IT Control Objectives for Implementing the Public Finance Management Act in South Africa
Luyinda, R., Herselman, M. E., Botha, G. H. K., Issues in Informing Science & Information Technology
The interests of organisations in the public sector differ from those of the private sector. While the private sector is driven by business survival, the public sector is driven by political survival. However, the mechanisms that are used to enhance business goals in both sectors do not significantly differ. While an issue like profit is not a mainstream government concern, governance and its attendant appendages like accountability, efficiency, effectiveness and value for money are cross-sector concerns, catching the attention of both the private and the public sector. While the private sector is concerned about the newly proposed Companies Bill that will implement more stringent Corporate Governance in South Africa, the public sector is concerned with the Public Finance Management Act (PFMA). The requirements of these two are not that different. The issues that arise in both regulations are governance based, referring to efficiency, effectiveness, transparency, financial reporting and high standards of corporate governance. Both pieces of legislation necessitate the design and implementation of IT mechanisms for internal control. The concern of this paper is the design and implementation of IT mechanisms for internal control to enhance South African government departments' compliance with the provisions of the PFMA.
The propositions of this paper resulted from a research study that used a two-pronged approach. The first part included a literature study to establish whether COBIT could be used to guide the implementation of the PFMA. The second phase included in-depth interviews to identify those aspects of the PFMA that are considered important for IT's intervention as an enabler of the design and implementation of internal control over financial reporting for the PFMA.
This paper will present a brief background of the PFMA. Then a similar regulation, the Sarbanes-Oxley Act, will be presented to set a background for illustrating how COBIT has met the IT control needs in another regulated environment. Internal control and IT governance are discussed as a prelude to the exploration of COBIT's potential for implementing the PFMA. After the exploration of this potential, the IT controls for the PFMA will be presented. Compliance-oriented architecture as a result of optimised PFMA implementation using COBIT will be presented before concluding.
The PFMA is a piece of legislation that was passed by the first democratic government in South Africa. The Act aims at proper financial management in order to ensure effective service delivery through the effective and efficient use of available national resources (Department of Public Enterprises, 2002, p. 21). The PFMA consists of the following components:
* Risk management.
* Asset management.
* Financial management and Budgeting.
* Performance management.
* Procurement, provisioning and Third Party Services.
* Legal compliance.
* Financial Reporting and Record Management.
* Medium Term Expenditure Framework.
* Strategic & business planning.
The main objective of the PFMA is to secure transparency, accountability, and sound management of the revenue, expenditure, assets and liabilities of the institutions to which this Act applies (PFMA, 1999, section 2).
Dickovick (2004, p. 33) explains this object clearly: the South African government aimed at curbing the over-expenditure of the provinces and public entities, which includes the national departments. He asserts that central government efforts to limit overspending culminated in the PFMA of 1999, which was, inter alia, designed to improve expenditure management by requiring provincial governments to submit periodic reports to the central government.
The stages of expenditure leading to the PFMA have been analysed by Dickovick (2004, p. 134). These stages are presented in Table 1.
Dickovick (2004, p. 128) also points out that management systems in the national executive closely monitor Sub-national Government (SNG) spending. Provinces and public entities are mandated to meet specific service standards and fixed output targets. National government has also constantly increased its monitoring of SNG expenditure. The government has therefore consistently monitored the expenditure of the provinces and public entities to ensure that the departments meet the objectives set for them by the government. This is regarded as the only way the public service goals of the government can be achieved within the available budgets.
Against this background of trying to achieve public service goals with the available resources, the PFMA was formulated. It is worth mentioning that many of the goals of the PFMA are also in line with the 1998 Report of the Presidential Review Commission on the Reform and Transformation of the Public Service in South Africa. While the PFMA is a 1999 regulation, it has similarities with the 2002 Sarbanes-Oxley Act. The next section will exemplify this view.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley (SOX) Act is a United States law that was signed on July 30, 2002, as a response to corporate and accounting scandals in the United States. These scandals included companies like Enron, Tyco International, Peregrine Systems and WorldCom. Dietrich (2004, p. 2) noted that "the scandals resulted in a loss of public trust in financial reporting and accounting practices and required attention from legislators who recognized that, if left unaddressed, the loss of trust could have deepened to a system wide malaise. The Act, therefore, was meant to prevent future accounting scandals and rebuild the trust of the investing public."
Though the PFMA may not seem that rigorous and certainly not for the private companies, it shares concerns with Sarbanes-Oxley, especially where financial crime is concerned. The major concern of this paper, however, is the role of IT in ensuring internal control over financial reporting. Dietrich (2004, p. 2) observed that the two sections of Sarbanes-Oxley that should concern IT executives the most are 302 and 404(a) because they deal with the internal controls that a company has in place to ensure the accuracy of its data. These sections relate directly to the software systems that a company uses to control, transmit and calculate the data that is used in its financial reports. The PFMA similarly deals with internal control, with elaborate detail in the Treasury Regulations of the PFMA in Part 2 Section 3.
The reporting requirements of the PFMA are no different from those of Sarbanes-Oxley. These requirements need a clear system of internal control for IT as well as other assets within the organisation to ensure transparent reporting. The next section addresses this concern.
Internal control includes the policies, plans and procedures, and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected (IT Governance Institute, 2007, p. 206).
According to the Committee of Sponsoring Organizations (COSO) of the Institute of Internal Auditors (IIA, 2005, p. 3), internal control is a process, effected by an organisation's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
The PFMA hands over the responsibility of internal control to the officials in the various departments who are not necessarily the accounting officials for reporting to the audit committee for external oversight. This is stipulated in Section 45 of the PFMA, which deals with the responsibilities of officials other than the accounting officers.
In the case of the PFMA, the following reference applies under the heading Treasury Regulations and Instructions (PFMA, 1999, p. 40) which states that the National Treasury may make regulations or issue instructions applicable to all institutions to which the Act applies concerning financial management and internal control. About the responsibilities of other officials, the PFMA (1999, p. 33) states that an official in a public entity must ensure that the system of financial management and internal control is established for that public entity and that it is carried out within the area of responsibility of that official.
Finkelstein (2005, p. 1) noted, in an observation that suits the South African government context, that internal controls vary from enterprise to enterprise (in this context, from department to department) and are therefore determined by the different business processes and activities of the enterprise (departmental) financial controls. These controls are "closely related to the IT systems and databases used for financial and other reporting". The significance for the South African context is that the IT control objectives suggested in this paper are broad, so that departments can derive their specific objectives by answering specific questions, again suggested by Finkelstein (2005, p. 2) (from the Zachman Framework), which include: What? How? Where? Who? When? Why?
In the context of the PFMA if two issues, that is, data and processes, proposed by Finkelstein are considered, these questions would be:
* For Data: What does the data represent? How is the data processed? Where is it used? Who is responsible for the data? When is the data used? Why is the data needed? Does this data support the strategic and tactical business plans?
* For Processes: How do we execute them? What data do they use? Where are they processed? Who is responsible for the processes? When are these processes used? Why are the processes needed? Do they support strategic and tactical business plans?
The answers to the above questions would be a start to the customisation of both internal controls and the IT control objectives for the PFMA in the different government departments.
Having shown the need for internal control for the PFMA, the next section will justify the need for IT to be involved in implementing the PFMA.
The Need for IT in Internal Control over Financial Reporting
The Institute of Chartered Accountants in England and Wales (ICAEW) and Deloitte and Touche (2005, p. 4) concur that most regulations are concerned with information and the way it is handled, stored and protected, and therefore IT systems are inevitably the core focus of most compliance activity (ICAEW, 2005, p. 17). This highlights the sensitivity of IT in financial reporting and control.
Worthen (2003) adds, while remarking about Sarbanes-Oxley, that although it is financial legislation, at its heart it is about ensuring that internal controls or rules are in place to govern the creation and documentation of information in financial statements; this is similar to the PFMA. Therefore, since IT systems are used to generate, change, house and transport data, CIOs have to build the controls which ensure that information stands up to audit scrutiny.
KPMG (2005, p. 17) also encourages IT representation in agency processes. It notes that since a major portion of an agency's control activities is likely to be IT controls, and the integration of the IT function into the agency's business processes is important, the agency is encouraged to include team members from the chief information officer's organization in review teams. Their participation would go a long way towards ensuring that key technology risks and controls are fully considered during the assessment process.
The above is a good guideline for executives who have to face the rigorous processes of compliance with the PFMA. While the PFMA stipulates that the accounting officer is responsible for compliance with the PFMA, such work is enormous for only one individual. It would be made simpler, and more effective results would be achieved, if the IT departments formed part of the compliance committee. This would allow IT to provide inputs while the compliance plans are being made, thus enabling alignment of available IT resources to offer a platform for complying with the PFMA. It is therefore pertinent that IT must itself be governed …
Publication information: Article title: IT Control Objectives for Implementing the Public Finance Management Act in South Africa. Contributors: Luyinda, R. - Author, Herselman, M. E. - Author, Botha, G. H. K. - Author. Journal title: Issues in Informing Science & Information Technology. Volume: 5. Publication date: Annual 2008. Page number: 29+. © 2008 Informing Science Institute. COPYRIGHT 2008 Gale Group.