performance audit on utilization of document …

OFFICE OF THE AUDITOR GENERAL

OF STATE FINANCES, RWANDA

PERFORMANCE AUDIT ON

UTILIZATION OF DOCUMENT TRACKING AND WORKFLOW

MANAGEMENT SYSTEM (DTWMS) / E-MBONI

&

REVIEW OF RDB IT GENERAL CONTROLS

April 2016

PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB

IT GENERAL CONTROLS

i

Office of the Auditor General of State Finances

REPORT STRUCTURE

This audit report provides detailed information relating to the performance audit conducted on the

utilization of Document Tracking and Workflow Management System (DTWMS) in public

institutions of which Rwanda Development Board (RDB) is the implementing and coordinating

agency, and a review of the IT controls within Rwanda Development Board.

The report is divided in two sections;

a.) The first section focuses on the utilization of the Document Tracking and Workflow

Management System and provides detailed information on how the system otherwise

known as e-mboni functions, weaknesses/audit findings that were noted in its planning and

implementation to which recommendations have been provided to address those

weaknesses.

b.) The second section focuses on RDB’s IT controls and provides weaknesses that were

specifically noted within RDB relating to its IT governance and management.


IT GENERAL CONTROLS

ii


Table of Contents SECTION 1: UTILIZATION OF DOCUMENT TRACKING AND WORKFLOW MANAGEMENT SYSTEM ................ 1

ACRONYMS AND ABBREVIATIONS ................................................................................................................. 2

1. EXECUTIVE SUMMARY ....................................................................................................................... 3

2. INTRODUCTION ................................................................................................................................. 6

2.1. Terms of reference ............................................................................................................................ 6

2.2. Background ....................................................................................................................................... 6

2.3. Necessity of the Audit ....................................................................................................................... 7

3. AUDIT DESIGN ................................................................................................................................... 8

4. DESCRIPTION OF DTWMS, THE PROCESS AND SYSTEMS ................................................................... 9

5. FINDINGS ......................................................................................................................................... 14

5.1. PLANNING ....................................................................................................................................... 15

5.2. DTWMS PROJECT IMPLEMENTATION .............................................................................................. 17

5.3. USAGE OF DTWMS IN PUBLIC INSTITUTIONS .................................................................................. 19

SECTION 2: REVIEW OF RDB IT GENERAL CONTROLS .................................................................................. 21

5.4. WEAKNESSES NOTED IN IT GENERAL CONTROLS OF RDB ............................................................... 22

6. CONCLUSION ................................................................................................................................... 28

7. RECOMMENDATIONS ...................................................................................................................... 30

8. APPENDICES .................................................................................................................................... 32

Appendix 1: NICI III projects ........................................................................................................................ 32

Appendix 2: Sampled institutions ................................................................................................................ 33

Appendix 3: Documents Reviewed .............................................................................................................. 34

Appendix 4: Responsibilities of RDB ............................................................................................................ 34

Appendix 5: Relevant costs that have been incurred as of April 2016 ........................................................ 34

Appendix 6: DTWMS deployment in institutions ......................................................................................... 35

Appendix 7: Details on levels of support in the maintenance contract ....................................................... 37

Appendix 8: Institutions without user licenses ............................................................................................ 37

Appendix 9: Public institutions that minimally use the software ................................................................ 38


IT GENERAL CONTROLS

1


SECTION 1: UTILIZATION OF DOCUMENT TRACKING AND

WORKFLOW MANAGEMENT SYSTEM


IT GENERAL CONTROLS

2


ACRONYMS AND ABBREVIATIONS

BAM Business Activity Monitor

DTWMS Document Tracking & Work-flow Management System

EDPRS Economic Development and Poverty Reduction Strategy

GoR Government of Rwanda

ICT Information, Communication & Technology

ISO International Organisation for Standardisation

KPI Key Performance Indicators

LAN Local Area Network

NICI National Information and Communication Infrastructure Plan

RDB Rwanda Development Board

S.A.R.L Société À Responsabilité Limitée (Limited company)

SRS Software Requirement Specifications

UAT User Acceptance Test


IT GENERAL CONTROLS

3


1. EXECUTIVE SUMMARY

Global ICT policies have become more mainstream in the last decade underpinning growth, job

creation, increasing productivity, enhancing service delivery and achieving broad socio-economic

objectives in the areas of health care, education, climate change, energy, employment and social

development.

As such, the global ICT industry is fast changing as a result of emerging technologies, economic,

social and business trends. As ICT applications and services are increasingly essential for ensuring

sustainable economic development, Rwanda is not an exception.1

The Government of Rwanda has made ICT one of the priority areas and essential for reaching the

Vision 2020 goal of transforming Rwanda into a knowledge-based economy.2

The National ICT Strategy and Plans (NICI) I, II and III were developed to realize the national

vision of developing the sector. The third plan, NICI III focused on the development of services by

leveraging ICTs to improve service delivery to citizens.3

NICI III (2011-2015) had 59 projects which include ‘Document Tracking and Work-flow

Management System (DTWMS)’

This was initiated to cater for government processes being largely paper-based and numerous

systems not integrated causing duplication and hindering efficient service delivery.

The purpose of the Document Tracking and Work-flow Management System is to reduce costs and

increase efficiency of service delivery in government institutions. The system does so by providing

scanning and secure archiving of all incoming and outgoing mail documents while also enabling

tracking the progress of those documents through their life cycles.

I conducted a performance audit of DTWMS, in order to assess the extent of its utilization and to

identify causes of low rate of usage as well as providing recommendation for its improvement. The

project has been running since 2010, and money invested in it as of April 2016 is USD

2,681,112.62. Data was collected through interviews with the RDB coordinator of the project and

IT administrators of the project within 39 sampled institutions. It was also collected though

physical verification, observation and documentary review in the sampled institutions to confirm

its implementation status.

Below I highlight the key findings:

● Absence of concept document

DTWMS is being implemented without a concept document. The document considered as concept,

is an initial draft project definition that was drafted in 2009. At the time of audit (April 2016), it

was not yet approved to guide the implementation of the project. See details in section 5.1.1

1 National ICT Strategy and Plan NICI-2015 2 Rwanda Vision 2020, pg. 9&20 3 National ICT Strategy and Plan NICI-2015


IT GENERAL CONTROLS

4


● Lack of awareness in public institutions before deployment of the system

There has not been an awareness program in public institutions before launching the system. This

was raised during the interview with the IT administrators of the system in 39 sampled institutions,

where the main challenge reported was that the institution's top management are not being involved

in enforcement and implementation of the project, which affects the use and success of the system.

See details in section 5.1.2

● Absence of Key Performance Indicators to check the progress of DTWMS

RDB has not put in place key performance indicators that will be used to track progress in the

implementation of the project in public institutions. Consequently, when performance indicators

are not set, management will not be able to know whether the project is on the right track for

success. See details in section 5.1.3

● Acquiring the system without cost-benefit assessment

When an entity intends to automate its business processes so as to improve on their productivity it

considers either to buy or build the application system bearing in mind cost, suitability of the

system (needs match software features) and time to deploy for use. RDB acquired the system

without a cost-benefit assessment, to justify the choice of buying instead of its development. See

details in section 5.1.4

● Delay in implementation of the system by RDB

From the National ICT Strategy and Plan (NICI 2010-2015), one of outcome indicators of the

DTWMS was that 50% of government institutions would be installed with mail management

system by 2013. This includes incoming mails and outgoing mails. However, during the audit in

April 2016, I noted the following delays:

(a) All elements of the mail management system were not launched, only incoming mail was

launched.

(b) All features were not customized, it was only done for 3 institutions (WDA, MINAFFET

and NAEB) out of 39 sampled public institutions that were visited. The remaining 36 insti-

tutions with the system have the basic features of Omni scan and Omni flow, which could

be the case with the other 77 public institutions that also have the system but were not

sampled. See details in section 5.2.1

● Multiple software that perform similar functions (Duplication)

The project was acquired to serve all public institutions, however, I noted 12 public institutions

with different software which provide similar service as the rolled-out DTWMS (E-mboni) See

details in section 5.2.2

● Low utilization of DTWMS in public institutions

RDB deployed the system in 116 public institutions (ministries, provinces, districts and other

public institutions). However, 28 institutions out of 116 institutions (24.1%) had not acquired

licenses, to be able to use the system. In addition to this, I noted that 53 public institutions out of

84, equivalent to 63% have installed the system and acquired licenses but have not scanned, or

scanned a less number of documents over a period of 3 months. See details in section 5.3.1


IT GENERAL CONTROLS

5


Overall conclusion

Government is not realising value for money from funds which have been invested in acquiring

the system and licenses.This was mainly caused by the fact that there was no involvement of public

institutions (the stakeholders) to ensure their ownership over the project. There was no awareness

in public institutions and involvement of managers in the utilization of the system. This resulted in

low utilization of the system and duplication of the project by other institutions which purchased

similar programme. Consequently there is a wastage of government funds (through the budgets of

RDB and public institutions) which have invested USD 2,681,112.62 in acquiring the system and

licenses yet not being used. The institutions are continuing to spend a lot of money for paper,

printers, stationary and transportation expenses for couriers.

Overall recommendation

To make DTWMS project achieve its intended objectives, RDB should put in place a clear

implementation strategy, involve the stakeholders (users) and carry out continuous monitoring and

evaluation. In addition, RDB should raise awareness of the system especially with top managers

of participating institutions and put in place means of ensuring value for money utilization. Finally,

going forward, MYICT in collaboration with RDB, should ensure that ICT projects are properly

conceptualized, stakeholders are defined, their role and responsibilities are defined and timely

communicated, key performance indicators (KPI) are defined and monitored, and awareness is

raised to get the ownership of users. This will enable Rwandan people to benefit from value for

money envisaged in government investments into ICT.

Obadiah R. BIRARO

Auditor General

Kigali

........................... 2016


IT GENERAL CONTROLS

6


2. INTRODUCTION

2.1. Terms of reference

In accordance with Article 165 of the Constitution of the Republic of Rwanda of 2003 revised in

2015, and Articles 6 and 14 of Law n° 79/2013 of 11/09/2013 determining the mission,

organization and functioning of the Office of the Auditor General of State Finances, I carried out

a performance audit of the Document Tracking and Workflow Management System.

2.2. Background

Global ICT policies have become more mainstream in the last decade underpinning growth, jobs,

increasing productivity, enhancing the delivery of public and private services, and achieving broad

socio-economic objectives in the areas of health care, education, climate change, energy,

employment and social development. As such, the global ICT industry is fast changing as a result

of emerging technologies, economic, social and business trends. As ICT applications and services

are increasingly essential for ensuring sustainable economic development, Rwanda is not an

exception.4

Adopted in 2000, Vision 2020 aims to transform Rwanda into a middle-income country, and

transforming from an agrarian to a knowledge-based economy. Through communication & ICT,

the objective of the vision is that efficiency of public services is increased through the application

of e-government principles.5

From the priorities of EDPRS II, ICT sector has a key cross-cutting role to play in supporting

businesses, skills development and public service delivery. Development of ICT capacity is

essential for reaching the Vision 2020 goals.6

To achieve the objectives of vision 2020 in ICT sector, the National ICT Strategy and Plan (NICI)

process started. It begun with the first of four five-year rolling plans, NICI I (NICI-2005 Plan) that

focused on creating the necessary enabling environment that would enable the establishment and

growth of Rwanda’s ICT sector. The second plan NICI II (NICI-2010 Plan), focused on providing

world-class communications infrastructure that would serve as the backbone for current and future

communications requirements. The third plan, NICI III (NICI-2015 Plan) focused on the

development of services by leveraging ICTs to improve service delivery to citizens as Rwanda

approached the fourth and final phase of the NICI process which would propel Rwanda to achieve

Vision 2020 goals.7

NICI III (2011-2015) had 48 projects grouped into 6 clusters to which 13 key new projects were

added as a result of revising EDPRS II planning and the dynamic nature of ICT sector. See details

of projects in appendix 1.

4 National ICT Strategy and Plan NICI-2015 5 Rwanda Vision 2020, pg. 9&20 6 EDPRS II, Pg65 7 National ICT Strategy and Plan NICI-2015


IT GENERAL CONTROLS

7


Due to government processes being largely paper-based and numerous systems not integrated

causing duplication and hindering efficient service delivery, the project of Document Tracking and

Work-flow Management System (DTWMS) was rolled over from NICI II and put among projects

to be implemented during the period of NICI III.8 The main purpose was to provide a system that

can be used in any ministry or public agency to scan, archive and track the progress of all incoming

and outgoing mail documents through their life cycles. The system would also enable secure and

consistent storage of documents while increasing efficiency and reducing costs in service delivery.9

2.3. Necessity of the Audit

The Document Tracking and Work-flow Management System project was put in place, with the

purpose of improving information, sharing and management thereby reducing bureaucracy in

government processes. The planned activities were analysis and design of institutional processes

for all government entities then implementing the system in all government entities.

Through area watching of the public ICT sector, I noted that the system is being utilized at a low

level and is not being implemented in all public institutions, yet the government has heavily

invested public funds to acquire it.

It is against this background, that I planned to conduct a performance audit of the Document

Tracking and Work-flow Management System, in order to assess its utilization and to identify the

causes of low rate of usage by public institutions.

8 National ICT Strategy And Plan NICI-2015, pg50 9 Integrated ICT-Led Socio-Economic Development Plan For Rwanda (NICI-2010 Plan)


IT GENERAL CONTROLS

8


3. AUDIT DESIGN

The audit was conducted in accordance with the International Organization of Supreme Audit

Institutions auditing standards and guidelines documented in the Office of the Auditor General’s

Performance Audit manual. The standards require that the audit is planned in a manner which

ensures that an audit of high quality is carried out.

3.1. Audit Scope

Audit period: The period audited is from 2010 up to April 2016.

Geographical coverage:

The audit focused on the institutions located in the City of Kigali. This included districts, ministries

and other public institutions.

3.2. Audit objective

The overall objective of the audit was to assess utilization of Document Tracking and Workflow

Management System, in order to assess whether the project is enabling to reduce the use paper-

based processing in public organizations; automate, accelerate and simplify administrative

processes.

3.3. Audit questions

a.) How adequate was the implementation planning of the Document Tracking and Workflow

Management System project?

b.) To what extent is RDB implementing the project and how does it monitor its utilization by

users?

c.) To what extent is DTWMS utilized by public institutions?

3.4. Methods of data collection

a.) Interviews: Face to face interviews carried out with administrators of the system in 39

public institutions visited.

b.) Physical verification and observation: Field visit was undertaken in 39 public institutions

to confirm the existence and utilization of the system in public institutions. See appendix

2

c.) Documentary review: Secondary data was mainly collected through review of various

documents related to DTWMS project. See appendix 3


IT GENERAL CONTROLS

9


4. DESCRIPTION OF DTWMS, THE PROCESS AND SYSTEMS

4.1. Rwanda Development Board

4.1.1 Legislation

Rwanda Development Board is a public institution with administrative and financial autonomy that

was established in 2008 by organic law n°53/2008 of 02/09/2008 which was later repealed by law

nº06/2013/OL of 16/06/2013 and amended by law nº46/2013 of 16/06/2013 which set its

responsibilities, organization and functioning.

4.1.2 Mission and responsibility of RDB

RDB is tasked with fast tracking development activities in Rwanda, including ICT projects. For

the main responsibilities see appendix 4 for details

RDB is organized into several departments that have different responsibilities. Among them the

ICT department which has five (5) divisions that include the new project development division

which is the project management unit of the department and is responsible for centralized and

coordinated management of projects in the department.

4.1.3 DTWMS Project Funding

The government has through RDB invested in acquiring the system and licenses to make it

functional. RDB procured the servers, user licenses and omniscan licenses on behalf of all

ministries and districts with the other public institutions required pay the user and omniscan

licenses on their own. As of April 2016 the government has spent USD 2,681,112.62. See appendix

5 for details

(a) Acquisition and deployment of the system

DTWMS was acquired through a contract dated November 2010, signed between RDB and CAL

Rwanda S.A.R.L in joint venture with NEWGEN Software Technologies limited, India, to supply

and install DTWMS for $1,080,406.47 (see details in appendix 5). The system was deployed in 3

pilot institutions (RDB, Office of The President and MINAFFET) and the staff were trained on

workflows development and system deployment.

After the pilot phase, RDB deployed the system in 116 public institutions (ministries, provinces,

districts and other public institutions) and procured user licenses (omniflow licenses) and omniscan

licenses on behalf of all ministries and districts. Other public institutions had to pay the user and

omniscan licenses on their own. (See details of deployment in appendix 6)

(b) Provision of trainings to the users

As the DTWMS was a new initiative in most public institutions, for its success, user training was

one of the most important and integral components. Training was imparted at various levels,

namely the Pre-Software Requirement Specifications Training (SRS), End User Training,

Technical Training and User Acceptance Test Training (UAT). The Supplier provided hands-on-

training to the designated personnel of the Software Development Division of RDB/IT to enable

them to effectively operate the whole system so that they would train other users of public

institutions.


IT GENERAL CONTROLS

10


The users from public institutions were exposed to the live product during training sessions by the

RDB team. The coverage included introduction to the product modules, basic operations, scope of

operation and variations in each of the modules. The users were taken through various business

cases that comprehensively cover the functionality of the system.

(c) Maintenance of the software

In April 2015, RDB on behalf of all Rwandan public entities that use DTWMS signed a contract

with Symphony Rwanda Ltd for the annual maintenance of DTWMS amounting to Frw

125,817,872 with the option of being renewed annually for 3 years. As part of maintenance,

Newgen Software Ltd and Symphony Rwanda Ltd (the joint venture software suppliers) agreed to:

● Provide RDB with all new software upgrades and patches of Omniflow, Omnidocs, Om-

niScan and Omni Records Server released before or during the agreement to ensure the

system’s continuous improvement and compatibility with emerging technologies.

● Train RDB resources at Newgen office in Delhi at the cost of Symphony in case of major

upgrade (e.g. upgrading Omniflow 8.0 or Omnidocs 7.0 to latest version)

● Provide documentation of API's (application program interface) which are required for in-

tegration with third party applications

● Provide RDB with the necessary support required to ensure integration with third party

applications is successfully done.

The software’s maintenance is provided at 3 levels of escalation based on the nature of support

required by RDB. See details in appendix 7

4.2. DTWMS PROCESS AND SYSTEM DESCRIPTION

4.2.1. Document Tracking and Workflow Management System/E-

mboni

E-mboni or DTWMS is the official document management, workflow and archival system used by

the Government of Rwanda. It is meant to improve transparency and efficiency in the public service

delivery.

The primary objective of DTWMS is to improve overall efficiency, accountability and

transparency through using technology to harmonize document and records life-cycle

management. DTWMS’s mandate is to create a centralized system that can be used in any public

institution to improve information sharing and management thereby reducing bureaucracy in all

government processes.

4.2.2. Components of the DTWMS (E-mboni/Omnisuite)

The fundamental components of Document Tracking and Workflow Management System

(DTWMS) are the following:

● Omniscan: A document scanning system with built-in document recognition and separa-

tion capabilities. It can scan various types of documents with different scanning properties

without human intervention by using powerful scripts. This application is locally installed

on the Central Secretariat's Computer.


IT GENERAL CONTROLS

11


● Omniflow: A workflow system defining how a document is transferred from one user to

another for a required action.

● Omnidoc: An Enterprise Document Management (EDM) platform for creating, capturing,

managing, delivering and archiving large volumes of documents and contents. It integrates

seamlessly with other external applications. OmniDoc handles Scanned Document Images,

Electronic Documents, Emails and Electronic Data Output from other applications with

equal efficiency and ease. It effectively manages document centric work-flows from the

point of content origination to the final delivery of output across multiple enterprise appli-

cations.

● Business Activity Monitor (BAM) an enterprise solution to provide a real-time summary

of business activities to operations managers and the top management.

● Process manager: is a system administration tool through which system administration

tasks are performed. It provides the functionality to configure an application, application’s

various components and component’s several instances within the user system panel, de-

pending upon the roles and needs of a user. It creates a single window for business users to

perform, manage and monitor all their tasks, taking their productivity up by several notches.

● Master Data Management (MDM)/Classificator: is a tool to simplify, plan, build, deploy

and manage master data tables for a centralized source of accurate business intelligence.

With configurable Maker-Checker10 functionality, it enforces the data governance by mak-

ing sure that all actions performed in the module can be approved, before they are commit-

ted to the server. Users are not permitted to perform any operation on tables that are not

created through this module.

4.2.3. Key elements of DTWMS (E-mboni)

Incoming mails: DTWMS makes document and information processing and archiving easier than

ever, whether it's physical incoming mail, internal mail, agreements, e-mails or social media

information. For all documents, letters, entering a public institution requesting service or

information about something in the institution are scanned at the central secretariat, entered in the

system and dispatched to the concerned staff to handle them.

Outgoing mails: Outgoing mail in DTWMS consists of all the correspondence types that you use

to communicate with other parties. This can include memos, emails, instructions, requests for

information, advice notes – in fact any correspondence types used in each customers business.

After handling documents in the institutions, the concerned staff is supposed to send responses

electronically through the system to other institutions or clients via email without taking more time

to send them by post or service’s cars.

10 Maker-Checker is a feature made to provide dual factor authentication in users, groups and role level operations. Maker has the

supervisory control to create user/s whereas checker finalizes all the decisions made by the maker. Maker's actions are not valid till

the time they have been approved by the checker. All Maker- Checker operations are tracked in the audit log.


IT GENERAL CONTROLS

12


4.2.4. Use of DTWMS in public institutions

Each public institution is assigned an Internet protocol (IP) address which they use to access the

web-based software (requires internet), after which a user logs in using his\her user name and

password. Users are able to scan and upload the documents to the system using Omniscan, fill in

relevant metadata with the scanned images and give only rights based access to the users over work

steps/folders/documents to be able to perform their designated tasks as per the defined roles/rights.

The system is also able to define custom check-lists, auto-generate acknowledgement letter as per

a pre-defined template and defining turn-around times for each step in the process flow. Users are

able to view the workflow history of any particular work item, search for any transaction/document

based on the defined parameters and the system can also generate regular MIS reports as well as

show a real time view of the process using a dashboard.

For archiving process, folder hierarchy for storage of documents is defined as per customer’s

requirement. The System allows creation of users / user groups, Access rights for the users / groups

are defined in the system and Users are able to search and retrieve the required documents.

Storage, retention and disposition policies are defined in the system and it allows defining the

storage locations for the physical documents as well and also allows for tracking the movement of

the same.

4.2.5. Monitoring and evaluation of the software and project

For monitoring the status of work items and work steps a web-based tool called Business Activity

Monitor (BAM) is used. BAM provides real-time information about the status and results of

various operations, processes and transactions through user defined reports so that a user can

address the problem areas and resolve the issues within his/her business process. Various reports

can be generated in BAM, they include:

● Incoming mails tracker; displays a report of all incoming mails in the institution for a se-

lected period of time, by department

● Due incoming mails tracker; displays all the documents that were not processed before the

set deadline.

4.2.6. Key stakeholders and their responsibilities

The following table outlines responsibilities of the system’s stakeholders

Table 2.DTWMS project stakeholders and their responsibilities

Stakeholder Roles & Responsibilities

RDB a) Implementation of ICT applications/systems as well as harmonizing all

ICT related procurement needs across government institutions

b) Facilitate and support development of Rwanda’s ICT sector towards

transforming into an ICT hub for the region

MYICT a) Coordinate and monitor the management of ICT projects in RDB

Public institutions a) Overall responsibility for management of the documents and records in

the DTWMS, ensuring adherence to the document management procedures

and protection of the confidentiality, integrity and availability of the

information


IT GENERAL CONTROLS

13


ICT department in

each institution

a) The ICT department is responsible for the technical aspects and

functioning of DTMWS including administration of passwords and system

security, backups and disaster management


IT GENERAL CONTROLS

14


5. FINDINGS


IT GENERAL CONTROLS

15


5.1. PLANNING

5.4.1. Absence of concept document

For a programme to be successful, it requires a plan documenting the implementation strategy

(concept document) that elaborates objectives of the programme, activities to be undertaken, key

performance indicators, infrastructure and resources required (financial and human resources),

stakeholders, their roles and responsibilities. The implementation and roll out plan illustrates when

the programme would start, when it will reach its maturity level and serves as guidance to all

implementers of the programme to enable them keep checking whether they are on the right track.

However during the audit I noted that, the DTWMS is being implemented without a concept

document. The document considered as concept document, is an initial draft project definition that

was drafted in 2009. At the time of audit April 2016, it was not yet approved to guide the

implementation of the project.

Implementing the project without a concept document hinders management’s ability to track the

progress, success or failures of the programme. Subsequently, valid corrective actions cannot be

undertaken as well as mitigating factors against specific risks of the programme.

Recommendation

A concept document that elaborates what will be done, who will do it, and how and when it will

be done should be developed. Key stakeholders should be determined, their role and

responsibilities should be elaborated and communicated to them. Resources (infrastructure, human

and financial) needed for the programme should be determined to enable its implementation.

Management comments

The recommendation has been noted and proper documentation of the project will be elaborated.

5.4.2. Lack of awareness in public institutions before deployment of the system

Managing change means making changes in a planned and systemic fashion. With reference to the

IT projects we can say the change in the versions of a project and managing these versions properly.

In this way Change Management focuses on how people and teams are affected by integration of

new ICT project in the institutions.

However, during the audit I noted that there has not been an awareness program in public

institutions before launching the system. In addition, this was raised during the interview with the

IT administrators of the system in 39 sampled institutions, where the main challenge reported was

that the institution's top management are not being involved in enforcement and implementation

of the project, which affects the use of the system.

Apart from the challenges highlighted by the users of the system, there was no consultation done

in public institutions before launching the system. Consequently, this has caused a resistance in its

usage, while participation is critical in the success of the project.


IT GENERAL CONTROLS

16


Recommendation

As the new ICT initiatives impact how individual people do their work: their processes, work-

flows, reporting structures, behaviors within the organization, RDB should put more emphasis on

the awareness program before any launch of new technology in public institutions.

Management comments

Recommendation is noted. We agree that awareness will go a long way in getting the system fully

adopted and we will putting more efforts.

5.4.3. Absence of Key Performance Indicators to check the progress of DTWMS

Key Performance Indicators define factors the institution needs to benchmark and monitor. In an

electronic documents and records management project, KPIs could be used to measure user uptake

as the system rolls out. Another example is to measure the timeliness and quality of service delivery

– in this case, KPIs may be used to measure that records services meet agreed delivery times.

However, RDB has not put in place key performance indicators that will be used to track progress

in the implementation of the project in public institutions. Consequently, when performance

indicators are not set, management will not be able to know whether the project is on the right track

for success.

Recommendation

RDB should set performance indicators for DTWMS project. It will help to understand whether

the project is on the right track for success or not more easily and identify where to make

improvements and focus more attention.

Management comments

Recommendation is noted. In the past years, the indicators were mainly about the system

development, deployment and adoption. But now that the basic deployment has been done, RDB is

going to add more specific indicators to measure the real impact of the system

5.4.4. No buy or build assessment was conducted

When an entity intends to automate its business processes so as to improve on their productivity it

considers either to buy or build the application system bearing in mind cost, suitability of the

system (needs match software features) and time to deploy for use. Based on an entity’s current

situation, the choice is to buy if the system is a fundamental requirement for the entity to operate

and it is difficult to find a qualified and able developer that can design the system that meets the

requirements. Or build if the development can be handled in house with permanent resources, the

time of development is not a constraint and the system will provide competitive advantage.

However during the audit, I noted that there was no build or buy assessment report that justified

RDB’s choice, to buy off-the-shelf software from a commercial vendor over developing a custom

made software that addressed user’s needs.

Absence of a cost-benefit assessment to justify build over buy (or vice-versa), results in RDB

making a choice that results in lower return on investment.


IT GENERAL CONTROLS

17


Recommendation

In future, RDB needs to undertake a thorough initial cost-benefit analysis to ensure that IT

investments are made at the most economical cost and they deliver optimally on functionality. RDB

should seek the most appropriate software development approach, whether to buy or to build and

adopt it after assessing cost, suitability and time to deployment. Local software development

companies or individuals should also be considered as was the case of the Integrated Payroll and

Personnel Information System (IPPIS) which MIFOTRA (Ministry of public service and labour)

used a local software developer to build and incurred lower cost compared to procuring off-the-

shelf.

Management comments

Developing the platform would have been out of focus for RDB, as it was just a tool to help work

on the core functionalities.

5.2. DTWMS PROJECT IMPLEMENTATION

5.2.1. Delay in implementation of the system by RDB

From the National ICT Strategy and Plan (NICI 2010-2015), one of the outcome indicators of

DTWMS was that 50 % of government institutions will be installed with mail management system

by 2013.This includes incoming mails and outgoing mails. However, during the audit in April

2016, I noted the following delays:

(a) All components of the mail management system not launched: Only incoming mails

was launched in public institutions by RDB (receiving mails and processing internally in

the institutions). The component of outgoing mails has not yet been launched in public

institutions (this refers to sending and receiving documents externally between public in-

stitutions). Consequently, the objective of improving information sharing in government

processes was not achieved at the planned time.

(b) All features are not customized: With the system it is possible to customize it according

to the process flow of documents in the institution. It can also include several features like

Leave Request, Out of Office Request, Transport Request, Stock Request and internal

Memo. However during the field visit in 39 sampled public institutions I noted a delay in

customization of all features. It was done only for WDA, MINAFET and NAEB, while the

remaining 36 institutions with the system, have the basic features of Omni scan and Omni

flow, which could be the case with the other 77 public institutions that also have the system

but were not sampled. Consequently, a big part of work in the institutions is still being done

with papers while there is an option to use the system.

Recommendation

As RDB is the implementing institution, it should speed up the customization of all features and

the launching of outgoing mails component. This will facilitate the sharing of documents in all

public institutions.


IT GENERAL CONTROLS

18


Management comments

Noted. The biggest challenge was a high rate of employees turnover (employees leaving and not

getting replaced); the staff working on DTWMS are on short contracts, which caused RDB to loose

many (and the best) of them, when they get more stable jobs. Moreover, we were not allowed to

immediately replace them in the middle of RDB restructuring. We believe this will be solved by the

establishment of RISA.

Also, outgoing Mails deployment was delayed by efforts to do it together with Digital Signatures

to avoid any printing. The integration to the National PKI added more burden to the already

overloaded team, as these were new skills to learn. However, there is a plan to deploy the workflow

in phases (starting with Ministries by the end of this financial year), to reach the objective of

sharing documents and add improvements when ready.

5.2.2. Multiple software that perform similar functions (Duplication)

The NICI 3 plan designates to RDB the role of lead implementing and coordination agency for

GoR-ICT initiatives such as E-Government (e-GOV). Which aims at improving government

operational efficiency and service delivery by encouraging a paperless public administration. To

be able to perform this task RDB is required to adopt working partnerships with other public

institutions to ease the roll-out of the program and its coordination.

During the audit from RDB’s report, I noted the following public institutions running different

software which perform a similar function to the rolled-out DTWMS (E-mboni):

● Capital Markets Authority

● Ministry of finance and economic planning

● Ministry of Health

● National Capacity Building Secretariat

● National Institute of Statistics Rwanda

● Office of the Ombudsman

● Rwanda Biomedical Centre

● Rwanda Housing Authority

● Rwanda Public Procurement Authority

● Rwanda Revenue Authority

● Rwanda Social Security Board

● Special Guarantee Fund

Running different software that perform a similar function raises the risk that those different

software cannot easily integrate to enable easy inter-agency communication and sharing of

electronic documents. When the DTWMS outgoing mail starts to work and creates duplication of

effort and resources.

Recommendation

RDB in collaboration with other public institutions need to work together and share information

regularly and consistently relating to acquisition of ICT equipment.


IT GENERAL CONTROLS

19


Management comments

The Documents Tracking System project was clearly highlighted in NICI II, which was well known

to all institutions. Also, in 2008, a preliminary study was made, and some of the said institutions

(like the Ministry of Finance and Economic Planning) were visited and contributed to the study in

preparation to the DTWMS implementation. Despite this, the ministry separately acquired another

Documents Management System without consulting RDB. An Enterprise Architecture Board will

be put in place in collaboration with MYICT with the legal framework to oversee and formally

authorize acquisition of ICT equipment by all public institutions.

5.3. USAGE OF DTWMS IN PUBLIC INSTITUTIONS

5.4.1. Low utilization of DTWMS in public institutions

The Document Tracking and Work-flow Management System project was put in place, with the

purpose of improving information sharing and management thereby reducing bureaucracy in

government processes. The government has invested in acquiring the system and licenses to make

it functional. RDB as an institution implementing the project deployed the system in 116 public

institutions (ministries, provinces, districts and other public institutions) and procured the user

licenses and omniscan licenses to all ministries and districts. Other public institutions had to pay

the user and omniscan licenses on their own.

However during the physical verification, interviews done in 39 sampled public institutions and

review of reports. I noted the following:

(a) Public institutions with the system but no licenses acquired

The system to be functional at institution level, it requires to be equipped with user licenses and

omniscan licenses. However, during the review of reports provided by RDB, I noted that 17 public

institutions with the system have not acquired the user licenses and omniscan licenses. In addition,

during the field visit in 39 sampled public institutions, I noted that 11 institutions don’t have user

and omniscan licenses. Consequently they are not using the Document Tracking System in their

daily work, while the government has invested more funds in acquiring it. See details in appendix

8

Table 3: Institutions with the system but no licenses acquired

Status No. of entities

Installed the system but are yet to acquire licenses (Field Visit) 11

Installed the system but are yet to acquire licenses (Documentary review) 17

Total 28

(b) Public institutions using the scanning option only

With the system deployed in public institutions, the component of incoming mails includes

scanning documents and sharing them internally through the system (workflow). However, during

the physical verification in the public institutions, I noted that REMA, MINAFFET and MINICOM

are using scanning option only without sharing them through the workflow. Documents are

scanned only and the sharing is done by using hard copies. Consequently, the objective of sharing

documents through the system is not being achieved.


IT GENERAL CONTROLS

20


(c) Public institutions with licenses but not using the system

During the audit field visit I noted 4 public institutions that have installed the system, acquired

licenses but are not using the system. See the table below for details:

Table 4: Institutions not using the system

No. Entity

1 Ministry of Gender & Family Promotion (MIGEPROF)

2 Ministry of East African Community (MINEAC)

3 Rwanda Biomedical Center (RBC)

4 Rwanda Demobilization & Reintegration Commission (RDRC)

(d) Public institutions that minimally use the software (Low utilization)

Apart from the work to be done though the system, the scanning option shows how institution use

the system. During the audit I reviewed DTWMS’s monitoring reports generated by BAM,

showing the scanned documents per each institution that has installed the system and acquired user

licenses. The analysis done was comparing the number of scanned documents, from 10/12/2015

up to 15/03/2016.

I noted that 53 public institutions out of 84, equivalent to 63% which have installed the system and

acquired licenses have not or scanned a less number of documents during the period of 3 months.

Consequently, they are minimally using the system. See details in appendix 9 (a).

Among the 53 public institutions, 19 institutions are not using the system at all while 23 institutions

have scanned very little quantity ranging between 1 and 60 documents for a period of 3 months.

See details in appendix 9 (b) and (c).

There is a wastage of government funds (through the budgets of RDB and public institutions)

which have invested USD 2,681,112.62 in acquiring the system and licenses yet not being used.

The institutions will continue spending a lot of money for paper, printers, stationary and

transportation expenses for couriers. Consequently the objective of improving overall efficiency,

accountability and transparency will not be achieved.

Recommendation

RDB should work closely with the concerned entities to put in place an enforcement on the usage

of DTWMS and regularly monitor the system utilization.

Management comments

Recommendation Noted. RDB is working with MIFOTRA, with regards to improving service

delivery in public institutions, to enforce the system usage in all institutions (at least those having

user licenses) by June 2016. Concerning institutions that have the system but no licenses, it is an

issue of budget where support is needed from MINECOFIN.


IT GENERAL CONTROLS

21


SECTION 2: REVIEW OF RDB IT GENERAL CONTROLS


IT GENERAL CONTROLS

22


5.4. WEAKNESSES NOTED IN IT GENERAL CONTROLS OF RDB

5.4.1. Weak IT Governance Structure

IT best practice through the COBIT 5 IT Governance framework and its mechanism recommends

that an institution whose activities are significantly IT based should have an IT Steering committee

that should work in close partnership with the management to guide management decisions

especially those pertaining to IT investments to ensure that they are aligned to IT strategies and

overall Strategy. The implementation of the IT strategy is the responsibility of the executive

management assisted by an IT steering committee.

The COBIT 5 framework states that an ICT steering committee should be composed of executive,

business and IT management to represent every department and unit in the institution. However,

during the audit of the general controls of RDB’s IT, I noted the following:

a) Lack of IT strategic plan: Even though there is an action plan for the period starting July

2014 to June 2015 and an overall strategic plan, there should be an IT strategic plan (not a part

or another strategic plan) where the action plan would be used as an implementation tool of the

strategic plan.

b) Lack of a steering committee: The committee is not in place yet RDB continues to acquire,

develop and implement new IT systems and invest in new technologies.

Due to the above IT Governance gaps, the ICT related projects are given less attention and this

may result in sub-optimal decisions on IT investments and lack of value for money on IT

investments and implemented IT systems. RDB could lack better information during decision

making due to absence of designated persons at the strategic level to evaluate appropriateness of

IT investment decisions as well as monitor implementation of those adopted. As there is no IT

strategic plan that could help RDB management to evaluate ICT performance and monitor

implementation of aligning IT to RDB core objectives.

Recommendations

a) IT strategic plan: RDB management should develop, approve, implement and monitor an IT

strategy that is aligned to the overall RDB strategy. This document should be a platform for

which future plans would be derived. The implementation of this plan should be monitored and

reported to ensure achievement and performance of IT in terms of supporting the overall strat-

egy and should be evaluated based on implementation of the activities stated by this document.

b) IT steering committee: RDB management should appoint staff members to the IT steering

committee to work with RDB management in evaluating and monitoring implementation of IT

projects.

Management comments

a) Currently RDB has a general strategic plan that covers the RDB mission. The current IT unit

action plan is addressed according to the general strategic plan. However as RDB is currently

working on a revised strategic plan, once this is done we shall look on designing an IT strategic

plan which reflects the new strategic plan for RDB.


IT GENERAL CONTROLS

23


b) An IT steering committee has already been proposed and it is remaining just approval from

senior management.

5.4.2. Review of RDB ICT policies and procedures

IT best practices and internationally recognized standards require that institutions develop IT

policies that are used to guide the effective use of ICT resources, mitigate risks and promote

responsible, ethical and secure use of ICT resources. The development of various IT policies and

procedures should be a result of an IT risk assessment and a need to comply with international

standards such as ISO 27001 on Information Security Management Systems) and ISO 22301 on

Business continuity.

During the audit I noted that RDB has developed general regulations on the use and protection of

IT equipment. I noted that the document in place has not been fully aligned to ISO 27001 and in

addition there is no evidence that the document was developed based on an IT risk assessment done

on RDB ICT resources. With reference to best practices, the following important policies and

guidelines have not yet been developed:

Telephone usage policy

Web posting policy

Support and maintenance policy

Service level agreement policy

Incident management policy

Change management policy

Data classification and retention policy

Business continuity plan and disaster recovery plan

Change management policy

A review of the general regulations on the use and protection of IT equipment document provided

by RDB IT unit revealed the following weaknesses:

The document is silent on the enforcement and monitoring of compliance to all the proce-

dures in it

The document is silent on how, who and when this it is updated

The document is silent on how it should be communicated to all RDB users (user awareness

trainings)

The document is silent on the position of other external users (consultants and third party

users) of RDB IT resources

In addition, there is no proof that the following guidelines are implemented as stated in the docu-

ment:

Measures in place to verify that only authorized and licensed software is used by RDB staff

Forms that require access to RDB IT systems are filled in

LAN analyzer and packet sniffing software are used to monitor and detect unauthorized

intrusion to RDB systems

Computer hardware and software audits are carried out periodically to track unauthorized

copies of software and unauthorized changes to hardware and software configurations


IT GENERAL CONTROLS

24


Due to the fact that some of the policies or regulations are not yet developed, and are silent on key

points, there might be lack of safeguard of information which may lead to security breaches, data

loss, fraud, and errors in operations as well as inefficient and ineffective use of ICT resources to

achieve RDB’s mission and objectives. Furthermore, given that the general regulations on the use

and protection of IT equipment document, was not developed as a mitigation tool to identified IT

risks, it may not cover all the ICT resources.

Recommendations

RDB IT should put more effort to develop ICT policies and procedures based on comprehensive

risk analysis to cover all ICT resources and align the developed document to international stand-

ards, this will help avoid misuse of ICT resources and allow maximization of their usage in safe

environment. RDB IT should put in place measures to monitor and evaluate implementation and

compliance to the policies in RDB.

Management comment

All documentations have been done however, they are still drafts and only remain with official

approval from senior management so that the IT unit starts the application of all controls,

procedures and strengthen the usage the new developed policy.

5.4.3. Weakness noted in risk management process

Risk management is the process of identifying vulnerabilities and threats to the information

resources used by an organization in our case RDB in achieving business objectives and deciding

what countermeasures (safeguards or controls), if any, to take in reduction risk to acceptable level,

based on the value of the IT resources to the organization. The risk management encompasses

identifying, analyzing, treating, monitoring and communicating the impact of risk on IT process.

According to COBIT 5 APO 12 - management of risk, the key risk management practices include:

Collecting data

Analyzing risk

Maintaining a risk profile

Articulating risk

Defining risk management action portfolio

Responding to risk

During the audit I noted that RDB hired an external consulting firm to help it identify and analyze

IT risks that could impact on IT processes, however, treating and monitoring of identified risks

was not done.

If the identified risks are not mitigated, transferred or shared RDB’s activities can be negative

affected in the following manner:

Elevation of privilege: an attacker exploiting these vulnerabilities could assume greater

privileges on a compromised system, allowing them to potentially destroy data or take con-

trol of computers for malicious purposes.


IT GENERAL CONTROLS

25


Information disclosure: an attacker exploiting IT vulnerabilities could obtain access to

confidential information.

Denial of services: an attacker exploiting IT Vulnerabilities could prevent authorized ac-

cess to computing resources or interfere with a system‘s operations.

In addition, there is no value for the money invested in identifying the risk if they are not mitigated

appropriately.

Recommendation

RDB management should put more effort in understanding the entity’s risk appetite then develop

and implement strategies that reduce IT risks to an acceptable level. They should also keep an IT

risk register that is updated regularly with newly recorded security incidents that have not been

captured in the risk register.

Management comment

The recommendation has been noted and will be implemented.

5.4.4. Business continuity and disaster recovery plan

The ISO 22301 on Business Continuity recommends that organizations of all sizes and types should

engage in a comprehensive and systematic process of prevention, protection, preparedness,

mitigation, response for business continuity and recovery. To be able to do this, it is very important

for an organization to:

Ensure that there is a Business Continuity Plan covering the entire organization/system

which would be activated in case of an interruption to business

Ensure that all risks to business systems, infrastructure, applications, data and personnel

are identified and managed and that systems and applications can be recovered within spec-

ified time scales.

Ensure that there is a Disaster Recovery Plan for the organization/system

Ensure data that needs to be backed up has been identified and prioritized, and that backups

are done frequently and stored outside the premises of the organization or where the system

is hosted

Ensure there is a backup retention policy and that backups are tested periodically.

Ensure that backups made are well secured and safe

Ensure that organization/system manager has made provision for adequate hard drive space

for incoming data and data storage.

However, RDB/IT unit does not have a backup plan and disaster recovery plan to ensure business

continuity in case something goes wrong. Even though backup is done regularly the process is not

documented and furthermore there is no proof that the backups done are tested to ensure that they

are working and will be useful in case of disaster.

In case of a disaster while there is no Business Continuity Plan/Disaster Recovery Plan put in place,

RDB staff may not know where to start in response to the disaster so as to prevent any loss of


IT GENERAL CONTROLS

26


resources or what procedures to follow to safeguard the resources. Due to not testing of the backups

done, it may be very difficult for RDB to know whether the back up in place will help to recover

IT processes in the event of disaster.

Recommendation

RDB management should put in place a Business continuity Plan and Disaster Recovery Plan,

implement them and monitor their compliance and this will formalize the process of safeguarding

RDB data from any kind of loss or disaster that could occur any time. Back up should be tested on

a regular basis to ensure that in case of data loss or disaster, data can be used to recover RDB IT

systems.

Management comment

Recommendation noted. The backup and a disaster recovery plan will be put in place.

5.4.5. Lack of internal audit or quality assurance involvement

RDB has the ultimate responsibility of ensuring that an adequate system of internal controls is in

place and working properly to reduce IT related risks and provide periodic assurance to

management that the different IT controls related to the business processes are implemented.

However, during the audit I did not find proof that there was an internal audit or quality assurance

assessment conducted on the RDB ICT systems to ensure that risk over IT systems, projects and

investments are detected, prevented and corrected.

In the absence of internal audit or quality assurance involvement, management may not be able to

obtain timely, reliable, periodic information about the adequacy of compliance to the control

framework established throughout RDB.

Recommendation

RDB management should involve the internal audit or quality assurance function so as to review

the IT controls in place to ensure that they are working to lower risks which the entity is susceptible

to while delivering value for money

Management comment

The recommendation is noted and will be implemented.

5.4.6. Weakness noted in IT operations controls

IT best practices require that an institution that relies on information technology/system should

maintain IT equipment, evaluate problem and incident management practices to determine whether

incidents, problems or errors are recorded, analysed and resolved in a timely manner, and ensure

that network is monitored and administered effectively and efficiently.

However, during the audit review of IT unit I did not find any evidence that errors, problems and

incident are reported, and that RDB network is monitored and administered in manner that can

help to detect, prevent or collect any intrusion detected.


IT GENERAL CONTROLS

27


If all the errors, problems and incidents are not reported, monitored, recorded and kept, there is a

risk of these same issues re-occurring and not being addressed timely. It is difficult for RDB

management to know the level of satisfaction of users in order to provide insight in IT improvement

if RDB does not keep track on all issues regarding IT, how have they been resolved and the time it

takes to fix them.

Recommendation

RDB management should formalize the process of maintenance to keep track on all the issues as

they occur, also IT unit should be equipped with tools to monitor and administer the network usage

and detect any intrusion to RDB network.

Management comment

Recommendation is noted. Currently RDB does not have appropriate tools to report and record

errors, incidents that have occurred. However RDB is implementing a new IT policy and

procedures which describes provision of errors, incidents reporting and recording. Progressively

while RDB unit is implementing the policy, this observation will be addressed


IT GENERAL CONTROLS

28


6. CONCLUSION

One of the priorities of EDPRS II is the development of ICT, where the ICT sector has a key cross-

cutting role to play in supporting businesses, skills, and public service delivery.

The DTWMS project was put in place, with the purpose of improving government processes,

reducing costs and increasing efficiency of service delivery through information sharing and

management thereby reducing bureaucracy.

However, I noted that the project is not achieving its objectives and Government is not realising

value for money from funds invested in acquiring the system and licenses.

i.) Planning the implementation of the system

The plan of implementation of the DTWMS project was not adequate, there was no plan

documenting the implementation strategies, activities to be undertaken as well as role and

responsibilities of stakeholders. Consequently, this affected the implementation and utilization of

the system. The effects are as follows:

● There was no awareness in public institutions before deployment of the system and

this caused a resistance in the using the system. Some other twelve (12) institutions spent

money in buying similar programmes which cannot integrate to enable inter-agency com-

munication and sharing of electronic documents.

● No Key Performance Indicators developed to track the progress of DTWMS, the man-

agement cannot be able to know whether the project is on the right track for success or not.

● No buy or build assessment was conducted. Absence of a cost-benefit assessment to

justify build over buy (or vice-versa), results in RDB making a choice that results in lower

return on investment.

ii.) Implementation of the system in user institutions

While it was planned that by 2013, 50 % of government institutions will be installed with mail

management system, during the audit (in April 2016), only incoming mails was launched in 116

institutions. In addition to this, all features are not customized, they are only in 3 institutions

(WDA, MINAFET and NAEB) out of the 116 which have the system installed. The objective of

improving information sharing in government processes cannot be achieved as long as all compo-

nents are not launched.

iii.) Utilization of DTWMS in public institutions

The expected value for money can only be obtained if the system is optimally used by all intended

institutions. 28 institutions out of 116 institutions (24.1%) have the system installed but have not

acquired licences. Another 84 have acquired licenses, but some of them are not using the system

at all (19 institutions) while others (23 institutions) are scanning very little quantity ranging

between 1 and 60 documents for a period of 3 months. Consequently the objective of improving

overall efficiency, service delivery, accountability and transparency will not be achieved.


IT GENERAL CONTROLS

29


I also noted several weaknesses in the internal controls of RDB’s IT unit:

i.) Weak IT Governance Structure

Lack of IT strategic plan and steering committee in RDB. Even though there is an action plan for

the period starting July 2014 to June 2015 and an overall strategic plan, there should be an IT

strategic plan (not a part or another strategic plan) where the action plan would be used as an

implementation tool of the strategic plan. RDB continues to acquire, develop and implement new

IT systems and invest in new technologies yet it does not have a steering committee.

ii.) Review of RDB ICT policies and procedures

RDB has developed general regulations on the use and protection of IT equipment but they are not

fully aligned to ISO 27001 and in addition there is no evidence that they were developed based on

an IT risk assessment done on RDB ICT resources.

iii.) Business continuity and disaster recovery plan

RDB does not have a backup plan and disaster recovery plan to ensure business continuity in case

something goes wrong and the backup process is not documented. Furthermore there is no proof

that the backups done are tested to ensure that they are working and will be useful in case of dis-

aster.


IT GENERAL CONTROLS

30


7. RECOMMENDATIONS

● A concept document that elaborates what will be done, who will do it, and how and when

it will be done should be developed. Key stakeholders should be determined, their role and

responsibilities should be elaborated and communicated to them. Resources (infrastructure,

human and financial) needed for the programme should be determined to enable its imple-

mentation.

● As the new ICT initiatives impact how individual people do their work: their processes,

work-flows, reporting structures, behaviors within the organization, RDB should put more

emphasis on the awareness program before any launch of new technology in public insti-

tutions.

● RDB should set performance indicators for DTWMS project. It will help to understand

whether the project is on the right track for success or not more easily and identify where

to make improvements and focus more attention.

● In future, RDB needs to undertake a thorough initial cost-benefit analysis to ensure that IT

investments are made at the most economical cost and they deliver optimally on function-

ality. RDB should seek the most appropriate software development approach, whether to

buy or to build and adopt it after assessing cost, suitability and time to deployment. Local

software development companies or individuals should also be considered.

● As RDB is the implementing institution, it should speed up in launching of outgoing mails

component. This will facilitate the sharing of documents in all public institutions.

● RDB in collaboration with other public institutions need to work together and share infor-

mation regularly and consistently relating to acquisition of ICT equipment.

● RDB should work closely with the concerned entities to put in place an enforcement on the

usage of DTWMS and regularly monitor the system utilization.

● IT strategic plan: RDB management should develop, approve, implement and monitor an

IT strategy that is aligned to the overall RDB strategy. This document should be a platform

for which future plans would be derived. The implementation of this plan should be moni-

tored and reported to ensure achievement and performance of IT in terms of supporting the

overall strategy and should be evaluated based on implementation of the activities stated

by this document.

● IT steering committee: RDB management should appoint staff members to the IT steering

committee to work with RDB management in evaluating and monitoring implementation

of IT projects.

● RDB IT should put more effort to develop ICT policies and procedures based on compre-

hensive risk analysis to cover all ICT resources and align the developed document to inter-

national standards, this will help avoid misuse of ICT resources and allow maximization of

their usage in safe environment. RDB IT should put in place measures to monitor and eval-

uate implementation and compliance to the policies in RDB.


IT GENERAL CONTROLS

31


● RDB management should put more effort in understanding the entity’s risk appetite then

develop and implement strategies that reduce IT risks to an acceptable level. They should

also keep an IT risk register that is updated regularly with newly recorded security incidents

that have not been captured in the risk register.

● RDB management should put in place a Business continuity Plan and Disaster Recovery

Plan, implement them and monitor their compliance and this will formalize the process of

safeguarding RDB data from any kind of loss or disaster that could occur any time. Back

up should be tested on a regular basis to ensure that in case of data loss or disaster, data can

be used to recover RDB IT systems.

● RDB management should involve the internal audit or quality assurance function so as to

review the IT controls in place to ensure that they are working to lower risks which the

entity is susceptible to while delivering value for money

● RDB management should formalize the process of maintenance to keep track on all the

issues as they occur, also IT unit should be equipped with tools to monitor and administer

the network usage and detect any intrusion to RDB network.


IT GENERAL CONTROLS

32


8. APPENDICES

Appendix 1: NICI III projects Cluster No Projects Status

Skills

Development

1 ICT Professional Training and Certification Programs Ongoing

2 SchoolNet (includes OLPC component) Ongoing

3 ICT Training for Teachers Ongoing

4 RwEdNet Ongoing

5 Open, Distance and e-Learning Ongoing

6 Digital Library Ongoing

Private Sector

Development

7 Technopole Ongoing

8 e-Payment System Completed

9 Tourism Portal Completed

10 ICT Business Financing Mechanism Ongoing

11 Virtual Landing Point Ongoing

12 Access Network Ongoing

13 e-Soko 2.0 Ongoing

14 SMART Electricity Grid and Energy Market Design Ongoing

15 Commodity and Securities Platform Ongoing

16 Adoption of ICT Industry Standards Ongoing

17 Content and Application Development Ongoing

Community

Development

18 Land Administration Information System Completed

19 Business Delivery Service Centers Ongoing

20

ICT Infrastructure & Applications for Local Government

(Video Conferencing)

Completed

21 Community Health worker Reporting and Information System Completed

22 Health Insurance Information System Ongoing

23 Integrated Public Safety Communication System Ongoing

24 Telemedicine Ongoing

25 Vision 2020 e-Citizen Ongoing

E-Government

26 Government Enterprise Architecture Ongoing

27 Government Intranet Completed

28 Document Tracking and Workflow Management System Ongoing

29 e-Procurement Ongoing

30 National ID and Smartcard System Ongoing

31 JRLOS Information Systems Ongoing

32 Disaster Recovery Center Ongoing

33 National Portal Completed

34 Mining Portal Ongoing

35 Training and Education Portal Ongoing

Cyber Security

36 Rwanda-CERT/CSIRT Ongoing

37 Rwanda Public Key Infrastructure (PKI) Ongoing

38 Security Operation Centre (SOC) Ongoing

39 Information Infrastructure Security System Ongoing

40 Cyber Security Capacity Building Ongoing

41 National Cyber Security Research Centre (NCSRC) Completed

Cross-Cutting

Projects

42 NICI III Implementation Support Ongoing

43 ICT Awareness Campaign Ongoing

44 Policy, Legal and Regulatory Framework Ongoing

45 Green ICT Ongoing

46 Climate Change Observatory Ongoing

47 Digital Migration Completed

48 CNS-ATM Completed

49 Transform Africa Summit (2013) Completed

50 4G LTE Broadband Internet Completed


IT GENERAL CONTROLS

33


Cluster No Projects Status

New Projects

(EDPRS II - ICT

SSP)

51 Rwanda Online Completed

52 Government Command Center Completed

53 SMART Village Ongoing

54 K-Lab Completed

55 Regional ICT Center of Excellence Ongoing

56 ICT Innovation Center Ongoing

57 Sim Card Registration Completed

58

ICT Northern Corridor Integration Project (eg.One area

network)

Ongoing

59 CCTV Project Ongoing

Appendix 2: Sampled institutions No. Entity

1 Kigali City

2 Gasabo District

3 Kicukiro District

4 Nyarugenge District

5 Funds for Assistance to Genocide Survivors (FARG)

6 Gender Monitoring Office (GMO)

7 Integrated Polytechnic Regional Centre – Kigali (IPRC-Kigali)

8 Ministry of Disaster Management & Refugee Affairs (MIDIMAR)


10 Ministry of Foreign Affairs & Cooperation (MINAFFET)

11 Ministry of Gender & Family Planning(MIGEPROF)

12 Ministry of Infrastructure (MININFRA)

13 Ministry of Natural Resources (MINIRENA)

14 Ministry of Public Service & Labour (MIFOTRA)

15 Ministry of Sport & Culture (MINISPOC)

16 Ministry of Trade & Commerce (MINICOM)

17 Ministry of Youth & ICT (MYICT)

18 National Agricultural Export Board (NAEB)

19 National Commission For The Fight Against Genocide (CNLG)

20 National Council of Persons with Disability (NCPD)

21 National Electoral Commission (NEC)

22 National Youth Council (NYC)

23 Public Service Commission (PSC)

24 Rwanda Environmental Management Authority (REMA)

25 Rwanda Academy of Language & Culture (RALC)

26 Rwanda Agriculture Board (RAB)

27 Rwanda Biomedical Center (RBC)

28 Rwanda Broadcasting Agency (RBA)

29 Rwanda Cooperatives Agency (RCA)


31 Rwanda Education Board (REB)

32 Rwanda Governance Board (RGB)

33 Rwanda Institute of National Museums (RINM)

34 Rwanda Local Development Support Fund/Local Development Agency (RLDSF/LODA)

35 Rwanda Meteorology Agency (RMA)

36 Rwanda National Commission for UNESCO (RNCU)

37 Rwanda Standards Bureau (RSB)

38 Rwanda Transport Development Agency (RTDA)

39 Workforce Development Agency (WDA)


IT GENERAL CONTROLS

34


Appendix 3: Documents Reviewed No. Documents Reviewed

1 Rwanda Vision 2020

National ICT Strategy and NICI Plan 1,2 and 3

2 EDPRS II (Pg65)

3 MYICT Review of implementation of NICI 3

4 Rwanda Information Technology Authority (RITA) Document Management System Final Report

5 RDB/ICT Monitoring & Evaluation Report Quarter 4 2014-2015

6 DTWMS Implementation Report

7 Contract for license supply with Symphony Rwanda Ltd 2013 & 2014

8 Contract for acquiring a Document Tracking System with CAL Rwanda and Newgen Technologies 2010

9 E-mboni Wiki

Appendix 4: Responsibilities of RDB No. Responsibilities of RDB

1 To fast track development activities and to facilitate Government and the private sector and undertake an

active role

2 To promote local and foreign direct investments in Rwanda

3 To promote exports to regional and international markets of goods and services as well as adding value

4 To participate in initiating and implementing policies and strategies in matters relating to tourism and

conservation of National Parks and other protected areas in matters relating to tourism, and to advise

Government on the promotion of the tourism sector

5 To participate in initiating and implementing policies and strategies in the field of Information and

Communication Technology and to advise Government on the promotion of the sector

6 To provide guidelines, analyze project proposals and follow up on the implementation of Government

decisions in line with public and private investment

7 To carry out privatization programs, monitor them and advise Government accordingly

8 To promote entrepreneurship and support the creation and development of private enterprises

9 To initiate, implement and follow up the activities relating to modernizing, harness relationship and

registering, trading companies and businesses, secured transactions, intellectual property rights and

activities to initiate, exercise and halt business activities

10 To insure appropriate mechanisms of building pro-development institutions in the Public, private and civil

society sectors and increase staff capacity building in those institutions in order to improve their efficiency

and competitiveness on both the national and international labor market

11 To facilitate and help investors meet environmental standards in the execution of their projects

12 To cooperate and collaborate with other regional and international institutions having similar responsibilities

13 To advise Government on all activities which can fast track development in Rwanda.

Appendix 5: Relevant costs that have been incurred as of April 2016 Description Amount ($)

Hardware (including installation) 257,468.97

Software licenses 516,500.00

Implementation cost 177,500.00

Training cost 31,250.00

Recurrent costs (support & maintenance) 97,687.50

Contract price 1- Acquisition November 2010 1,080,406.47

Contract 2 -Licenses (October 2013)

OmniDoc & OmniFlow Software license provision (approx.2000 users)

900 user licenses for all ministries + 2 server licenses for RURA 481,213.76

600 user licenses for all districts + 70 scanning licenses 407,000.00

Omnisuite licenses bought by individual agencies (331 licenses) 182,050.00

Omniscan licenses bought by individual agencies (14 licenses) 15,400.00

Sub-total 1,085,663.76

Contract 2 amendment (May 2014)


IT GENERAL CONTROLS

35


Description Amount ($)

OmniDoc Enterprise Service 6.0.2 Server license 1pc (support unlimited user) 13,200.00

OmniFlow Enterprise Service 8.0.2 Server license 1pc (support unlimited user) 17,600.00

Omniscan Server license 1pc 1,100.00

Sub-total 31,900

Software maintenance 183,142.39

Onsite Support 2012 (August 2012) 150,000.00

Onsite Support Renewal (October 2013) 150,000.00

Sub-total 483,142,49

Total incurred cost 2,681,112.62

Appendix 6: DTWMS deployment in institutions No. Ministries

1 Ministry of Local Government (MINALOC)

2 Ministry of Justice (MINIJUST)

3 Ministry of Internal Affairs (MININTER)

4 Ministry of Foreign Affairs and Cooperation (MINAFFET)

5 Ministry of Natural Resources (MINIRENA)

6 Ministry of Agriculture (MINAGRI)

7 Ministry of Public Service and Labour (MIFOTRA)

8 Ministry of Disaster Management and Refugee Affairs (MIDIMAR)

9 Ministry of Education (MINEDUC)

10 Ministry of Youth and ICT (MYICT)

11 Ministry of Sport and Culture (MINISPOC)

12 The Prime Minister’s Office (PRIMATURE)

13 Ministry of Trade and Commerce (MINICOM)

14 Ministry of Infrastructure (MININFRA)

15 Ministry of Health (MOH)


17 Ministry of Gender and Family Promotion (MIGEPROF)

No. Districts and Provinces

18 Eastern Province

19 Northern province

20 Southern Province

21 Western Province

22 Kigali City

23 Kicukiro

24 Nyarugenge

25 Gasabo

26 Bugesera

27 Burera

28 Gakenke

29 Gatsibo

30 Gicumbi

31 Gisagara

32 Huye

33 Kamonyi

34 Karongi

35 Kayonza

36 Kirehe

37 Muhanga

38 Musanze

39 Ngoma

40 Ngororero

41 Nyabihu

42 Nyagatare


IT GENERAL CONTROLS

36


No. Districts and Provinces

43 Nyamagabe

44 Nyamasheke

45 Nyanza

46 Nyaruguru

47 Rubavu

48 Ruhango

49 Rulindo

50 Rusizi

51 Rutsiro

52 Rwamagana

No. Other Government Institutions

53 Centre Hospitalier Univfersitaire – Butare (CHUB)

54 Centre Hospitalier Univfersitaire – Kigali (CHUK)

55 Chancellery for Heros National Orders & Decoration (CHENO)

56 Directorate General of Immigration and Emigration

57 Gender Monitoring Office (GMO)

58 Genocide Survivors Assistance Fund (FARG)

59 Higher Education Council (HEC)

60 Institute of Legal Practice and Development (ILPD)


62 Integrated Polytechnic Regional Centre – Tumba (IPRC-Tumba)

63 Kacyiru Police Hospital (KPH)

64 Media High Council (MHC)

65 Military Medical Insurance (MMI)

66 National Agricultural Export Board (NAEB)

67 National Commission for Children (NCC)

68 National Commission for Science and Technology (NCST)




72 National Human Rights Commission (NHRC)

73 National Identification Agency (NIDA)

74 National Industrial Research and Development Agency (NIRDA)

75 National Itorero Commission (NIC)

76 National Public Prosecution Authority (NPPA)

77 National Security Services (NSS)

78 National Unity and Reconciliation Commission (NURC)

79 National Women's Council (NAWOCO)

80 National Youth Council (NYC)

81 Neuro-psychiatric Hospital Caraes Ndera (NPHN)

82 Office of the Auditor General (OAG)

83 Office of the Government Spokesperson (OGS)

84 Office of the President (PRESIREP)

85 Public Service Commission (PSC)

86 Rehabilitation & Vocational Skills Development Center – Gitagata (RVSDC-Gitagata)

87 Rehabilitation & Vocational Skills Development Center – Iwawa (RVSDC-Iwawa)

88 Road Maintenance Fund (RMF)

89 Ruhengeri Hospital

90 Rwanda Education Board (REB)

91 Rwanda Academy of Language and Culture (RALC)


93 Rwanda Bio-Medical Center (RBC)


95 Rwanda Civil Aviation Authority (RCAA)

96 Rwanda Cooperative Agency (RCA)

97 Rwanda Correctional Services (RCS)


IT GENERAL CONTROLS

37


No. Other Government Institutions


99 Rwanda Development Board (RDB)

100 Rwanda Environment Management Authority (REMA)

101 Rwanda Governance Board (RGB)


103 Rwanda Law Reform Commission (RLRC)

104 Rwanda Local Development Support Fund/Local Development Agency (RLDSF/LODA)

105 Rwanda Management Institute (RMI)


107 Rwanda Military Hospital (RMH)

108 Rwanda National Commission for UNESCO (RNCU)

109 Rwanda National Police (RNP)

110 Rwanda Standards Board (RBS)

111 Rwanda Transport Development Agency (RTDA)

112 Rwanda Utilities and Regulatory Authority (RURA)

113 The Parliament

114 The Senate

115 University of Rwanda (UR)

116 Workforce Development Authority(WDA)

Appendix 7: Details on levels of support in the maintenance contract

Level 1 provided on-site in Rwanda by

Symphony Rwanda Ltd

Level 2 provided offshore in New

Delhi by Newgen Software Ltd

Level 3 provided

offshore in New Delhi

by Newgen Software

Ltd

a) Problem identification and resolution

b) Preventive maintenance

c) User hand holding

d) Monitoring of all services

e) Monitoring configuration server

f) System administration

g) Patch deployment on UAT (User

Acceptance Test) along with testing

h) Patch deployment on production after

taking UAT sign-off from business

i) Working closely with operational team to

ensure cycle completion for the day

j) Co-ordination with back end team for

problem resolution

k) Consolidation of administrator's and

configurations training

l) Knowledge sharing with user trainers on

processes

m) On the job knowledge sharing of the

activities related to above points

n) Maintenance of the system deployment

environment to ensure full time availability,

performance and security of the system

a) Provides in-depth application

and process knowledge of system

b) Response to queries generated at

level 1

c) Maintenance of the environment

of RDB deployment, debugging &

bug correction for custom code

(subject to availability of code at

on-site)

d) Knowledge of the process logic

& maintain documentation related

to the implementation

e) Knowledge of route

configuration, interfaces developed

and system configuration

f) Detailed analysis report and

impact analysis of issues for L3

offshore team

g) Seamless forwarding of product-

related issues to respective product

team for L3 support

a) Maintenance of

complete code

base of application

b) Immediate response

for queries and issues

related to custom code

c) Bug correction for

custom code

d) Version control of the

patches/bug fixes

released

e) Coordination for

faster resolution of core

product related issues

f) Supporting on-site

team for issue analysis

and faster resolution

g) Providing technical

and functional expertise

for all queries and issues

Appendix 8: Institutions without user licenses No. Deployed Institutions pending to buy user licenses

1 Funds for Assistance to Genocide Survivors (FARG)

2 Institute of Legal Practice & Development (ILPD)


4 Kacyiru Police Hospital (KPH)

5 Media High Council (MHC)

6 National Commission for Science & Technology (NCST)


IT GENERAL CONTROLS

38


No. Deployed Institutions pending to buy user licenses


8 National Human Rights Commission (NHRC)



11 National Identification Agency (NIDA)

12 National Industrial Research & Development Agency (NIRDA)

13 National Security Services (NSS)

14 National Itorero Commission (NIC)

15 National Public Prosecution Authority (NPPA)

16 National Unity & Reconciliation Commission (NURC)

17 National Women Council (NAWOCO)

18 Rehabilitation & Vocational Skills Development Center – Gitagata (RVSDC-Gitagata)

19 Rehabilitation & Vocational Skills Development Center – Iwawa (RVSDC-Iwawa)

20 Rwanda Academy of Language & Culture (RALC)



23 Rwanda Correctional Services (RCS)


25 Rwanda Law Reform Commission (RLRC)


27 Rwanda National Police (RNP)

28 The Parliament

Appendix 9: Public institutions that minimally use the software

(a) 53 public institutions with minimal use

No.

Public Institution Between

10/12/2015 and

15/01/2016

Between

15/01/2016 and

15/02/2016

Between

15/02/2016

and

15/03/2016

1 Ministry of Natural Resources (MINIRENA) 0 0 16

2 Ministry of Agriculture (MINAGRI) 0 1 6

3 Ministry of Education (MINEDUC) 0 6 3

4 Ministry of Health MOH 0 0 388

1 Neuro-psychiatric Hospital Caraes Ndera (NPHN) 0 0 0

2 The Senate 0 0 0

3

Rwanda National Commission for UNESCO

(RNCU) 0 0 0

4 Rwanda Education Board (REB) 0 0 0

5

Chancellery for Heros National Orders &

Decoration (CHENO) 0 0 0

6 Military Medical Insurance (MMI) 0 0 0

7 Rwanda Cooperative Agency (RCA) 0 0 0

8 Rwanda Civil Aviation Authority (RCAA) 0 0 5

9 Road Maintenance Fund (RMF) 0 0 0

10 Rwanda Military Hospital (RMH) 0 0 0

11 National Commission for Children (NCC) 0 0 0

12 Higher Education Council (HEC) 0 0 0

13 HNN 0 0 0

14 Ruhengeri Hospital 0 0 1

15

Centre Hospitalier Univfersitaire – Butare

(CHUB) 2 0 1

16

Integrated Polytechnic Regional Centre – Tumba

(IPRC-Tumba) 0 0 3

17 Office of the Government Spokesperson (OGS) 1 0 2

18 Rwanda Management Institute (RMI) 0 0 3

19 Gender Monitoring Office (GMO) 0 0 6


IT GENERAL CONTROLS

39


No.


10/12/2015 and

15/01/2016

Between

15/01/2016 and

15/02/2016

Between

15/02/2016

and

15/03/2016

20 Rwanda Governance Board (RGB) 3 10 0

21 Centre Hospitalier Univfersitaire – Kigali (CHUK) 1 3 50

22 National Youth Council (NYC) 32 15 47

23 Rwanda Transport Development Agency (RTDA) 20 79 65

1 Bugesera District 2 0 2

2 Burera District 1 6 0

3 Gakenke District 2 0 0

4 Gasabo District 28 0 2

5 Gatsibo District 23 4 37

6 Gicumbi District 0 0 15

7 Huye District 18 56 76

8 Kayonza District 0 0 0

9 Kirehe District 0 0 0

10 Muhanga District 0 0 0

11 Musanze District 14 0 0

12 Ngoma District 2 0 2

13 Ngororero District 0 0 0

14 Nyabihu District 38 86 27

15 Nyagatare District 0 0 0

16 Nyamagabe District 5 45 58

17 Nyamasheke District 4 27 5

18 Nyanza District 31 16 16

19 Nyaruguru District 73 20 70

20 Rubavu District 0 0 0

21 Ruhango District 5 28 12

22 Rulindo District 0 0 0

23 Rusizi District 31 260 29

24 Rutsiro District 3 7 0

25 Northern Province 4 1 0

26 Southern Province 1 8 206

(b) 19 public institutions that did not scan any document

No.


10/12/2015 and

15/01/2016

Between

15/01/2016 and

15/02/2016

Between

15/02/2016

and

15/03/2016

1 The Senate 0 0 0

2 Neuro-psychiatric Hospital Caraes Ndera (NPHN) 0 0 0

3

Rwanda National Commission for UNESCO

(RNCU)

0 0 0

4 Rwanda Education Board (REB) 0 0 0

5

Chancellery for Heros National Orders &

Decoration (CHENO)

0 0 0

6 Military Medical Insurance (MMI) 0 0 0

7 Rwanda Cooperative Agency (RCA) 0 0 0

8 Road Maintenance Fund (RMF) 0 0 0

9 Rwanda Military Hospital (RMH) 0 0 0

10 National Commission for Children (NCC) 0 0 0

11 Higher Education Council (HEC) 0 0 0

12 HNN 0 0 0

13 Kayonza District 0 0 0

14 Kirehe District 0 0 0

15 Muhanga District 0 0 0

16 Ngororero District 0 0 0

17 Nyagatare District 0 0 0


IT GENERAL CONTROLS

40


No.


10/12/2015 and

15/01/2016

Between

15/01/2016 and

15/02/2016

Between

15/02/2016

and

15/03/2016

18 Rubavu District 0 0 0

19 Rulindo District 0 0 0

(c) 23 public institutions that scanned very little quantity of documents

No.

Public Institution

Between

10/12/2015

and

15/01/2016

Between

15/01/2016

and

15/02/2016

Between

15/02/2016 and

15/03/2016

Total

1

Ministry of Natural Resources

(MINIRENA) 0 0 16

16

2 Ministry of Agriculture (MINAGRI) 0 1 6 7

3 Ministry of Education (MINEDUC) 0 6 3 9

4 Rwanda Civil Aviation Authority (RCAA) 0 0 5 5

5 Ruhengeri Hospital 0 0 1 1

6

Centre Hospitalier Univfersitaire – Butare

(CHUB) 2 0 1

3

7

Integrated Polytechnic Regional Centre –

Tumba (IPRC-Tumba) 0 0 3

3

8

Office of the Government Spokesperson

(OGS) 1 0 2

3

9 Rwanda Management Institute (RMI) 0 0 3 3

10 ender Monitoring Office (GMO) 0 0 6 6

11 Rwanda Governance Board (RGB) 3 10 13

12

Centre Hospitalier Univfersitaire – Kigali

(CHUK) 1 3 50

54

13 Bugesera District 2 0 2 4

14 Burera District 1 6 0 7

15 Gakenke District 2 0 0 2

16 Gasabo District 28 0 2 30

17 Gicumbi District 0 0 15 15

18 Musanze District 14 0 0 14

19 Ngoma District 2 0 2 4

20 Nyamasheke District 4 27 5 36

21 Ruhango District 5 28 12 45

22 Rutsiro District 3 7 0 10

23 Northern Province 4 1 0 5