Performance Audit of Public Debt Management Information Systems Read full summary in English
The usage and development of the information technologies in public financial management is an important priority of the country at the phase of intensive implementation of electronic governance (E-Governance). The fact that information systems play crucial role in the business processes of the Ministry of Finance affects the state and the public in general.
Bearing in mind the role and importance of information systems in the public debt management process and having considered legal requirements to information security, State Audit Office of Georgia conducted Performance Audit of Public Debt Management of Georgia.
In the framework of the forehead mentioned audit, SAOG decided to initiate an IT audit of the MOF information systems used in Public Debt Management. The Audit was focused on Public Debt and External Financing Department – Ministry’s organizational unit responsible for public debt management. Audit team evaluated the activities of the IT service provider - LEPL Financial-Analytical Service, in terms of technical support and service of debt management information systems.
The main objectives of the audit were to evaluate the effectiveness of the General and Application Controls of the PDMIS implemented by the Public Debt and External Financing Department of the MOF. Hereby, the audit team also to assessed systems’ data integrity and security. In the course of the audit, the audit team also studied the compliance of electronic systems with legal requirements, associated with activities of the organization.
- There is no formal Service Level Agreement between the MOF and the FAS
- MOF does not perform regular monitoring of the audit logs
- MOF has not conducted an audit of the service provider to identify the risks and shortcomings associated with the information systems
- MOF is unable to evaluate the quality of service provided by the FAS
- MOF does not have an audit assurance that the necessary level of information security related to public debt management information systems is being provided
- There is a non-personified user account with the privileged administrator rights in DMFAS. The authorization data of this account are known for the representatives of the Department.
- Audit module is not activated
- Risk of abusing privileged account
- Risk of violation of data integrity
- - Audit log is not maintained - No traceability of executed operations/transactions
- MOF did not hire an information security manager
- There is no approved document of information security policy which is mandatory according to law
- Legal requirements are not fulfilled
- MOF has several systems with similar business objectives
- Management of the Ministry decided to deploy PDM systems by acquisition of DMFAS and development of the eDMS at the same time.
- Management of the Public Debt and External Financing Department (business users) is not following predefined strategic objectives when defining development requests.
- MOF spends financial resources on the maintenance and upgrade of DMFAS, while eDMS is being developed in-house
- External and domestic debts are managed in separate systems. It means that organizational objective – management of external and domestic debts in one system is not achieved
- Action Plan objectives of the Public Financial Management Strategy of Georgia (PFM) are not met. The development of eDMS modules are not aligned with the aforementioned strategic objectives.
- Lack of HR policy
- Lack of organizational policy
- Trained staff left MOF
- MOF does not conduct debt sustainability and sensitivity analysis