The recent government probe of the Higher Education Examinations Council (HEXCO) has been covered in the media as yet another portrayal of irregular practices that affect service delivery in a state entity.
The probe has also brought to the surface a huge disregard of information systems controls which is a cause for concern when considering the risks that the entire Council and Ministry of Higher Education was exposed to.
According to The Herald, with the approval of the Secretary in the Ministry of Higher and Tertiary Education Dr. Washington Mbizvo, a Francis Taivavashe was appointed to oversee the council’s exam database. Apparently, Taivavashe designed, installed operated and managed the database without any supervision.
While other voices have focused on how HEXCO appointed an unqualified person for the job as well as their lack of a complete grasp of their own roles, a big issue that is emerging from this is the absence of internal controls and measures to supervise the systems that HEXCO wanted to use.
The fact that a single person handled the design and management of a national examinations database without any supervision and carried out all tasks and duties without having to account for any of his actions is alarming. What is even more peculiar is how he is reported to have carried the database on flash drives and was the only person with the authority to handle password and access queries.
It would appear that there was no observation of information systems controls to mitigate risks such as systems breach, theft of data and continuity. This paints a bad picture of the Ministry of Higher and Tertiary Education and HEXCO and brings into question their seriousness when it comes to information systems procedures.
All parastatals and state affiliated bodies are subjected to audits from the Office of The Auditor General so one wonders whether the same audit procedures that failed to identify such a blatant disregard for risk and internal controls are used for other entities.
Do state enterprises that handle public finances where risks of corruption and fund misappropriation have better IS controls or does one person move around with sensitive information on temporary storage devices? What about central government and national security subsidiaries? Are the same weak internal controls being used at other state entities?
The Ministry of Higher and Tertiary Education has its own guidelines and objectives independent of The Ministry of Education Sports and Culture but it is easy to draw comparisons between the two. We have experienced cases where secondary schools public examinations administered by ZIMSEC have been leaked and it’s anybody’s guess if the same lax approach to internal controls was being used there.
We live in a world where technology should be used to create measures against unnecessary risks at every level of enterprise engagement. Local authorities need to step up not only in how they talk about tech but also how they implement it.
Enterprise-wide risk management is a big consideration even at a national level and there should be clearer efforts at initiating e-government practices as well as a stronger stance on transparency.
More efforts need to be made to address these issues of we are to come off as a nation that fully appreciates the importance of technology in service delivery and enterprise efficiency.