[kictanet] ICT Authority, not Treasury, should oversee IFMIS

James Muritu james.muritu at gmail.com
Thu Jan 19 12:52:50 EAT 2017


Thanks for the thought, Muraya.

On Thu, Jan 19, 2017 at 12:37 PM, S.M. Muraya <murigi.muraya at gmail.com>
wrote:

> James,
>
> Would be very interested in an IFMIS "outsider event" moderated by Walu
> and yourself.
>
> Straightforward fellows are hard to come by in this day and age.
>
> On Jan 19, 2017 12:32 PM, "James Muritu via kictanet" <
> kictanet at lists.kictanet.or.ke> wrote:
>
> Interesting conversations going on here. In simple terms, what IFMIS
> lacks is a Governance Framework. The "software component" of an ERP is just
> one drop in the ocean. People+Processes+Operating Procedures+Decision
> Rights are the bigger drops. Am currently reviewing a similar system in a
> Kenya-based corporation and for almost 2 years, the system had been blamed
> for all the wrong reasons. The ultimate results revealed more loopholes
> outside the actual software.
>
> On Thu, Jan 19, 2017 at 12:01 PM, waudo siganga via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> Thanks Walu. I'll wait for the coffee...
>> W.
>>
>> On Thu, Jan 19, 2017, at 11:33 AM, Walubengo J wrote:
>>
>> @Daktari Siganga,
>>
>> I was the ICT Director for our university for 5yrs and managed both the
>> University Network & ERP - but I don't say :-)
>>
>> We switch between the classroom and ICT operations like that. So I kinda
>> have both the academic and practical view of these things
>>
>> Anyway, you are right in that the IT expert (Superuser) should NOT be a
>> normal 'Finance'/'HR'/Procurement or other regular user of the ERP.
>> However, the IT guys still assign these roles and privileges to the various
>> functional users. i.e. they must grant rights to the Finance/HR/ and other
>> Directors to execute their work within the ERP.
>>
>> Different implementations (company policy) may be that this is delegated
>> to the various functional heads who can then subsequently grant
>> privileges/access rights down through their departments.
>>
>> But this is NOT ideal since you lose the segregation of duties where you
>> want the Functional heads (e.g. Finance Director) to make the access-rights
>> requests IN WRITING, and have SOMEONE ELSE implement that request.
>>
>> This is the 'control' auditors are looking for when auditing the
>> information system later on - in terms of checks and balances. Such a
>> control is what leads to the questions like:-
>> a) Who within the ERP system has privileges that were not formally
>> requested for in writing? Or
>> b) Who within the ERP system has more privileges than what was formally
>> requested for?
>> c) Who within the ERP exists but has no supporting access request from
>> the Functional head?
>> d) etc, etc.
>>
>> Even if the IT expert abused his/her superuser privileges by granting
>> themselves some user rights within the Financial module, they will be outed
>> by the above audit process.
>>
>> Denying the IT expert the ability to grant access rights within the ERP
>> and passing the same to the functional heads does not solve the problem of
>> abuse. The functional heads can simply become the new kingpins. Only
>> segregation of duty cures the problem of abuse.
>>
>> But we can meet over coffee and share the pros and cons of the various
>>  implementations :-)
>>
>> walu.
>>
>>
>>
>> ------------------------------
>> From: waudo siganga <emailsignet at mailcan.com>
>> To: Walubengo J <jwalu at yahoo.com>; KICTAnet ICT Policy Discussions <
>> kictanet at lists.kictanet.or.ke>
>> Sent: Thursday, January 19, 2017 10:36 AM
>> Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS
>>
>> Hi Walu - I can see from your comments that you have never worked in a
>> finance environment. For secure setup there is no way "IT guys must then
>> translate x, y & z function into the appropriate access levels for that
>> accountant within the system". Simply put a person who is a trained IT
>> expert knows too much about how the system works and therefore cannot be
>> assigned access administration. The overall person for access admin is a
>> "super-user" or "Chief Security Officer" or a title in that direction. This
>> super user assigns access rights to users, such as ability to add, delete,
>> update, edit, view, etc records. To assign these rights in practically all
>> IT systems the super user must himself have those same rights, otherwise
>> he/she cannot assign them to other users. A system where a super-user is an
>> IT expert is a very weak system. The IT expert should never have ability to
>> enter a system and change records. If you analyse the IFMIS problem you
>> will realise that it is not a problem of IT experts infiltrating the
>> system. It is just password misuse by ordinary users. At least I agree with
>> you on one thing - IT expertise role and password administration must never
>> be put in the same office. In most banks and finance environments the
>> super-user function is undertaken by the CEO or a very senior executive who
>> is OUTSIDE the IT function.
>>
>> THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT system,
>> are the weakest link. It is like having pilots who are busy with corruption
>> to fly a plane then when the plane crashes we say there was a problem with
>> the plane.
>>
>> W.
>>
>> On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote:
>>
>> @Dr Siganga, my comments below:
>>
>> >>1. Hi Walu - I do not agree with you that access administration
>> (passwords) is a technical function. In most cases passwords just mimic
>> authorization structures that pre-exist in a manual system.
>> >>>
>> Response: Yes and NO.
>> Yes passwords and their access levels are controls that mimic the
>> authorization levels of the manual system. However, their implementation in
>> an ideal environment should be segregated.   E.g the finance director
>> should say in writing: 'I need my accountant to do x, y & z function' .
>> The IT guys must then translate x, y & z function into the appropriate
>> access levels for that accountant within the system.
>>
>> Finance retains the administrative oversight in terms of triggering the
>> password request and profiling the access levels desired. IT retains the
>> technical function of implementing the same. Never put these two roles in
>> one office. That invites a lot of trouble.
>>
>> >>2. I also differ with your suggestion that it is the work of technical
>> people to enforce, check or review system controls. That should be the
>> function of an independent auditor.
>> >>
>> RESPONSE: Yes and NO.
>> Yes, independent or external auditors (hopefully Information System
>> Auditors) do review the technical controls. But this is often an annual
>> exercise. So serious organisations do not wait for a year to be told their
>> controls were not effective. They have INTERNAL information system auditors
>> (who are technical) to continuously monitor/enforce that these IT controls
>> are in place, working and/or need to be updated. Other organisations may
>> allocate this role to the Information Security Officer, either way these
>> are ICT technical chaps.
>>
>> walu.
>>
>>
>>
>> ------------------------------
>> From: waudo siganga <emailsignet at mailcan.com>
>> To: Walubengo J <jwalu at yahoo.com>; KICTAnet ICT Policy Discussions <
>> kictanet at lists.kictanet.or.ke>
>> Sent: Wednesday, January 18, 2017 1:55 PM
>> Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS
>>
>> Hi Walu - I do not agree with you that access administration (passwords)
>> is a technical function. In most cases passwords just mimic authorization
>> structures that pre-exist in a manual system. It is very important that the
>> access of technical people to a system, especially a financial one, be as
>> inhibited as possible. Those who access the system should only be capable
>> of doing the functions they would perform in a manual system. To enhance
>> security of the system, access administration should be overseen by a most
>> senior person who is NOT trained to do technical work on the system.
>>
>> I also differ with your suggestion that it is the work of technical
>> people to enforce, check or review system controls. That should be the
>> function of an independent auditor.
>>
>> Overall I think there is much misunderstanding about IFMIS. The problem
>> is not technical; it is administrative. Specifically access administration
>> (passwords).
>>
>> W.
>>
>> On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:
>>
>> Grace B via kictanet <kictanet at lists.kictanet.or.ke> wrote>>>
>> Second, the problem with IFMIS, it appears is a lack of commitment to
>> simple values such as integrity and prudent stewardship of public funds.
>> What guarantee would we have that ICTA would be different from Treasury?
>>
>> >>
>> Segregation of duties solves this.  Treasury continues being the Process
>> owner, but surrenders the Technical leadership of the system/ERP to ICT
>> Authority. So if it is a case of passwords and their use, expiry amongst
>> other technical issues, we know it is ICT Authority to manage (and take
>> blame).
>>
>> It is often a confusing and thin line. The line between Administrative
>> and Technical authority.
>>
>> But you can look at it in terms of the President's Security detail. The
>> President may be the (Administrative) boss of his security detail, but the
>> President can never tell his security detail HOW to guard him or what
>> weapons to use or how many guards he needs, where to position them etc.
>>
>> These are TECHNICAL issues that the President cannot and should never
>> pretend to be dictating on since they lie squarely within the NIS/Inspector
>> General domain. The moment NIS start taking technical instructions from the
>> President, is the moment our security system will collapse.
>>
>> If we get this separation of authority right, we solve the IFMIS puzzle.
>>
>> walu.
>>
>>
>> ------------------------------
>> From: Grace B via kictanet <kictanet at lists.kictanet.or.ke>
>> To: jwalu at yahoo.com
>> Cc: Grace B <nmutungu at gmail.com>
>> Sent: Wednesday, January 18, 2017 7:11 AM
>> Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS
>>
>> Interesting discussion. There are those who would look at IFMIS as a
>> public finance management issue as opposed to an ICT one but this does not
>> really count when giving management mandate to either Treasury or ICTA as
>> long as the objectives of PFM (Article 201 of Katiba) are met.
>> One of the issues voiced about IFMIS since devolution/new Constitution
>> has been the problems experienced by county governments and other
>> independent organs eg commissions in accessing funds in a timely manner.
>> (We assume that Executive has not had too many problems assessing funds and
>> may have indeed been facilitating leakage)
>> One issue with transferring the responsibility of maintaining IFMIS to
>> ICTA, it seems would be that there could be few differences between ICTA
>> and Treasury. First, both are Executive institutions that may support
>> devolved and independent structures in line with the soft policy direction
>> of the government of the day. Second, the problem with IFMIS, it appears is
>> a lack of commitment to simple values such as integrity and prudent
>> stewardship of public funds. What guarantee would we have that ICTA would be
>> different from Treasury?
>>
>> Regards
>>
>> 2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet <
>> kictanet at lists.kictanet.or.ke>:
>>
>> Barrack
>>
>> We are saying the same thing really.. Let's assume that the ICTA is the
>> ICT Department of the Government (which I doubt it is equipped to execute
>> that mandate) then 'managing' here really means providing support to the
>> system.
>>
>> I think it's time the Government considers the role of Chief Information
>> Officer to really manage the strategic thrust of all ICT initiatives across
>> ministries. The CIO can then be held accountable for overall efficiency and
>> security of all Government ICT Systems. This CIO needs to report directly
>> to the Chief Executive Officer (President) of the country. Now, that person
>> could be seconded or be a part of the ICTA with a dotted line responsibility
>> to the CS, MOICT...
>>
>> Ultimately the overall responsibility of how well our Government ICT
>> Systems work lies squarely on the CEO's desk. Look no further.
>>
>> Ali Hussein
>> Principal
>> Hussein & Associates
>> +254 0713 601113
>>
>> Twitter: @AliHKassim
>> Skype: abu-jomo
>> LinkedIn: http://ke.linkedin.com/in/alihkassim
>> "We are what we repeatedly do. Excellence, therefore, is not an act but a
>> habit."  ~ Aristotle
>>
>>
>> Sent from my iPad
>>
>> On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <
>> kictanet at lists.kictanet.or.ke > wrote:
>>
>>
>> Hi Ali,
>>
>> ERP grew from MRP (Material Resource Planning), which was a means of
>> planning and allocating resources in Factories. The difference between
>> the two is that MRPs were standalone systems whereas ERPs are
>> modular and have more functionality. From an evolution perspective,
>> it would be ideal to manage IFMIS from Ministry of Finance since they
>> are the custodians of the treasury and normally allocate resources
>> through the budgeting process. From a Project Management perspective,
>> it would be ideal to manage IFMIS from ICTA since it is the
>> specialized agency meant to manage government technology investments.
>>
>> Regards
>>
>> On 1/17/17, S.M. Muraya via kictanet <kictanet at lists.kictanet.or.ke >
>> wrote:
>>
>> Doubt Treasury economists and accountants are well placed to provide Cyber
>> Security :)
>>
>> We need the ICT Authority to configure enterprise wide data protection
>> (limiting theft of passwords & access to IFMIS).
>>
>> In 2016, the UN ranked the UK as # 1 in providing digital services.
>>
>> https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2016
>>
>> The Government Digital Service (GDS) is part of their Cabinet Office, not
>> their Treasury.
>>
>> https://www.gov.uk/government/publications/govuk-pay/govuk-pay
>>
>> Their Treasury is consulted about the payment system  👆🏾  the GDS
>> continues to build.
>>
>> SMM
>>
>> *"Better a patient person than a warrior, one with self-control than one
>> who takes a city." Prov 16:32*
>>
>> On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali at hussein.me.ke> wrote:
>>
>> I fundamentally disagree with this assertion.
>>
>> Firstly, the role of a CIO is to support the enterprise. I have never
>> heard in my life of an ERP Director. This is just adding a superfluous
>> layer of useless bureaucracy.
>>
>> The owner of an ERP is the business with each department taking ownership
>> of their components:-
>>
>> 1. Financials - CFO
>> 2. CRM (Commercial/marketing/sales)
>> 3. Procurement - Procurement which sometimes comes under Finance
>>
>> Etc.
>>
>> The CIO takes ownership to ensure that the company is well oiled to
>> execute on its mandate. This in my humble opinion goes beyond ERPs and
>> talks to aligning the Technology Strategy with the Business Strategy. For
>> example in the banking sector where increasingly the more savvy banks are
>> taking a 'Platform Thinking' approach. This allows partners to plug into
>> their core technology through APIs to enable them extend capabilities and
>> hence offerings to their customers.
>>
>> The role of a CIO has fundamentally changed to speak to the need for using
>> Technology as an accelerator to successful business models.
>>
>> Secondly, I don't see how the ICT Authority would be better in managing
>> the monster that is IFMIS. Let them first learn the basics of communicating
>> effectively with the community before taking on this elephant in the room.
>>
>> *Ali Hussein*
>> *Principal*
>> *Hussein & Associates*
>> +254 0713 601113
>>
>> Twitter: @AliHKassim
>> Skype: abu-jomo
>> LinkedIn: http://ke.linkedin.com/in/alihkassim
>>
>> "We are what we repeatedly do. Excellence, therefore, is not an act but a
>> habit."  ~ Aristotle
>>
>> Sent from my iPad
>>
>> On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>> Interesting comments...
>>
>> ICT Authority, not Treasury, should oversee IFMIS
>>
>> http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560-3520560-5j04aq/index.html
>>
>> _______________________________________________
>> kictanet mailing list
>> kictanet at lists.kictanet.or.ke
>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>> Twitter: http://twitter.com/kictanet
>> Facebook: https://www.facebook.com/KICTANet/
>>
>> Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com
>>
>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>> for people and institutions interested and involved in ICT policy and
>> regulation. The network aims to act as a catalyst for reform in the ICT
>> sector in support of the national aim of ICT enabled growth and development.
>>
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people's times and bandwidth,
>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
>>
>> --
>> Barrack O. Otieno
>> +254721325277
>> +254733206359
>> Skype: barrack.otieno
>> PGP ID: 0x2611D86A
>>
>> --
>> Grace L.N. Mutung'u
>> Skype: gracebomu
>> Twitter: @Bomu
>>
>> <http://www.diplointernetgovernance.org/profile/GraceMutungu>
>>
>> PGP ID : 0x33A3450F
>>
>>
>
>
>
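The access-rights audit Walubengo describes in the quoted thread above (questions a to c, plus the case of a superuser granting themselves rights) can be run as a reconciliation of the ERP's live grants against the written requests. This is an added example, not part of any post in the thread; the record layouts, user names and privilege names are constructed for illustration and do not come from IFMIS or any real ERP.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """A written access request raised by a functional head (hypothetical layout)."""
    request_id: str
    requested_by: str    # e.g. the Finance Director
    implemented_by: str  # whoever applied the request in the ERP
    user: str
    privileges: frozenset


@dataclass(frozen=True)
class Grant:
    """One privilege as exported from the ERP's access tables (hypothetical layout)."""
    user: str
    privilege: str
    granted_by: str


def audit_access(requests, grants):
    """Reconcile live grants against written requests.

    Returns a sorted list of (finding, user, detail) tuples.
    """
    approved = defaultdict(set)
    findings = set()
    for req in requests:
        # Segregation of duties: the requester must not also implement.
        if req.requested_by == req.implemented_by:
            findings.add(("SAME_REQUESTER_AND_IMPLEMENTER", req.user, req.request_id))
        approved[req.user] |= req.privileges

    for g in grants:
        # Anyone assigning rights to their own account is flagged outright.
        if g.granted_by == g.user:
            findings.add(("SELF_GRANT", g.user, g.privilege))
        if g.user not in approved:
            # Question (c): account exists with no supporting request.
            findings.add(("NO_REQUEST_ON_FILE", g.user, g.privilege))
        elif g.privilege not in approved[g.user]:
            # Questions (a)/(b): privilege beyond what was requested.
            findings.add(("EXCESS_PRIVILEGE", g.user, g.privilege))
    return sorted(findings)


# Constructed sample data.
REQUESTS = [
    AccessRequest("AR-001", "finance_director", "it_admin", "accountant1",
                  frozenset({"invoice.view", "invoice.create"})),
    AccessRequest("AR-002", "hr_director", "hr_director", "hr_clerk1",
                  frozenset({"staff.view"})),
]
GRANTS = [
    Grant("accountant1", "invoice.view", "it_admin"),
    Grant("accountant1", "invoice.create", "it_admin"),
    Grant("accountant1", "payment.approve", "it_admin"),
    Grant("hr_clerk1", "staff.view", "hr_director"),
    Grant("it_admin", "payment.approve", "it_admin"),
    Grant("temp_user", "invoice.view", "it_admin"),
]

if __name__ == "__main__":
    for finding, user, detail in audit_access(REQUESTS, GRANTS):
        print(f"{finding:32} {user:12} {detail}")
```

The check only works if the request register and the grant export are held by different people, which is the segregation of duties the thread argues for.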