Department of Correctional Services Information Technology Unit briefing, Committee Report adoption

Meeting report

Department of Correctional Services: IT systems
Chairperson’s Opening Remarks
The Chairperson stated that the Department of Correctional Services (DCS or the Department) was in a crisis situation. It was inconceivable to think of something like a hospital, a hotel or a school running without an effective Information Technology (IT) system, yet the DCS was in exactly this position.

He noted that Department had had audit qualifications for the past seven years and had never had a clean audit, largely because of inadequacies in the IT Services. He stated that the Committee had made a commitment to ensure changes in the Department within its term of office. Two particular aspects under the IT division were highlighted amongst the 10 top high risks of the DCS.

The Annual Report of the DCS for 2010/11 indicated that the Department had been granted R270 million for Computer Services and R1,1billion consultancy fees. He thought that the majority of this money was probably used by the IT department, and this situation had to end. If, given the current security environment,  the IT unit did not work, and if the entire DCS was run by consultants, there was then a political rather than an administrative problem. He noted that there was almost a 100% vacancy rate in IT, with the majority of the posts occupied by consultants. He stated emphatically that this could not continue. The Auditor-General South Africa (AGSA) would have to intervene. All parties were in this situation together and they needed to all combine and find a solution to the problem. He noted that the IT Department was going to “make or break” the Committee’s efforts. It was essential that the DCS must move forward to getting an unqualified audit during this Fourth Parliament. He requested that the Department provide progress reports on the matter in the next Quarterly meetings.
  
Department of Correctional Services Presentation: Towards a Secured and Functional DCS Digital Nervous System
An apology was noted from the National Commissioner of Correctional Services.

Mr Jeff Moji, Acting Information Technology Officer, Department of Correctional Services, gave a presentation on the activities of the Information and Technology Unit of the DCS. He noted that the Department had faced a number of high-level challenges. Firstly, there were strategic challenges, due to the lack of effective governance and accountability for IT applications, and there were multiple security technology stakeholders at correctional centres. The infrastructure was not properly planned, deployed and managed. There was no effective management and strategic reporting. Furthermore, there was lack of application integration and development was taking place in silos, without any centralised policy, and therefore no adherence to standards. There were also no user application tools for management reporting and data interrogation, and there was a general lack of IT service management across the entire organisation.

The operational challenges included the fact that data islands had different types of data, and that data integrity was lacking. Also, there was reliance on “rickety relationships” with service providers and there were inefficient business processes in place. Furthermore, there was excessive manual intervention, and lack of hands-on training on Microsoft Windows, Microsoft Office and IT applications in general. IT human resources were not properly coordinated for the good of the entire department.  

The network was far too old to be efficient. It had not been upgraded for the current load. There was insufficient security in place, no management of network devices, no standardisation on equipment and the current network equipment was ailing. There was also no scope for controlled growth, which had resulted in a flat DCS network. This flatness implied that there was a large broadcast domain, which resulted in inefficient use of IP addressing, which made it difficult to find faults, contain viruses, and also resulted in a slow application response and a poor user experience. Also, Network cables were constantly being stolen, with the result that it was impossible to do automated backups so databases were not being updated.

There were also infrastructural challenges. About 800 servers across the Department were very old and needed to be replaced. There were about 360 Firewall servers across the country , but 200 of them were not operational, meaning that the entire network of the Department was open to sabotage. The Disaster Recovery Plan that was initially reported to the National Commissioner as being on track was actually not yet in place. Other challenges were that most of the server rooms across the country did not meet safety and security standards. Some IP cameras in server rooms did not have maintenance contracts. About R37 million had been spent on automated backup equipment yet most of it did not work due to the server rooms not being suitable for housing such delicate machines.

The email environment was highly unstable and regularly shut down, due to the Department’s infrastructure and SITA’s poor Wide Area Network (WAN) services. Consultants had proposed a "Basic Infrastructure Business Case" for replacing the old servers, at a cost of more than R3.2 billion over three years. A separate exercise was, however, done and showed that savings of R2 billion could be achieved on what had originally been proposed.

There were also human resources challenges. Head Office of the DCS in Pretoria had eighteen IT officials, comprising one director of Systems Development, and four deputy directors, but the rest were extremely junior officials and mostly administrators. The four deputy directors had limited experience in IT technical matters, and relied mostly on consultants. The Director of Systems Development and the Deputy Director of Information Security had been suspended. The Deputy Director for Networks had been dismissed and was currently being charged with child pornography. There could be about 200 network controllers across the rest of the country, and they too were mostly officials without IT experience. At the beginning of the financial year, Head Office had about 83 IT consultants and another 50 consultants doing systems development, on a special project. Some consultants were found by the Auditor-General (AG) to have been contravening procurement processes, and were dealt with accordingly.

Mr Moji noted that the DCS had to go back to basics. Firstly, it had to focus on infrastructure renewal, developing IT skills, structural improvements and establishment of secure IT systems. This would help create an efficient IT system from scratch. Secondly there was a need to work on IT as an enabler through Business Support. Thirdly work had to be done on IT as a strategic partnership, with a focus on  forecasting, offender management, cybercrime intervention and IT programmes for offender rehabilitation. He explained how this could be implemented (see attached presentation for full details).


Mr Moji set out some of the key needs for the future. The Department would have to design a new relevant IT structure that catered to the needs of the Department. There was a need to reduce the number of consultants while minimising the risk of sabotage to systems and services. It had to implement IT Governance. The DCS must also design and automate best-practice security processes on systems. There had to be redesign of a secured network and a consolidated, efficient and secure server environment. The DCS would have to rationalise the application environment, and consolidate more than 50 stand-alone applications. There was a need for improved delivery by external service providers, especially the State Information Technology Agency (SITA). There was a need also to establish enterprise architecture that would help to provide a single and correct version of data for management reporting.
Mr Moji provided  detailed information on each of the key issues. (see attached presentation for full details) In respect of IT governance, he noted that various positions had been advertised and hiring was already happening, for some of the posts. Thirty consultants had been released on 15 June 2011 and this resulted in annual savings of R25 million from August 2011. These savings were to be used to fund goods and services. Another 50 consultants were still on board, but because the DCS was heavily dependent on them, they could not be removed until new systems had been implemented. The Department’s target was to reduce by 10 more consultants by end of financial year, and further reductions once the new structure was implemented.

Mr Moji noted that the DCS had reviewed the Auditor General’s report, in which the AGSA encouraged DCS to establish an IT governance framework that supported and enabled the business, delivered value and improved performance, and to attend to IT governance issues across all regions as a matter of urgency.

Mr Moji noted that there were a number of “quick wins” that could be delivered in the next year. These included implementation of governance, security automation, improved connectivity, improved backup, business process management and Business Intelligence Software as a service. He provided various timelines for the implementation of the other key actions that were outlined earlier (see attached presentation for full details).

The Chairperson noted that the November 2012 deadline was not good enough for the Committee, as this was three months before the end of the financial year and 12 months before the Committee’s term ended. He requested that the Department find an earlier date.

Auditor-General South Africa (AGSA) input
The Chairperson then requested comments from the representatives of the Auditor-General South Africa (AGSA) on the presentation. In particular, he asked for input whether the proposals were achievable, affordable, viable and worth-while investments and whether the suggested programmes would enable the Department to achieve a clean audit.
 
Mr Musa Hlongwa, Business Executive, Auditor General South Africa, reported that an audit had been done on the systems used by the DCS to support financial audits, and AGSA had similar concern as far as governance, finance and securities were concerned, as well as the use of consultants.

Ms Anita Ferreira, Acting Business Executive, IT Auditor, AGSA, agreed that the situation was very difficult and noted that the Department was very optimistic. The dynamic nature of IT, and the constant changes, meant that DCS had a huge task ahead of it. Some of the key issues which had been noted in Mr Moji’s report had previously highlighted by AGSA to the DCS.

Ms Ferreira stated that the DCS had placed much focus, in this year, on IT and on building awareness and there had been some improvements in the Department. The Department should implement the COBIT system immediately, as this provided a baseline for all IT governance structures and processes. However, there was another framework also, which was awaiting Cabinet’s approval for all government departments, and it was important for the Department to consider this framework as well.

She said that the DCS operated a transversal financial system and that posed certain limitations, both because of the nature of the system and the fact that National Treasury directed the processes. In future, DCS should engage with other government structures in upgrading the system, because government as a whole was trying to build systems of governance that were more technologically advanced and integrated.
 
On the assets side, she suggested that the DCS should discuss this also with the National Treasury so that the Department could implement some of the National Treasury’s policies, such as the asset registry model which had been rolled out in Limpopo.

Ms Ferreira stressed that there were two important lines in DCS - the service delivery line and the financial line. There was little that the DCS could do on the financial side except to discuss further development of systems with National Treasury, particularly in light of the qualified audit. It needed to concentrate on the service delivery model, by strengthening IT governance, and getting the right skills. The key driver would be the business of the DCS. IT needed to support business and not be driven by it, as was currently the case. She noted that discussions between the AGSA and the DCS were ongoing around this issue.

Discussion
The Chairperson agreed that IT must support business and not the other way around.

Mr Moji agreed with  the point made that IT must support business and not be driven by it. He noted that one of the challenges was that business participation was low and there was need for more involvement. He stated that they were business projects in place and  noted that the Minister had  expressed concern about IT running away on its own and that there was now a  proper alignment with the Business Enterprise.

Mr J Selfe (DA)  noted that the presentation was  encouraging, if indeed what it set out could be achieved.

Mr Selfe noted that the documents provided were marked “Highly Confidential” and asked if this was an oversight.

Mr Moji apologised, noting that this was indeed an oversight. The documents were not confidential.

Mr Selfe said that the Department had highlighted the way forward, and its intentions. He asked what would happen to structures and equipment already in place. He noted that, during 2007, an amount of R20 million had been spent on back-up structures in the Department, whilst a lot of other money had been spent on access technology. He noted the references to Kimberley not being successful. If the new systems were embarked upon, then he asked how much would be written off, and further asked how much money the Department had wasted over the past years.

Mr Moji confirmed that the implementation in Kimberley, and the system, had been wrong, but the system was still usable.
 
Mr Selfe further requested clarity on the numbers on consultancies, saying that the figures did not add up.

Mr Selfe asked who controlled the intellectual property of the consultants when they left. He stated that that his main concern was that the consultants could take their computer programs with them when they left, and could implement them elsewhere. He asked if this had been a problem in the Department.

Mr Moji noted that the consultants were required to sign non-disclosure and confidentiality documents which prohibited them from disclosing the DCS information. There were plans in progress to get them to move their systems to the Department.
 
The Chairperson interjected and asked who owned what the Department currently had. He felt that the DCS might be far too exposed, given the amount of information that the consultants had at their disposal.

Mr Moji replied that the Department owned the current systems. However, it was true that there was nothing to stop anyone from copying information. There was a need to have some sort of exercise to ring-fence, and thereby secure the environment better.

The Chairperson stressed that there was need to make sure that no one could walk away from the Department with information that could potentially expose the Department to risk

Adv L Max (DA)  asked what was in place to deal with the work of the consultants that had left.

Adv Max asked if the Department had done any investigations as to the actual owners of these consultancy companies. It was possible that they were owned by the same person under different names.

Ms M Phaliso (ANC) stated that she was opposed to the use of consultants, and had raised concerns about the use of consultants for many years. She asked to whom the consultants were accountable, and whether the Committee could hold them accountable. She further asked what happened to the plans developed by the consultants, and whether these remained at the Department, or were taken by the consultants when they left. She wondered how efficient the Chief Financial Officer was, and whether it wasn’t a better option to hire people in-house and have them accountable, rather than using consultants for the long periods. She thought this current situation was a recipe for disaster. She thought that part of the risks around releasing the consultants was that the consultants had been running a business, rather than offering service delivery. She believed that the Committee had not received a true reflection of how the State’s funds were being used in the DCS. The DCS must take responsibility for implementing the future organogram shown with as few consultants as possible, and there was a need to create a far more  effective system.

Ms W Ngwenya (ANC) asked where the budget of the consultants was shown, and how much of the Department’s budget went on consultants.

Mr M Cele (ANC) noted that there was reference to one IT official who had been working as “a consultant” for 25 years. He wanted to know how much she earned and if there had been plans in place to advertise the position and formally employ her.

Mr Moji replied that, in relation to the comments about finance, the DCS was working to understand things holistically and noted that DCS would gladly engage with the National Treasury, as suggested.
 
In relation to the various questions around the consultants, he noted that very few people were going to be affected by the changes, and that several positions were going to be advertised soon. He did say that if the consultants all left immediately, the DCS would have no suitably-qualified people remaining.

The Chairperson interjected, asking whether the Department had a plan for skills transfer, and how it would equip people with the necessary skills. He asked what the Department was actually doing about the problem. The excuse by the Department that it was going to take time to find new people was not valid. He stressed that new IT officials had to be sought now, and said there were many unemployed graduates from whom the Department could choose.

Mr Moji replied that he was in agreement and also noted that he was confident that, on the programming side, a great foundation had been laid in the Department.

The Chairperson understood that it was impossible to run an IT system without consultants. However, it was equally undesirable to have a Department that was run only by consultants. He did not want the DCS to continue to run 25 year projects. He requested that a report must be drawn by the DCS, detailing how much it was paying the consultants, the duration of their contracts and the conditions of their engagement. He further noted that there was a need to set up an acceptable percentage of acceptable consultants within the Department.

Mr Selfe then noted that the allocation of consultants in the Department was not in good order. He asked how the Department selected consultants.
 
Ms Phaliso noted, with concern, that every time DCS appeared before the Committee, Members had to remind the representatives of the Professional Programme, whom the DCS could approach to  hire staff.  The Department should have been aware of this programme, and should have been implementing it. She further wanted the Department to do away with consultants, pointing out that there were indeed many unemployed but qualified graduates.

Mr S Abram (ANC) suggested that it seemed as if the document had been prepared by a consultant.

Mr Moji replied that he personally had prepared the presentation and had drawn on the vast experience he had had in the IT field.

Mr Abram then noted that the presentation showed that 30 consultants had been released, in various ways. He asked what form the releases actually took. He noted that litigation carried with it very high costs, and hoped that the releases would not result in further actions against the Department.

Mr Abram further asked how many of the consultants had been used more than once, and how many had been hired on recurring contracts.
 
The Chairperson requested a comprehensive report from the Department answering all the questions. The report needed to cover the entire IT process, including costs in future.
 
The Chairperson asked what the quantum of fruitless expenditure had been over the past couple of years. He also wanted to know if there had been checks done for fronting by contractors.

Mr Phiko Mbambo, Deputy Commissioner, DCS, replied that there had been no system in place to check for fronting by consultants. Some consultants were paid through goods and services, whilst others were described as contract workers and were paid as consultants. He noted, however, that consultants were not only found in the IT division, but also in other programmes.

The Chairperson injected and asked whether the Department was able to ring-fence the IT consultants’ costs.

It was confirmed that this could be done.

Dr Jenny Schreiner, Chief Deputy Commissioner, DCS, noted that in the past there was not much engagement on the business, but that the business involvement would be increased in future. Many of the projects were not going to be fulfilled unless the various systems had been put in place.

Mr Moji said that the DCS had budgeted about R20 million for integrated systems, that there were discussions to try to integrate, and that the DCS would be prioritising very soon.

The Chairperson requested that the Department report back honestly on how much money had been  truly fruitless, and noted that this was important in mapping the way forward.

Ms Phaliso noted that the Kimberley Correctional Centre was supposed to be a flagship and model, but it was plagued by issues of poor planning.

Ms Phaliso requested that there should also be an investigation into whether any DCS officials were also working as consultants. The contracts and planning of the Correctional Centres needed also to be investigated. She noted that, during an oversight visit, the Committee had noted that the security cameras were not operational. There was a need for an investigation into the matter. An amount of R400 million was budgeted for this Centre, but it ended up costing R900 million. She emphasised that she required a full report on all issues.

Mr Cele referred to the Annual Report, and asked the Department to clarify what the “other consumable materials” mentioned in that Report comprised, and how much had been used, if they were IT goods.

The Chairperson asked the Chief Financial Officer to respond to these questions in writing.

Adv Max noted that the Department had presented both the achievements and shortcomings. He asked when the Committee would get a proper implementation plan, pointing out that the Department would have to account for why it had failed to meet targets.  

Mr V Magagula (ANC) noted that members in Bethani had raised concerns about the Departmental officials asking ex-officials to work as IT consultants, and he asked that issues of corruption in the various centres and units must be investigated.

Dr Schreiner replied that the Department would respond to the Committee in due course, concerning all the matters raised. She assured Members that measures were in place to deal with the problem of corruption.
 
The Chairperson, in closing, noted that there was need for a clear plan, on which data and dates were specified. There were some problems that needed urgent attention, including the fact that the system did not have a firewall. This could not be left as it was; there was a need to bring this under control as soon as possible. He further noted that IT was a vital component, and that the Department, when hiring, should not be concentrating on fulfilling racial quotas, but should be working on producing quality. There was also a need for greater transparency in the Department.

The meeting was adjourned.