WORKING GROUP ON PUBLIC DEBT (JULY 2015, LIVINGSTONE, ZAMBIA ) The Audit of the Debt Management and Financial Analysis System - Zambia Presenter: Mr. Francis Mbewe Director – Public Debt and Investments
Presentation Overview Introduction Brief Background of DMFAS Audit Objectives and Audit Areas reviewed Significant Weaknesses and Irregularities Observed & Progress in Public Debt Management-IT Systems Challenges Encountered During Audit Impact of Audit on SAI Composition of Zambia Debt & Indicators Livingstone, Zambia 2
3 Introduction SAI Zambia took part in the International coordinated parallel audit of Public Debt Management Information System, coordinated by Ukraine. The audit was carried out in 2013, at the Ministry of Finance and National Planning.
Livingstone, Zambia4 Brief Background of DMFAS The Ministry of Finance (MOF) has been using the United Nations Conference on Trade and Development’s (UNCTAD) Debt Management and Financial Analysis System (DMFAS) since The system was upgraded to DMFAS version 5.3 in The version can be installed and accessed on a standalone PC or on a networked environment and supports Oracle 10g RDMS. At the time of audit, the DMFAS was managed by the Investment and Debt Management Department of the Ministry and contained only public external debt information. This was the first time that the DMFAS was being audited.
Audit Objective(s) Assess the adequacy of general and application controls. Assess Change Management procedures. Assess the interface with other Critical systems. Assess the adequacy, reliability and integrity of data from the system. Ascertain the existence and adequacy of the Business Continuity Plan (BCP) and Disaster Recovery Plan Livingstone,Zambia5.
6 Audit Scope The Public Debt Information System audit was conducted for the period January to December, Audit Areas reviewed: IT System Strategy and General Management; Security and Environmental Controls; Operational Controls and Documentation; Application Controls.
Livingstone,Zambia7 Significant Weaknesses and Irregularities Observed The weaknesses and irregularities highlighted in this presentation are not necessarily all the weaknesses or shortcomings in the management and operation of the DMFAS.
Livingstone, Zambia8 Lack of Designated Server Room: The Ministry did not have a designated server room for DFMAS. As a result the computer room was used to house the DMFAS server. It was also used as a pool office and for storage of ICT Equipment. Corrective Action : New servers for the Debt Management and Financial Analysis System have been relocated to the Data Centre which is managed separately.
Livingstone, Zambia9 Lack of Continuous System Upgrade -Delays in upgrading to DMFAS 6.0: The Ministry had not upgraded to the DMFAS 6.0 which was launched over three (3) years ago. Corrective Action: MOF has since implemented Debt Management and Financial Analysis System Version 6.0 and undertaken training of Staff in the use of the upgraded version.
Livigstone,Zambia10 Failure to Utilize DMFAS Grants Module – in house development of another system to manage grants: Despite the DMFAS having a grants module which can be used to record general and specific data relating to grants, the module remained unutilized. Corrective Action :The Ministry is now using the module in the upgraded DMFAS 6.0.
Livigstone,Zambia11 Failure to Perform Data Validation Checks: The MoF did not perform data validation checks. As a result, data validation reports were not generated. Corrective action: Data validation to be part of the routine checks and scripts to be run every month in the upgraded system
Lack of Segregation of Duties The DMFAS was operated and controlled by two (2) data entry operators’ one of whom was acting as the Programmer/Analyst for administrative convenience. The acting Programmer/Analyst performed the functions of Systems, Database, and Security Administrator on the system whereas the other Data Entry Operator was assigned user rights. Corrective measure: Additional Officers seconded to DMFAS to mitigate staff inadequacy. Livingstone, Zambia12
Lack of an Information Security Policy: The Ministry did not have a security policy in place for the DMFAS on which to base security related decisions on the management and administration of the system Corrective action: Process of implementing an ICT policy which includes the Information Security Policy began in May 2014 and has since been completed. Livingstone, Zambia13
Livingstone, Zambia14 Lack of Change Management Procedures: The Ministry did not have documented or formalized change management procedures in place to guide the system administrator and users on making changes on the system and database which included the adjustments to loan parameters. Corrective Action: Procedures to be developed and incorporated in the ICT policy which has since been completed.
Failure to maintain an ICT Asset Register: The IDM unit did not maintain an IT Asset Register. The IT Inventory listing availed for audit was incomplete as it did not have important details such as: Date of acquisition, Status and Location. Corrective action: MOF has implemented a Hardware Inventory Management system. Livingstone, Zambia15
Livingstone, Zambia16 Lack of Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP): MOF did not have an IT BCP and a DRP for the system during the period under review. Corrective Action: The process of implementing a BCP and DRP commenced in It is yet to be finalized.
Livingstone, Zambia17 Lack of Backup Policy: No Offsite Storage of backups or Testing Corrective Action: Back up to be part of the BCP and DRP implementation.
Livingstone, Zambia18 Poor User Account Management The password for the system administrator and user were not set with an expiration period Parameters, complexity, age and length of passwords were not defined on the Password security policy settings. The automatic account lock-out duration, threshold and lock-out counter on system were not defined. Corrective measure: Proper user account management to be done at Application and Database level.
Lack of an Updated Anti Virus: DMFAS operated without an up-to-date antivirus. The McAfee antivirus version 8.5.0i, 2008 version, which had been installed on the system, had the following shortcomings: It was not updated with nineteen (19) security patches that were released by the supplier between 2009 and It had reached its end of support (EOS) date in August 2010 and therefore the supplier would not offer any support for product from there on. Corrective action: MOF to ensure that an enterprise Anti Virus is deployed and checked regularly. Livingstone, Zambia19
Lack of Risk Assessment and Internal Audit of the System: The MOF neither carried out any risk assessment of the DMFAS nor was the system subjected to audit by internal auditors within the Ministry. As a result no risk register was maintained which would highlight the significant risks that the system was subject to and how those risks would be managed or mitigated. Corrective action: MOF is developing a Risk Management Policy through the Office of the Controller of Internal Audit and Internal Auditors will be incorporated in training schemes. Livingstone, Zambia20
Challenges Encountered during the Audit of Public Debt Management Information System Some of the challenges encountered during audits include: Poor Record keeping Delays/failure to respond to queries Delays to implement audit recommendations 21
Impact of the Audit on the SAI Our participation has had the following impact: Capacity building within the Office in Audit of PDMISs. Shared experiences and Networked with other participating SAIs. Livingstone, Zambia 22
23 Composition of Zambia’s Total Debt (in million USD) Source: Zambia Debt Sustainability Report June 2014 YearPublic Domestic Public External Public & Publicly Guarantee d Debt Private External Total Debt 20082, , , , , , , , , , , , , , , , , , , , , , , , , , , ,831.13
24 Composition of Zambia’s Total Debt Source: Zambia Debt Sustainability Report June 2014 YearDomesticPublic ExternalPrivate External %28.0 %21.5 % %27.4 %39.6 % %30.6 %31.5 % %31.2 %26.4 % %48.3 %12.8 % %40.3 %19.0 %
25 Indicators of Public and Publicly Guaranteed External Debt PV of Debt to GDP- Estimated at 22.3 percent in 2014 PV of Debt/exports-Estimated at 48.6 percent in 2014 PV of Debt/budget revenue-Estimated at percent in 2014 Debt Service/exports-Projected to be below 20 percent Debt service/budget revenue-Projected to increase from average of less than 11 percent in to 15.9 in 2022 Source: Zambia Debt Sustainability Analysis Report June 2014
Livingstone, Zambia26 SAI Zambia wishes to express its profound appreciation for being accorded an opportunity to share its experience of auditing its Country’s Debt Management Information System.
Victoria Falls, One of the seven natural wonders of the world in Livingstone, Zambia Thank You 27
Zambia28 Questions and Comments