Board members should beware leaving IT projects to professionals

The recent fiasco surrounding allegations of compromised Integrated Financial Management Information System (IFMIS) passwords and attempts to embezzle funds from government coffers should serve as a wake-up call. The integrity of our information systems is an urgent priority.

To be fair, Kenya is not the first country to experience IFMIS challenges. In fact, in Malawi, Joyce Banda’s recent failure to win a second term as president has been attributed to IFMIS-related corruption scandals.

The objective of IFMIS is in line with most automation projects – to increase efficiency, transparency and accountability. What most people forget, though, is that automation by itself is not a magic bullet against corruption.

In fact, if a developer blindly – or deliberately – automates corrupt processes, the end result is the enhancement and increased efficiency of corrupt activities. Wheeler-dealers can now enjoy the convenience of embezzling funds from their laptops, rather than having to walk to government offices with big brown envelopes in broad daylight.

The risk does not just apply to IFMIS, but also to the many electronic financial and revenue systems rapidly popping up across the public sector, which brings us to the question: is our rapid automation faster than our capacity to ensure the integrity of implemented systems?

Do we have an ICT governance framework that works to continuously monitor, detect and report incidents related to information security breaches?

In the absence of such a framework, we are probably quietly losing more money than is noticed and reported in the press.

An ICT governance framework entails providing policies, processes, structures and personnel to ensure that ICT systems are properly acquired, implemented and secured according to globally-accepted best practices.

Mandatory requirements for annual, externally-done financial audits provide a key anchor for governance of financial operations in the financial sector, and perhaps annual Information System (IS) Audits are needed in the ICT sector as well.

KNOWLEDGE GAP

Organisations, both private and public, should be legally mandated to file two documents - their traditional financial audits and their IS audits.

The IS audit would seek to comprehensively evaluate the ICT environment of an organisation with a view to providing a professional opinion regarding the operational integrity, reliability and value-addition of the ICT system.

It would also demystify ICT operations, bridging the knowledge gap between technical wizards and their less savvy board-level counterparts. This gap is often exploited to execute massive electronic fraud, given that board or political-level executives are often ill-equipped to ask relevant questions about the ICT environment.

Senior executives learn too late, typically after being summoned by shareholders or parliamentary committees, that while the ICT function may have been delegated to the professionals, responsibility – and the blame – remain squarely at the top.

It is therefore high time we put together an ICT Governance framework spelling out roles and accompanying responsibilities to drive the rapidly emerging electronic landscape within our borders. Mandatory information systems audits could be the first step towards this objective.

Mr Walubengo is a lecturer at the Multimedia University of Kenya's Faculty of Computing and IT. Twitter: @jwalu