
THE REPUBLIC OF UGANDA

REPORT OF THE AUDITOR GENERAL ON THE FINANCIAL STATEMENTS OF

MICROFINANCE SUPPORT CENTRE LIMITED

FOR THE YEAR ENDED 30TH JUNE 2016

OFFICE OF THE AUDITOR GENERAL

UGANDA


TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 BACKGROUND
3.0 PRINCIPAL ACTIVITIES
4.0 FUNDING
5.0 AUDIT OBJECTIVE
6.0 SCOPE OF THE AUDIT
7.0 CATEGORIZATION AND SUMMARY OF FINDINGS
7.1 Categorization of findings
7.2 Summary of Findings
8.0 DETAILED FINDINGS
8.1 Compliance with the Financing Agreement and Government of Uganda Provisions
8.1.1 Withholding Tax (WHT) on payments for professional services
8.1.2 PAYE on employment income to volunteers
8.1.3 Taxation of allowances and benefits
8.2 General Standard of Accounting and Internal Control
8.2.1 Weaknesses in the Credit Origination Process
8.2.2 Areas of Non-Compliance with the Teachers’ SACCO Contract Provisions
8.2.3 Absence of documented business risk matrix and risk management policy
8.2.4 Need to plan and prepare for implementation of IFRS 9 and 15
8.2.5 Need to Optimise Costs at the Zones
8.3 Review of IT Matters
8.3.1 Weakness in Change Management Environment
8.3.2 Weak domain password settings and no password required for Microsoft Dynamics
8.3.3 Weakness in the user management process
8.3.4 Weakness in the backing up of the data at MSC
8.3.5 System and user activity monitoring
8.3.6 Lack of Incident Management logs & an Incident Management Policy
8.3.7 No periodic user validation carried out


LIST OF ACRONYMS

ADF - African Development Fund

AfDB - African Development Bank

GoU - Government of Uganda

IAS - International Accounting Standards

IFRS - International Financial Reporting Standards

IsDB - Islamic Development Bank

MFIs - Microfinance Institutions

MSC - The Microfinance Support Centre Ltd

NSADP - Northwest Smallholder Agricultural Development Project

NSSF - National Social Security Fund

PAP - Poverty Alleviation Project

RIEEP - Rural Income and Employment Enhancement Project

RMSP - Rural Microfinance Support Project

SACCOs - Savings and Credit Cooperatives

URA - Uganda Revenue Authority

UGX - Uganda Shillings

USD - United States Dollar

VAT - Value Added Tax

WHT - Withholding Tax


REPORT OF THE AUDITOR GENERAL ON THE FINANCIAL STATEMENTS OF THE

MICROFINANCE SUPPORT CENTRE LIMITED

FOR THE YEAR ENDED 30TH JUNE 2016

THE RT. HON. SPEAKER OF PARLIAMENT

I have audited the accompanying financial statements of the Microfinance Support Centre Limited for the year ended 30th June, 2016. The financial statements set out on pages 7 to 38 comprise the statement of comprehensive income, the statement of financial position, statement of changes in equity, statement of cash flow and notes to the financial statements including a summary of significant accounting policies adopted.

Directors’ Responsibility for the financial statements

The Company Directors are responsible for the preparation and fair presentation of the financial statements in accordance with International Financial Reporting Standards and in a manner required by the Companies Act of Uganda 2012, and for such internal controls as the Directors determine are necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.

Auditor’s Responsibility

My responsibility is to express an opinion on the financial statements based on my audit. I

conducted the audit in accordance with International Standards on Auditing (ISA). Those

standards require that I comply with the ethical requirements and plan and perform the

audit to obtain reasonable assurance about whether the financial statements are free from

material misstatements.

An audit involves performing procedures to obtain audit evidence about the amounts and

disclosures in the financial statements. The procedures selected depend on the Auditor’s

judgment, including the assessment of the risks of material misstatements of the financial

statements, whether due to fraud or error. In making those risk assessments, the Auditor

considers internal controls relevant to the entity’s preparation and fair presentation of the

financial statements in order to design audit procedures that are appropriate in the

circumstances but not for the purpose of expressing an opinion on the effectiveness of the

entity’s internal control. An audit also includes evaluating the appropriateness of accounting

policies used and the reasonableness of accounting estimates made by management, as well

as evaluating the overall presentation of the financial statements. I believe that the audit

evidence I have obtained is sufficient and appropriate to provide a reasonable basis for my

audit opinion.


Part “A” of this report sets out my opinion on the financial statements. Part “B” which forms

an integral part of this report presents in detail all the significant audit findings made during

the audit which have been brought to the attention of management.

Opinion

In my opinion, the accompanying financial statements present fairly, in all material

respects, the financial position of the Microfinance Support Centre Limited as at 30th June

2016, and its financial performance and its cash flows for the period then ended in

accordance with the International Financial Reporting Standards and the requirements of the

Companies Act of Uganda, 2012.

Report on other legal requirements

As required by the Companies Act of Uganda, 2012, I report to you, based on my audit, that:

(i) I obtained all the information and explanations which to the best of my knowledge and belief were necessary for the purposes of my audit;

(ii) In my opinion, proper books of account have been kept by the company so far as appears from my examination of those books; and

(iii) The statement of financial position and statement of comprehensive income are in agreement with the books of account.

John F.S. Muwanga

AUDITOR GENERAL

KAMPALA

29th December, 2016


REPORT OF THE AUDITOR GENERAL ON THE SPECIAL ACCOUNT OPERATIONS

MICROFINANCE SUPPORT CENTRE LIMITED

FOR THE YEAR ENDED 30TH JUNE 2016

I have audited the Special Accounts for credit funds financed under Rural Income and

Employment Enhancement Project (AfDB and IsDB) for the year ended 30th June, 2016 as

set out on pages 41 - 43.

Directors’ responsibility for the Special Account Statement

Directors are responsible for preparation of the Special Account Statements and their fair presentation in accordance with the Government of Uganda regulations and the funding (AfDB and IsDB) guidelines. Management is also responsible for designing and implementing internal controls relevant to the preparation of Special Account Statements that are free from material misrepresentation, either due to fraud or error, and for selecting and applying appropriate accounting policies, and making accounting estimates that are reasonable in the circumstances.

Auditor’s Responsibility

My responsibility is to express an opinion on the Special Account Statements based on my audit. I conducted my audit in accordance with International Standards on Auditing and the donor guidelines on auditing. Those standards and the loan guidelines require that I plan and perform the audit to obtain reasonable assurance about whether the Special Account Statement is free from material misstatement. All information and explanations that to the best of my knowledge and belief were necessary for the purposes of the audit were obtained and I believe that the audit evidence obtained is sufficient and appropriate to provide a basis for my opinion.

Opinion

In my opinion, the Special Accounts have been maintained in accordance with the provisions

of the funding agreements and present fairly, in all material respects, the beginning and

ending balances and the account activity for the year ended 30th June 2016.

John F.S. Muwanga

AUDITOR GENERAL

29th December, 2016


REPORT OF THE AUDITOR GENERAL ON THE STATEMENTS OF EXPENDITURE OF

THE MICROFINANCE SUPPORT CENTRE LIMITED

FOR THE YEAR ENDED 30TH JUNE 2016

I have audited the statements of expenditure financed under Rural Income and Employment

Enhancement Project for the year ended 30th June 2016, set out on page 7.

Directors’ responsibility for the Statements of Expenditure

Directors are responsible for preparation of the statements of expenditure and their fair presentation in accordance with the Government of Uganda regulations and funding (AfDB and IsDB) guidelines. Management is also responsible for designing and implementing internal controls relevant to the preparation of Statements of Expenditure that are free from material misrepresentation, either due to fraud or error, and for selecting and applying appropriate accounting policies, and making accounting estimates that are reasonable in the circumstances.

Auditor’s Responsibility

My responsibility is to express an opinion on the statements of expenditure based on my audit. I conducted my audit in accordance with International Standards on Auditing and the donor guidelines on auditing. Those standards and the loan guidelines require that I plan and perform the audit to obtain reasonable assurance about whether the Statements of Expenditure are free from material misstatement. All information and explanations that to the best of my knowledge and belief were necessary for the purposes of the audit were obtained and I believe that the audit evidence obtained is sufficient and appropriate to provide a basis for my opinion.

Opinion

In my opinion, for the Statements of Expenditure, adequate supporting documentation has

been maintained to support claims to the AfDB and IsDB for reimbursement of expenditures

incurred; and the expenditures are eligible for financing under the loan agreements.

John F.S. Muwanga

AUDITOR GENERAL

29th December, 2016

REPORT OF THE AUDITOR GENERAL AND

SUPPLEMENTARY INFORMATION


PART “B”

DETAILED REPORT OF THE AUDITOR GENERAL ON THE FINANCIAL STATEMENTS

OF MICROFINANCE SUPPORT CENTRE FOR THE YEAR ENDED 30TH JUNE 2016

This Section outlines the detailed audit findings, management responses, and my

recommendations in respect thereof.

1.0 INTRODUCTION

Article 163 (3) of the Constitution of the Republic of Uganda, 1995 (as amended), requires me to audit and report on the public accounts of Uganda and all public offices including the courts, the central and local government administrations, universities and public institutions of the like nature and any public corporation or other bodies or organizations established by an Act of Parliament. Accordingly, I appointed M/s Ernst and Young, Certified Public Accountants, to carry out the audit of the above project to enable me to report to Parliament.

2.0 BACKGROUND

The Microfinance Support Centre Limited (MSC) is wholly owned by the Government

of Uganda (GoU) and was incorporated in 2001 as a company limited by guarantee.

MSC was formed to manage and deliver financial services in the whole country on

behalf of the GoU. It took over the proceeds of the Rural Microfinance Support

Project (RMSP) funded under a loan agreement between African Development Bank

(ADB) and the Government of Uganda. MSC also took over the activities, assets and

liabilities of Poverty Alleviation Project (PAP) that was jointly funded by ADB and GoU

from 1994 to 1998.

Arising out of past Government experiences and lessons learnt, Government found it appropriate to divest itself from direct intervention in delivery of microfinance services by creating MSC, with the purpose of the Company being able to manage and deliver financial services in the whole country. It is against that background that MSC was made a project implementation unit for the Rural Income and Employment Enhancement Project (RIEEP).

3.0 PRINCIPAL ACTIVITIES

The Company is responsible for supporting the Government of Uganda in resource mobilization for rural microfinance. MSC exists to facilitate access to affordable, sustainable and convenient financial and business development services to active and productive Ugandans. MSC supports legally established entities engaged in agricultural value chain, production, processing and marketing. MSC provides financial services to Savings and Credit Cooperative Organizations (SACCOs), Area Cooperative Enterprises (ACEs), Microfinance Institutions (MFIs), Small and Medium Enterprises, Special Interest Groups and Cooperative Unions. In addition, it also provides Business Development Services to its clients. The Company operates countrywide through 12 Zonal Offices located in Arua, Gulu, Hoima, Iganga, Kabale, Kabarole, Kampala, Masaka, Mbale, Soroti, Mbarara and Moroto.

4.0 FUNDING

The Government of Uganda on 21st April 2010 and 22nd February 2010 signed loan agreements with the African Development Bank/African Development Fund (ADB/ADF) and the Islamic Development Bank (IsDB) respectively to finance the Rural Income and Employment Enhancement Project (RIEEP), to be implemented by MSC over a 5-year period. The funding is as follows: ADF UA.10.21M (approximately US$15.3 million) and IsDB of US$ 9.7 million. The purpose of the loans is facilitating access to affordable financial and business development services for rural Ugandans.

5.0 AUDIT OBJECTIVE

The objective of the audit of the Microfinance Support Centre’s financial statements

was to express an independent opinion on the financial statements of the Company

for the financial year ended 30th June 2016 and to establish whether the grants or

loans received by the Company have been properly dealt with in the financial

statements and utilized for intended purposes.

6.0 SCOPE OF THE AUDIT

The assignment covered audit of the Rural Income and Employment Enhancement

Project (RIEEP) and the Microfinance Support Centre Ltd (MSC) in general as the

implementation unit.

The audit was carried out in accordance with International Standards on Auditing and included such tests and verification procedures as we considered necessary under the circumstances. In conducting the audit, special attention was paid to the following:

i) All Bank funds have been used in accordance with the conditions of the loan agreement, with due attention to economy and efficiency and only for the purposes for which the funds were provided.

ii) Counterpart funds (government budget) and external funds (in case of co-financing) have been provided and used in accordance with the conditions of the loan agreement, with due attention to economy and efficiency and only for the purposes for which they were provided;

iii) Goods, works and services financed have been procured in accordance with GoU regulations, the loan agreement and in accordance with the Bank’s rules and procedures; and have been properly accounted for;

iv) Appropriate supporting documents, records and books of accounts relating to all the company activities have been kept. Clear linkages should exist between the books of accounts and the financial statements presented to the Bank;

v) Special accounts have been maintained in accordance with the provisions of the loan agreement and in accordance with the Bank’s disbursement rules and procedures;

vi) The financial statements of MSC have been prepared by management in accordance with International Financial Reporting Standards and give a true and fair view of the financial position of the company as at the year end and of its receipts and expenditures for the period ended on that date;

vii) Comprehensive assessment of the adequacy and effectiveness of the accounting and overall internal control system to monitor expenditures and other financial transactions and ensure safe custody of project-financed assets and that they are being used for the intended purposes;

viii) Company’s fixed assets are real and properly evaluated and company property rights or related beneficiaries’ rights are established in accordance with loan conditions; and

ix) Identify ineligible expenditures and report them accordingly.

7.0 CATEGORIZATION AND SUMMARY OF FINDINGS

7.1 Categorization of findings

The following system of profiling of the audit findings has been adopted to better

prioritise the implementation of audit recommendations:

| No | Description | Category |
|---|---|---|
| 1 | Has a significant/material impact, has a high likelihood of reoccurrence, and in the opinion of the Auditor General, it requires urgent remedial action. It is a matter of high risk or high stakeholder interest. | High significance |
| 2 | Has a moderate impact, has a likelihood of reoccurrence, and in the opinion of the Auditor General, it requires remedial action. It is a matter of medium risk or moderate stakeholder interest. | Moderate significance |
| 3 | Has a low impact, has a remote likelihood of reoccurrence, and in the opinion of the Auditor General, may not require much attention, though its remediation may add value to the entity. It is a matter of low risk or low stakeholder interest. | Low significance |

7.2 Summary of Findings

| No | Finding | Significance |
|---|---|---|
| 8.1.1 | Withholding tax on payments for professional services | Moderate |
| 8.1.2 | PAYE on employment income to volunteers | Moderate |
| 8.1.3 | Taxation of allowances and benefits | Moderate |
| 8.2.1 | Weaknesses in the Credit Origination process | High |
| 8.2.2 | Areas of non-compliance with the Teachers’ SACCO contract provisions | High |
| 8.2.3 | Absence of documented business risk matrix and risk management policy | Moderate |
| 8.2.4 | Need to plan and prepare for implementation of IFRS 9 and 15 | Moderate |
| 8.2.5 | Need to optimise costs at the Zones | Moderate |
| 8.3.1 | Weakness in Change Management Environment | Moderate |
| 8.3.2 | Weak domain password settings and no password required for Microsoft Dynamics | Moderate |
| 8.3.3 | Weakness in the user management process | Moderate |
| 8.3.4 | Weakness in the backing up of the data at MSC | Moderate |
| 8.3.5 | System and user activity monitoring | Moderate |
| 8.3.6 | Lack of Incident Management logs & an Incident Management Policy | Moderate |
| 8.3.7 | No periodic user validation carried out | Moderate |

8.0 DETAILED FINDINGS

8.1 Compliance with the Financing Agreement and Government of Uganda

Provisions

A review was carried out on the project compliance with the grant agreement

provisions and GOU financial regulations and it was noted that the project complied

in all material respects with the provisions in the agreement and applied GOU

regulations except in the following matters:


8.1.1 Withholding Tax (WHT) on payments for professional services

The company makes payments for professional services which are not subjected to

WHT at 6%. This is due to uniform application of WHT exception under section 119

on amounts below UGX 1 million on all payments made including professional

services payments.

Section 118[A] states that ‘a resident person who pays management or professional fees to a resident person shall withhold tax on the gross amount of the payment at the rate prescribed’. Failure to withhold on payments for professional fees below UGX 1 million may attract fines and penalties from the tax authority.

Management indicated that all future payments for professional services will be subjected to withholding tax irrespective of the amount.

I advised management to ensure WHT is computed on all payments, including payments for professional services.

8.1.2 PAYE on employment income to volunteers

I noted that MSC engages volunteers on contractual terms and pays them a weekly allowance. Allowances paid to volunteers on a weekly basis are construed as employment income under section 19(a) of the Income Tax Act (ITA). Subsidiary Legislation (Statutory Instrument 340-1), the Income Tax (Withholding Tax) Regulations 2000, Section 3(6) provides guidance on how tax for weekly remunerated employees may be computed.

MSC’s treatment of payments to volunteers as tax exempt or non-taxable employment income is not in compliance with the provisions of the ITA.

This leaves the company with possible payment of tax with interest and penalties in

future. The weekly payment to volunteers was meant to facilitate them to conduct

the activities/tasks assigned to them and was not to be taxed.

Management explained that they will consult further on the matter regarding tax

planning options to avoid the tax.


I advised management to ensure that all employment income is subject to tax as per

the Income Tax Act.

8.1.3 Taxation of allowances and benefits

The company did not compute PAYE on overtime and subscriptions to health clubs

paid on behalf of staff. Section 19(1) of the Income Tax Act describes employment

income to mean any income derived by an employee from any employment and

includes 19(1) (a) any wages, salary, overtime pay, gratuity, bonus, or other

allowance.

Under Section 136 (1)(c) of the Income Tax Act failure by the company to withhold

tax on employment income makes it liable to interest on the unpaid tax at a rate

equal to 2% per month on the amount unpaid calculated from the date on which the

payment was due until the date on which the payment is made.

Management should ensure that all employment income is subject to tax as per the

Income Tax Act.

8.2 General Standard of Accounting and Internal Control

8.2.1 Weaknesses in the Credit Origination Process

I noted that for all loans, clients were required to provide quarterly reports. However, I did not obtain evidence to confirm these progressive reports were sought by MSC and provided by the different loan clients. Other weaknesses included cases of loan clients who borrowed for onward-lending. For these, the offer letters did not define the maximum interest rate that should be charged on their clients. Lapses were also noted in cross-checking auditors used by loan clients against the list of approved auditors provided by ICPAU.

There is increased credit and reputational risk to the company.

In response, management explained that there are still a few clients who have not

made timely submissions due to the complexity of the reporting tool. However, a

simplified reporting tool has been developed to ease reporting for such clients.

I advised management to ensure that the lapses noted are resolved and ensure

compliance with the operations manual and internal processes as required.


8.2.2 Areas of Non-Compliance with the Teachers’ SACCO Contract Provisions

I noted the following with the Teachers’ SACCO product:

- Low absorption rates. Table I below refers.
- Other non-compliance with contract provisions of fund management services for the teachers’ SACCOs and lack of evidence of resolution of correspondences from the Ministry. Table II refers.

Table I: Total receipts versus total loan disbursements as at 30 June 2016

| | Amount (UGX) |
|---|---|
| Total receipts to date: Ministry quarterly releases | 9,317,424,000 |
| Total receipts to date: Share of interest (9%) | 121,079,000 |
| Total receipts to date | 9,438,503,000 |
| Total loan disbursements to date | 1,805,000,000 |
| Balance as at 30 June 2016 | 7,633,503,000 |

Table II

Section: GCC 30.1 of the contract and 3(d) of terms of reference to the said contract
Requirement: The Fund Manager is required to submit quarterly reports on performance of the Teachers’ SACCO fund to the Ministry of Education, Science, Technology and Sports (MoESTS) and Ministry of Finance, Planning and Economic Development.
Status as at 30 June 2016: Quarterly reports were not submitted to the Ministry for the financial year 2015/2016.
Management comment: MSC has since submitted the required reports. However, MoESTS frustrated the contract and required a review and the terms have since then not been reviewed. MoESTS breached the contract as they stopped disbursing the funds.

Section: Section 4 of the financial proposal
Requirement: For ease of accountability and monitoring, a separate bank account to handle this fund will be maintained at MSC head office and collection accounts at Zonal Offices.
Status as at 30 June 2016: No separate bank account and collection accounts were maintained at head office and zones respectively by MSC for the teachers' SACCO fund.
Management comment: MSC maintains a separate account in the system which has enabled MSC to accurately track, monitor and report on the teachers’ fund account. The fund has been audited for the last two years and found accurate. MSC found it costly to maintain 13 separate accounts because the management fee earned on the fund is very little.

Section: Section 2.1 of the guidelines for management of the teachers' SACCO fund 2014
Requirement: Interest rate charged by MSC to the SACCO will be 11% annually (calculated on declining balance method).
Status as at 30 June 2016: Mukono and Kayunga Teachers SACCO was charged an interest rate of 13%.
Management comment: The clients in question accessed a regular loan product of MSC rather than the teachers’ SACCO fund. The said loan was accessed before the launch of the teachers’ fund.

Section: Section 2.2 of the financial proposal and section "g" of the terms of reference
Requirement: In turn, the SACCOs will retain the funds to the teachers’ members at an interest rate not exceeding 15% per annum (calculated on declining balance method) which works out to an interest rate of 1.25% per month.
Status as at 30 June 2016: Section provisions not enforced by MSC. South Buganda Teachers' SACCO Masaka, for example, charges 24% annually for commercial loans and 18% annually for agricultural loans.
Management comment: MSC has written to the SACCOs calling their attention to charging interest rates not exceeding 15% per annum. MSC encourages membership of the SACCOs to demand lower interest rates.

Section: Communication from the PS of Ministry of Education, Science, Technology and Sports (MoESTS)
Requirement: In a letter dated 7 December 2015, the PS of MoESTS directed MSC to:
- sign an addendum to the contract before 11 December 2015 and transfer UGX. 5.7 billion funds to the Uganda Teachers Savings and Co-operative Union (UTSCU) as agreed in the meeting on 3 December 2015 and the communication alluded to H.E the President’s directive to transfer the management of the Teachers’ SACCO funds from MSC to UTSCU.
- avail the PS of MoESTS a detailed status report on the funds disbursed as of the communication date as well as the plan for committing the funds that had not yet been committed for purposes of preparing a hand over report.
Status as at 30 June 2016: MSC has not implemented these directives to date and continued disbursing loans on the basis that there are still a number of unresolved issues arising out of the proposed transaction. Subsequent to the letter, loans of UGX. 330 million were disbursed.
Management comment: MSC was guided by the opinion of the Solicitor General in implementing the Presidential directive alluded to by the PS of MoESTS. It guided that MSC should continue with the funds already received from the MoESTS (i.e. Shs 9.3 Bln) while the balance of Shs 15.7 Bn is passed on to the relevant teachers’ institution.

The Ministry may feel compelled to invoke GCC 14.1 (f) to terminate the entire contract due to such contract breaches by the company.

In response, management explained that the first tranche of the teachers’ fund was received on 23 June 2014; at the time, not all teachers’ SACCOs had the capacity to utilise the funds and MSC only disbursed to the few SACCOs that had the capacity to manage the fund. MSC has since then built the capacity of a number of teachers’ SACCOs, which shall improve the absorption of the fund.

I advised management to ensure that such cases of non-compliance are resolved and ensure full compliance with the General Conditions of Contract.


8.2.3 Absence of documented business risk matrix and risk management policy

I noted that MSC has no risk management framework in place. Management deals

with the risks on an ad-hoc basis or at functional level without a centralised planning

or effort to deal with emerging risks on a continual basis, that are likely to prevent

the organisation from achieving its objectives.

Although management gives priority to monitoring of risks affecting the company, I

noted that there was no formal documentation of the risks the company needs to

monitor, and the risk rating in terms of the likelihood and extent of the impact they

would have if they occurred.

This may lead to inadequate monitoring of the risks facing the company and failure

to establish measures to prevent or mitigate the risk.

Management explained that a risk management framework has been developed and is yet to be discussed by the board, within the Oct-Dec 2016 quarter.

I advised management to design formal and documented risk management

procedures with a balanced and multi-dimensional risk criteria matrix in terms of the

likelihood and the impact if the risk materialised. This should be reviewed regularly to

capture new risks and reclassify risks accordingly.

8.2.4 Need to plan and prepare for implementation of IFRS 9 and 15

The International Accounting Standards Board (IASB) issued the following standards

which could have an impact on the company’s financial statements:

| New or revised pronouncement | Effective date |
|---|---|
| IFRS 9 Financial Instruments | 01-Jan-18 |
| IFRS 15 Revenue from Contracts with Customers | 01-Jan-18 |

The new standards could have an impact on multiple business functions outside the

finance and accounting function. Resources may therefore be required to implement

across functions. Management is yet to assess the impact on the company’s

operations.


Failure to have a plan and/or implementation road map to prepare for adoption of

the new standards may lead to improper or untimely implementation of these new

standards.

Management promised to implement the IFRS by June 2017.

I advised management to prepare an implementation roadmap and ensure readiness

for adoption by the effective dates.

8.2.5 Need to Optimise Costs at the Zones

A review of the zonal revenue realised against actual expenditure per quarter revealed that the zones in the table below consistently reported net deficits (costs exceeded income) throughout the year.

Zonal performance2 per Quarter based on Net (deficit)/ surplus:

| Zone Description | Qtr1 Net deficit (UGX 'million) | Qtr2 Net (Deficit)/Surplus (UGX 'million) | Qtr3 Net deficit (UGX 'million) | Qtr4 Net (Deficit)/Surplus (UGX 'million) | Total net deficit (UGX 'million) |
| --- | --- | --- | --- | --- | --- |
| Jinja | (35.3) | (27.03) | (28) | (1) | (91.33) |
| Mbale | (18.6) | (13.65) | (7.9) | 4.6 | (35.55) |
| Soroti | (9.9) | 2.04 | (2.6) | (8.3) | (18.76) |
| Moroto | (47.7) | (8.91) | (30.7) | (1) | (88.31) |

There is a risk that increased cost to income ratio may hinder the company’s

expansion plans and dynamism in the financial services (Microfinance) sector.

Management explained that not all zones are viable due to MSC’s objective of ensuring wide outreach; however, they are expected to break even in the next three years. The Company has also developed a cost optimisation strategy which is yet to be approved by the board in Q2 2016/17.

I advised management to review these cost centres and find ways of minimising

costs while still achieving the overall objectives of the MSC.

8.3 Review of IT Matters

8.3.1 Weakness in Change Management Environment

During our review, I noted the following weaknesses in the IT change management environment of MSC.

► Changes are not tested before deployment in the production environment.

► Changes made during the audit period were not tracked. There is no record of the changes; therefore we cannot establish the completeness of the changes implemented, whether minor or major.

The use of the change management document is not enforced. I noted that some changes were not documented using the change management document, and when I interviewed some of the IT officers they were not informed about the change management form. This makes it difficult to track the different activities done in the change management environment of MSC.

There is a risk that program changes may be implemented to the production

environment without user acceptance.

Management explained that Testing Environment will be used by Web-Discount for

all future changes.

I advised management that:

► For program changes, controls should be in place to ensure that changes are authorized, tested, and approved for promotion to production and supported with appropriate signoffs and documentation.

► A test environment should be set up for testing program changes, and management should ensure that programmers do not have access to this environment.

► MSC should implement a system to ensure all changes made to the IT environment are captured and can be tracked at every step of the process flow.

8.3.2 Weak domain password settings and no password required for Microsoft

Dynamics

During our review of the Active Directory settings in the current year, we noted that the password complexity of the end users was set to “Disabled”. There is a single sign-on for the users of MSC who need to access the Domain and Microsoft Dynamics. This means the users do not need a password to access Microsoft Dynamics.

Lack of password complexity makes it easy for unauthorized users to run password crackers and obtain the passwords. Because this is a setting in Active Directory, it is a high risk to information security, especially if passwords are not required for Microsoft Dynamics login.

Management explained that password complexity is now enabled. It was resolved that the Single Log On is the MSC Organization policy and would remain as is. Prior to this Audit, this was discussed intensively during the ICT Retreat and proposed as the best way to go based on our setup network resources and how we provide support.

I recommended that the following improvements could be made to strengthen

password and login controls for the end users:

Parameters:

► Password complexity – enabled

MSC should also activate password logins for Microsoft Dynamics.

8.3.3 Weakness in the user management process

The user management process for MSC has the following weaknesses:

a) Inconsistency in the use of user creation forms

For the new users who joined MSC during the current year of audit, we reviewed the user forms and noted that once the user details are entered, approvals from the executive director and the IT department are not recorded on this form. The person who sets up this user does not sign on the form for accountability. An example is Emmanuel Tashobya's user access form. We also noted that the user is set up before the form's approvals have been fully obtained, as observed with the user forms. An example is Simon Olukor, who needed access set up: he was given rights in January 2016 and yet approvals were obtained in April 2016. We also noted that implementation was signed in April 2016 after the expiry of the user rights as per the user form.

b) No standard user termination process

During our review of this process we noted that it is not a standard procedure as it

varies from user to user.

Sometimes HR sends an email to terminate the user, and the IT department terminates the user. However, this is not the norm, and because of this there is a risk that users may be terminated later than the date they left, as HR does not issue this email for all cases.

These identified matters increase the risk of unauthorized processing of transactions

and breach of data confidentiality.

Management explained that consistency will be followed and users will not be setup

with incomplete forms. Users will only be terminated/disabled when appropriate

forms are forwarded to MIS.

I advised management that in order to reduce the level of risk within the IT

environment, MSC should focus on implementing the following procedures to follow-

up inactive users. For access to the data, controls should be in place to ensure that

only authorized persons have access to data and applications (including programs,

tables, and related resources) and that they can perform only specifically authorized

functions.

8.3.4 Weakness in the backing up of the data at MSC

No Backup Testing

Microfinance Support Center has a backup process in place in section 7.3 of the ICT

policy. It states that “Ensure the ability to restore backed-up data through periodic

testing of the restoration process. Perform a full System backup prior to installing

system upgrades or maintenance fixes”. During our review, I noted that no testing

was done for the information backed up.

Storing of backup onsite:

Section 7.3 of the ICT policy manual states “Perform a full system (volume) backup

on a weekly basis. Remove the backup media from the IT”.

However, I noted that the backup of the data done is kept on site. In case of data

loss, MSC may not be able to recover all the data. Storing backed up data onsite

increases the risk of losing the original and the backup at the same time in cases of

catastrophe.

Management explained that testing backup data and transporting to Offsite (Kampala

Zone) will commence in January 2017.

I advised management that back-up information be stored in a separate location

(either physical or electronic) to maintain the continuity and integrity of data in case

of an emergency. This will reduce the risk that both the original and back up are lost.

8.3.5 System and user activity monitoring

I noted that no review is being performed on the activity logs of the firewall or of any

systems for invalid login attempts or suspicious activity. The system is not

monitored; MSC only has a tool that monitors its network. MSC does not monitor

user activity.

In the absence of the user access monitoring, there is a risk that:

► MSC may be exposed to information practices that may compromise data

confidentiality or integrity.

► Security violations by authorized and unauthorized users may go undetected.

► Accountability for unauthorized activity may be difficult to establish.

Management explained that in January 2017, the company will commence:

► Reviewing firewall logs, and

► Monitoring users and their activities in the System and recording them.

I advised management to implement procedures to monitor the environment and

review for unauthorized access. Activity logs should be periodically reviewed for both

the systems and the firewall to ensure there is no suspicious activity. Procedures for

monitoring logical security and reviewing relevant logs. ……..

8.3.6 Lack of Incident Management logs & an Incident Management Policy

I noted that incidents are not logged. The policy of MSC is to log the incidents and there

is a support tool in place, however the staff prefer calling helpdesk and the team in

charge of the help desk does not log the issues raised. I was not in a position to obtain

the list of all incidents that took place in the current period of audit. I also noted that

there is no incident management policy in the new ICT policy.

There is a risk that incidents are not resolved timely and that incidents keep

reoccurring but because they are not tracked, red flags may never be raised. Lack of

a policy on incident management makes it difficult for the IT department to have

guidelines to follow when incidents arise and when escalation is needed.

Management explained that the MIS unit will build staff capacity on the Incident Tool and that staff will start using it in January. The ICT Policy Manual shall be updated with an Incident Management Policy in January.

I recommend that incidents are logged through the helpdesk and the support tool in place, and we recommend that MSC staff are sensitized about the tool and its use. On receipt of calls from staff, the helpdesk officer must log all incidents. I also recommend that the ICT policy be amended to include the incident management policy/guidelines.

8.3.7 No periodic user validation carried out

I noted that there is no formal procedure in place to periodically (e.g., quarterly or

semi-annually) review all of the users’ access to the systems.

Users are not periodically reviewed to check that they have the access rights they are

supposed to have.

MSC may be exposed to information practices that may compromise data

confidentiality or integrity. Appropriate monitoring of the environment is necessary to

ensure there is no unauthorized access to the systems.

Management explained that on a quarterly basis, starting end of March, MIS shall

verify existing and former staff in the System and keep records of them.

Management should review user access rights on a quarterly basis as part of

standardizing the process of periodically reviewing and confirming access of users

within MSC.
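The weaknesses in 8.3.3 and 8.3.7 can be tested for in one periodic reconciliation of system accounts against HR records and user forms. The sketch below is an added illustration and not part of the Auditor General's report; the user names, field names and dates are constructed, and the check for accounts with no HR record goes slightly beyond the cases the report lists.

```python
from datetime import date

# Constructed sample data; user names and field names are hypothetical.
# HR roster: user -> date the person left (None = still employed).
HR_ROSTER = {"user_a": None, "user_b": date(2016, 3, 31), "user_c": None}
ACCOUNTS = [
    # Rights granted in January, approval only in April, after the rights expired.
    {"user": "user_a", "enabled": True, "provisioned": date(2016, 1, 11),
     "approved": date(2016, 4, 18), "expires": date(2016, 3, 31)},
    # Leaver whose account was never disabled.
    {"user": "user_b", "enabled": True, "provisioned": date(2015, 7, 1),
     "approved": date(2015, 6, 29), "expires": None},
    # Clean account: approved before set-up, holder still employed.
    {"user": "user_c", "enabled": True, "provisioned": date(2016, 2, 2),
     "approved": date(2016, 2, 1), "expires": None},
    # Enabled account with no approval recorded and no HR record.
    {"user": "user_d", "enabled": True, "provisioned": date(2016, 5, 9),
     "approved": None, "expires": None},
]


def review_access(roster, accounts, review_date):
    """Return sorted (user, finding) pairs for one periodic access review."""
    findings = []
    for acct in accounts:
        user, approved = acct["user"], acct["approved"]
        if approved is None:
            findings.append((user, "no approval recorded"))
        else:
            if acct["provisioned"] < approved:
                findings.append((user, "set up before approval"))
            if acct["expires"] and approved > acct["expires"]:
                findings.append((user, "approved after rights expired"))
        if not acct["enabled"]:
            continue  # remaining checks only concern accounts that can still log in
        if user not in roster:
            findings.append((user, "enabled account without HR record"))
        elif roster[user] is not None and roster[user] < review_date:
            findings.append((user, "enabled after leaving date"))
        if acct["expires"] and acct["expires"] < review_date:
            findings.append((user, "enabled past expiry of rights"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ACCOUNTS, date(2016, 6, 30)):
        print(f"{user}: {finding}")
```

Keeping each quarter's output alongside the sign-off of whoever reviewed it gives the record of verification that management's response refers to.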

APPENDIX 1

FINANCIAL STATEMENTS