performance audit on utilization of document …
TRANSCRIPT
OFFICE OF THE AUDITOR GENERAL
OF STATE FINANCES, RWANDA
PERFORMANCE AUDIT ON
UTILIZATION OF DOCUMENT TRACKING AND WORKFLOW
MANAGEMENT SYSTEM (DTWMS) / E-MBONI
&
REVIEW OF RDB IT GENERAL CONTROLS
April 2016
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
i
Office of the Auditor General of State Finances
REPORT STRUCTURE
This audit report provides detailed information relating to the performance audit conducted on the
utilization of Document Tracking and Workflow Management System (DTWMS) in public
institutions of which Rwanda Development Board (RDB) is the implementing and coordinating
agency, and a review of the IT controls within Rwanda Development Board.
The report is divided in two sections;
a.) The first section focuses on the utilization of the Document Tracking and Workflow
Management System and provides detailed information on how the system otherwise
known as e-mboni functions, weaknesses/audit findings that were noted in its planning and
implementation to which recommendations have been provided to address those
weaknesses.
b.) The second section focuses on RDB’s IT controls and provides weaknesses that were
specifically noted within RDB relating to its IT governance and management.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
ii
Office of the Auditor General of State Finances
Table of Contents SECTION 1: UTILIZATION OF DOCUMENT TRACKING AND WORKFLOW MANAGEMENT SYSTEM ................ 1
ACRONYMS AND ABBREVIATIONS ................................................................................................................. 2
1. EXECUTIVE SUMMARY ....................................................................................................................... 3
2. INTRODUCTION ................................................................................................................................. 6
2.1. Terms of reference ............................................................................................................................ 6
2.2. Background ....................................................................................................................................... 6
2.3. Necessity of the Audit ....................................................................................................................... 7
3. AUDIT DESIGN ................................................................................................................................... 8
4. DESCRIPTION OF DTWMS, THE PROCESS AND SYSTEMS ................................................................... 9
5. FINDINGS ......................................................................................................................................... 14
5.1. PLANNING ....................................................................................................................................... 15
5.2. DTWMS PROJECT IMPLEMENTATION .............................................................................................. 17
5.3. USAGE OF DTWMS IN PUBLIC INSTITUTIONS .................................................................................. 19
SECTION 2: REVIEW OF RDB IT GENERAL CONTROLS .................................................................................. 21
5.4. WEAKNESSES NOTED IN IT GENERAL CONTROLS OF RDB ............................................................... 22
6. CONCLUSION ................................................................................................................................... 28
7. RECOMMENDATIONS ...................................................................................................................... 30
8. APPENDICES .................................................................................................................................... 32
Appendix 1: NICI III projects ........................................................................................................................ 32
Appendix 2: Sampled institutions ................................................................................................................ 33
Appendix 3: Documents Reviewed .............................................................................................................. 34
Appendix 4: Responsibilities of RDB ............................................................................................................ 34
Appendix 5: Relevant costs that have been incurred as of April 2016 ........................................................ 34
Appendix 6: DTWMS deployment in institutions ......................................................................................... 35
Appendix 7: Details on levels of support in the maintenance contract ....................................................... 37
Appendix 8: Institutions without user licenses ............................................................................................ 37
Appendix 9: Public institutions that minimally use the software ................................................................ 38
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
1
Office of the Auditor General of State Finances
SECTION 1: UTILIZATION OF DOCUMENT TRACKING AND
WORKFLOW MANAGEMENT SYSTEM
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
2
Office of the Auditor General of State Finances
ACRONYMS AND ABBREVIATIONS
BAM Business Activity Monitor
DTWMS Document Tracking & Work-flow Management System
EDPRS Economic Development and Poverty Reduction Strategy
GoR Government of Rwanda
ICT Information, Communication & Technology
ISO International Organisation for Standardisation
KPI Key Performance Indicators
LAN Local Area Network
NICI National Information and Communication Infrastructure Plan
RDB Rwanda Development Board
S.A.R.L Société À Responsabilité Limitée (Limited company)
SRS Software Requirement Specifications
UAT User Acceptance Test
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
3
Office of the Auditor General of State Finances
1. EXECUTIVE SUMMARY
Global ICT policies have become more mainstream in the last decade underpinning growth, job
creation, increasing productivity, enhancing service delivery and achieving broad socio-economic
objectives in the areas of health care, education, climate change, energy, employment and social
development.
As such, the global ICT industry is fast changing as a result of emerging technologies, economic,
social and business trends. As ICT applications and services are increasingly essential for ensuring
sustainable economic development, Rwanda is not an exception.1
The Government of Rwanda has made ICT one of the priority areas and essential for reaching the
Vision 2020 goal of transforming Rwanda into a knowledge-based economy.2
The National ICT Strategy and Plans (NICI) I, II and III were developed to realize the national
vision of developing the sector. The third plan, NICI III focused on the development of services by
leveraging ICTs to improve service delivery to citizens.3
NICI III (2011-2015) had 59 projects which include ‘Document Tracking and Work-flow
Management System (DTWMS)’
This was initiated to cater for government processes being largely paper-based and numerous
systems not integrated causing duplication and hindering efficient service delivery.
The purpose of the Document Tracking and Work-flow Management System is to reduce costs and
increase efficiency of service delivery in government institutions. The system does so by providing
scanning and secure archiving of all incoming and outgoing mail documents while also enabling
tracking the progress of those documents through their life cycles.
I conducted a performance audit of DTWMS, in order to assess the extent of its utilization and to
identify causes of low rate of usage as well as providing recommendation for its improvement. The
project has been running since 2010, and money invested in it as of April 2016 is USD
2,681,112.62. Data was collected through interviews with the RDB coordinator of the project and
IT administrators of the project within 39 sampled institutions. It was also collected though
physical verification, observation and documentary review in the sampled institutions to confirm
its implementation status.
Below I highlight the key findings:
● Absence of concept document
DTWMS is being implemented without a concept document. The document considered as concept,
is an initial draft project definition that was drafted in 2009. At the time of audit (April 2016), it
was not yet approved to guide the implementation of the project. See details in section 5.1.1
1 National ICT Strategy and Plan NICI-2015 2 Rwanda Vision 2020, pg. 9&20 3 National ICT Strategy and Plan NICI-2015
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
4
Office of the Auditor General of State Finances
● Lack of awareness in public institutions before deployment of the system
There has not been an awareness program in public institutions before launching the system. This
was raised during the interview with the IT administrators of the system in 39 sampled institutions,
where the main challenge reported was that the institution's top management are not being involved
in enforcement and implementation of the project, which affects the use and success of the system.
See details in section 5.1.2
● Absence of Key Performance Indicators to check the progress of DTWMS
RDB has not put in place key performance indicators that will be used to track progress in the
implementation of the project in public institutions. Consequently, when performance indicators
are not set, management will not be able to know whether the project is on the right track for
success. See details in section 5.1.3
● Acquiring the system without cost-benefit assessment
When an entity intends to automate its business processes so as to improve on their productivity it
considers either to buy or build the application system bearing in mind cost, suitability of the
system (needs match software features) and time to deploy for use. RDB acquired the system
without a cost-benefit assessment, to justify the choice of buying instead of its development. See
details in section 5.1.4
● Delay in implementation of the system by RDB
From the National ICT Strategy and Plan (NICI 2010-2015), one of outcome indicators of the
DTWMS was that 50% of government institutions would be installed with mail management
system by 2013. This includes incoming mails and outgoing mails. However, during the audit in
April 2016, I noted the following delays:
(a) All elements of the mail management system were not launched, only incoming mail was
launched.
(b) All features were not customized, it was only done for 3 institutions (WDA, MINAFFET
and NAEB) out of 39 sampled public institutions that were visited. The remaining 36 insti-
tutions with the system have the basic features of Omni scan and Omni flow, which could
be the case with the other 77 public institutions that also have the system but were not
sampled. See details in section 5.2.1
● Multiple software that perform similar functions (Duplication)
The project was acquired to serve all public institutions, however, I noted 12 public institutions
with different software which provide similar service as the rolled-out DTWMS (E-mboni) See
details in section 5.2.2
● Low utilization of DTWMS in public institutions
RDB deployed the system in 116 public institutions (ministries, provinces, districts and other
public institutions). However, 28 institutions out of 116 institutions (24.1%) had not acquired
licenses, to be able to use the system. In addition to this, I noted that 53 public institutions out of
84, equivalent to 63% have installed the system and acquired licenses but have not scanned, or
scanned a less number of documents over a period of 3 months. See details in section 5.3.1
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
5
Office of the Auditor General of State Finances
Overall conclusion
Government is not realising value for money from funds which have been invested in acquiring
the system and licenses.This was mainly caused by the fact that there was no involvement of public
institutions (the stakeholders) to ensure their ownership over the project. There was no awareness
in public institutions and involvement of managers in the utilization of the system. This resulted in
low utilization of the system and duplication of the project by other institutions which purchased
similar programme. Consequently there is a wastage of government funds (through the budgets of
RDB and public institutions) which have invested USD 2,681,112.62 in acquiring the system and
licenses yet not being used. The institutions are continuing to spend a lot of money for paper,
printers, stationary and transportation expenses for couriers.
Overall recommendation
To make DTWMS project achieve its intended objectives, RDB should put in place a clear
implementation strategy, involve the stakeholders (users) and carry out continuous monitoring and
evaluation. In addition, RDB should raise awareness of the system especially with top managers
of participating institutions and put in place means of ensuring value for money utilization. Finally,
going forward, MYICT in collaboration with RDB, should ensure that ICT projects are properly
conceptualized, stakeholders are defined, their role and responsibilities are defined and timely
communicated, key performance indicators (KPI) are defined and monitored, and awareness is
raised to get the ownership of users. This will enable Rwandan people to benefit from value for
money envisaged in government investments into ICT.
Obadiah R. BIRARO
Auditor General
Kigali
........................... 2016
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
6
Office of the Auditor General of State Finances
2. INTRODUCTION
2.1. Terms of reference
In accordance with Article 165 of the Constitution of the Republic of Rwanda of 2003 revised in
2015, and Articles 6 and 14 of Law n° 79/2013 of 11/09/2013 determining the mission,
organization and functioning of the Office of the Auditor General of State Finances, I carried out
a performance audit of the Document Tracking and Workflow Management System.
2.2. Background
Global ICT policies have become more mainstream in the last decade underpinning growth, jobs,
increasing productivity, enhancing the delivery of public and private services, and achieving broad
socio-economic objectives in the areas of health care, education, climate change, energy,
employment and social development. As such, the global ICT industry is fast changing as a result
of emerging technologies, economic, social and business trends. As ICT applications and services
are increasingly essential for ensuring sustainable economic development, Rwanda is not an
exception.4
Adopted in 2000, Vision 2020 aims to transform Rwanda into a middle-income country, and
transforming from an agrarian to a knowledge-based economy. Through communication & ICT,
the objective of the vision is that efficiency of public services is increased through the application
of e-government principles.5
From the priorities of EDPRS II, ICT sector has a key cross-cutting role to play in supporting
businesses, skills development and public service delivery. Development of ICT capacity is
essential for reaching the Vision 2020 goals.6
To achieve the objectives of vision 2020 in ICT sector, the National ICT Strategy and Plan (NICI)
process started. It begun with the first of four five-year rolling plans, NICI I (NICI-2005 Plan) that
focused on creating the necessary enabling environment that would enable the establishment and
growth of Rwanda’s ICT sector. The second plan NICI II (NICI-2010 Plan), focused on providing
world-class communications infrastructure that would serve as the backbone for current and future
communications requirements. The third plan, NICI III (NICI-2015 Plan) focused on the
development of services by leveraging ICTs to improve service delivery to citizens as Rwanda
approached the fourth and final phase of the NICI process which would propel Rwanda to achieve
Vision 2020 goals.7
NICI III (2011-2015) had 48 projects grouped into 6 clusters to which 13 key new projects were
added as a result of revising EDPRS II planning and the dynamic nature of ICT sector. See details
of projects in appendix 1.
4 National ICT Strategy and Plan NICI-2015 5 Rwanda Vision 2020, pg. 9&20 6 EDPRS II, Pg65 7 National ICT Strategy and Plan NICI-2015
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
7
Office of the Auditor General of State Finances
Due to government processes being largely paper-based and numerous systems not integrated
causing duplication and hindering efficient service delivery, the project of Document Tracking and
Work-flow Management System (DTWMS) was rolled over from NICI II and put among projects
to be implemented during the period of NICI III.8 The main purpose was to provide a system that
can be used in any ministry or public agency to scan, archive and track the progress of all incoming
and outgoing mail documents through their life cycles. The system would also enable secure and
consistent storage of documents while increasing efficiency and reducing costs in service delivery.9
2.3. Necessity of the Audit
The Document Tracking and Work-flow Management System project was put in place, with the
purpose of improving information, sharing and management thereby reducing bureaucracy in
government processes. The planned activities were analysis and design of institutional processes
for all government entities then implementing the system in all government entities.
Through area watching of the public ICT sector, I noted that the system is being utilized at a low
level and is not being implemented in all public institutions, yet the government has heavily
invested public funds to acquire it.
It is against this background, that I planned to conduct a performance audit of the Document
Tracking and Work-flow Management System, in order to assess its utilization and to identify the
causes of low rate of usage by public institutions.
8 National ICT Strategy And Plan NICI-2015, pg50 9 Integrated ICT-Led Socio-Economic Development Plan For Rwanda (NICI-2010 Plan)
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
8
Office of the Auditor General of State Finances
3. AUDIT DESIGN
The audit was conducted in accordance with the International Organization of Supreme Audit
Institutions auditing standards and guidelines documented in the Office of the Auditor General’s
Performance Audit manual. The standards require that the audit is planned in a manner which
ensures that an audit of high quality is carried out.
3.1. Audit Scope
Audit period: The period audited is from 2010 up to April 2016.
Geographical coverage:
The audit focused on the institutions located in the City of Kigali. This included districts, ministries
and other public institutions.
3.2. Audit objective
The overall objective of the audit was to assess utilization of Document Tracking and Workflow
Management System, in order to assess whether the project is enabling to reduce the use paper-
based processing in public organizations; automate, accelerate and simplify administrative
processes.
3.3. Audit questions
a.) How adequate was the implementation planning of the Document Tracking and Workflow
Management System project?
b.) To what extent is RDB implementing the project and how does it monitor its utilization by
users?
c.) To what extent is DTWMS utilized by public institutions?
3.4. Methods of data collection
a.) Interviews: Face to face interviews carried out with administrators of the system in 39
public institutions visited.
b.) Physical verification and observation: Field visit was undertaken in 39 public institutions
to confirm the existence and utilization of the system in public institutions. See appendix
2
c.) Documentary review: Secondary data was mainly collected through review of various
documents related to DTWMS project. See appendix 3
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
9
Office of the Auditor General of State Finances
4. DESCRIPTION OF DTWMS, THE PROCESS AND SYSTEMS
4.1. Rwanda Development Board
4.1.1 Legislation
Rwanda Development Board is a public institution with administrative and financial autonomy that
was established in 2008 by organic law n°53/2008 of 02/09/2008 which was later repealed by law
nº06/2013/OL of 16/06/2013 and amended by law nº46/2013 of 16/06/2013 which set its
responsibilities, organization and functioning.
4.1.2 Mission and responsibility of RDB
RDB is tasked with fast tracking development activities in Rwanda, including ICT projects. For
the main responsibilities see appendix 4 for details
RDB is organized into several departments that have different responsibilities. Among them the
ICT department which has five (5) divisions that include the new project development division
which is the project management unit of the department and is responsible for centralized and
coordinated management of projects in the department.
4.1.3 DTWMS Project Funding
The government has through RDB invested in acquiring the system and licenses to make it
functional. RDB procured the servers, user licenses and omniscan licenses on behalf of all
ministries and districts with the other public institutions required pay the user and omniscan
licenses on their own. As of April 2016 the government has spent USD 2,681,112.62. See appendix
5 for details
(a) Acquisition and deployment of the system
DTWMS was acquired through a contract dated November 2010, signed between RDB and CAL
Rwanda S.A.R.L in joint venture with NEWGEN Software Technologies limited, India, to supply
and install DTWMS for $1,080,406.47 (see details in appendix 5). The system was deployed in 3
pilot institutions (RDB, Office of The President and MINAFFET) and the staff were trained on
workflows development and system deployment.
After the pilot phase, RDB deployed the system in 116 public institutions (ministries, provinces,
districts and other public institutions) and procured user licenses (omniflow licenses) and omniscan
licenses on behalf of all ministries and districts. Other public institutions had to pay the user and
omniscan licenses on their own. (See details of deployment in appendix 6)
(b) Provision of trainings to the users
As the DTWMS was a new initiative in most public institutions, for its success, user training was
one of the most important and integral components. Training was imparted at various levels,
namely the Pre-Software Requirement Specifications Training (SRS), End User Training,
Technical Training and User Acceptance Test Training (UAT). The Supplier provided hands-on-
training to the designated personnel of the Software Development Division of RDB/IT to enable
them to effectively operate the whole system so that they would train other users of public
institutions.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
10
Office of the Auditor General of State Finances
The users from public institutions were exposed to the live product during training sessions by the
RDB team. The coverage included introduction to the product modules, basic operations, scope of
operation and variations in each of the modules. The users were taken through various business
cases that comprehensively cover the functionality of the system.
(c) Maintenance of the software
In April 2015, RDB on behalf of all Rwandan public entities that use DTWMS signed a contract
with Symphony Rwanda Ltd for the annual maintenance of DTWMS amounting to Frw
125,817,872 with the option of being renewed annually for 3 years. As part of maintenance,
Newgen Software Ltd and Symphony Rwanda Ltd (the joint venture software suppliers) agreed to:
● Provide RDB with all new software upgrades and patches of Omniflow, Omnidocs, Om-
niScan and Omni Records Server released before or during the agreement to ensure the
system’s continuous improvement and compatibility with emerging technologies.
● Train RDB resources at Newgen office in Delhi at the cost of Symphony in case of major
upgrade (e.g. upgrading Omniflow 8.0 or Omnidocs 7.0 to latest version)
● Provide documentation of API's (application program interface) which are required for in-
tegration with third party applications
● Provide RDB with the necessary support required to ensure integration with third party
applications is successfully done.
The software’s maintenance is provided at 3 levels of escalation based on the nature of support
required by RDB. See details in appendix 7
4.2. DTWMS PROCESS AND SYSTEM DESCRIPTION
4.2.1. Document Tracking and Workflow Management System/E-
mboni
E-mboni or DTWMS is the official document management, workflow and archival system used by
the Government of Rwanda. It is meant to improve transparency and efficiency in the public service
delivery.
The primary objective of DTWMS is to improve overall efficiency, accountability and
transparency through using technology to harmonize document and records life-cycle
management. DTWMS’s mandate is to create a centralized system that can be used in any public
institution to improve information sharing and management thereby reducing bureaucracy in all
government processes.
4.2.2. Components of the DTWMS (E-mboni/Omnisuite)
The fundamental components of Document Tracking and Workflow Management System
(DTWMS) are the following:
● Omniscan: A document scanning system with built-in document recognition and separa-
tion capabilities. It can scan various types of documents with different scanning properties
without human intervention by using powerful scripts. This application is locally installed
on the Central Secretariat's Computer.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
11
Office of the Auditor General of State Finances
● Omniflow: A workflow system defining how a document is transferred from one user to
another for a required action.
● Omnidoc: An Enterprise Document Management (EDM) platform for creating, capturing,
managing, delivering and archiving large volumes of documents and contents. It integrates
seamlessly with other external applications. OmniDoc handles Scanned Document Images,
Electronic Documents, Emails and Electronic Data Output from other applications with
equal efficiency and ease. It effectively manages document centric work-flows from the
point of content origination to the final delivery of output across multiple enterprise appli-
cations.
● Business Activity Monitor (BAM) an enterprise solution to provide a real-time summary
of business activities to operations managers and the top management.
● Process manager: is a system administration tool through which system administration
tasks are performed. It provides the functionality to configure an application, application’s
various components and component’s several instances within the user system panel, de-
pending upon the roles and needs of a user. It creates a single window for business users to
perform, manage and monitor all their tasks, taking their productivity up by several notches.
● Master Data Management (MDM)/Classificator: is a tool to simplify, plan, build, deploy
and manage master data tables for a centralized source of accurate business intelligence.
With configurable Maker-Checker10 functionality, it enforces the data governance by mak-
ing sure that all actions performed in the module can be approved, before they are commit-
ted to the server. Users are not permitted to perform any operation on tables that are not
created through this module.
4.2.3. Key elements of DTWMS (E-mboni)
Incoming mails: DTWMS makes document and information processing and archiving easier than
ever, whether it's physical incoming mail, internal mail, agreements, e-mails or social media
information. For all documents, letters, entering a public institution requesting service or
information about something in the institution are scanned at the central secretariat, entered in the
system and dispatched to the concerned staff to handle them.
Outgoing mails: Outgoing mail in DTWMS consists of all the correspondence types that you use
to communicate with other parties. This can include memos, emails, instructions, requests for
information, advice notes – in fact any correspondence types used in each customers business.
After handling documents in the institutions, the concerned staff is supposed to send responses
electronically through the system to other institutions or clients via email without taking more time
to send them by post or service’s cars.
10 Maker-Checker is a feature made to provide dual factor authentication in users, groups and role level operations. Maker has the
supervisory control to create user/s whereas checker finalizes all the decisions made by the maker. Maker's actions are not valid till
the time they have been approved by the checker. All Maker- Checker operations are tracked in the audit log.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
12
Office of the Auditor General of State Finances
4.2.4. Use of DTWMS in public institutions
Each public institution is assigned an Internet protocol (IP) address which they use to access the
web-based software (requires internet), after which a user logs in using his\her user name and
password. Users are able to scan and upload the documents to the system using Omniscan, fill in
relevant metadata with the scanned images and give only rights based access to the users over work
steps/folders/documents to be able to perform their designated tasks as per the defined roles/rights.
The system is also able to define custom check-lists, auto-generate acknowledgement letter as per
a pre-defined template and defining turn-around times for each step in the process flow. Users are
able to view the workflow history of any particular work item, search for any transaction/document
based on the defined parameters and the system can also generate regular MIS reports as well as
show a real time view of the process using a dashboard.
For archiving process, folder hierarchy for storage of documents is defined as per customer’s
requirement. The System allows creation of users / user groups, Access rights for the users / groups
are defined in the system and Users are able to search and retrieve the required documents.
Storage, retention and disposition policies are defined in the system and it allows defining the
storage locations for the physical documents as well and also allows for tracking the movement of
the same.
4.2.5. Monitoring and evaluation of the software and project
For monitoring the status of work items and work steps a web-based tool called Business Activity
Monitor (BAM) is used. BAM provides real-time information about the status and results of
various operations, processes and transactions through user defined reports so that a user can
address the problem areas and resolve the issues within his/her business process. Various reports
can be generated in BAM, they include:
● Incoming mails tracker; displays a report of all incoming mails in the institution for a se-
lected period of time, by department
● Due incoming mails tracker; displays all the documents that were not processed before the
set deadline.
4.2.6. Key stakeholders and their responsibilities
The following table outlines responsibilities of the system’s stakeholders
Table 2.DTWMS project stakeholders and their responsibilities
Stakeholder Roles & Responsibilities
RDB a) Implementation of ICT applications/systems as well as harmonizing all
ICT related procurement needs across government institutions
b) Facilitate and support development of Rwanda’s ICT sector towards
transforming into an ICT hub for the region
MYICT a) Coordinate and monitor the management of ICT projects in RDB
Public institutions a) Overall responsibility for management of the documents and records in
the DTWMS, ensuring adherence to the document management procedures
and protection of the confidentiality, integrity and availability of the
information
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
13
Office of the Auditor General of State Finances
ICT department in
each institution
a) The ICT department is responsible for the technical aspects and
functioning of DTMWS including administration of passwords and system
security, backups and disaster management
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
14
Office of the Auditor General of State Finances
5. FINDINGS
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
15
Office of the Auditor General of State Finances
5.1. PLANNING
5.4.1. Absence of concept document
For a programme to be successful, it requires a plan documenting the implementation strategy
(concept document) that elaborates objectives of the programme, activities to be undertaken, key
performance indicators, infrastructure and resources required (financial and human resources),
stakeholders, their roles and responsibilities. The implementation and roll out plan illustrates when
the programme would start, when it will reach its maturity level and serves as guidance to all
implementers of the programme to enable them keep checking whether they are on the right track.
However during the audit I noted that, the DTWMS is being implemented without a concept
document. The document considered as concept document, is an initial draft project definition that
was drafted in 2009. At the time of audit April 2016, it was not yet approved to guide the
implementation of the project.
Implementing the project without a concept document hinders management’s ability to track the
progress, success or failures of the programme. Subsequently, valid corrective actions cannot be
undertaken as well as mitigating factors against specific risks of the programme.
Recommendation
A concept document that elaborates what will be done, who will do it, and how and when it will
be done should be developed. Key stakeholders should be determined, their role and
responsibilities should be elaborated and communicated to them. Resources (infrastructure, human
and financial) needed for the programme should be determined to enable its implementation.
Management comments
The recommendation has been noted and proper documentation of the project will be elaborated.
5.4.2. Lack of awareness in public institutions before deployment of the system
Managing change means making changes in a planned and systemic fashion. With reference to the
IT projects we can say the change in the versions of a project and managing these versions properly.
In this way Change Management focuses on how people and teams are affected by integration of
new ICT project in the institutions.
However, during the audit I noted that there has not been an awareness program in public
institutions before launching the system. In addition, this was raised during the interview with the
IT administrators of the system in 39 sampled institutions, where the main challenge reported was
that the institution's top management are not being involved in enforcement and implementation
of the project, which affects the use of the system.
Apart from the challenges highlighted by the users of the system, there was no consultation done
in public institutions before launching the system. Consequently, this has caused a resistance in its
usage, while participation is critical in the success of the project.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
16
Office of the Auditor General of State Finances
Recommendation
As the new ICT initiatives impact how individual people do their work: their processes, work-
flows, reporting structures, behaviors within the organization, RDB should put more emphasis on
the awareness program before any launch of new technology in public institutions.
Management comments
Recommendation is noted. We agree that awareness will go a long way in getting the system fully
adopted and we will putting more efforts.
5.4.3. Absence of Key Performance Indicators to check the progress of DTWMS
Key Performance Indicators define factors the institution needs to benchmark and monitor. In an
electronic documents and records management project, KPIs could be used to measure user uptake
as the system rolls out. Another example is to measure the timeliness and quality of service delivery
– in this case, KPIs may be used to measure that records services meet agreed delivery times.
However, RDB has not put in place key performance indicators that will be used to track progress
in the implementation of the project in public institutions. Consequently, when performance
indicators are not set, management will not be able to know whether the project is on the right track
for success.
Recommendation
RDB should set performance indicators for DTWMS project. It will help to understand whether
the project is on the right track for success or not more easily and identify where to make
improvements and focus more attention.
Management comments
Recommendation is noted. In the past years, the indicators were mainly about the system
development, deployment and adoption. But now that the basic deployment has been done, RDB is
going to add more specific indicators to measure the real impact of the system
5.4.4. No buy or build assessment was conducted
When an entity intends to automate its business processes so as to improve on their productivity it
considers either to buy or build the application system bearing in mind cost, suitability of the
system (needs match software features) and time to deploy for use. Based on an entity’s current
situation, the choice is to buy if the system is a fundamental requirement for the entity to operate
and it is difficult to find a qualified and able developer that can design the system that meets the
requirements. Or build if the development can be handled in house with permanent resources, the
time of development is not a constraint and the system will provide competitive advantage.
However during the audit, I noted that there was no build or buy assessment report that justified
RDB’s choice, to buy off-the-shelf software from a commercial vendor over developing a custom
made software that addressed user’s needs.
Absence of a cost-benefit assessment to justify build over buy (or vice-versa), results in RDB
making a choice that results in lower return on investment.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
17
Office of the Auditor General of State Finances
Recommendation
In future, RDB needs to undertake a thorough initial cost-benefit analysis to ensure that IT
investments are made at the most economical cost and they deliver optimally on functionality. RDB
should seek the most appropriate software development approach, whether to buy or to build and
adopt it after assessing cost, suitability and time to deployment. Local software development
companies or individuals should also be considered as was the case of the Integrated Payroll and
Personnel Information System (IPPIS) which MIFOTRA (Ministry of public service and labour)
used a local software developer to build and incurred lower cost compared to procuring off-the-
shelf.
Management comments
Developing the platform would have been out of focus for RDB, as it was just a tool to help work
on the core functionalities.
5.2. DTWMS PROJECT IMPLEMENTATION
5.2.1. Delay in implementation of the system by RDB
From the National ICT Strategy and Plan (NICI 2010-2015), one of the outcome indicators of
DTWMS was that 50 % of government institutions will be installed with mail management system
by 2013.This includes incoming mails and outgoing mails. However, during the audit in April
2016, I noted the following delays:
(a) All components of the mail management system not launched: Only incoming mails
was launched in public institutions by RDB (receiving mails and processing internally in
the institutions). The component of outgoing mails has not yet been launched in public
institutions (this refers to sending and receiving documents externally between public in-
stitutions). Consequently, the objective of improving information sharing in government
processes was not achieved at the planned time.
(b) All features are not customized: With the system it is possible to customize it according
to the process flow of documents in the institution. It can also include several features like
Leave Request, Out of Office Request, Transport Request, Stock Request and internal
Memo. However during the field visit in 39 sampled public institutions I noted a delay in
customization of all features. It was done only for WDA, MINAFET and NAEB, while the
remaining 36 institutions with the system, have the basic features of Omni scan and Omni
flow, which could be the case with the other 77 public institutions that also have the system
but were not sampled. Consequently, a big part of work in the institutions is still being done
with papers while there is an option to use the system.
Recommendation
As RDB is the implementing institution, it should speed up the customization of all features and
the launching of outgoing mails component. This will facilitate the sharing of documents in all
public institutions.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
18
Office of the Auditor General of State Finances
Management comments
Noted. The biggest challenge was a high rate of employees turnover (employees leaving and not
getting replaced); the staff working on DTWMS are on short contracts, which caused RDB to loose
many (and the best) of them, when they get more stable jobs. Moreover, we were not allowed to
immediately replace them in the middle of RDB restructuring. We believe this will be solved by the
establishment of RISA.
Also, outgoing Mails deployment was delayed by efforts to do it together with Digital Signatures
to avoid any printing. The integration to the National PKI added more burden to the already
overloaded team, as these were new skills to learn. However, there is a plan to deploy the workflow
in phases (starting with Ministries by the end of this financial year), to reach the objective of
sharing documents and add improvements when ready.
5.2.2. Multiple software that perform similar functions (Duplication)
The NICI 3 plan designates to RDB the role of lead implementing and coordination agency for
GoR-ICT initiatives such as E-Government (e-GOV). Which aims at improving government
operational efficiency and service delivery by encouraging a paperless public administration. To
be able to perform this task RDB is required to adopt working partnerships with other public
institutions to ease the roll-out of the program and its coordination.
During the audit from RDB’s report, I noted the following public institutions running different
software which perform a similar function to the rolled-out DTWMS (E-mboni):
● Capital Markets Authority
● Ministry of finance and economic planning
● Ministry of Health
● National Capacity Building Secretariat
● National Institute of Statistics Rwanda
● Office of the Ombudsman
● Rwanda Biomedical Centre
● Rwanda Housing Authority
● Rwanda Public Procurement Authority
● Rwanda Revenue Authority
● Rwanda Social Security Board
● Special Guarantee Fund
Running different software that perform a similar function raises the risk that those different
software cannot easily integrate to enable easy inter-agency communication and sharing of
electronic documents. When the DTWMS outgoing mail starts to work and creates duplication of
effort and resources.
Recommendation
RDB in collaboration with other public institutions need to work together and share information
regularly and consistently relating to acquisition of ICT equipment.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
19
Office of the Auditor General of State Finances
Management comments
The Documents Tracking System project was clearly highlighted in NICI II, which was well known
to all institutions. Also, in 2008, a preliminary study was made, and some of the said institutions
(like the Ministry of Finance and Economic Planning) were visited and contributed to the study in
preparation to the DTWMS implementation. Despite this, the ministry separately acquired another
Documents Management System without consulting RDB. An Enterprise Architecture Board will
be put in place in collaboration with MYICT with the legal framework to oversee and formally
authorize acquisition of ICT equipment by all public institutions.
5.3. USAGE OF DTWMS IN PUBLIC INSTITUTIONS
5.4.1. Low utilization of DTWMS in public institutions
The Document Tracking and Work-flow Management System project was put in place, with the
purpose of improving information sharing and management thereby reducing bureaucracy in
government processes. The government has invested in acquiring the system and licenses to make
it functional. RDB as an institution implementing the project deployed the system in 116 public
institutions (ministries, provinces, districts and other public institutions) and procured the user
licenses and omniscan licenses to all ministries and districts. Other public institutions had to pay
the user and omniscan licenses on their own.
However during the physical verification, interviews done in 39 sampled public institutions and
review of reports. I noted the following:
(a) Public institutions with the system but no licenses acquired
The system to be functional at institution level, it requires to be equipped with user licenses and
omniscan licenses. However, during the review of reports provided by RDB, I noted that 17 public
institutions with the system have not acquired the user licenses and omniscan licenses. In addition,
during the field visit in 39 sampled public institutions, I noted that 11 institutions don’t have user
and omniscan licenses. Consequently they are not using the Document Tracking System in their
daily work, while the government has invested more funds in acquiring it. See details in appendix
8
Table 3: Institutions with the system but no licenses acquired
Status No. of entities
Installed the system but are yet to acquire licenses (Field Visit) 11
Installed the system but are yet to acquire licenses (Documentary review) 17
Total 28
(b) Public institutions using the scanning option only
With the system deployed in public institutions, the component of incoming mails includes
scanning documents and sharing them internally through the system (workflow). However, during
the physical verification in the public institutions, I noted that REMA, MINAFFET and MINICOM
are using scanning option only without sharing them through the workflow. Documents are
scanned only and the sharing is done by using hard copies. Consequently, the objective of sharing
documents through the system is not being achieved.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
20
Office of the Auditor General of State Finances
(c) Public institutions with licenses but not using the system
During the audit field visit I noted 4 public institutions that have installed the system, acquired
licenses but are not using the system. See the table below for details:
Table 4: Institutions not using the system
No. Entity
1 Ministry of Gender & Family Promotion (MIGEPROF)
2 Ministry of East African Community (MINEAC)
3 Rwanda Biomedical Center (RBC)
4 Rwanda Demobilization & Reintegration Commission (RDRC)
(d) Public institutions that minimally use the software (Low utilization)
Apart from the work to be done though the system, the scanning option shows how institution use
the system. During the audit I reviewed DTWMS’s monitoring reports generated by BAM,
showing the scanned documents per each institution that has installed the system and acquired user
licenses. The analysis done was comparing the number of scanned documents, from 10/12/2015
up to 15/03/2016.
I noted that 53 public institutions out of 84, equivalent to 63% which have installed the system and
acquired licenses have not or scanned a less number of documents during the period of 3 months.
Consequently, they are minimally using the system. See details in appendix 9 (a).
Among the 53 public institutions, 19 institutions are not using the system at all while 23 institutions
have scanned very little quantity ranging between 1 and 60 documents for a period of 3 months.
See details in appendix 9 (b) and (c).
There is a wastage of government funds (through the budgets of RDB and public institutions)
which have invested USD 2,681,112.62 in acquiring the system and licenses yet not being used.
The institutions will continue spending a lot of money for paper, printers, stationary and
transportation expenses for couriers. Consequently the objective of improving overall efficiency,
accountability and transparency will not be achieved.
Recommendation
RDB should work closely with the concerned entities to put in place an enforcement on the usage
of DTWMS and regularly monitor the system utilization.
Management comments
Recommendation Noted. RDB is working with MIFOTRA, with regards to improving service
delivery in public institutions, to enforce the system usage in all institutions (at least those having
user licenses) by June 2016. Concerning institutions that have the system but no licenses, it is an
issue of budget where support is needed from MINECOFIN.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
21
Office of the Auditor General of State Finances
SECTION 2: REVIEW OF RDB IT GENERAL CONTROLS
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
22
Office of the Auditor General of State Finances
5.4. WEAKNESSES NOTED IN IT GENERAL CONTROLS OF RDB
5.4.1. Weak IT Governance Structure
IT best practice through the COBIT 5 IT Governance framework and its mechanism recommends
that an institution whose activities are significantly IT based should have an IT Steering committee
that should work in close partnership with the management to guide management decisions
especially those pertaining to IT investments to ensure that they are aligned to IT strategies and
overall Strategy. The implementation of the IT strategy is the responsibility of the executive
management assisted by an IT steering committee.
The COBIT 5 framework states that an ICT steering committee should be composed of executive,
business and IT management to represent every department and unit in the institution. However,
during the audit of the general controls of RDB’s IT, I noted the following:
a) Lack of IT strategic plan: Even though there is an action plan for the period starting July
2014 to June 2015 and an overall strategic plan, there should be an IT strategic plan (not a part
or another strategic plan) where the action plan would be used as an implementation tool of the
strategic plan.
b) Lack of a steering committee: The committee is not in place yet RDB continues to acquire,
develop and implement new IT systems and invest in new technologies.
Due to the above IT Governance gaps, the ICT related projects are given less attention and this
may result in sub-optimal decisions on IT investments and lack of value for money on IT
investments and implemented IT systems. RDB could lack better information during decision
making due to absence of designated persons at the strategic level to evaluate appropriateness of
IT investment decisions as well as monitor implementation of those adopted. As there is no IT
strategic plan that could help RDB management to evaluate ICT performance and monitor
implementation of aligning IT to RDB core objectives.
Recommendations
a) IT strategic plan: RDB management should develop, approve, implement and monitor an IT
strategy that is aligned to the overall RDB strategy. This document should be a platform for
which future plans would be derived. The implementation of this plan should be monitored and
reported to ensure achievement and performance of IT in terms of supporting the overall strat-
egy and should be evaluated based on implementation of the activities stated by this document.
b) IT steering committee: RDB management should appoint staff members to the IT steering
committee to work with RDB management in evaluating and monitoring implementation of IT
projects.
Management comments
a) Currently RDB has a general strategic plan that covers the RDB mission. The current IT unit
action plan is addressed according to the general strategic plan. However as RDB is currently
working on a revised strategic plan, once this is done we shall look on designing an IT strategic
plan which reflects the new strategic plan for RDB.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
23
Office of the Auditor General of State Finances
b) An IT steering committee has already been proposed and it is remaining just approval from
senior management.
5.4.2. Review of RDB ICT policies and procedures
IT best practices and internationally recognized standards require that institutions develop IT
policies that are used to guide the effective use of ICT resources, mitigate risks and promote
responsible, ethical and secure use of ICT resources. The development of various IT policies and
procedures should be a result of an IT risk assessment and a need to comply with international
standards such as ISO 27001 on Information Security Management Systems) and ISO 22301 on
Business continuity.
During the audit I noted that RDB has developed general regulations on the use and protection of
IT equipment. I noted that the document in place has not been fully aligned to ISO 27001 and in
addition there is no evidence that the document was developed based on an IT risk assessment done
on RDB ICT resources. With reference to best practices, the following important policies and
guidelines have not yet been developed:
Telephone usage policy
Web posting policy
Support and maintenance policy
Service level agreement policy
Incident management policy
Change management policy
Data classification and retention policy
Business continuity plan and disaster recovery plan
Change management policy
A review of the general regulations on the use and protection of IT equipment document provided
by RDB IT unit revealed the following weaknesses:
The document is silent on the enforcement and monitoring of compliance to all the proce-
dures in it
The document is silent on how, who and when this it is updated
The document is silent on how it should be communicated to all RDB users (user awareness
trainings)
The document is silent on the position of other external users (consultants and third party
users) of RDB IT resources
In addition, there is no proof that the following guidelines are implemented as stated in the docu-
ment:
Measures in place to verify that only authorized and licensed software is used by RDB staff
Forms that require access to RDB IT systems are filled in
LAN analyzer and packet sniffing software are used to monitor and detect unauthorized
intrusion to RDB systems
Computer hardware and software audits are carried out periodically to track unauthorized
copies of software and unauthorized changes to hardware and software configurations
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
24
Office of the Auditor General of State Finances
Due to the fact that some of the policies or regulations are not yet developed, and are silent on key
points, there might be lack of safeguard of information which may lead to security breaches, data
loss, fraud, and errors in operations as well as inefficient and ineffective use of ICT resources to
achieve RDB’s mission and objectives. Furthermore, given that the general regulations on the use
and protection of IT equipment document, was not developed as a mitigation tool to identified IT
risks, it may not cover all the ICT resources.
Recommendations
RDB IT should put more effort to develop ICT policies and procedures based on comprehensive
risk analysis to cover all ICT resources and align the developed document to international stand-
ards, this will help avoid misuse of ICT resources and allow maximization of their usage in safe
environment. RDB IT should put in place measures to monitor and evaluate implementation and
compliance to the policies in RDB.
Management comment
All documentations have been done however, they are still drafts and only remain with official
approval from senior management so that the IT unit starts the application of all controls,
procedures and strengthen the usage the new developed policy.
5.4.3. Weakness noted in risk management process
Risk management is the process of identifying vulnerabilities and threats to the information
resources used by an organization in our case RDB in achieving business objectives and deciding
what countermeasures (safeguards or controls), if any, to take in reduction risk to acceptable level,
based on the value of the IT resources to the organization. The risk management encompasses
identifying, analyzing, treating, monitoring and communicating the impact of risk on IT process.
According to COBIT 5 APO 12 - management of risk, the key risk management practices include:
Collecting data
Analyzing risk
Maintaining a risk profile
Articulating risk
Defining risk management action portfolio
Responding to risk
During the audit I noted that RDB hired an external consulting firm to help it identify and analyze
IT risks that could impact on IT processes, however, treating and monitoring of identified risks
was not done.
If the identified risks are not mitigated, transferred or shared RDB’s activities can be negative
affected in the following manner:
Elevation of privilege: an attacker exploiting these vulnerabilities could assume greater
privileges on a compromised system, allowing them to potentially destroy data or take con-
trol of computers for malicious purposes.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
25
Office of the Auditor General of State Finances
Information disclosure: an attacker exploiting IT vulnerabilities could obtain access to
confidential information.
Denial of services: an attacker exploiting IT Vulnerabilities could prevent authorized ac-
cess to computing resources or interfere with a system‘s operations.
In addition, there is no value for the money invested in identifying the risk if they are not mitigated
appropriately.
Recommendation
RDB management should put more effort in understanding the entity’s risk appetite then develop
and implement strategies that reduce IT risks to an acceptable level. They should also keep an IT
risk register that is updated regularly with newly recorded security incidents that have not been
captured in the risk register.
Management comment
The recommendation has been noted and will be implemented.
5.4.4. Business continuity and disaster recovery plan
The ISO 22301 on Business Continuity recommends that organizations of all sizes and types should
engage in a comprehensive and systematic process of prevention, protection, preparedness,
mitigation, response for business continuity and recovery. To be able to do this, it is very important
for an organization to:
Ensure that there is a Business Continuity Plan covering the entire organization/system
which would be activated in case of an interruption to business
Ensure that all risks to business systems, infrastructure, applications, data and personnel
are identified and managed and that systems and applications can be recovered within spec-
ified time scales.
Ensure that there is a Disaster Recovery Plan for the organization/system
Ensure data that needs to be backed up has been identified and prioritized, and that backups
are done frequently and stored outside the premises of the organization or where the system
is hosted
Ensure there is a backup retention policy and that backups are tested periodically.
Ensure that backups made are well secured and safe
Ensure that organization/system manager has made provision for adequate hard drive space
for incoming data and data storage.
However, RDB/IT unit does not have a backup plan and disaster recovery plan to ensure business
continuity in case something goes wrong. Even though backup is done regularly the process is not
documented and furthermore there is no proof that the backups done are tested to ensure that they
are working and will be useful in case of disaster.
In case of a disaster while there is no Business Continuity Plan/Disaster Recovery Plan put in place,
RDB staff may not know where to start in response to the disaster so as to prevent any loss of
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
26
Office of the Auditor General of State Finances
resources or what procedures to follow to safeguard the resources. Due to not testing of the backups
done, it may be very difficult for RDB to know whether the back up in place will help to recover
IT processes in the event of disaster.
Recommendation
RDB management should put in place a Business continuity Plan and Disaster Recovery Plan,
implement them and monitor their compliance and this will formalize the process of safeguarding
RDB data from any kind of loss or disaster that could occur any time. Back up should be tested on
a regular basis to ensure that in case of data loss or disaster, data can be used to recover RDB IT
systems.
Management comment
Recommendation noted. The backup and a disaster recovery plan will be put in place.
5.4.5. Lack of internal audit or quality assurance involvement
RDB has the ultimate responsibility of ensuring that an adequate system of internal controls is in
place and working properly to reduce IT related risks and provide periodic assurance to
management that the different IT controls related to the business processes are implemented.
However, during the audit I did not find proof that there was an internal audit or quality assurance
assessment conducted on the RDB ICT systems to ensure that risk over IT systems, projects and
investments are detected, prevented and corrected.
In the absence of internal audit or quality assurance involvement, management may not be able to
obtain timely, reliable, periodic information about the adequacy of compliance to the control
framework established throughout RDB.
Recommendation
RDB management should involve the internal audit or quality assurance function so as to review
the IT controls in place to ensure that they are working to lower risks which the entity is susceptible
to while delivering value for money
Management comment
The recommendation is noted and will be implemented.
5.4.6. Weakness noted in IT operations controls
IT best practices require that an institution that relies on information technology/system should
maintain IT equipment, evaluate problem and incident management practices to determine whether
incidents, problems or errors are recorded, analysed and resolved in a timely manner, and ensure
that network is monitored and administered effectively and efficiently.
However, during the audit review of IT unit I did not find any evidence that errors, problems and
incident are reported, and that RDB network is monitored and administered in manner that can
help to detect, prevent or collect any intrusion detected.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
27
Office of the Auditor General of State Finances
If all the errors, problems and incidents are not reported, monitored, recorded and kept, there is a
risk of these same issues re-occurring and not being addressed timely. It is difficult for RDB
management to know the level of satisfaction of users in order to provide insight in IT improvement
if RDB does not keep track on all issues regarding IT, how have they been resolved and the time it
takes to fix them.
Recommendation
RDB management should formalize the process of maintenance to keep track on all the issues as
they occur, also IT unit should be equipped with tools to monitor and administer the network usage
and detect any intrusion to RDB network.
Management comment
Recommendation is noted. Currently RDB does not have appropriate tools to report and record
errors, incidents that have occurred. However RDB is implementing a new IT policy and
procedures which describes provision of errors, incidents reporting and recording. Progressively
while RDB unit is implementing the policy, this observation will be addressed
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
28
Office of the Auditor General of State Finances
6. CONCLUSION
One of the priorities of EDPRS II is the development of ICT, where the ICT sector has a key cross-
cutting role to play in supporting businesses, skills, and public service delivery.
The DTWMS project was put in place, with the purpose of improving government processes,
reducing costs and increasing efficiency of service delivery through information sharing and
management thereby reducing bureaucracy.
However, I noted that the project is not achieving its objectives and Government is not realising
value for money from funds invested in acquiring the system and licenses.
i.) Planning the implementation of the system
The plan of implementation of the DTWMS project was not adequate, there was no plan
documenting the implementation strategies, activities to be undertaken as well as role and
responsibilities of stakeholders. Consequently, this affected the implementation and utilization of
the system. The effects are as follows:
● There was no awareness in public institutions before deployment of the system and
this caused a resistance in the using the system. Some other twelve (12) institutions spent
money in buying similar programmes which cannot integrate to enable inter-agency com-
munication and sharing of electronic documents.
● No Key Performance Indicators developed to track the progress of DTWMS, the man-
agement cannot be able to know whether the project is on the right track for success or not.
● No buy or build assessment was conducted. Absence of a cost-benefit assessment to
justify build over buy (or vice-versa), results in RDB making a choice that results in lower
return on investment.
ii.) Implementation of the system in user institutions
While it was planned that by 2013, 50 % of government institutions will be installed with mail
management system, during the audit (in April 2016), only incoming mails was launched in 116
institutions. In addition to this, all features are not customized, they are only in 3 institutions
(WDA, MINAFET and NAEB) out of the 116 which have the system installed. The objective of
improving information sharing in government processes cannot be achieved as long as all compo-
nents are not launched.
iii.) Utilization of DTWMS in public institutions
The expected value for money can only be obtained if the system is optimally used by all intended
institutions. 28 institutions out of 116 institutions (24.1%) have the system installed but have not
acquired licences. Another 84 have acquired licenses, but some of them are not using the system
at all (19 institutions) while others (23 institutions) are scanning very little quantity ranging
between 1 and 60 documents for a period of 3 months. Consequently the objective of improving
overall efficiency, service delivery, accountability and transparency will not be achieved.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
29
Office of the Auditor General of State Finances
I also noted several weaknesses in the internal controls of RDB’s IT unit:
i.) Weak IT Governance Structure
Lack of IT strategic plan and steering committee in RDB. Even though there is an action plan for
the period starting July 2014 to June 2015 and an overall strategic plan, there should be an IT
strategic plan (not a part or another strategic plan) where the action plan would be used as an
implementation tool of the strategic plan. RDB continues to acquire, develop and implement new
IT systems and invest in new technologies yet it does not have a steering committee.
ii.) Review of RDB ICT policies and procedures
RDB has developed general regulations on the use and protection of IT equipment but they are not
fully aligned to ISO 27001 and in addition there is no evidence that they were developed based on
an IT risk assessment done on RDB ICT resources.
iii.) Business continuity and disaster recovery plan
RDB does not have a backup plan and disaster recovery plan to ensure business continuity in case
something goes wrong and the backup process is not documented. Furthermore there is no proof
that the backups done are tested to ensure that they are working and will be useful in case of dis-
aster.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
30
Office of the Auditor General of State Finances
7. RECOMMENDATIONS
● A concept document that elaborates what will be done, who will do it, and how and when
it will be done should be developed. Key stakeholders should be determined, their role and
responsibilities should be elaborated and communicated to them. Resources (infrastructure,
human and financial) needed for the programme should be determined to enable its imple-
mentation.
● As the new ICT initiatives impact how individual people do their work: their processes,
work-flows, reporting structures, behaviors within the organization, RDB should put more
emphasis on the awareness program before any launch of new technology in public insti-
tutions.
● RDB should set performance indicators for DTWMS project. It will help to understand
whether the project is on the right track for success or not more easily and identify where
to make improvements and focus more attention.
● In future, RDB needs to undertake a thorough initial cost-benefit analysis to ensure that IT
investments are made at the most economical cost and they deliver optimally on function-
ality. RDB should seek the most appropriate software development approach, whether to
buy or to build and adopt it after assessing cost, suitability and time to deployment. Local
software development companies or individuals should also be considered.
● As RDB is the implementing institution, it should speed up in launching of outgoing mails
component. This will facilitate the sharing of documents in all public institutions.
● RDB in collaboration with other public institutions need to work together and share infor-
mation regularly and consistently relating to acquisition of ICT equipment.
● RDB should work closely with the concerned entities to put in place an enforcement on the
usage of DTWMS and regularly monitor the system utilization.
● IT strategic plan: RDB management should develop, approve, implement and monitor an
IT strategy that is aligned to the overall RDB strategy. This document should be a platform
for which future plans would be derived. The implementation of this plan should be moni-
tored and reported to ensure achievement and performance of IT in terms of supporting the
overall strategy and should be evaluated based on implementation of the activities stated
by this document.
● IT steering committee: RDB management should appoint staff members to the IT steering
committee to work with RDB management in evaluating and monitoring implementation
of IT projects.
● RDB IT should put more effort to develop ICT policies and procedures based on compre-
hensive risk analysis to cover all ICT resources and align the developed document to inter-
national standards, this will help avoid misuse of ICT resources and allow maximization of
their usage in safe environment. RDB IT should put in place measures to monitor and eval-
uate implementation and compliance to the policies in RDB.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
31
Office of the Auditor General of State Finances
● RDB management should put more effort in understanding the entity’s risk appetite then
develop and implement strategies that reduce IT risks to an acceptable level. They should
also keep an IT risk register that is updated regularly with newly recorded security incidents
that have not been captured in the risk register.
● RDB management should put in place a Business continuity Plan and Disaster Recovery
Plan, implement them and monitor their compliance and this will formalize the process of
safeguarding RDB data from any kind of loss or disaster that could occur any time. Back
up should be tested on a regular basis to ensure that in case of data loss or disaster, data can
be used to recover RDB IT systems.
● RDB management should involve the internal audit or quality assurance function so as to
review the IT controls in place to ensure that they are working to lower risks which the
entity is susceptible to while delivering value for money
● RDB management should formalize the process of maintenance to keep track on all the
issues as they occur, also IT unit should be equipped with tools to monitor and administer
the network usage and detect any intrusion to RDB network.
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
32
Office of the Auditor General of State Finances
8. APPENDICES
Appendix 1: NICI III projects Cluster No Projects Status
Skills
Development
1 ICT Professional Training and Certification Programs Ongoing
2 SchoolNet (includes OLPC component) Ongoing
3 ICT Training for Teachers Ongoing
4 RwEdNet Ongoing
5 Open, Distance and e-Learning Ongoing
6 Digital Library Ongoing
Private Sector
Development
7 Technopole Ongoing
8 e-Payment System Completed
9 Tourism Portal Completed
10 ICT Business Financing Mechanism Ongoing
11 Virtual Landing Point Ongoing
12 Access Network Ongoing
13 e-Soko 2.0 Ongoing
14 SMART Electricity Grid and Energy Market Design Ongoing
15 Commodity and Securities Platform Ongoing
16 Adoption of ICT Industry Standards Ongoing
17 Content and Application Development Ongoing
Community
Development
18 Land Administration Information System Completed
19 Business Delivery Service Centers Ongoing
20
ICT Infrastructure & Applications for Local Government
(Video Conferencing)
Completed
21 Community Health worker Reporting and Information System Completed
22 Health Insurance Information System Ongoing
23 Integrated Public Safety Communication System Ongoing
24 Telemedicine Ongoing
25 Vision 2020 e-Citizen Ongoing
E-Government
26 Government Enterprise Architecture Ongoing
27 Government Intranet Completed
28 Document Tracking and Workflow Management System Ongoing
29 e-Procurement Ongoing
30 National ID and Smartcard System Ongoing
31 JRLOS Information Systems Ongoing
32 Disaster Recovery Center Ongoing
33 National Portal Completed
34 Mining Portal Ongoing
35 Training and Education Portal Ongoing
Cyber Security
36 Rwanda-CERT/CSIRT Ongoing
37 Rwanda Public Key Infrastructure (PKI) Ongoing
38 Security Operation Centre (SOC) Ongoing
39 Information Infrastructure Security System Ongoing
40 Cyber Security Capacity Building Ongoing
41 National Cyber Security Research Centre (NCSRC) Completed
Cross-Cutting
Projects
42 NICI III Implementation Support Ongoing
43 ICT Awareness Campaign Ongoing
44 Policy, Legal and Regulatory Framework Ongoing
45 Green ICT Ongoing
46 Climate Change Observatory Ongoing
47 Digital Migration Completed
48 CNS-ATM Completed
49 Transform Africa Summit (2013) Completed
50 4G LTE Broadband Internet Completed
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
33
Office of the Auditor General of State Finances
Cluster No Projects Status
New Projects
(EDPRS II - ICT
SSP)
51 Rwanda Online Completed
52 Government Command Center Completed
53 SMART Village Ongoing
54 K-Lab Completed
55 Regional ICT Center of Excellence Ongoing
56 ICT Innovation Center Ongoing
57 Sim Card Registration Completed
58
ICT Northern Corridor Integration Project (eg.One area
network)
Ongoing
59 CCTV Project Ongoing
Appendix 2: Sampled institutions No. Entity
1 Kigali City
2 Gasabo District
3 Kicukiro District
4 Nyarugenge District
5 Funds for Assistance to Genocide Survivors (FARG)
6 Gender Monitoring Office (GMO)
7 Integrated Polytechnic Regional Centre – Kigali (IPRC-Kigali)
8 Ministry of Disaster Management & Refugee Affairs (MIDIMAR)
9 Ministry of East African Community (MINEAC)
10 Ministry of Foreign Affairs & Cooperation (MINAFFET)
11 Ministry of Gender & Family Planning(MIGEPROF)
12 Ministry of Infrastructure (MININFRA)
13 Ministry of Natural Resources (MINIRENA)
14 Ministry of Public Service & Labour (MIFOTRA)
15 Ministry of Sport & Culture (MINISPOC)
16 Ministry of Trade & Commerce (MINICOM)
17 Ministry of Youth & ICT (MYICT)
18 National Agricultural Export Board (NAEB)
19 National Commission For The Fight Against Genocide (CNLG)
20 National Council of Persons with Disability (NCPD)
21 National Electoral Commission (NEC)
22 National Youth Council (NYC)
23 Public Service Commission (PSC)
24 Rwanda Environmental Management Authority (REMA)
25 Rwanda Academy of Language & Culture (RALC)
26 Rwanda Agriculture Board (RAB)
27 Rwanda Biomedical Center (RBC)
28 Rwanda Broadcasting Agency (RBA)
29 Rwanda Cooperatives Agency (RCA)
30 Rwanda Demobilization & Reintegration Commission (RDRC)
31 Rwanda Education Board (REB)
32 Rwanda Governance Board (RGB)
33 Rwanda Institute of National Museums (RINM)
34 Rwanda Local Development Support Fund/Local Development Agency (RLDSF/LODA)
35 Rwanda Meteorology Agency (RMA)
36 Rwanda National Commission for UNESCO (RNCU)
37 Rwanda Standards Bureau (RSB)
38 Rwanda Transport Development Agency (RTDA)
39 Workforce Development Agency (WDA)
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
34
Office of the Auditor General of State Finances
Appendix 3: Documents Reviewed No. Documents Reviewed
1 Rwanda Vision 2020
National ICT Strategy and NICI Plan 1,2 and 3
2 EDPRS II (Pg65)
3 MYICT Review of implementation of NICI 3
4 Rwanda Information Technology Authority (RITA) Document Management System Final Report
5 RDB/ICT Monitoring & Evaluation Report Quarter 4 2014-2015
6 DTWMS Implementation Report
7 Contract for license supply with Symphony Rwanda Ltd 2013 & 2014
8 Contract for acquiring a Document Tracking System with CAL Rwanda and Newgen Technologies 2010
9 E-mboni Wiki
Appendix 4: Responsibilities of RDB No. Responsibilities of RDB
1 To fast track development activities and to facilitate Government and the private sector and undertake an
active role
2 To promote local and foreign direct investments in Rwanda
3 To promote exports to regional and international markets of goods and services as well as adding value
4 To participate in initiating and implementing policies and strategies in matters relating to tourism and
conservation of National Parks and other protected areas in matters relating to tourism, and to advise
Government on the promotion of the tourism sector
5 To participate in initiating and implementing policies and strategies in the field of Information and
Communication Technology and to advise Government on the promotion of the sector
6 To provide guidelines, analyze project proposals and follow up on the implementation of Government
decisions in line with public and private investment
7 To carry out privatization programs, monitor them and advise Government accordingly
8 To promote entrepreneurship and support the creation and development of private enterprises
9 To initiate, implement and follow up the activities relating to modernizing, harness relationship and
registering, trading companies and businesses, secured transactions, intellectual property rights and
activities to initiate, exercise and halt business activities
10 To insure appropriate mechanisms of building pro-development institutions in the Public, private and civil
society sectors and increase staff capacity building in those institutions in order to improve their efficiency
and competitiveness on both the national and international labor market
11 To facilitate and help investors meet environmental standards in the execution of their projects
12 To cooperate and collaborate with other regional and international institutions having similar responsibilities
13 To advise Government on all activities which can fast track development in Rwanda.
Appendix 5: Relevant costs that have been incurred as of April 2016 Description Amount ($)
Hardware (including installation) 257,468.97
Software licenses 516,500.00
Implementation cost 177,500.00
Training cost 31,250.00
Recurrent costs (support & maintenance) 97,687.50
Contract price 1- Acquisition November 2010 1,080,406.47
Contract 2 -Licenses (October 2013)
OmniDoc & OmniFlow Software license provision (approx.2000 users)
900 user licenses for all ministries + 2 server licenses for RURA 481,213.76
600 user licenses for all districts + 70 scanning licenses 407,000.00
Omnisuite licenses bought by individual agencies (331 licenses) 182,050.00
Omniscan licenses bought by individual agencies (14 licenses) 15,400.00
Sub-total 1,085,663.76
Contract 2 amendment (May 2014)
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
35
Office of the Auditor General of State Finances
Description Amount ($)
OmniDoc Enterprise Service 6.0.2 Server license 1pc (support unlimited user) 13,200.00
OmniFlow Enterprise Service 8.0.2 Server license 1pc (support unlimited user) 17,600.00
Omniscan Server license 1pc 1,100.00
Sub-total 31,900
Software maintenance 183,142.39
Onsite Support 2012 (August 2012) 150,000.00
Onsite Support Renewal (October 2013) 150,000.00
Sub-total 483,142,49
Total incurred cost 2,681,112.62
Appendix 6: DTWMS deployment in institutions No. Ministries
1 Ministry of Local Government (MINALOC)
2 Ministry of Justice (MINIJUST)
3 Ministry of Internal Affairs (MININTER)
4 Ministry of Foreign Affairs and Cooperation (MINAFFET)
5 Ministry of Natural Resources (MINIRENA)
6 Ministry of Agriculture (MINAGRI)
7 Ministry of Public Service and Labour (MIFOTRA)
8 Ministry of Disaster Management and Refugee Affairs (MIDIMAR)
9 Ministry of Education (MINEDUC)
10 Ministry of Youth and ICT (MYICT)
11 Ministry of Sport and Culture (MINISPOC)
12 The Prime Minister’s Office (PRIMATURE)
13 Ministry of Trade and Commerce (MINICOM)
14 Ministry of Infrastructure (MININFRA)
15 Ministry of Health (MOH)
16 Ministry of East African Community (MINEAC)
17 Ministry of Gender and Family Promotion (MIGEPROF)
No. Districts and Provinces
18 Eastern Province
19 Northern province
20 Southern Province
21 Western Province
22 Kigali City
23 Kicukiro
24 Nyarugenge
25 Gasabo
26 Bugesera
27 Burera
28 Gakenke
29 Gatsibo
30 Gicumbi
31 Gisagara
32 Huye
33 Kamonyi
34 Karongi
35 Kayonza
36 Kirehe
37 Muhanga
38 Musanze
39 Ngoma
40 Ngororero
41 Nyabihu
42 Nyagatare
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
36
Office of the Auditor General of State Finances
No. Districts and Provinces
43 Nyamagabe
44 Nyamasheke
45 Nyanza
46 Nyaruguru
47 Rubavu
48 Ruhango
49 Rulindo
50 Rusizi
51 Rutsiro
52 Rwamagana
No. Other Government Institutions
53 Centre Hospitalier Univfersitaire – Butare (CHUB)
54 Centre Hospitalier Univfersitaire – Kigali (CHUK)
55 Chancellery for Heros National Orders & Decoration (CHENO)
56 Directorate General of Immigration and Emigration
57 Gender Monitoring Office (GMO)
58 Genocide Survivors Assistance Fund (FARG)
59 Higher Education Council (HEC)
60 Institute of Legal Practice and Development (ILPD)
61 Integrated Polytechnic Regional Centre – Kigali (IPRC-Kigali)
62 Integrated Polytechnic Regional Centre – Tumba (IPRC-Tumba)
63 Kacyiru Police Hospital (KPH)
64 Media High Council (MHC)
65 Military Medical Insurance (MMI)
66 National Agricultural Export Board (NAEB)
67 National Commission for Children (NCC)
68 National Commission for Science and Technology (NCST)
69 National Commission For The Fight Against Genocide (CNLG)
70 National Council of Persons with Disability (NCPD)
71 National Electoral Commission (NEC)
72 National Human Rights Commission (NHRC)
73 National Identification Agency (NIDA)
74 National Industrial Research and Development Agency (NIRDA)
75 National Itorero Commission (NIC)
76 National Public Prosecution Authority (NPPA)
77 National Security Services (NSS)
78 National Unity and Reconciliation Commission (NURC)
79 National Women's Council (NAWOCO)
80 National Youth Council (NYC)
81 Neuro-psychiatric Hospital Caraes Ndera (NPHN)
82 Office of the Auditor General (OAG)
83 Office of the Government Spokesperson (OGS)
84 Office of the President (PRESIREP)
85 Public Service Commission (PSC)
86 Rehabilitation & Vocational Skills Development Center – Gitagata (RVSDC-Gitagata)
87 Rehabilitation & Vocational Skills Development Center – Iwawa (RVSDC-Iwawa)
88 Road Maintenance Fund (RMF)
89 Ruhengeri Hospital
90 Rwanda Education Board (REB)
91 Rwanda Academy of Language and Culture (RALC)
92 Rwanda Agriculture Board (RAB)
93 Rwanda Bio-Medical Center (RBC)
94 Rwanda Broadcasting Agency (RBA)
95 Rwanda Civil Aviation Authority (RCAA)
96 Rwanda Cooperative Agency (RCA)
97 Rwanda Correctional Services (RCS)
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
37
Office of the Auditor General of State Finances
No. Other Government Institutions
98 Rwanda Demobilization & Reintegration Commission (RDRC)
99 Rwanda Development Board (RDB)
100 Rwanda Environment Management Authority (REMA)
101 Rwanda Governance Board (RGB)
102 Rwanda Institute of National Museums (RINM)
103 Rwanda Law Reform Commission (RLRC)
104 Rwanda Local Development Support Fund/Local Development Agency (RLDSF/LODA)
105 Rwanda Management Institute (RMI)
106 Rwanda Meteorology Agency (RMA)
107 Rwanda Military Hospital (RMH)
108 Rwanda National Commission for UNESCO (RNCU)
109 Rwanda National Police (RNP)
110 Rwanda Standards Board (RBS)
111 Rwanda Transport Development Agency (RTDA)
112 Rwanda Utilities and Regulatory Authority (RURA)
113 The Parliament
114 The Senate
115 University of Rwanda (UR)
116 Workforce Development Authority(WDA)
Appendix 7: Details on levels of support in the maintenance contract
Level 1 provided on-site in Rwanda by
Symphony Rwanda Ltd
Level 2 provided offshore in New
Delhi by Newgen Software Ltd
Level 3 provided
offshore in New Delhi
by Newgen Software
Ltd
a) Problem identification and resolution
b) Preventive maintenance
c) User hand holding
d) Monitoring of all services
e) Monitoring configuration server
f) System administration
g) Patch deployment on UAT (User
Acceptance Test) along with testing
h) Patch deployment on production after
taking UAT sign-off from business
i) Working closely with operational team to
ensure cycle completion for the day
j) Co-ordination with back end team for
problem resolution
k) Consolidation of administrator's and
configurations training
l) Knowledge sharing with user trainers on
processes
m) On the job knowledge sharing of the
activities related to above points
n) Maintenance of the system deployment
environment to ensure full time availability,
performance and security of the system
a) Provides in-depth application
and process knowledge of system
b) Response to queries generated at
level 1
c) Maintenance of the environment
of RDB deployment, debugging &
bug correction for custom code
(subject to availability of code at
on-site)
d) Knowledge of the process logic
& maintain documentation related
to the implementation
e) Knowledge of route
configuration, interfaces developed
and system configuration
f) Detailed analysis report and
impact analysis of issues for L3
offshore team
g) Seamless forwarding of product-
related issues to respective product
team for L3 support
a) Maintenance of
complete code
base of application
b) Immediate response
for queries and issues
related to custom code
c) Bug correction for
custom code
d) Version control of the
patches/bug fixes
released
e) Coordination for
faster resolution of core
product related issues
f) Supporting on-site
team for issue analysis
and faster resolution
g) Providing technical
and functional expertise
for all queries and issues
Appendix 8: Institutions without user licenses No. Deployed Institutions pending to buy user licenses
1 Funds for Assistance to Genocide Survivors (FARG)
2 Institute of Legal Practice & Development (ILPD)
3 Integrated Polytechnic Regional Centre – Kigali (IPRC-Kigali)
4 Kacyiru Police Hospital (KPH)
5 Media High Council (MHC)
6 National Commission for Science & Technology (NCST)
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
38
Office of the Auditor General of State Finances
No. Deployed Institutions pending to buy user licenses
7 National Commission For The Fight Against Genocide (CNLG)
8 National Human Rights Commission (NHRC)
9 National Council of Persons with Disability (NCPD)
10 National Electoral Commission (NEC)
11 National Identification Agency (NIDA)
12 National Industrial Research & Development Agency (NIRDA)
13 National Security Services (NSS)
14 National Itorero Commission (NIC)
15 National Public Prosecution Authority (NPPA)
16 National Unity & Reconciliation Commission (NURC)
17 National Women Council (NAWOCO)
18 Rehabilitation & Vocational Skills Development Center – Gitagata (RVSDC-Gitagata)
19 Rehabilitation & Vocational Skills Development Center – Iwawa (RVSDC-Iwawa)
20 Rwanda Academy of Language & Culture (RALC)
21 Rwanda Agriculture Board (RAB)
22 Rwanda Broadcasting Agency (RBA)
23 Rwanda Correctional Services (RCS)
24 Rwanda Institute of National Museums (RINM)
25 Rwanda Law Reform Commission (RLRC)
26 Rwanda Meteorology Agency (RMA)
27 Rwanda National Police (RNP)
28 The Parliament
Appendix 9: Public institutions that minimally use the software
(a) 53 public institutions with minimal use
No.
Public Institution Between
10/12/2015 and
15/01/2016
Between
15/01/2016 and
15/02/2016
Between
15/02/2016
and
15/03/2016
1 Ministry of Natural Resources (MINIRENA) 0 0 16
2 Ministry of Agriculture (MINAGRI) 0 1 6
3 Ministry of Education (MINEDUC) 0 6 3
4 Ministry of Health MOH 0 0 388
1 Neuro-psychiatric Hospital Caraes Ndera (NPHN) 0 0 0
2 The Senate 0 0 0
3
Rwanda National Commission for UNESCO
(RNCU) 0 0 0
4 Rwanda Education Board (REB) 0 0 0
5
Chancellery for Heros National Orders &
Decoration (CHENO) 0 0 0
6 Military Medical Insurance (MMI) 0 0 0
7 Rwanda Cooperative Agency (RCA) 0 0 0
8 Rwanda Civil Aviation Authority (RCAA) 0 0 5
9 Road Maintenance Fund (RMF) 0 0 0
10 Rwanda Military Hospital (RMH) 0 0 0
11 National Commission for Children (NCC) 0 0 0
12 Higher Education Council (HEC) 0 0 0
13 HNN 0 0 0
14 Ruhengeri Hospital 0 0 1
15
Centre Hospitalier Univfersitaire – Butare
(CHUB) 2 0 1
16
Integrated Polytechnic Regional Centre – Tumba
(IPRC-Tumba) 0 0 3
17 Office of the Government Spokesperson (OGS) 1 0 2
18 Rwanda Management Institute (RMI) 0 0 3
19 Gender Monitoring Office (GMO) 0 0 6
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
39
Office of the Auditor General of State Finances
No.
Public Institution Between
10/12/2015 and
15/01/2016
Between
15/01/2016 and
15/02/2016
Between
15/02/2016
and
15/03/2016
20 Rwanda Governance Board (RGB) 3 10 0
21 Centre Hospitalier Univfersitaire – Kigali (CHUK) 1 3 50
22 National Youth Council (NYC) 32 15 47
23 Rwanda Transport Development Agency (RTDA) 20 79 65
1 Bugesera District 2 0 2
2 Burera District 1 6 0
3 Gakenke District 2 0 0
4 Gasabo District 28 0 2
5 Gatsibo District 23 4 37
6 Gicumbi District 0 0 15
7 Huye District 18 56 76
8 Kayonza District 0 0 0
9 Kirehe District 0 0 0
10 Muhanga District 0 0 0
11 Musanze District 14 0 0
12 Ngoma District 2 0 2
13 Ngororero District 0 0 0
14 Nyabihu District 38 86 27
15 Nyagatare District 0 0 0
16 Nyamagabe District 5 45 58
17 Nyamasheke District 4 27 5
18 Nyanza District 31 16 16
19 Nyaruguru District 73 20 70
20 Rubavu District 0 0 0
21 Ruhango District 5 28 12
22 Rulindo District 0 0 0
23 Rusizi District 31 260 29
24 Rutsiro District 3 7 0
25 Northern Province 4 1 0
26 Southern Province 1 8 206
(b) 19 public institutions that did not scan any document
No.
Public Institution Between
10/12/2015 and
15/01/2016
Between
15/01/2016 and
15/02/2016
Between
15/02/2016
and
15/03/2016
1 The Senate 0 0 0
2 Neuro-psychiatric Hospital Caraes Ndera (NPHN) 0 0 0
3
Rwanda National Commission for UNESCO
(RNCU)
0 0 0
4 Rwanda Education Board (REB) 0 0 0
5
Chancellery for Heros National Orders &
Decoration (CHENO)
0 0 0
6 Military Medical Insurance (MMI) 0 0 0
7 Rwanda Cooperative Agency (RCA) 0 0 0
8 Road Maintenance Fund (RMF) 0 0 0
9 Rwanda Military Hospital (RMH) 0 0 0
10 National Commission for Children (NCC) 0 0 0
11 Higher Education Council (HEC) 0 0 0
12 HNN 0 0 0
13 Kayonza District 0 0 0
14 Kirehe District 0 0 0
15 Muhanga District 0 0 0
16 Ngororero District 0 0 0
17 Nyagatare District 0 0 0
PERFORMANCE AUDIT REPORT ON UTILIZATION OF DTWMS & REVIEW OF RDB
IT GENERAL CONTROLS
40
Office of the Auditor General of State Finances
No.
Public Institution Between
10/12/2015 and
15/01/2016
Between
15/01/2016 and
15/02/2016
Between
15/02/2016
and
15/03/2016
18 Rubavu District 0 0 0
19 Rulindo District 0 0 0
(c) 23 public institutions that scanned very little quantity of documents
No.
Public Institution
Between
10/12/2015
and
15/01/2016
Between
15/01/2016
and
15/02/2016
Between
15/02/2016 and
15/03/2016
Total
1
Ministry of Natural Resources
(MINIRENA) 0 0 16
16
2 Ministry of Agriculture (MINAGRI) 0 1 6 7
3 Ministry of Education (MINEDUC) 0 6 3 9
4 Rwanda Civil Aviation Authority (RCAA) 0 0 5 5
5 Ruhengeri Hospital 0 0 1 1
6
Centre Hospitalier Univfersitaire – Butare
(CHUB) 2 0 1
3
7
Integrated Polytechnic Regional Centre –
Tumba (IPRC-Tumba) 0 0 3
3
8
Office of the Government Spokesperson
(OGS) 1 0 2
3
9 Rwanda Management Institute (RMI) 0 0 3 3
10 ender Monitoring Office (GMO) 0 0 6 6
11 Rwanda Governance Board (RGB) 3 10 13
12
Centre Hospitalier Univfersitaire – Kigali
(CHUK) 1 3 50
54
13 Bugesera District 2 0 2 4
14 Burera District 1 6 0 7
15 Gakenke District 2 0 0 2
16 Gasabo District 28 0 2 30
17 Gicumbi District 0 0 15 15
18 Musanze District 14 0 0 14
19 Ngoma District 2 0 2 4
20 Nyamasheke District 4 27 5 36
21 Ruhango District 5 28 12 45
22 Rutsiro District 3 7 0 10
23 Northern Province 4 1 0 5