Page 1 APAC ANNUAL TRAINING 2011 “Integration of specialist skills into AGSA regularity audits for greater oversight impact” 2- 3 Aug 2011 Presenter: Ms C Mampuru and Ms Jabulile Nkosi

Reputation Promise The Auditor-General of South Africa has a constitutional mandate and, as the Supreme Audit Institution (SAI) of South Africa, it exists to strengthen our country’s democracy by enabling oversight, accountability and governance in the public sector through auditing, thereby building public confidence. 2

3 PRESENTATION OUTLINE Mandate of the Auditor General of South Africa Strategic Objectives of the AGSA Introducing Specialist skills in Regularity Audits –Why integration –Value and benefits of integration –Investigation inputs –ISA inputs –How to detect red flags within departmental and entity processes

T he AGSA’s key strategic thrust is to respond effectively to the need to influence the achievement of clean audit opinions. “Good governance is essentially about effective leadership… Leaders need to define strategy, provide directions and establish the ethics and values that would influence and guide practices and behaviour with regard to sustainability performance”. Source - King III “Clean administration” therefore is about the effectiveness of leadership in ensuring public resources are managed efficiently, for the purpose intended, in compliance with prescripts, therefore a pre- requisite for effective service delivery. THE STRATEGIC FOCUS OF THE AGSA

This presentation focuses on the collaboration of the various units within the AGSA, namely: –To strengthen governance and oversight within Public Entities. –To highlight the preventative measures that can put in place to avoid the factors that undermine service delivery. –Deals with what oversight structures can do in order to deal decisively with the factors that undermine service delivery. 5 THE STRATEGIC FOCUS OF THE AGSA

Procurement – supply chain management Human resources – governance and capacity Performance information and performance reporting IT management 6 KEY AUDIT FOCAL POINTS FOR THE ORGANISATION

Deploy specialised skills to simplify complex areas Focus on systemic and transversal areas Integrate into regularity audit through sharing of insights and assisting with the development of audit approaches and guidance Promote knowledge sharing through institutional co-operation activities Demonstrating the value and benefits of SAIs 7 SPECIALISED SERVICES PORTFOLIO STRATEGIC POSITIONING

INTRODUCTION OF SPECIALIST DURING REGULARITY AUDITS Why Integration –Integration ensures that there is no unnecessary duplication of effort. –Strengthens the assessment of risks of material misstatement of the financial statements due to fraud. –Empowers RA to identify potential high risk areas of fraud and irregularities, and ensures that those that are charged with governance and oversight, can to take timeous action (quarterly key control). –Investigations pro-actively test compliance with key legislative requirements and advises those that are charged with governance and oversight. 8

INTRODUCTION OF SPECIALIST DURING REGULARITY AUDITS Value and benefits of integration This approach allows for broader coverage of institutions. Minimises the impact of losses arising from misappropriation, fraud, theft and corruption. Evaluation of the measures instituted by management to ensure that resources have been procured economically and are used efficiently and effectively towards achieving the desired outcomes. 9

Regularity Audit BUs uses the red flags indentified by the investigations BU to strengthen their audit procedures to detect fraud and error in the financial statements of the organs of state, thereby contributing in the achievement of clean audit opinions. Regularity Audit BU’s will also monitor the Auditees to ensure that the necessary measures and steps to ensure effective accounting and internal control systems, and ensure proper risk management are implemented. INVESTIGATIONS

Regularity also monitors the development/implementation of policies & guidelines to strengthen governance, & ensure compliance with the law. Investigations BU conducts on-going data analytics of the Public Entities payment systems, using CAATS, to identify possible red flags, and to conduct verification of the identified red flags. 11

INFORMATION SYSTEMS AUDITING Provides quality information systems (IS) audit support to the regulatory auditing business units(ABUs) and specialised auditing business units as part of the AGSA’s integrated audit approach. Evaluates the controls within an organisation’s information technology (IT) infrastructure and information systems (IS), its IS practices and operations, the safeguarding of its IT assets, the maintenance of data integrity and the design and operating effectiveness of key IT controls ISA input empowers ABUs to identify potential high risk areas in the internal control of information systems and assists ABUs to efficiently and effectively discharge their responsibilities in the IS environment responsible for generating financial information.

INFORMATION SYSTEMS AUDITING Enhances auditing capacity by building decentralised specialist capacity in provinces to finalise audits timeously and respond to government’s increased use of information systems Outcomes of information systems audit are incorporated into the general and sector reports

IT governance IT governance consists of the leadership and organisational structures and processes that ensure that the organisation’s information technology sustains and extends the organisation’s strategies and objectives. Security management Security management ensures that security measures are in place to prevent unauthorised access to networks and operating systems that grant access to the application systems. INFORMATION SYSTEMS AUDIT FOCUS AREAS

User access controls User access control is the systematic process of managing the access of users to the application systems. Program change management Program change management ensures that any proposed changes to the existing information system environment are coordinated, scheduled, authorised and tested to prevent unnecessary disruptions, erroneous changes and unauthorised and inappropriate access. INFORMATION SYSTEMS AUDIT FOCUS AREAS

IT service continuity Information technology service continuity is the process of managing the availability of hardware, system software, application software and data to enable an organisation to recover/establish information system services in the event of a disaster. Facilities and environmental controls Facilities and environmental controls over information systems ensure the security, integrity, condition, performance and accessibility of the systems and the system information. INFORMATION SYSTEMS AUDIT FOCUS AREAS

Data Centre Data centre management relates to the management of scheduled processing, protecting sensitive output, monitoring infrastructure performance and ensuring preventive maintenance of hardware. INFORMATION SYSTEMS AUDIT FOCUS AREAS

The relevant Provincial Legislature or Parliament uses the identified risks as technical information to facilitate public accountability. The Legislature should focus on the corrective steps that the Auditee has taken to rectify the situation, since the issues were highlighted by the AGSA. Auditees should be required to provide proof of implementation plans in order to keep the Accounting Officers accountable. The Legislature should require of the Auditees to provide regular (quarterly) updates and progress reports on the implementation of corrective measures. THE USE OF SPECIALISED SERVICES REPORTS- PARLIAMENTARY COMMITEES