← All insights
AUDIT OUTCOMES

AGSA's top ICT findings and how to fix them.

Every general report the Auditor-General publishes on local government audit outcomes lists the same handful of ICT control failures. The themes barely change year to year. Yet most municipalities respond to findings reactively, after the management letter has landed, rather than fixing the underlying causes between audit cycles. Five themes account for the majority of ICT material findings. Each is addressable in two to four months of disciplined work, and the work costs less than the audit risk it eliminates.

1. User access management

The most common ICT finding across municipal audits is the management of user access to financial and operational systems. AGSA looks for four things: a documented joiner-mover-leaver process, segregation of duties between requestor and approver, evidence that dormant accounts are disabled within a defined window, and an audit trail showing privileged-account access is reviewed quarterly.

What AGSA typically finds: leavers retain active accounts months after departure, often because HR doesn't notify ICT. Generic admin accounts shared between staff. No documented process for granting elevated privileges. Privileged-account reviews on paper but not actually performed.

The remediation is workflow, not technology. A monthly reconciliation between the HR active employee list and the system user list, automated where the systems allow it, catches the leaver problem. A request workflow with named approvers (different from the requestor and the implementer) catches the segregation problem. Quarterly privileged-access reviews with a written sign-off solve the audit trail.

2. Change management

The second most common finding is change management over the financial system and the supporting infrastructure. AGSA wants a change advisory board (or equivalent) approving changes before they go to production, a written change record for every modification, and post-implementation review for changes affecting financial reporting.

What AGSA finds: production changes deployed by whoever needs to fix the problem, no record of who approved what, vendor patches applied without internal review, and an inability to demonstrate that any specific change was authorised. The end-of-year audit then questions the integrity of the financial system because the controls around its change history are weak.

The remediation is a lightweight change-management practice. A weekly change advisory board meeting (30 minutes is enough), a ticket system that records the approval chain, and a discipline that production changes carry a ticket number into the deployment notes. Vendor patches go through the same flow with a different approval threshold.

3. Backup and disaster recovery

The third theme is the integrity of backups and the ability to recover after a serious incident. AGSA wants three things demonstrable: backups are happening on the documented schedule, backups are stored off-site or off-network in a way that survives a ransomware event, and recovery from backup has been tested within the audit period.

What AGSA finds: backups configured but no evidence they completed, backups stored on the same network as the production system (and therefore vulnerable to the same compromise), and no recent restoration test. The 2021 wave of ransomware attacks on SA municipalities was an expensive lesson in this finding for several entities.

The remediation is operational discipline. A backup monitoring report that lands in an inbox daily with red/green status. An off-site or cloud-stored copy of the last 30 days. A quarterly restoration test of one system, end-to-end, with a written sign-off. Total cost: usually less than R80,000 in software and R20,000 in operational time.

4. IT general controls over financial systems

ITGCs are the controls that protect the integrity of the financial system itself: access, change, backup, and configuration. AGSA's external auditors increasingly run technical procedures on the financial system to confirm that what the general ledger says reconciles to what the underlying database holds.

What AGSA finds: configurations that allow journal entries to be edited after posting, audit trails that can be disabled, integration interfaces with no reconciliation procedure, and database-level access in the hands of business users with the technical skill to alter data.

The remediation depends on the specific finding. Common fixes: harden the financial system configuration to the vendor's recommended baseline, build a monthly reconciliation between the financial system and a downstream report, and remove database-level access from anyone who doesn't need it for their role.

5. Disaster recovery and business continuity

The fifth theme is the existence and credibility of a disaster recovery plan. AGSA wants a documented plan, evidence of testing, and named recovery time and recovery point objectives that reconcile to the entity's tolerance for downtime.

What AGSA finds: a paper plan written four years ago by a vendor that has since left, no testing record, RTOs and RPOs that nobody on the entity's side could actually defend, and no integration with the broader business continuity plan.

The remediation is a credible plan written by the people who would actually execute it. Often it means a half-day workshop with the ICT team and the heads of the affected business functions to write down what they would actually do if the financial system went offline for a week. A 12-page plan that someone could pick up and execute beats a 60-page plan that has never been read.

AGSA's ICT findings rarely indicate sabotage or fraud. They indicate the absence of operational discipline. Adding the discipline is cheaper than defending the finding.

The audit defence file

The above five themes account for between 70 and 80 percent of ICT-related material findings each year. When AGSA's audit team arrives, they ask for evidence under each theme. The strongest defence is a single file (digital, ideally) containing: the monthly user-access reconciliation reports, the change advisory board minutes for the audit period, the backup monitoring reports, the most recent restoration test sign-off, the ITGC configuration baseline, and the disaster recovery plan with its last test record. Twelve documents, kept up to date, prevent most of the qualified-opinion risk that ICT controls otherwise carry.

The analysis above draws on the Auditor-General's published general reports on local government audit outcomes and on Sgananda Group's advisory work with public-sector clients. Specific findings vary by entity; this piece names the patterns, not the diagnoses for any single municipality.

ICT GOVERNANCE REVIEW

Pre-empt the next AGSA finding.

Sgananda Group provides independent ICT control reviews for public-sector entities, aligned to the controls AGSA tests against. A four-to-six week engagement, principal-led, written deliverables, sign-off by the Managing Director.

Request a meeting →