If the South African government is serious about stopping the rot, strict measures need to be introduced in state departments and safeguards against cyberattacks significantly improved.
Cape Town, 15 June 2021 – It is hardly breaking news that South Africa’s public sector is in dire straits.
While there was a slight improvement in audit outcomes for the 2019/20 financial year, auditor-general Tsakani Maluleke warned that there was little cause to break out the champagne and party hats.
Announcing the results in March, she revealed that 31% of auditees – or 118 entities – did not disclose irregular expenditure as they had doubts about the “completeness” of what they had declared.
Documentation required to support transactions worth billions of rand was missing, while departments’ supply chain systems – often cited as the root cause of corruption in South Africa – remained deeply problematic.
Manual filing systems are also wreaking havoc with accountability in the public sector.
In the Eastern Cape health department alone, it is anticipated that some R4.4-billion in medico-legal claims will be registered by the end of 2021 – a situation that has arisen out of fraudulent submissions by crooked lawyers who have taken advantage of a chaotic manual filing system that allows files to conveniently “disappear”.
The weaknesses within the public sector are being exacerbated by the external threat of cybercrime, estimated to cost South Africa R2.2-billion annually, according to the recently released Accenture 2020 report.
Though the impact has been limited, the Institute for Security Studies says, the country has already seen attacks such as the one on the City of Johannesburg’s electricity system. More attacks can be expected as South Africa aligns with the 4th Industrial Revolution.
If South Africa hopes to turn things around, there is no choice but to bite the bullet and accept that the public sector will need a complete overhaul. And that will necessitate strict controls and compliance with local and international regulations.
It will be expensive, but making the investment now will save the country hundreds of billions of rand down the line, says Muhammad Ali, managing director and lead auditor of South African ISO standards training and implementation specialist WWISE.
“For any public sector entity employing more than 1,000 people, the implementation of a compliance system that meets the criteria for quality standards and safeguarding against cyberattacks can be US$50-million (R688-million) at a bare minimum,” he says.
“Costs can go up to US$100-million (R1.3-billion) depending on the complexity, technology and scope. However, the costs of cyberattacks, poor governance and fines issued for not meeting government legislation can far outweigh the costs of implementing these processes.”
By way of example, state capture has cost South Africa anywhere between R500-billion and R1.5-trillion, depending on who you ask, and that is without factoring in the cost of the Zondo Commission of Inquiry, which is fast approaching the R1-billion mark.
For the public sector to instill good compliance practices, it should take a leaf out of the book of private sector companies which have become accredited by the International Organisation for Standardisation (ISO).
Each standard within the ISO range indicates the tools required – policies, process flows, procedures, work instructions, forms, reports and statistical analysis, for example – to guide the organisation to fulfill its goals, targets and objectives.
Ali has identified several ISO standards he believes could prove extremely effective in government departments. These include:
• ISO 9001:2015 – An organisation-wide Quality Management System that focuses on each activity in the process and quality controls like verification, validation, monitoring and measuring;
• ISO/IEC 27001:2013 – An organisation-wide Information Security Management System that ensures systems are secure, with information being aligned with local information laws and the General Data Protection Regulation (GDPR);
• ISO 22301:2019 – Business Continuity Management, which tests and verifies contingency management systems, such as the ability for employees to work from home, and the effectiveness of the technologies they use;
• ISO 31000:2018 – Risk Management, which is the baseline of all the standards; and
• SharePoint online – This assists in securing the flow of information, data and records by using a secure intranet solution.
Ali points out that as the world places greater emphasis on reducing environmental impact, so public sector entities will need to step up their game to meet international requirements.
To this end, the ISO 14001 standard specifically addresses climate change developments and waste management programmes, while the ISO 50001 standard focuses on energy management and how to reduce consumption through comprehensive data analysis.
Ali says the process for an effective ISO implementation can take between two and five years, depending on the scope, complexity of processes and commitment of top management.
“The most challenging aspect after implementation and certification is maintenance. The system needs to be installed in the fabric of the organisation, which means a shift in the culture of the organisation is required.”
The key milestones in the implementation process are:
• Phase 1: Gap assessment;
• Phase 2: Awareness and information gathering;
• Phase 3: Documentation and systems development;
• Phase 4: Implementation, risk assessments and on-the-job training;
• Phase 5: Certification; and
• Phase 6: Continuous support and maintenance.
Of course, if government departments are to implement these strategies, there can be no short cuts, and that includes who is appointed to guide them through the process and get them up to the required standards.
“They should choose consultants who assist in the journey, not consultants who tell them what to do and then they have to do everything. They should be wary of consultants who say they are competent, have no experience with large organisations and are not credible themselves,” he says.
Consultants should be registered as lead auditors and linked to the Chartered Quality Institute and IRCA Global. They should also be able to call on the expertise of lawyers, engineers and IT network specialists.
“Public sector organisations should not be relying on one-man bands or consultants who adopt a one-size-fits-all approach. Each department is different, and accordingly requires tailor-made solutions.”