The Computer Society of Kenya

Since 1986


Tuesday January 17, 2017

IFMIS, the software commissioned to manage national and county government public finances, has recently resurfaced in the press for all the wrong reasons.

Early last year, the public got to know about IFMIS (Integrated Financial Management System) as the system that suspects exploited to siphon billions of shillings from the National Youth Service.

More recently, the Auditor-General published a report on IFMIS that exposed many procedural and technical weaknesses.

Even before these weaknesses could be interrogated, the Ethics and Anti-Corruption Commission (EACC), which had decided to audit the auditor, published its own report, citing irregularities in the Auditor-General’s office with respect to IFMIS.

County governments have not been left behind, with most governors constantly complaining about the challenges IFMIS presents. Clearly, IFMIS seems to have its better days behind it, rather than ahead of it.

That notwithstanding, the Treasury is planning to plough in Sh7.6 billion to upgrade and roll out the system into parastatals and other government agencies within the next financial year.

It’s really quite difficult to know whether the country is getting value for its money from all these IFMIS implementations, expansions or upgrades.

This is particularly true given that previous and current tender documents for IFMIS are not listed on the government e-Procurement portal, as is normally the practice.

Either way, projects of this magnitude are unlikely to be cheap. However, the bigger losses tend to be in poor project implementation, double invoicing for the same modules and deliberate negligence or poor controls.


Poor implementation occurs when the supplier actually delivers the system, but the system is never commissioned or used. The government continues to renew licenses as per the contract terms, while usage of the system remains low.

Double invoicing occurs at two levels. The first level relates to government ministries budgeting and getting approvals to expand modules, including those that had been expanded the previous year.

The second level of double invoicing occurs during system use. This has been well documented by the Auditor-General's reports and involves system users making multiple account names for the same supplier in order to execute fraudulent claims. 

Finally, poor controls refer to the failure to implement in-built checks and balances. 

IFMIS is an Oracle-based system and blue-chip companies across the globe use Oracle. How come fraud levels are lower in those private companies, compared to government offices?

The simple answer is that controls in private companies are activated, while in government offices they are ignored, deliberately or otherwise.

Double payments are easy for IFMIS to pick out by cross-checking amounts invoiced against amounts paid out. Multiple payments against the same invoice can be flagged electronically for further analysis.

Alternatively, cross-checking can be done electronically within the list of suppliers to flag suppliers with similar names, ID numbers, PIN numbers, or telephone numbers. These are flagged as potential fraud cases, and payments to these accounts are made only after higher-level approvals.
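The two cross-checks described above can be expressed in a few lines of code. The following is an added illustration, not code from IFMIS or Oracle; the record layout, field names and sample values are constructed assumptions, and the 0.9 name-similarity threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data; field names are assumptions, not the IFMIS schema.
SUPPLIERS = [
    {"id": "S1", "name": "Acme Supplies Ltd", "national_id": "1234", "pin": "A001X", "phone": "0700 111 222"},
    {"id": "S2", "name": "ACME SUPPLIES LIMITED", "national_id": "5678", "pin": "A001X", "phone": "0711333444"},
    {"id": "S3", "name": "Baraka Traders", "national_id": "9012", "pin": "B002Y", "phone": "+254700111222"},
    {"id": "S4", "name": "Zuri Hardware", "national_id": "3456", "pin": "C003Z", "phone": "0722555666"},
]
INVOICES = {"INV-1": 100_000, "INV-2": 50_000}  # invoice number -> amount invoiced
PAYMENTS = [("INV-1", "S1", 100_000), ("INV-1", "S2", 100_000), ("INV-2", "S4", 50_000)]

def norm_name(name):
    """Lower-case, drop punctuation and company suffixes before comparing."""
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(w for w in words if w not in {"ltd", "limited", "co", "company"})

def norm_phone(phone):
    """Keep the last 9 digits so 07xx... and +2547xx... compare equal."""
    return re.sub(r"\D", "", phone)[-9:]

def linked_suppliers(suppliers, name_threshold=0.9):
    """Return {(id_a, id_b): [shared attributes]} for supplier pairs that look related."""
    flags = {}
    for a, b in combinations(suppliers, 2):
        reasons = []
        ratio = SequenceMatcher(None, norm_name(a["name"]), norm_name(b["name"])).ratio()
        if ratio >= name_threshold:
            reasons.append("name")
        if a["national_id"] == b["national_id"]:
            reasons.append("national_id")
        if a["pin"].upper() == b["pin"].upper():
            reasons.append("pin")
        if norm_phone(a["phone"]) == norm_phone(b["phone"]):
            reasons.append("phone")
        if reasons:
            flags[(a["id"], b["id"])] = reasons
    return flags

def overpaid_invoices(invoices, payments):
    """Return invoices paid more than once or for more than the invoiced amount."""
    paid = defaultdict(list)
    for invoice, supplier, amount in payments:
        paid[invoice].append((supplier, amount))
    return {inv: rows for inv, rows in paid.items()
            if len(rows) > 1 or sum(amt for _, amt in rows) > invoices.get(inv, 0)}

def suppliers_needing_approval(suppliers):
    """Supplier ids whose payments should wait for higher-level approval."""
    return sorted({sid for pair in linked_suppliers(suppliers) for sid in pair})
```

In the sample, INV-1 is paid twice through two supplier accounts that share a PIN and a near-identical name, so both checks flag the same case.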


The sad news is that all these are basic and well-known standard procedures for the professionals running IFMIS. So the problem is not lack of knowledge, and may lie elsewhere.

The problem is actually structural. At the moment, the IFMIS director seems to have a stronger reporting line to the Treasury than to the ICT Authority.

This is similar to having the ICT director of a listed company report to the finance director rather than the CEO, which would reflect a total misunderstanding of the wider role of ICTs within the organisation.

It may also introduce a conflict of interest between what the IFMIS director may technically wish to do and what his or her Treasury administrative head may wish to do.

Since the ICT Authority is mandated to oversee all ICT operations in government, the IFMIS director should have stronger, rather than weaker, reporting lines to the ICT Authority.

This would be in line with global practice, where segregation of duties helps in reducing or eliminating conflict of interest. Put more bluntly, the Treasury has no business designing, tendering, implementing or managing IFMIS.

The Treasury should have a client or user relationship with IFMIS, just like county governments have. The correct custodian of IFMIS systems is the ICT Authority and the sooner it rises up to claim it, the better.

If they do not, weak controls and poor implementation will likely bog down IFMIS for a long time to come.
