum sample of 15 ICT assets recommended for disposal.
Existence
List of ICT assets to be disposed of.
A maximum sample size of 15 ICT assets recommended for disposal.
Existence
Completeness
Submissions prepared for the Asset Disposal Committee.
Will depend on the number of ICT assets included on a submission - but a maximum sample size of 15 submissions.
Existence
Authorisation
Minutes of the relevant Asset Disposal Committee meeting.
A maximum sample of two (2) due to the Asset Disposal Committee meeting quarterly.
Existence
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
36 © 2012 KPMG . All rights reserved.
Type of supporting evidence
Sample size Assertion tested for:
The Asset Register. A maximum sample size of 15 ICT assets recommended for disposal agreed to one (1) Asset Register.
Existence
Validity
Completeness
The submission to the DG in which the asset was recommended for disposal.
Depending on the number of ICT assets included in one (1) submission – a maximum sample size of 15 submissions.
Existence
Authorisation
A maximum sample of 15 ICT assets reported as lost will be selected for the period under review
Statement of Loss Form. A maximum sample size of 15. Existence
Completeness
Register for Loss Control. A maximum sample size of 15 ICT assets reported as loss agreed to one (1) Register for Loss Control.
Existence
Completeness
The submission to the Branch Head: Corporate Services which includes this loss.
Depending on the number of ICT assets included in one (1) submission – maximum sample size of 15 submissions.
Existence
Authorisation
Evidence of submission to the Labour Relations Unit.
Depending on the number of ICT assets included in one (1) submission – a maximum sample size of 15 submissions.
Existence
Register of Loss Control Submissions
A maximum sample size of 15 ICT assets reported as loss agreed to one (1) Register of Loss Control Submissions.
Existence
Follow-up of the 2010/11 Internal Audit Report on Asset Management
A maximum sample of two (2) procured ICT assets will be selected for the period under review
Asset register. Maximum sample size of two (2) ICT assets selected from the
Existence
Accuracy
ABCD Public Administration Leadership and Management Academy
Internal Audit Report - Information Communication Technology (ICT) Assets Review January 2012
37 © 2012 KPMG . All rights reserved.
Type of supporting evidence
Sample size Assertion tested for:
asset register.
IT Request Form. A maximum sample of two (2). Existence
Authorisation
SCM Procurement Request Form.
A maximum sample of two (2). Existence
Authorisation