Government spending on IT runs into billions, yet systems remain weak, fragmented and vulnerable to security breaches, the Auditor-General has found.
The Auditor-General’s latest report lays bare major failures in government IT delivery: 41 projects worth R12.1 billion had material findings, while over half of auditees (52%) failed to meet even basic targets on time, cost, quality or outcomes.
At the same time, cybersecurity weaknesses are widespread. Of the 70 institutions assessed, 45 (64%) had notable vulnerabilities, while eight (11%) were found to have critical exposures that could be exploited if not addressed.
These failures come despite sustained spending on digital infrastructure.
“Spending on ICT has not translated into improved outcomes,” Auditor-General Tsakani Maluleke notes in her latest report.
Government allocated R5.48 billion to IT infrastructure in 2024/25, yet many departments continue to operate on ageing systems, with investment largely focused on maintaining legacy infrastructure rather than system modernisation.
“In addition, there were instances where systems and licences were procured but never used,” she adds.
Gauteng health departmentÂ
A key constraint is fragmented platforms that continue to limit interoperability across departments.
The Auditor-General cited the Gauteng department of health in her report where the development of a health information system was intended to improve patient care.
“The project was planned to be completed by June 2022, with maintenance running from May 2023 to May 2025. However, the project was only 61% complete as at 31 March 2025, even though R257.8 million (76%) of the budget had been spent.”
She notes that project delays were primarily due to poor planning, inadequate project management processes and ineffective monitoring of strategic initiatives.
“The revised project completion date was August 2025. Key deliverables, which were planned for completion by June 2022, remain incomplete.”
Weak security systems
The Auditor-General found that many institutions are exposed to significant disruptions in the event of cyberattacks due to weak access controls, outdated systems and inadequate backup processes.
“We conducted technical assessments and systematic testing, including penetration testing and vulnerability scanning to identify vulnerabilities and test defensive capabilities,” she notes.
The audits showed shortcomings at 64% of institutions, of which 23 are high-impact institutions.
In addition, four high-impact auditees showed significant vulnerabilities that could be exploited if not remedied, she adds.
(High impact auditees are public institutions whose performance has a large, direct effect on citizens and the economy.)
In her report, the Auditor-General mentions a ransomware attack at the South African Bureau of Standards (SABS) in November 2024, which shut down business applications and delayed financial reporting, with recovery efforts still ongoing more than a year later.
She warns that more auditees regressed than improved, with systemic weaknesses in security management, user access controls and system continuity.
The overall state of IT controls remains “concerning”, with around 72% of institutions assessed as problematic.
These control failures expose institutions to unauthorised system access, data breaches and disruptions to business operations, while also undermining the reliability of financial and performance information.
State IT Agency failures
The Auditor-General further notes that failures at the State Information Technology Agency (Sita) – including slow procurement processes and missed service level targets – have affected government departments’ ability to access critical IT services.
In some cases, departments have sought approval to procure ICT services outside Sita processes to avoid delays.
“In 2024-25, our continued focus on Sita revealed persistent challenges in fulfilling its mandate to provide critical IT services to government departments.
“Apart from Sita’s procurement processes remaining outdated and slow, its inability to meet basic service levels has become a systemic risk to government operations,” she notes, pointing out that Sita failed to meet the service level agreements for virtual private networks in North West.
The IT findings form part of wider governance weaknesses and slow progress in the public sector.
Regression and ‘little improvement’
Releasing the report last week, the Auditor-General said there had been little improvement in audit outcomes.
“One year into the new administration, our audits show no clear improvement in audit outcomes, financial management, service delivery performance, accountability, transparency or institutional integrity,” she says.
Audit regressions were recorded for 45 auditees, including 22 high-impact institutions overseeing R523.42 billion in expenditure. “The scale of these regressions significantly outweighs the improvements made elsewhere,” she adds.
The most common audit outcome – “unqualified with findings” – masks significant weaknesses.
Maluleke says the 266 auditees that did not receive clean audits are responsible for managing 88% of the total expenditure budget but continue to lack the institutional capability to produce credible financial and performance reports or ensure compliance with legislation.
This article was republished from Moneyweb. Read the original here.
