Report of the Auditor-General on the Information Technology of the Ministry of Energy
REPORT OF THE AUDITOR-GENERAL ON THE AUDIT OF THE INFORMATION TECHNOLOGY SYSTEMS OF THE
MINISTRY OF ENERGY
TABLE OF CONTENTS
Pages
Transmittal letter ……………………………………………… i-ii
Executive summary ……………………………………………… 1
Introduction ………………………………………………………… 1
Background …………………………………………………………… 1
Scope and objective of audit ……………………………………… 2
Audit approach ……………………………………………………… 3
Overall conclusion ………………………………………………… 3-6
Limitation of scope and responsibility ………………………… 6
ANNEX A: Detailed findings and recommendations ……………… 7
A.1 Overall IT policy and strategy ……………………………… 7-11
A.2 IT asset management …………………………………………… 12-15
A.3 Service level agreement ……………………………………… 16-18
A.4 IT security (including physical and logical access to the systems) ……… 19
A.4.1 Physical access control …………………………………… 19-22
A.4.2 Logical access control ……………………………………… 23-26
A.5 Business continuity planning ………………………………… 27-30
TRANSMITTAL LETTER
Ref. AG01/109/Vol.2
Office of the Auditor-General
Ministries Block O
P. O. Box MB96, Accra
Tel. (021) 662493
Fax (021) 662493
30 December 2009
Dear Madam Speaker,
REPORT OF THE AUDITOR-GENERAL ON THE
INFORMATION TECHNOLOGY SYSTEMS OF THE MINISTRY OF ENERGY
I have the honour to submit to you for presentation to Parliament my audit report on the Information Technology (IT) systems of Ministry of Trade, Industry, Private Sector Development and President Special Initiatives, in accordance with Article 187(2) of the 1992 Constitution and Sections 11(1) and (3) and 16 of the Audit Service Act 2000, Act 584. My office is mandated, among other things, to review computerised financial and accounting systems including electronic transactions of public institutions and approve the form in which these are kept. I am also mandated to carry out in the public interest such special audits or reviews as I consider necessary and to submit reports on the audits or reviews undertaken by me to Parliament.
2. This report has been prepared by staff who have been professionally trained under the European Union capacity building project in conducting IT Audits to internationally recognised standards and best practice. The team that carried out the audit comprised Mr Charles Okutu (Leader) and Ms Kate Dangbe, Auditors, under the supervision of Ms Beatrice M. Akintomide, Financial and IT Audit Consultant of the UK National Audit Office and Mr. Augustine R. K. Boadu, Deputy Auditor-General.
3. The report reveals, among other things, weaknesses in managing the Ministry’s information systems, such as:
a) an antiquated IT system which was on the verge of collapsing;
b) poor controls over user access to data;
c) risk of multiple passport issuance; and
d) lack of arrangements for ensuring continuity of business operations should the IT system fail or in the event of a disaster,
and makes recommendations to address these lapses.
4. I would like to thank my staff for their assistance in the preparation of this report and the staff of Ministry of Energy for the assistance offered to my officers during the period of the audit.
5. I trust that this report will meet the approval of Parliament.
Yours faithfully
RICHARD Q. QUARTEY
Ag. AUDITOR-GENERAL

THE RT. HON. SPEAKER
OFFICE OF PARLIAMENT
PARLIAMENT HOUSE
ACCRA

REPORT OF THE AUDITOR-GENERAL ON THE AUDIT OF THE INFORMATION TECHNOLOGY SYSTEMS OF THE MINISTRY OF ENERGY
Executive summary
Introduction
An IT audit of the Ministry of Energy’s business critical systems and
processes has been carried out in accordance with the statutory
requirement of section 11 (1) and (3) of the Audit Service Act, 2000,
Act 584 which requires that the Auditor-General review computerized
financial and accounting systems and approve the form in which these
are kept.
Background
2. The Ministry of Energy (MOEn) is a government institution
whose mission is to provide an enabling environment for all
stakeholders for the judicious exploration, exploitation, harnessing,
and management of energy in an efficient, cost effective and
sustainable manner.
3. Its vision is to enable Ghana become a net exporter of fuel and
power.
4. The Ministry of Energy has the responsibility for developing and
implementing energy sector policy in Ghana and also supervises the
operations of the Volta River Authority, Bulk Oil Storage and
Transportation Company Limited (BOST), Tema Oil Refinery (TOR)
Ltd, Ghana National Petroleum Corporation (GNPC), Ghana Cylinder
Manufacturing Company (GCMC) Ltd, Energy Commission, The
Ghana Energy Foundation (GEF), Electricity Company of Ghana
(ECG), Ghana Oil Company Limited (GOIL), National Petroleum
Authority (NPA), Ghana Grid Company and the Bui Power Authority.
Scope and objective of review
5. The objectives of the audit were to:
• review and appraise the controls and procedures operated by
management to ensure that information is reliable and the
continued integrity of the business critical systems is
safeguarded;
• assess the effectiveness of the overall management control
over the IT function of the organisation; and
• provide a report highlighting any weaknesses and recommending corrective action.
6. This audit evaluated the effectiveness of the general controls
surrounding the information systems of MOEn. Our planned audit
scope included review of business critical systems, but due to the
absence of a business critical system, the review focused on the IT
control environment and the IT service management arrangements.
Our fieldwork was performed at MOEn’s premises located in the
Ministries, Accra. The audit covered the following key processes:
• overall IT policy and strategy;
• service level agreement;
• IT security (including physical and logical access to the
systems);
• IT Asset management; and
• business continuity planning.
Audit approach
7. The audit was undertaken in accordance with international
auditing standards issued by the International Auditing and Assurance
Standards Board (IAASB), International Organisation of Supreme
Audit Institutions (INTOSAI) and the Information Systems Audit and
Control Association (ISACA). We also took account of best practice
in IT Service Management. The audit covered the information systems
arrangements in place as of August, 2008 and was carried out by a
team of specialist IT auditors.
Overall conclusion
8. The audit concluded that the Ministry of Energy’s current IT
arrangements are inadequate and not capable of meeting the needs of
the organisation.
9. The Ministry does not have an IT strategy or IT policies and procedures in place. The absence of such policies and procedures increases the risk of the acquisition or development of systems which are unsuitable for business needs or not in line with corporate objectives and priorities.
10. There are no formal arrangements in place for securing the
Ministry’s building and equipment. This increases the risks of damage
to expensive and vital equipment and unauthorised disclosure,
creation, alteration or deletion of data.
11. The Ministry did not maintain complete and accurate records of
its IT assets. The Ministry has not developed formal policies and
procedures to identify and ensure accountability of hardware.
12. The review identified a number of significant issues that
require management’s immediate attention. These relate to:
• the absence of an IS/IT strategy approved by senior management (High priority);
• the absence of an IT Department (High priority);
• the absence of an IT security policy (High priority);
• the lack of proper controls over user access to the internet (Medium priority);
• the absence of proper arrangements for backing up data (Medium priority);
• the absence of an IT asset register (Medium priority);
• inadequate control over internet access and usage (Medium priority); and
• the absence of a business continuity plan (High priority).
13. We invited senior management’s response to the issues raised and
on the factual accuracy of the contents of this report. Our observations
and detailed recommendations are set out in Annex A.
14. The weaknesses identified have been prioritised based on their
level of significance. The priority ratings applied in paragraph 12
above and in the Annexes are explained below:
• High (H): A business issue or control weakness of such
fundamental significance and/or financial materiality to the
organisation that it requires the immediate action of line and
senior management, with a priority for resolution.
• Medium (M): A business issue or control weakness of such
substantial importance to the organisation that it requires the
immediate attention of line management and an agreed action
plan for resolution.
• Low (L): An administrative control issue of significance but of
relatively low financial materiality. Although this does not
warrant immediate attention, an agreed action plan should be
established.
Limitation of scope and responsibility
15. As at the time of the audit there were no corporate IT systems
in place. Use of information technology was restricted to Microsoft
office applications. We were therefore unable to review application
controls and could not express an opinion.
16. We reviewed the management controls operated by the
Ministry of Energy only to the extent possible and necessary for the
effective performance of this audit. As a result, our review may not
have detected all weaknesses that exist or all improvements that could
be made. We have prepared this report solely for your use, and use
within your organisation. Its contents should not be disclosed to any
third parties without our consent. We would not accept any
responsibility for any reliance the third party might place upon it.
ANNEX A: DETAILED FINDINGS AND RECOMMENDATIONS
A.1 Overall IT policy and strategy
16. We sought assurance that the MOEn system under review is
consistent with MOEn current corporate and IT strategies, and is
subject to adequate levels of corporate governance.
17. We noted however that:
• the Ministry of Energy did not have appropriate policies and
procedures in place to facilitate its contribution to the
achievement of the Government of Ghana’s (GOG’s)
commitment to ICT development, as contained in the
Ministerial Policy Statement on ICT;
• the Ministry does not have an IT department; and
• the Ministry was unable to provide us with a business case
(The information required for an organisation to decide
whether a project should proceed or justification for setting
up and continuing a project) to support the Internet system
that was in place. We were therefore unable to gain assurance
that the Internet system was in line with corporate priorities.
Risks
18. Without an IT department there is no dedicated unit responsible for IT activities, so those activities are unlikely to function well and issues concerning IT will be handled less professionally.
19. The absence of an IT strategy could lead to the development of
systems that are unsuitable for business needs and also a directionless
IT unit.
Recommendation 1
20. Management should establish a formal IT department that should
be managed by well-trained and qualified personnel. Management
should also ensure that an Organisational chart which shows the
structure and designation of the various heads of departments/
directorate is drawn up.
Management’s response
21. Establishment of an IT department is yet to be done, but a well-structured organogram has been put in place.
Ownership: HRD/M Directorate
Timescale: June 2009
Recommendation 2
22. There should be an IT Committee appointed by senior
management and should include representatives from senior
management, user management and Information System department
(IS) to:
• review long and short range plans of the IS department to ensure
that they are in accordance with the corporate objectives;
• review and approve major acquisitions of hardware and software
within the limits approved by management;
• approve and monitor major projects and the status of IS plans and
budgets, establish priorities, approve standards and procedures
and monitor overall IS performance; and
• review and approve outsourcing strategies for selected IS
activities.
Management’s response
23. Due to transfers and resignation of staff, the IT committee
meetings have not been effective over the years and will be revamped
as soon as possible.
Ownership: Chief Director/Finance & Administration Directorate
Timescale: July 2009
Recommendation 3
24. There should be an IT strategy in place and should:
• follow the corporate business strategy;
• be reviewed annually to check that its assumptions and decisions
remain valid;
• be made known to staff. Staff should be kept informed of the main
issues in the IT strategy; and
• be approved by senior management.
Management’s response
After the Ministry’s Policy Statement, management is yet to initiate a
process for an IT Strategy.
Ownership: PPME/Finance and Administration Directorate
Timescale: December 2009
Recommendation 4
25. The internal audit function should be strengthened and trained in
IT audits to be able to review IT systems to prevent, detect and correct
control weaknesses and errors.
Management’s response
26. Management said that it would train personnel of the Internal
Audit Section in the IT related systems.
Ownership: HRM/D Directorate
Timescale: December 2009
A.2 IT asset management
Introduction
27. IT asset management arrangements allow organisations to
optimise their use of IT assets to achieve business goals.
28. Maintaining and distributing assets across an organisation,
ensuring staff have the tools they need to do their jobs is difficult and
costly when the assets cannot be readily found. Knowing where the
assets are, how they are configured, and how they are used allows an
organisation to ensure that these assets are in the right place at the
right time, properly equipped and supported.
Observation
29. We sought assurance that adequate records are maintained on all
components of the IT infrastructure. We also reviewed records held to
ensure that there is economy in the acquisition of computers and
peripherals; they are recorded in store records, their disbursements are
covered by the necessary documents with authorization from the
appropriate management quarters, and can be traced from acquisition
to disposal.
30. We noted that:
• whilst some of the computers were indelibly marked to indicate that the Ministry owns them, others, especially the new computers, were not;
• some obsolete and unserviceable computers and their accessories have been dumped under the staircase on the ground floor of the Ministry’s building, contrary to Section 83(1) of the Public Procurement Act 2003 (Act 663), which states that the Head of a procurement entity shall convene a Board of Survey comprising representatives of departments with unserviceable, obsolete or surplus stores, plant and equipment, which shall report on the items and, subject to a technical report on them, recommend the best method of disposal after the officer in charge has completed a Board of Survey form;
• the Ministry does not have an asset register;
• the IT Head/Emetron is not consulted in the purchases of IT equipment for the Ministry; and
• the Ministry did not undertake regular asset verification exercises.
31. Risks
• Without a comprehensive IT asset management programme in place, IT assets can cost far more than necessary through waste, redundancy and expensive maintenance.
• In the absence of effective asset management controls, fraud could be perpetrated. Spurious pricing of IT equipment could increase financial loss to both the Ministry and the State, and undeserving suppliers could be given contracts.
• The absence of an asset register detailing the quantities bought, location, make, serial numbers and date of purchase, and the failure of the Ministry to undertake regular asset verification exercises, could lead to loss of assets and high cost of replacement.
Recommendation 5
32. The Ministry should consider developing an effective IT asset
management programme that will link asset management strategy to
both IT strategy and overall business strategy.
Management’s response
33. Management responded that it would ensure that an effective IT
asset management programme was implemented.
Ownership: Director Finance and Administration Directorate.
Timescale: December 2009
Recommendation 6
34. Management should ensure that an asset register is maintained
and promptly updated to reflect all additions and disposals. All IT
assets should be indelibly marked to indicate that the Ministry owns
them.
Management’s response
35. Management would ensure that the Estate Unit is provided with
the requisite materials to mark all the Ministry’s assets.
Ownership: Finance and Administration Directorate
Timescale: December 2009
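Recommendation 6 asks for a register that is updated for every addition and disposal and for assets to be marked; Recommendation 7 and paragraph 30 describe what goes wrong when neither happens. As an added illustration, not part of the audit report or of the Ministry’s own records, the following Python script reconciles a constructed asset register against the results of a constructed physical verification exercise and lists the exceptions an auditor would raise: assets in use that could not be found, devices found that were never recorded, devices found in a different room from the one recorded, devices without the ownership mark, and items recorded as disposed that are still on the premises. The CSV layout, serial numbers, rooms and dates are all assumptions.

```python
"""Reconcile an IT asset register against a physical verification exercise.

Added example, not from the audit report. All serials, locations and
dates below are constructed; the CSV layout is an assumed register format.
"""
import csv
import io

# Constructed asset register: one row per IT asset recorded by the Ministry.
REGISTER_CSV = """\
serial,make,location,purchased,status
SN-0001,Desktop PC,Room 101,2006-03-01,in use
SN-0002,Desktop PC,Room 102,2006-03-01,in use
SN-0003,Laptop,Room 103,2007-11-15,in use
SN-0004,Printer,Store,2003-06-20,disposed
"""

# Constructed verification results: what the Estate Unit actually found.
# Each row: serial read off the device, room where it was found, whether it
# carried the Ministry's indelible ownership mark.
SIGHTINGS_CSV = """\
serial,found_in,marked
SN-0001,Room 101,yes
SN-0002,Room 105,yes
SN-0004,Under staircase,no
SN-0099,Room 110,no
"""


def load_register(text):
    """Parse the register CSV into a dict keyed by serial number."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(text))}


def load_sightings(text):
    """Parse the verification CSV; the 'marked' column becomes a boolean."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["marked"] = row["marked"].strip().lower() == "yes"
        rows.append(row)
    return rows


def reconcile(register, sightings):
    """Compare register and sightings and return the exceptions an auditor
    would raise, each as a sorted list so the result is deterministic."""
    seen = {s["serial"]: s for s in sightings}
    exceptions = {
        "missing": [],           # recorded as in use but not found anywhere
        "unrecorded": [],        # found on premises but absent from register
        "moved": [],             # found in a different room from the register
        "unmarked": [],          # found without the Ministry's ownership mark
        "disposed_on_site": [],  # recorded as disposed but still on premises
    }
    for serial, asset in register.items():
        sighting = seen.get(serial)
        if sighting is None:
            if asset["status"] == "in use":
                exceptions["missing"].append(serial)
            continue
        if asset["status"] == "disposed":
            exceptions["disposed_on_site"].append(serial)
        elif sighting["found_in"] != asset["location"]:
            exceptions["moved"].append((serial, asset["location"], sighting["found_in"]))
    for sighting in sightings:
        if sighting["serial"] not in register:
            exceptions["unrecorded"].append(sighting["serial"])
        if not sighting["marked"]:
            exceptions["unmarked"].append(sighting["serial"])
    return {kind: sorted(items) for kind, items in exceptions.items()}


def run_verification():
    """Reconcile the constructed register and sightings above."""
    return reconcile(load_register(REGISTER_CSV), load_sightings(SIGHTINGS_CSV))


if __name__ == "__main__":
    for kind, items in run_verification().items():
        print(f"{kind}: {items}")
```

The point of separating the five exception classes is that each maps to a different follow-up: a missing asset is a potential loss, an unrecorded one is a register failure, a moved one only needs the register corrected, an unmarked one needs the Estate Unit, and a disposed item still on site is the Board of Survey problem paragraph 30 describes.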
Recommendation 7
36. Management should dispose of the obsolete and unserviceable
items dumped at the Ministry in accordance with the provisions made
in the Procurement Act 2003 (Act 663).
Management’s response
37. Management has set up a committee to address the above.
Ownership: Finance and Administration Directorate
Timescale: November 2008
A.3 Service Level Agreement (SLA)
Introduction
38. An SLA is a formally negotiated agreement between two parties.
It is a contract that exists between customers and their service
providers. It records the common understanding about services,
priorities, responsibilities, guarantee, and the level of service. SLAs
allow users of services to specify and agree, preferably in writing,
what levels of service, in terms of quantity and quality, they should
receive. SLAs are in effect service delivery contracts.
39. The Ministry has no SLA with any of its Internet service
providers.
40. The Ministry of Energy entered into contract agreement with
Geosat Technologies also known as Emetron Technologies on 26
November 2003 for the installation of a two-way satellite internet
system and local area network for 115 workstations. The two Internet
service providers are Internet Ghana and Internet Solutions. Internet
Solution provides a Very Small Aperture Terminal (VSAT) for
management staff, and Internet Ghana is the provider of broadband
Internet service.
41. On 29 November 2004 the Ministry again entered into a contract
with Emetron Technologies for the maintenance of Services provided
in the first (above) contract. An addendum to the latter contract was
signed on 3 August 2006.
42. On 16 May 2007 a renewal of Maintenance Service Contract was
signed between Ministry of Energy and Emetron Technologies Ltd.
The parties agreed to extend the maintenance contract for a further
two-year period.
43. We however noted the following:
• the local area network at the time of the audit had increased to over 200 workstations. There was no network diagram available;
• Emetron was not able to periodically update the Ministry’s website as stated in the contract. The Ministry pays for quarterly website update services and hosting maintenance services;
• the Contractor was not able to carry out training of staff to enable them to operate all equipment installed under the contract; and
• as stated in the contract, a member of Emetron’s staff was to be present in the server room during all working days and to provide first line support involving operational, supervisory and advance maintenance to ensure the desired status of operation of the servers and networks. During the time of the audit the representative was sometimes not available.
Risk
44. In the absence of a Service Level Agreement it will be difficult to assess the effectiveness of the Internet Service provider over a period.
Recommendation 8
45. Management should ensure that a member of staff of Emetron is
present in the server room during working days to provide first line
support involving operational, supervisory and advance maintenance
to ensure the desired status of operation of equipment and networks.
Management’s response
46. Management would ensure that Emetron provides effective
supervision of the Ministry’s network.
Ownership: Finance and Administration Directorate
Timescale: December 2009
A.4 IT Security (including physical and logical access to the systems)
A.4.1 Physical access control
Observation
47. We reviewed physical security to ensure that hardware, software,
data, processes, documentation, personnel, buildings and the computer
environment were physically safeguarded from damage, misuse or
unauthorised access.
48. We established that:
• the various offices where the computers were located had
security locks;
• most of the offices had air-conditioners and humidity was
controlled;
• each floor had fire extinguishers that were last serviced in
Nov. 2007. They are due for servicing in Nov. 2008; and
• there is a fire hydrant in place.
49. We noted however that:
• management had not established a documented physical
security policy;
• visitors were not issued with visitor passes and they are not
always asked to sign the visitors’ book;
• there were no smoke and water detectors;
• the Server room was located on the ground floor; and
• access to the Server room is currently not restricted to authorised personnel.
50. Risks
• The absence of a physical security policy document increases
the risk of inappropriate working practices being adopted.
• The absence of appropriate physical security procedures
increases the risks of damage to expensive and vital
equipment and the unauthorised disclosure, alteration or
deletion of data.
• Unrestricted access to the server room will increase the risk
of damage to/loss of expensive IT equipment.
• Failure to issue visitors with visitor passes prevents easy
identification. This increases the risk of unauthorised access
to vital information and IT assets.
• The location of the server room on the ground floor increases
the risk of water damage during flooding and other natural
disasters.
Recommendation 9
51. Management should establish a documented physical security
policy. Copies should be issued to all staff.
Management’s response
52. Management would develop and ensure that a physical IT
security policy is documented and distributed to all staff.
Ownership: Director Finance and Administration Directorate
Timescale: December 2009
Recommendation 10
53. Access to the Server room should be restricted to authorised persons by placing an “out of bounds” notice at the entrance.
Management’s response
54. Management would ensure maximum security at the server
room.
Ownership: Director Finance and Administration Directorate
Timescale: December 2009
Recommendation 11
55. All visitors should be made to sign the visitors’ book on arrival
and when leaving the Ministry’s building. They should be issued with
visitors’ passes which should be worn at all times.
Management’s response
56. Management has already put in place measures to address these
issues.
Ownership: Director Finance and Administration Directorate
Timescale: December 2009
A.4.2 Logical access control
Observation
57. The computers in the Ministry were networked for Internet and
intranet purposes. Internet Ghana and Internet Solution provide the
Internet service. There were three servers in use. The head of IT and
the representative of Emetron acted as system administrators. The two
system administrators are responsible for assigning user identification
(ID) and passwords.
58. We however noted that:
• access could be gained by simply switching on the computer.
This was revealed after a walkthrough test on some
computers;
• some computers do not have anti-virus software. Those with
anti-viruses are using unlicensed anti-virus software;
• the Ministry of Energy does not have a documented policy on
user access management;
• whilst users have been assigned user identifiers, they
generally do not set up their passwords;
• internet usage is not monitored for unauthorised activities
such as downloading pornographic materials, music and
videos during working hours;
• there were no controls over idle terminals; and
• most staff members are not aware of the existence of the intranet.
59. Risks
• The absence of a documented policy on user access
management could lead to unauthorised and inappropriate
access being gained to the network and client data. This
poses risks to the confidentiality, integrity and availability
of data;
• The absence of an identification and authentication process
before access is gained increases the risk of unauthorised
and inappropriate access to applications and data. This
poses a risk to the confidentiality and integrity of data and
prevents accountability should changes be made;
• The absence of a dedicated in-house system administrator
could lead to delay in handling security incidents;
• The use of pirated copies of software contravenes the Copyright Act 2005 (Act 690) and can cause embarrassment to the Ministry should the breach be detected by the copyright monitoring team or, worse still, by the Federation Against Software Theft or similar international organisations enforcing anti-piracy regulation; and
• The failure to scan the contents of e-mails and monitor internet access leaves the Ministry open to liability, as it is responsible for the activities of its staff whilst they are using the corporate network.
Recommendation 12
60. Ministry of Energy should formally document its policy and
procedures for managing user access. The documented procedures
should cover how access to both the network and individual
applications will be restricted.
Management’s response
61. Management would ensure that all IT policies and procedures are
well documented to cover both network and individual applications.
Ownership: PPME/Finance and Administration Directorate
Timescale: December 2009
Recommendation 13
62. The Ministry should acquire anti-virus software to ensure that
the required number of licences is held and that software-licensing
agreements are not breached.
Management’s response
63. Management has already acquired licensed antivirus software.
Ownership: Director Finance and Administration Directorate
Timescale: November 2008
Recommendation 14
64. The Ministry should establish an IT department that incorporates
an IT help desk, and should transfer responsibility for system
administration to appropriate IT staff.
Management’s response
65. Management would establish an IT department with the requisite
staff.
Ownership: HRM/D Directorate
Timescale: December 2009
Recommendation 15
66. Management should ensure that access to known inappropriate sites is prevented. Regular reports should also be run on websites accessed, and those who spend an unreasonable amount of time accessing the internet or who visit non-work related/inappropriate sites should be cautioned. Persistent offenders should be subjected to disciplinary proceedings. Management should also consider the use of a firewall (software or hardware).
Management’s response
67. Management would procure e-mail content scanning/web
filtering tool.
Ownership: Director Finance and Administration
Timescale: December 2009
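Recommendation 15 calls for regular reports on the websites accessed and on staff who spend an unreasonable amount of time on non-work sites during working hours. As an added example, not part of the audit report or of any tool the Ministry or Emetron uses, the following Python script produces such a report from proxy access log lines. The log layout (timestamp, user, domain, elapsed milliseconds, site category), the category names, the 08:00 to 17:00 working hours and the 30-minute threshold are all constructed assumptions; a real proxy or web filter exports its own format, so only the parsing step would need to change.

```python
"""Web usage report over proxy access logs.

Added example, not from the audit report. The log layout below is a
constructed one (timestamp, user, domain, elapsed ms, category); a real
proxy or web filter would need its own parser for the first step.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log. Fields: <ISO timestamp> <user> <domain> <elapsed_ms> <category>
# One line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2008-08-12T09:02:11 user1 intranet.example.gov 120 work
2008-08-12T09:05:40 user1 news.example.org 900 news
2008-08-12T10:15:03 user2 video.example.net 1800000 streaming
2008-08-12T10:16:09 user2 video.example.net 2400000 streaming
2008-08-12T11:00:00 user3 music.example.com 600000 streaming
2008-08-12T11:30:45 user3 blocked.example.com 50 blocked
this line is not a valid record
2008-08-12T12:01:30 user1 intranet.example.gov 200 work
2008-08-12T19:45:00 user2 news.example.org 300 news
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")
WORK_START, WORK_END = time(8, 0), time(17, 0)  # assumed office hours
# Categories the report treats as non-work; "blocked" marks a request for a
# known inappropriate site that the filter refused.
NON_WORK = {"news", "streaming", "social", "blocked"}


def parse_log(text):
    """Parse log lines into records, skipping malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, domain, elapsed_ms, category = m.groups()
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "user": user, "domain": domain,
                        "elapsed_ms": int(elapsed_ms), "category": category})
    return records


def in_working_hours(when):
    """Monday to Friday, 08:00 to 17:00."""
    return when.weekday() < 5 and WORK_START <= when.time() < WORK_END


def usage_report(records, threshold_minutes=30, non_work=NON_WORK):
    """Per user: minutes on non-work sites during working hours, hits on blocked
    sites, the domains involved, and a flag set when the threshold is exceeded
    or a blocked site was requested."""
    report = defaultdict(lambda: {"non_work_minutes": 0.0, "blocked_hits": 0, "domains": set()})
    for r in records:
        entry = report[r["user"]]
        if r["category"] == "blocked":
            entry["blocked_hits"] += 1
        if r["category"] in non_work and in_working_hours(r["when"]):
            entry["non_work_minutes"] += r["elapsed_ms"] / 60000.0
            entry["domains"].add(r["domain"])
    for entry in report.values():
        entry["flagged"] = (entry["non_work_minutes"] >= threshold_minutes
                            or entry["blocked_hits"] > 0)
    return dict(report)


def flagged_users(report):
    """Sorted list of users the report singles out for follow-up."""
    return sorted(user for user, entry in report.items() if entry["flagged"])


if __name__ == "__main__":
    rep = usage_report(parse_log(SAMPLE_LOG))
    for user, entry in sorted(rep.items()):
        print(f"{user}: {entry['non_work_minutes']:.1f} non-work min, "
              f"{entry['blocked_hits']} blocked hits, flagged={entry['flagged']}")
```

The report counts only requests inside working hours, which is the scope paragraph 58 sets, and records the domains behind each user’s total so that a caution can cite what was visited rather than a bare number of minutes.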
A.5 Business continuity planning and overall IT service management
Observation
68. We sought assurance that arrangements are in place to ensure that all risks to business systems, infrastructure, applications, data and personnel are identified and managed, and that systems and applications can be recovered within specified time scales in the event of a disaster or disruption of the IT service.
69. We noted that:
• the MOEn has not assessed the risks faced by all its IT systems.
This prevents proactive management of those risks. Should the
threats materialise, the impact on the organisation is likely to be
significant;
• there are no formal arrangements in place for ensuring that the
IT system is available to users in the event of a disaster such as
fire outbreak;
• there are no structured arrangements in place for managing
changes to the IT infrastructure;
• there is no help desk to handle software malfunctions and user
problems; and
• the MOEn has a backup server, but backup of data and
information is made on pen drives and other storage devices.
The server is most often idle.
70. Risks
• There could be loss of service to users, loss of credibility,
incomplete/inaccurate records and political embarrassment
in the event of a disaster;
• The absence of an adequate, up-to-date and regularly tested
business continuity plan means MOEn may not be able to
continue operation in the event of a disaster or failure of its
IT systems; and
• Where anti-virus software is not operated regularly, viruses
can be inadvertently downloaded to the network. This could
lead to infection, corruption and eventual destruction of
critical business data.
Recommendation 16
71. The MOEn should undertake a comprehensive assessment of the
risks faced by all its systems and business critical processes and the
likely impact of those risks on the organisation.
Management’s response
72. Management would ensure that comprehensive assessments of
all risks are undertaken.
Ownership: Director Finance and Administration
Timescale: December 2009
Recommendation 17
73. There should be a help-desk to handle software malfunctions and
user problems.
Management’s response
74. Management would establish a help-desk which will be
incorporated into the IT department to handle malfunctions and help
users.
Ownership: Director, Human Resource Directorate
Timescale: December 2009
Recommendation 18
75. Management should ensure that Business Continuity and
Disaster Recovery Plans are in place to enable business operations to
continue should the Ministry’s main buildings and IT Systems become
unavailable.
Management’s response
76. Management would establish an appropriate plan for its building
and IT systems.
Ownership: Director Finance and Administration
Timescale: December 2009
Recommendation 19
77. Management should ensure that an IT Disaster Recovery Plan is compiled and approved by senior management. Once compiled, the document should be reviewed at least annually and updated to reflect:
• the correct description of IT equipment in use; and
• home and mobile contact numbers of key officers.
78. The document should be dated, version controlled and copies
issued to key officers. Copies should be stored securely off-site.
Management’s response
79. Management would ensure that IT Disaster Recovery Plan is
prepared.
Ownership: Director Finance and Administration
Timescale: December 2009