THE REPUBLIC OF UGANDA
REPORT OF THE AUDITOR GENERAL ON THE FINANCIAL STATEMENTS OF
MICROFINANCE SUPPORT CENTRE LIMITED
FOR THE YEAR ENDED 30TH JUNE 2016
OFFICE OF THE AUDITOR GENERAL
UGANDA
TABLE OF CONTENTS
1.0 INTRODUCTION
2.0 BACKGROUND
3.0 PRINCIPAL ACTIVITIES
4.0 FUNDING
5.0 AUDIT OBJECTIVE
6.0 SCOPE OF THE AUDIT
7.0 CATEGORIZATION AND SUMMARY OF FINDINGS
7.1 Categorization of findings
7.2 Summary of Findings
8.0 DETAILED FINDINGS
8.1 Compliance with the Financing Agreement and Government of Uganda Provisions
8.1.1 Withholding Tax (WHT) on payments for professional services
8.1.2 PAYE on employment income to volunteers
8.1.3 Taxation of allowances and benefits
8.2 General Standard of Accounting and Internal Control
8.2.1 Weaknesses in the Credit Origination Process
8.2.2 Areas of Non-Compliance with the Teachers’ SACCO Contract Provisions
8.2.3 Absence of documented business risk matrix and risk management policy
8.2.4 Need to plan and prepare for implementation of IFRS 9 and 15
8.2.5 Need to Optimise Costs at the Zones
8.3 Review of IT Matters
8.3.1 Weakness in Change Management Environment
8.3.2 Weak domain password settings and no password required for Microsoft Dynamics
8.3.3 Weakness in the user management process
8.3.4 Weakness in the backing up of the data at MSC
8.3.5 System and user activity monitoring
8.3.6 Lack of Incident Management logs & an Incident Management Policy
8.3.7 No periodic user validation carried out
LIST OF ACRONYMS
ADF - African Development Fund
AfDB - African Development Bank
GoU - Government of Uganda
IAS - International Accounting Standards
IFRS - International Financial Reporting Standards
IsDB - Islamic Development Bank
MFIs - Microfinance Institutions
MSC - The Microfinance Support Centre Ltd
NSADP - Northwest Smallholder Agricultural Development Project
NSSF - National Social Security Fund
PAP - Poverty Alleviation Project
RIEEP - Rural Income and Employment Enhancement Project
RMSP - Rural Microfinance Support Project
SACCOs - Savings and Credit Cooperatives
URA - Uganda Revenue Authority
UGX - Uganda Shillings
USD - United States Dollar
VAT - Value Added Tax
WHT - Withholding Tax
REPORT OF THE AUDITOR GENERAL ON THE FINANCIAL STATEMENTS OF THE
MICROFINANCE SUPPORT CENTRE LIMITED
FOR THE YEAR ENDED 30TH JUNE 2016
THE RT. HON. SPEAKER OF PARLIAMENT
I have audited the accompanying financial statements of the Microfinance Support Centre
Limited for the year ended 30th June, 2016. The financial statements set out on pages 7 to
38 comprise the statement of comprehensive income, the statement of financial position,
statement of changes in equity, statement of cash flow and notes to the financial statements
including a summary of significant accounting policies adopted.
Director’s Responsibility for the financial statements
The Company Directors are responsible for the preparation and fair presentation of the
financial statements in accordance with International Financial Reporting Standards and in a
manner required by the Companies Act of Uganda 2012, and for such internal controls as
the Directors determine are necessary to enable the preparation of the financial statements
that are free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
My responsibility is to express an opinion on the financial statements based on my audit. I
conducted the audit in accordance with International Standards on Auditing (ISA). Those
standards require that I comply with the ethical requirements and plan and perform the
audit to obtain reasonable assurance about whether the financial statements are free from
material misstatements.
An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the financial statements. The procedures selected depend on the Auditor’s
judgment, including the assessment of the risks of material misstatements of the financial
statements, whether due to fraud or error. In making those risk assessments, the Auditor
considers internal controls relevant to the entity’s preparation and fair presentation of the
financial statements in order to design audit procedures that are appropriate in the
circumstances but not for the purpose of expressing an opinion on the effectiveness of the
entity’s internal control. An audit also includes evaluating the appropriateness of accounting
policies used and the reasonableness of accounting estimates made by management, as well
as evaluating the overall presentation of the financial statements. I believe that the audit
evidence I have obtained is sufficient and appropriate to provide a reasonable basis for my
audit opinion.
Part “A” of this report sets out my opinion on the financial statements. Part “B” which forms
an integral part of this report presents in detail all the significant audit findings made during
the audit which have been brought to the attention of management.
Opinion
In my opinion, the accompanying financial statements present fairly, in all material
respects, the financial position of the Microfinance Support Centre Limited as at 30th June
2016, and its financial performance and its cash flows for the period then ended in
accordance with the International Financial Reporting Standards and the requirements of the
Companies Act of Uganda, 2012.
Report on other legal requirements
As required by the Companies Act of Uganda, 2012, I report to you, based on my audit that;
(i) I obtained all the information and explanations which to the best of my knowledge
and belief were necessary for the purposes of my audit;
(ii) In my opinion, proper books of account have been kept by the company so far as
appears from my examination of those books; and
(iii) The statement of financial position and statement of comprehensive income are in
agreement with the books of account.
John F.S. Muwanga
AUDITOR GENERAL
KAMPALA
29th December, 2016
REPORT OF THE AUDITOR GENERAL ON THE SPECIAL ACCOUNT OPERATIONS
MICROFINANCE SUPPORT CENTRE LIMITED
FOR THE YEAR ENDED 30TH JUNE 2016
I have audited the Special Accounts for credit funds financed under Rural Income and
Employment Enhancement Project (AfDB and IsDB) for the year ended 30th June, 2016 as
set out on pages 41 - 43.
Directors’ responsibility for the Special Account Statement
Directors are responsible for preparation of the Special Account Statements and their fair
presentation in accordance with the Government of Uganda regulations and the funding
(AfDB and IsDB) guidelines. Management is also responsible for designing and implementing
internal controls relevant to the preparation of the Special Account Statements that are free
from material misrepresentation, either due to fraud or error and selecting and applying
appropriate accounting policies, and making accounting estimates that are reasonable in the
circumstances.
Auditor’s Responsibility
My responsibility is to express an opinion on the Special Account Statements based on my
audit. I conducted my audit in accordance with International Standards on Auditing and the
donor guidelines on auditing. Those standards and the loan guidelines require that I plan
and perform the audit to obtain reasonable assurance about whether the Special Account
Statement is free from material misstatement. All information and explanations that to the
best of my knowledge and belief were necessary for the purposes of the audit were
obtained and I believe that the audit evidence obtained is sufficient and appropriate to
provide a basis for my opinion.
Opinion
In my opinion, the Special Accounts have been maintained in accordance with the provisions
of the funding agreements and present fairly, in all material respects, the beginning and
ending balances and the account activity for the year ended 30th June 2016.
John F.S. Muwanga
AUDITOR GENERAL
29th December, 2016
REPORT OF THE AUDITOR GENERAL ON THE STATEMENTS OF EXPENDITURE OF
THE MICROFINANCE SUPPORT CENTRE LIMITED
FOR THE YEAR ENDED 30TH JUNE 2016
I have audited the statements of expenditure financed under Rural Income and Employment
Enhancement Project for the year ended 30th June 2016, set out on page 7.
Directors’ responsibility for the Statements of Expenditure
Directors are responsible for preparation of the statements of expenditure and their fair
presentation in accordance with the Government of Uganda regulations and funding (AfDB
and IsDB) guidelines. Management is also responsible for designing and implementing
internal controls relevant to the preparation of the Statements of Expenditure that are free
from material misrepresentation, either due to fraud or error and selecting and applying
appropriate accounting policies, and making accounting estimates that are reasonable in the
circumstances.
Auditor’s Responsibility
My responsibility is to express an opinion on the statements of expenditure based on my
audit. I conducted my audit in accordance with International Standards on Auditing and the
donors’ guidelines on auditing. Those standards and the loan guidelines require that I plan
and perform the audit to obtain reasonable assurance about whether the Statements of
Expenditure are free from material misstatement. All information and explanations that to the
best of my knowledge and belief were necessary for the purposes of the audit were obtained
and I believe that the audit evidence obtained is sufficient and appropriate to provide a
basis for my opinion.
Opinion
In my opinion, for the Statements of Expenditure, adequate supporting documentation has
been maintained to support claims to the AfDB and IsDB for reimbursement of expenditures
incurred; and the expenditures are eligible for financing under the loan agreements.
John F.S. Muwanga
AUDITOR GENERAL
29th December, 2016
PART “B”
DETAILED REPORT OF THE AUDITOR GENERAL ON THE FINANCIAL STATEMENTS
OF MICROFINANCE SUPPORT CENTRE FOR THE YEAR ENDED 30TH JUNE 2016
This Section outlines the detailed audit findings, management responses, and my
recommendations in respect thereof.
1.0 INTRODUCTION
Article 163 (3) of the Constitution of the Republic of Uganda, 1995 (as amended),
requires me to audit and report on the public accounts of Uganda and all public
offices including the courts, the central and local government administrations,
universities and public institutions of the like nature and any public corporation or
other bodies or organizations established by an Act of Parliament. Accordingly, I
appointed M/s Ernst and Young, Certified Public Accountants to carry out the audit of
the above project to enable me to report to Parliament.
2.0 BACKGROUND
The Microfinance Support Centre Limited (MSC) is wholly owned by the Government
of Uganda (GoU) and was incorporated in 2001 as a company limited by guarantee.
MSC was formed to manage and deliver financial services in the whole country on
behalf of the GoU. It took over the proceeds of the Rural Microfinance Support
Project (RMSP) funded under a loan agreement between African Development Bank
(ADB) and the Government of Uganda. MSC also took over the activities, assets and
liabilities of Poverty Alleviation Project (PAP) that was jointly funded by ADB and GoU
from 1994 to 1998.
Arising out of past Government experiences and lessons learnt, Government found it
appropriate to divest itself from direct intervention in delivery of microfinance
services by creating MSC with a purpose of the Company being able to manage and
deliver financial services in the whole country. It is upon that background that MSC
was made a project implementation unit for the Rural Income and Employment
Enhancement Project (RIEEP).
3.0 PRINCIPAL ACTIVITIES
The Company is responsible for supporting the Government of Uganda in resource
mobilization for rural microfinance. MSC exists to facilitate access to affordable,
sustainable and convenient financial and business development services to active
and productive Ugandans. MSC supports legally established entities engaged in
agricultural value chain, production, processing and marketing. MSC provides
financial services to Savings and Credit Cooperative Organizations (SACCOs), Area
Cooperative Enterprises (ACEs), Microfinance Institutions (MFIs), Small and Medium
Enterprises, Special Interest Groups and Cooperative Unions. In addition, it also
provides Business Development services to its clients. The Company operates
countrywide through 12 Zonal Offices located in Arua, Gulu, Hoima, Iganga, Kabale,
Kabarole, Kampala, Masaka, Mbale, Soroti, Mbarara and Moroto.
4.0 FUNDING
The Government of Uganda on 21st April 2010 and 22nd February 2010 signed loan
agreements with African Development Bank/African Development Fund (ADB)/(ADF)
and Islamic Development Bank (ISDB) respectively to finance the Rural Income and
Employment Enhancement Project (RIEEP) to be implemented by MSC over a 5-year
period. The funding is as follows: ADF UA.10.21M (approximately US$15.3 million)
and ISDB of US$ 9.7 million. The purpose of the loans is facilitating access to
affordable financial and business development services for rural Ugandans.
5.0 AUDIT OBJECTIVE
The objective of the audit of the Microfinance Support Centre’s financial statements
was to express an independent opinion on the financial statements of the Company
for the financial year ended 30th June 2016 and to establish whether the grants or
loans received by the Company have been properly dealt with in the financial
statements and utilized for intended purposes.
6.0 SCOPE OF THE AUDIT
The assignment covered audit of the Rural Income and Employment Enhancement
Project (RIEEP) and the Microfinance Support Centre Ltd (MSC) in general as the
implementation unit.
The audit was carried out in accordance with International Standards on Auditing
and included such tests and verification procedures as we considered necessary
under the circumstances. In conducting the audit, special attention was paid to the
following:-
i) All Bank funds have been used in accordance with the conditions of the loan
agreement, with due attention to economy and efficiency and only for the
purposes for which the funds were provided.
ii) Counterpart funds (government budget) and external funds (in case of co-
financing) have been provided and used in accordance with the conditions of the
loan agreement, with due attention to economy and efficiency and only for the
purposes for which they were provided;
iii) Goods, works and services financed have been procured in accordance with GoU
regulations, the loan agreement and in accordance with the Bank’s rules and
procedures; and have been properly accounted for;
iv) Appropriate supporting documents, records and books of accounts relating to all
the company activities have been kept. Clear linkages should exist between the
books of accounts and the financial statements presented to the Bank;
v) Special accounts have been maintained in accordance with the provisions of the
loan agreement and in accordance with the Bank’s disbursement rules and
procedures;
vi) The financial statements of MSC have been prepared by management in
accordance with International Financial Reporting Standards and give a true and
fair view of the financial position of the company as at the year end and of its
receipts and expenditures for the period ended on that date;
vii) Comprehensive assessment of the adequacy and effectiveness of the accounting
and overall internal control system to monitor expenditures and other financial
transactions and ensure safe custody of project-financed assets and that they
are being used for the intended purposes;
viii) Company’s fixed assets are real and properly evaluated and company property
rights or related beneficiaries’ rights are established in accordance with loan
conditions; and
ix) Identify ineligible expenditures and report them accordingly.
7.0 CATEGORIZATION AND SUMMARY OF FINDINGS
7.1 Categorization of findings
The following system of profiling of the audit findings has been adopted to better
prioritise the implementation of audit recommendations:
| No | Description | Category |
|---|---|---|
| 1 | Has a significant/material impact, has a high likelihood of reoccurrence, and in the opinion of the Auditor General, it requires urgent remedial action. It is a matter of high risk or high stakeholder interest. | High significance |
| 2 | Has a moderate impact, has a likelihood of reoccurrence, and in the opinion of the Auditor General, it requires remedial action. It is a matter of medium risk or moderate stakeholder interest. | Moderate significance |
| 3 | Has a low impact, has a remote likelihood of reoccurrence, and in the opinion of the Auditor General, may not require much attention, though its remediation may add value to the entity. It is a matter of low risk or low stakeholder interest. | Low significance |
7.2 Summary of Findings
| No | Finding | Significance |
|---|---|---|
| 8.1.1 | Withholding tax on payments for professional services | Moderate |
| 8.1.2 | PAYE on employment income to volunteers | Moderate |
| 8.1.3 | Taxation of allowances and benefits | Moderate |
| 8.2.1 | Weaknesses in the Credit Origination process | High |
| 8.2.2 | Areas of non-compliance with the Teachers’ SACCO contract provisions | High |
| 8.2.3 | Absence of documented business risk matrix and risk management policy | Moderate |
| 8.2.4 | Need to plan and prepare for implementation of IFRS 9 and 15 | Moderate |
| 8.2.5 | Need to optimise costs at the Zones | Moderate |
| 8.3.1 | Weakness in Change Management Environment | Moderate |
| 8.3.2 | Weak domain password settings and no password required for Microsoft Dynamics | Moderate |
| 8.3.3 | Weakness in the user management process | Moderate |
| 8.3.4 | Weakness in the backing up of the data at MSC | Moderate |
| 8.3.5 | System and user activity monitoring | Moderate |
| 8.3.6 | Lack of Incident Management logs & an Incident Management Policy | Moderate |
| 8.3.7 | No periodic user validation carried out | Moderate |
8.0 DETAILED FINDINGS
8.1 Compliance with the Financing Agreement and Government of Uganda
Provisions
A review was carried out on the project compliance with the grant agreement
provisions and GOU financial regulations and it was noted that the project complied
in all material respects with the provisions in the agreement and applied GOU
regulations except in the following matters:
8.1.1 Withholding Tax (WHT) on payments for professional services
The company makes payments for professional services which are not subjected to
WHT at 6%. This is due to uniform application of WHT exception under section 119
on amounts below UGX 1 million on all payments made including professional
services payments.
Section 118[A] states that ‘a resident person who pays management or professional
fees to a resident person shall withhold tax on the gross amount of the payment at
the rate prescribed’. Failure to withhold on payments for professional fees below
UGX.1 million may attract fines and penalties from the tax authority.
Management indicated all future payments for professional services will be subjected to
withholding tax irrespective of the amount.
I advised management to ensure WHT is computed on all payments including
payments for professional services.
8.1.2 PAYE on employment income to volunteers
I noted that MSC engages volunteers on contractual terms and pays them a weekly
allowance. Allowances paid to volunteers on a weekly basis are construed as employment
income under section 19(a) of the Income Tax Act (ITA). Subsidiary Legislation
(Statutory Instrument 340-1), the Income tax (Withholding Tax) Regulations 2000,
Section 3(6) provides a guideline on how tax for weekly enumerated employees may
be computed.
MSC’s treatment of payments to volunteers as tax exempt or non-taxable employment
income is non-compliant with the provisions of the ITA.
This leaves the company with possible payment of tax with interest and penalties in
future. The weekly payment to volunteers was meant to facilitate them to conduct
the activities/tasks assigned to them and was not to be taxed.
Management explained that they will consult further on the matter regarding tax
planning options to avoid the tax.
I advised management to ensure that all employment income is subject to tax as per
the Income Tax Act.
8.1.3 Taxation of allowances and benefits
The company did not compute PAYE on overtime and subscriptions to health clubs
paid on behalf of staff. Section 19(1) of the Income Tax Act describes employment
income to mean any income derived by an employee from any employment and
includes 19(1) (a) any wages, salary, overtime pay, gratuity, bonus, or other
allowance.
Under Section 136 (1)(c) of the Income Tax Act failure by the company to withhold
tax on employment income makes it liable to interest on the unpaid tax at a rate
equal to 2% per month on the amount unpaid calculated from the date on which the
payment was due until the date on which the payment is made.
Management should ensure that all employment income is subject to tax as per the
Income Tax Act.
8.2 General Standard of Accounting and Internal Control
8.2.1 Weaknesses in the Credit Origination Process
I noted that for all loans, clients were required to provide quarterly reports. However,
I did not obtain evidence to confirm these progressive reports were sought by MSC
and provided by the different loan clients. Other weaknesses included cases of loan
clients who borrowed for onward-lending. For these, the offer letters did not define
the maximum interest rate that should be charged on their clients. Lapses were also
noted in cross-checking auditors used by loan clients against the list of approved
auditors provided by ICPAU.
There is increased risk of credit and reputation against the company.
In response, management explained that there are still a few clients who have not
made timely submissions due to the complexity of the reporting tool. However, a
simplified reporting tool has been developed to ease reporting for such clients.
I advised management to ensure that the lapses noted are resolved and ensure
compliance with the operations manual and internal processes as required.
8.2.2 Areas of Non-Compliance with the Teachers’ SACCO Contract Provisions
I noted the following with the Teachers’ SACCO product:
- Low absorption rates. Table I below refers.
- Other non-compliance with contract provisions of fund management services for
  the teachers’ SACCOs and lack of evidence of resolution of correspondences from
  the Ministry. Table II refers.

Table I: Total receipts versus total loan disbursements as at 30 June 2016

| Item | Amount (UGX) |
|---|---|
| Total receipts to date: Ministry quarterly releases | 9,317,424,000 |
| Total receipts to date: Share of interest (9%) | 121,079,000 |
| | 9,438,503,000 |
| Total loan disbursements to date | 1,805,000,000 |
| Balance as at 30 June 2016 | 7,633,503,000 |

Table II

| Section | Requirement | Status as at 30 June 2016 | Management comment |
|---|---|---|---|
| GCC 30.1 of the contract and 3(d) of terms of reference to the said contract | The Fund Manager is required to submit quarterly reports on performance of the Teachers’ SACCO fund to the Ministry of Education, Science, Technology and Sports (MoESTS) and Ministry of Finance, Planning and Economic Development. | Quarterly reports were not submitted to the Ministry for the financial year 2015/2016. | MSC has since submitted the required reports. However, MoESTS frustrated the contract and required a review and the terms have since then not been reviewed. MoESTS breached the contract as they stopped disbursing the funds. |
| Section 4 of the financial proposal | For ease of accountability and monitoring, a separate bank account to handle this fund will be maintained at MSC head office and collection accounts at Zonal Offices. | No separate bank account and collection accounts were maintained at head office and zones respectively by MSC for the teachers' SACCO fund. | MSC maintains a separate account in the system which has enabled MSC to accurately track, monitor and report on the teachers’ fund account. The fund has been audited for the last two years and found accurate. MSC found it costly to maintain 13 separate accounts because the management fee earned on the fund is very little. |
| Section 2.1 of the guidelines for management of the teachers' SACCO fund 2014 | Interest rate charged by MSC to the SACCO will be 11% annually (calculated on declining balance method). | Mukono and Kayunga Teachers SACCO was charged an interest rate of 13%. | The clients in question accessed a regular loan product of MSC rather than the teachers SACCO fund. The said loan was accessed before the launch of the teachers fund. |
| Section 2.2 of the financial proposal and section "g" of the terms of reference | In turn, the SACCOs will retain the funds to the teachers’ members at an interest rate not exceeding 15% per annum (calculated on declining balance method) which works out to an interest rate of 1.25% per month. | Section provisions not enforced by MSC. South Buganda Teachers' SACCO Masaka, for example, charges 24% annually for commercial loans and 18% annually for agricultural loans. | MSC has written to the SACCOs calling their attention to charging interest rates not exceeding 15% per annum. MSC encourages membership of the SACCOs to demand for lower interest rates. |
| Communication from the PS of Ministry of Education, Science, Technology and Sports (MoESTS) | In a letter dated 7 December 2015, the PS of MoESTS directed MSC to: sign an addendum to the contract before 11 December 2015 and transfer UGX. 5.7 billion funds to the Uganda Teachers Savings and Co-operative Union (UTSCU) as agreed in the meeting on 3 December 2015 and the communication alluded to H.E the President’s directive to transfer the management of the Teachers’ SACCO funds from MSC to UTSCU; avail the PS of MoESTS a detailed status report on the funds disbursed as of the communication date as well as the plan for committing the funds that had not yet been committed for purposes of preparing a hand over report. | MSC has not implemented these directives to date and continued disbursing loans on the basis that there are still a number of unresolved issues arising out of the proposed transaction. Subsequent to the letter, loans of UGX. 330 million were disbursed. | MSC was guided by the opinion of the Solicitor General in implementing the Presidential directive alluded to by the PS of MoESTS. It guided that MSC should continue with the funds already received from the MoESTS (i.e. Shs 9.3 Bln) while the balance of Shs 15.7 Bn is passed on to the relevant teachers Institution. |

The Ministry may feel compelled to invoke GCC 14.1 (f) to terminate the entire
contract due to such contract breaches by the company.
In response, management explained that the first tranche of the teachers fund was
received on 23 June 2014, at the time, not all teachers’ SACCOs had the capacity to
utilise the funds and only disbursed to the few SACCOs that had the capacity to
manage the fund. MSC has since then built the capacity of a number of teachers’
SACCOs which shall improve the absorption of the fund.
I advised management to ensure that such cases of non-compliance are resolved and
ensure full compliance with the General Conditions of Contract.
8.2.3 Absence of documented business risk matrix and risk management policy
I noted that MSC has no risk management framework in place. Management deals
with the risks on an ad-hoc basis or at functional level without a centralised planning
or effort to deal with emerging risks on a continual basis, that are likely to prevent
the organisation from achieving its objectives.
Although management gives priority to monitoring of risks affecting the company, I
noted that there was no formal documentation of the risks the company needs to
monitor, and the risk rating in terms of the likelihood and extent of the impact they
would have if they occurred.
This may lead to inadequate monitoring of the risks facing the company and failure
to establish measures to prevent or mitigate the risk.
Management explained that a risk management framework developed is yet to be
discussed by the board within Quarter Oct-Dec 2016.
I advised management to design formal and documented risk management
procedures with a balanced and multi-dimensional risk criteria matrix in terms of the
likelihood and the impact if the risk materialised. This should be reviewed regularly to
capture new risks and reclassify risks accordingly.
8.2.4 Need to plan and prepare for implementation of IFRS 9 and 15
The International Accounting Standards Board (IASB) issued the following standards
which could have an impact on the company’s financial statements:
| New or revised pronouncement | Effective date |
|---|---|
| IFRS 9 Financial Instruments | 01-Jan-18 |
| IFRS 15 Revenue from Contracts with Customers | 01-Jan-18 |
The new standards could have an impact on multiple business functions outside the
finance and accounting function. Resources may therefore be required to implement
across functions. Management is yet to assess the impact on the company’s
operations.
Failure to have a plan and/or implementation road map to prepare for adoption of
the new standards may lead to improper or untimely implementation of these new
standards.
Management promised to implement the IFRS by June 2017.
I advised management to prepare an implementation roadmap and ensure readiness
for adoption by the effective dates.
8.2.5 Need to Optimise Costs at the Zones
A review of the zonal revenue realised against actual expenditure per quarter for the zones
in the table below revealed consistent reported net deficits (costs exceeded income)
throughout the year.
Zonal performance per Quarter based on Net (deficit)/surplus (all amounts in UGX 'million):

| Zone | Qtr1: Net deficit | Qtr2: Net (Deficit)/Surplus | Qtr3: Net deficit | Qtr4: Net (Deficit)/Surplus | Total net deficit |
|---|---|---|---|---|---|
| Jinja | (35.3) | (27.03) | (28) | (1) | (91.33) |
| Mbale | (18.6) | (13.65) | (7.9) | 4.6 | (35.55) |
| Soroti | (9.9) | 2.04 | (2.6) | (8.3) | (18.76) |
| Moroto | (47.7) | (8.91) | (30.7) | (1) | (88.31) |

There is a risk that increased cost to income ratio may hinder the company’s
expansion plans and dynamism in the financial services (Microfinance) sector.
Management explained that not all zones are viable due to MSC’s objective of
ensuring wide outreach; however, they are expected to break even in the next three
years. The Company has also developed a cost optimisation strategy which is yet to
be approved by the board in Q2 2016/17.
I advised management to review these cost centres and find ways of minimising
costs while still achieving the overall objectives of the MSC.
8.3 Review of IT Matters
8.3.1 Weakness in Change Management Environment
During our review, I noted the following weaknesses in the IT change management
environment of MSC.
► Changes are not tested before deployment in the production environment.
► Changes made during the audit period were not tracked. There is no record of
the changes; therefore we cannot establish the completeness of the changes
implemented, whether minor or major.
► The use of the change management document is not enforced. I noted that some
changes were not documented using the change management document, and when I
interviewed some of the IT officers they were not informed about the change
management form. This makes it difficult to track the different activities done in
the change management environment of MSC.
There is a risk that program changes may be implemented to the production
environment without user acceptance.
Management explained that Testing Environment will be used by Web-Discount for
all future changes.
I advised management that:
► For program changes, controls should be in place to ensure that changes are
authorized, tested, and approved for promotion to production and supported
with appropriate signoffs and documentation.
► MSC should set up a test environment to be used for testing program changes and
ensure that programmers do not have access to this environment.
► MSC should implement a system to ensure all changes made to the IT
environment are captured and can be tracked at every step of the process flow.
8.3.2 Weak domain password settings and no password required for Microsoft Dynamics
During our review of the Active Directory settings in the current year, we noted that
the password complexity of the end users was set to “Disabled”. There is a single
sign-on for the users of MSC who need to access the Domain and Microsoft
Dynamics. This means the users do not need a password to access Microsoft
Dynamics.
Lack of password complexity makes it easy for unauthorized users to run
password crackers and obtain the passwords. Because this is a setting on the Active
Directory, it is a high risk to information security, especially if passwords are not
required for Microsoft Dynamics login.
Management explained that password complexity is now enabled. It was resolved
that the Single Log On is the MSC Organization policy and would remain as is. Prior
to this Audit, this was discussed intensively during the ICT Retreat and proposed as
the best way to go based on our setup network resources and how we provide support.
I recommended that the following improvements could be made to strengthen
password and login controls for the end users:
Parameters:
► Password complexity – enabled
MSC should also activate password logins for Microsoft Dynamics.
8.3.3 Weakness in the user management process
The user management process for MSC has the following weaknesses:
a) Inconsistency in the use of user creation forms
For the new users who joined MSC during the current year of audit, we reviewed the
user forms and noted that once the user details are entered, approvals from the
executive director and the IT department are not recorded on this form. The person
who sets up the user does not sign the form for accountability. An example is
Emmanuel Tashobya's user access form. We also noted that users are set up before
the form approvals have been fully obtained, as observed with the user forms. An
example is Simon Olukor, who needed access set up: he was given rights in January
2016, yet approvals were obtained in April 2016. We also noted that
implementation was signed in April 2016, after the expiry of the user rights as per
the user form.
b) No standard user termination process
During our review of this process we noted that it is not a standard procedure as it
varies from user to user.
Sometimes HR sends an email to terminate the user, and the IT department
terminates the user. However, this is not the norm, and because of this there is a risk
that users may be terminated later than the date they left, as HR does not issue this
email in all cases.
These identified matters increase the risk of unauthorized processing of transactions
and breach of data confidentiality.
Management explained that consistency will be followed and users will not be set up
with incomplete forms. Users will only be terminated/disabled when appropriate
forms are forwarded to MIS.
I advised management that in order to reduce the level of risk within the IT
environment, MSC should focus on implementing the following procedures to
follow up inactive users. For access to the data, controls should be in place to ensure that
only authorized persons have access to data and applications (including programs,
tables, and related resources) and that they can perform only specifically authorized
functions.
8.3.4 Weakness in the backing up of the data at MSC
No Backup Testing
Microfinance Support Centre has a backup process in place in section 7.3 of the ICT
policy. It states: “Ensure the ability to restore backed-up data through periodic
testing of the restoration process. Perform a full System backup prior to installing
system upgrades or maintenance fixes”. During our review, I noted that no testing
was done for the information backed up.
Storing of backup onsite:
Section 7.3 of the ICT policy manual states “Perform a full system (volume) backup
on a weekly basis. Remove the backup media from the IT”.
However, I noted that the backup of the data done is kept on site. In case of data
loss, MSC may not be able to recover all the data. Storing backed up data onsite
increases the risk of losing the original and the backup at the same time in cases of
catastrophe.
Management explained that testing backup data and transporting to Offsite (Kampala
Zone) will commence in January 2017.
I advised management that backup information be stored in a separate location
(either physical or electronic) to maintain the continuity and integrity of data in case
of an emergency. This will reduce the risk that both the original and the backup are lost.
8.3.5 System and user activity monitoring
I noted that no review is being performed on the activity logs of the firewall or of any
systems for invalid login attempts or suspicious activity. The system is not
monitored; MSC only has a tool that monitors its network. MSC does not monitor
user activity.
In the absence of the user access monitoring, there is a risk that:
► MSC may be exposed to information practices that may compromise data
confidentiality or integrity.
► Security violations by authorized and unauthorized users may go undetected.
► Accountability for unauthorized activity may be difficult to establish.
Management explained that in January 2017, the company will commence:
► Reviewing firewall logs, and
► Monitoring users and their activities in the System and recording them.
I advised management to implement procedures to monitor the environment and
review for unauthorized access. Activity logs should be periodically reviewed for both
the systems and the firewall to ensure there is no suspicious activity. Procedures for
monitoring logical security and reviewing relevant logs. ……..
8.3.6 Lack of Incident Management logs & an Incident Management Policy
I noted that incidents are not logged. The policy of MSC is to log the incidents and
there is a support tool in place; however, the staff prefer calling the helpdesk, and the
team in charge of the helpdesk does not log the issues raised. I was not in a position to
obtain the list of all incidents that took place in the current period of audit. I also noted
that there is no incident management policy in the new ICT policy.
There is a risk that incidents are not resolved in a timely manner and that incidents
keep recurring but, because they are not tracked, red flags may never be raised. Lack of
a policy on incident management makes it difficult for the IT department to have
guidelines to follow when incidents arise and when escalation is needed.
Management explained that MIS unit will build capacity to staff on the Incident Tool
and staff to start using it in January. The ICT Policy Manual shall be updated with
Incident Management Policy in January.
I recommend that incidents are logged through the helpdesk and the support tool in
place, and that MSC staff are sensitized about the tool and its
use. On receipt of calls from staff, the helpdesk officer must log all incidents. I also
recommend that the ICT policy be amended to include the incident management
policy/guidelines.
8.3.7 No periodic user validation carried out
I noted that there is no formal procedure in place to periodically (e.g., quarterly or
semi-annually) review all of the users’ access to the systems.
Users are not periodically reviewed to check that they have the access rights they are
supposed to have.
MSC may be exposed to information practices that may compromise data
confidentiality or integrity. Appropriate monitoring of the environment is necessary to
ensure there is no unauthorized access to the systems.
Management explained that on a quarterly basis, starting end of March, MIS shall
verify existing and former staff in the System and keep records of them.
Management should review user access rights on a quarterly basis as part of
standardizing the process of periodically reviewing and confirming access of users
within MSC.