gartner support to sars - sars commission 2018 of mr m...leaked. 5. tax payer machines are infected...
TRANSCRIPT
© 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This presentation, including all supporting materials, is proprietary to Gartner, Inc. and/or its affiliates and is for the sole internal use of the intended recipients. Because this presentation may contain information that is confidential, proprietary or otherwise legally protected, it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
Michael Lithgow FBCS FIET CITP CEng Managing Vice President Gartner Consulting – EMEA Public Sector
Gartner Support to SARS
Qualifications to Lead SARS Engagement
Prior Experience to Gartner:
– Design and build of global networks supporting up to 400,000
– Head of Special Projects Procurement. Large portfolio of technology equipment required to meet urgent demands of diverse business units
– Programme Director of build of new education facility which received government award.
– Change programme: function, people, equipment and locations of an organisation of 7,500
– Head of R&D with a large team of scientists and engineers with remit to pull through successful outcomes to field deployments rapidly, including safety certification
– Chartered Engineer and Chartered IT Professional
Role During SARS Engagement
– Senior Gartner Executive accountable to SARS for delivery of contracted outcomes
– Senior Gartner Executive accountable to Gartner for delivery quality, SARS satisfaction and contracted deliverables
– To act as the facilitator for wider Gartner Tax knowledge gained from around 16 tax administrations in EMEA and NA.
Qualifications
– Head of Public Sector in EMEA with a specific focus on large programmes:
National Tax Authority – replacement of core tax system (tax revenue R1,520bn)
Oversight of work with a further 3 tax administrations – revenues: R11,183bn, R3,000bn, R3,000bn
Reviewer on behalf of an inter-governmental organization of the technology to support a $1.4bn headquarters, including security.
Clients in 12,000 distinct enterprises across 100 countries
Research Industry’s largest database
135,793 documents across 1,372 technology and business topics
Advisory Services Unique client perspective
2,000+ analysts conduct 380,000+ one-to-one client interactions annually
Consulting Results on initiatives
2,000 custom engagements a year fueled by 14,000 peer benchmarks
Events Networking with peers
55,000 professionals a year attend 75+ worldwide events
All Gartner services are grounded in our world-class Research insights
Gartner has no affiliations with, and does not promote, any vendors, products or services. Gartner does not undertake services implementation – installation of hardware or software into a new or existing estate. Gartner is wholly independent and this independence is guaranteed by the Gartner Ombudsman.
Structure of Evidence
Overview of the programme of work and relationship between the different phases/activities
Vignettes that illustrate the relationship between the work (Phase 1, Phase 2, STAR and GRAP) based upon:
– Security posture of SARS
– Gartner recommendations on use of technology to improve efficiency to improve citizen services and reduce cost
– Gartner recommendations on changes to procurement process to reduce cost and upskill workforce
Why SAP?
Governance - ensuring compliance with KING III
What did Gartner recommend that SARS should do?
Why did it not happen? What were the barriers to change?
Overview of Programme of Work
Support to SARS – 2015-2017
Objective – Provide advice and assist where appropriate to ensure that SARS can be and remain a world class tax administration
Objective
Provide SARS with a baseline evaluation of the state of IT, identify areas where improvement can be made, and make recommendations
Generally Recognised Accounting Practice
(GRAP)
Simulated Target Attack and Response
(STAR) Phase 2 + Phase 3 IT Assessment
Objective • Assist SARS with implementing and prioritizing the recommendations from the IT Assessment - 21 areas
• Ensure knowledge transfer to SARS personnel
Objective Provide SARS with an assessment of the SA Cyber Threat, assess their vulnerability to this threat and test their capabilities
Time boxed to 10 weeks Constraint
10 weeks 5 Months 13 weeks
Output
Provide me with ground truth Measure/Baseline SARS against other like organisations What is required to build upon the Modernisation foundations?
Approach • Communicate to the SARS sponsor recommendations of the IT Assessment
• Create individual team charters and agree with Sponsors.
• Work with team sponsors to confirm the recommendations, create a plan of action, assist with implementation and/or creation of costed business cases
Change of Scope
Test was cancelled. Remaining funding moved to direct assistance to CISO – organizational design and business cases
Objective Assistance to SARS in the migration of accounting standards to GRAP issued by Accounting Standards Board
Approach Gartner co-ordinated and provided the IT subject matter expertise within a team consisting of SAP specialist and Accountants.
Are we confident that we are able to secure personal and corporate data?
20 months
Gartner put in place a governance mechanism that ensured that the work performed and the outputs produced were verified against Gartner research, best practice and benchmarking data
Gartner Executive Committee
Global Head of Consulting
Michael Lithgow
Head of Global Practices
Head of Global Operations
Gartner Quality Assurance
Head of Quality Management
Head of Global Practices
Head of Customer Satisfaction Surveys
Gartner Programme QA Reviews
• Head of Global Sourcing – Steve Buckley
• Head of Global Strategy – Shafqat Azim
• Head of Global Applications – Lindsay McRory
• Head of EMEA Infrastructure and Operations – Jeremy Griffith-Hone
• Head of EMEA Security – Terry Bebbington
• Head of Global Organisational Design – Scott Lever
• Head of Global IT Service Management – Andre Gravel
• Head of EMEA Benchmarking – Chris Smith
All deliverables reviewed before release to SARS.
Heads of Practices responsible for ensuring Delivery Consultants had access to most up to date research, toolkits and data.
Michael Lithgow reported to Gartner Executive Committee monthly: • Project review and progress • Risks • Finance
There were 3 quality check points:
• Sign off of charters by SARS work-stream sponsors
• Sign off of deliverables by SARS work-stream sponsors
• Independent survey conducted by Gartner Quality Assurance
Addressing USAID and TADAT as a better set of models
USAID has been used to put forward alternative models for Tax Administrations. This is a valuable report and does contain good general information and direction. Its purpose was to support USAID effort in central and southern America. Its main focus was on ‘start-up’ countries with a very low level of maturity. Gartner would not view South Africa in this bracket.
TADAT is a tool kit that examines high level business processes. It will help inform an organization as to whether its high level functions are effective and efficient. However, it does not cover IT. An ‘A’ rating does not indicate an ‘A’ class IT organization. Gartner IT Score will measure the effectiveness of the IT organization to support the business processes. A Level 4 maturity does not necessarily equal a Level 4 business process. They are complementary but answer different questions.
Protecting Citizen Data and SARS Reputation
Sample Questions from Survey
We supplemented with interviews where required
"Have to stop fraud – R50 million lost in last two weeks"
“SARS is a target for fraudsters / hackers and people taking over personal identities of Taxpayers for scams etc. So you need a suite of tools and domain names etc. Local easier but attacks on international taxpayers."
"What keeps you awake at night? Identity theft threats… Info Sec Access to Information vs Protection Integrity of data (lack thereof) hold SARS back. Thus is hurting SARS as it affects outstanding returns… Cybersecurity and DDOS…"
“There is no CISO at present… An IT Security strategy is needed as it does not exist"
"There are significant forensic issues, we should highlight problems are and make proposals"
“[Anonymous] is concerned about vulnerability to cyber attack…"
Engagement: 330027277 | © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. 11
Is data and information security sufficient to protect citizen data and SARS reputation? Gartner believes that SARS security is insufficient
Issue
• There is insufficient alignment of IT security initiatives to address key risks
• There is no holistic view of exposure as a result of a fragmented and inadequate risk management approach
• There is no ownership of risk management activities
• There is no formal strategy for (a) endpoint protection; (b) classification of hosts by control; (c) long-term storage and off-line storage of encryption keys and cryptographic content; (d) cyber attacks.
Recommendation
1. Formalise the role of Chief Information Security Officer (CISO) and build a security team with a comprehensive roadmap to execute the security programme
2. Establish an effective security education programme to influence behaviour and culture by all employees
3. Define formal identity data management processes and a formal endpoint protection strategy with regular review and validation.
4. Establish a cyber security strategy to protect citizen data
Evidence
Gartner was unable to discover a formal strategy for:
• Endpoint protection
• Classification of hosts by control
• Long-term storage and off-line storage of encryption keys and cryptographic content
• Cyber attacks
New HMRC cyber crime team to tackle tax fraud by organised criminals. The specialist cyber crime team will protect both HMRC and taxpayers from organised criminals using increasingly sophisticated methods to target HMRC’s tax repayment systems.
Info Security 2.6 IAM 3.0 Privacy 2.3
What is on the dark web and public locations that contains SARS sensitive information
Findings Overview
1. Clear text usernames and passwords of SARS employees leaked.
2. Details of sars.gov.za email addresses and credentials recovered from major hacks such as adult websites, Adobe, 000Webhost and SalesForce (some home addresses also).
3. Multiple SARS domains support SSL v2, which is especially vulnerable, plus other vulnerabilities in older but active domains.
4. Documents marked ‘Confidential’ found in Open Source research.
5. Tax payer machines are infected by PONY Malware leaking tax payer User Names and Passwords.
6. The Hacking Team ‘Hack’ includes emails showing SARS wishing to buy specific cyber security products.
7. Employees, suppliers, 3rd party associates and contractors leaking targetable information on websites, profiles and CVs.
8. Fake domains and Social Media being used to target taxpayers and SARS employees.
Anonymous and supporting individual actors, States of Israel, Israeli proxy group, Peoples Republic of China (PRC), PRC proxy group, Russian and European Organised crime groups, Nigerian Organised crime groups.
Excluding Anonymous, No other known Dark Web chatter on direct targeting of SARS or senior staff members (Research ceased).
Adversaries Not Found
REDACTED
REDACTED
CONFIDENTIAL AND PROPRIETARY Project Number: 330030117 | © 2016 Gartner, Inc. and/or its affiliates. All rights reserved. 13
Threat Assessment – Summary Findings
Findings Overview
Excluding Anonymous, No other known Dark Web chatter on direct targeting of SARS or senior staff members (Research still continuing).
Note this level of exposure is not uncommon in both the commercial and public sector. It is an unusual level of presence/exposure for a Tier 1 Financial Institution or a Government Department that has custody of sensitive security, economic or personal data. Several core SARS domains had exploitable vulnerabilities for Internet facing services and this would tally with a SARS maturity score of 2.57. The Public Sector and Financial Services peer comparators were 3.0 and 3.41 at the time of the exercise. A world class security organisation today would have a maturity score of 4+. A world class security organisation would have a fully staffed intelligence led security operations centre (SOC), cyber incident response team (CIRT) and Cyber Intelligence team providing detection and response type services across the enterprise. Gartner saw limited evidence of this type of capability within SARS at the time of the assessment.
Gartner then identified the major threats to South Africa and SARS – comments below valid as of 2016
CONFIDENTIAL AND PROPRIETARY Project Number: 330030117 | © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. 15
What Did Gartner Recommend – Selection of Internal Candidate for promotion into CISO Appointment +……
Vision Enable SARS to become an advanced and highly effective and efficient organisation by establishing an engaged Information Security capability focused on protecting the information assets of SARS
Mission To be a trusted critical business partner consisting of high performance individuals and teams with integrity that enables secure digital progression, continuously deliver value and safely manage information assets in line with SARS mandate and according to SARS Strategy
Key Objective To establish a comprehensive and mature information security programme on par with global tax, customs and excise authorities
The information security strategy has been defined to guide the establishment and operations of the information security functions within SARS for the period 2016/17 to 2018/19. The strategy has considered and is aligned to both the SARS Business and IT strategies for this period. Information Security is an enabling capability driven as a strategic imperative that is incorporated by default into all aspects of ICT planning, solution delivery and operational business-as-usual processes.
The SARS information security function is mandated to:
• Protect taxpayer and government information;
• Enable the achievement of the SARS business plans;
• Safeguard the SARS reputation;
• Establish a comprehensive and mature information security programme on par with leading global tax, customs and excise authorities;
• Maintain a risk profile commensurate to its risk exposure;
• Have a security environment commensurate with international standards; and
• Comply with information security related legislative, regulatory and government standards and policy requirements.
The strategy has been developed to meet this mandate and address the gaps in the security functions and supporting process and technology capabilities.
Strategy Execution
To execute the strategy, at least 35 projects have been identified and grouped into 9 strategic programmes that implement around 70 recommendations identified in a security review conducted at the end of 2015. An investment of an estimated R300m over the period 2016/17 to 2018/19 will be required to implement these programmes, in addition to the establishment and staffing of the defined security organisation functions. The execution of the strategy will be measured through progress against a security benchmark. As at 2015/16 the SARS security maturity benchmark score was 2.57 while the target by the end of 2018/19 is a minimum score of 3.1. This target score represents the security maturity of global peer organisations as at January 2016.
Information Security Vision & Mission
Development of a comprehensive Plan
The strategic plan consisted of 9 strategic programmes built around 35 projects. The projects addressed around 70 security gaps. This represented a comprehensive security programme that aimed to improve all aspects of the SARS information security capability – people, process, technology and policy.
Strategic programmes:
1. Information Security Management Programme
2. Application Security Improvement Programme
3. Data Protection Programme
4. Service Continuity Programme
5. Identity & Access Management Programme
6. Network Security Programme
7. Security Monitoring & Analytics Programme
8. Endpoint Protection Programme
9. Physical Security Integration Programme
4. Major Programs
Programme | 2016/17 | 2017/18 | 2018/19
1. Information Security Management Programme | 8 384 800 | 4 935 200 | 939 200
2. Application Security Improvement Programme | 23 915 200 | 14 052 000 | 6 163 600
3. Data Protection Programme | 37 634 400 | 11 095 200 | 3 156 800
4. Service Continuity Programme | 10 848 800 | - | -
5. Identity & Access Management Programme | 22 683 200 | 27 857 600 | 4 635 200
6. Network Security Programme | 60 370 400 | 19 001 600 | -
7. Security Monitoring & Analytics Programme | 3 478 400 | 8 913 600 | 3 971 200
8. Endpoint Protection Programme | 1 971 200 | 8 778 400 | -
9. Physical Security Integration Programme | 5 442 400 | 8 413 600 | -
Total | 174 728 800 | 103 047 200 | 18 866 000
Total 3 Year Investment | 296 642 000
Information Security Programmes containing 35 Projects
We also prioritised the work to enable SARS to make judgements on what was most important
[Figure: prioritisation matrix of the nine programmes. Axes: Enterprise Impact (Low to High) and Urgency (Low to High). Quadrants: Strategic, Quick Wins, Foundational, Low Priority. Bubble size: Size/Challenge (High, Medium, Low). Bubble labels: 1. Continuity, 2 – InfoSec Mgnt, 3 - IAM, 4. Analytics, 5 - Data, 6 - Application, 7 - Network, 8. Endpoint, 9. Physical.]
Goal 1: To be a trusted critical business Partner
Goal 2: High performance individuals and teams with integrity
1. Service Continuity Programme
2. Information Security Management Programme
Goal 3: Enable secure digital progression
3. Identity & Access Management Programme
Goal 4: Continuously deliver value
4. Security Monitoring & Analytics Programme
5. Data Protection Programme
Goal 5: Safely manage systems and information assets in line with SARS mandate and according to SARS Strategy
6. Application Security Improvement Programme
7. Network Security Programme
8. Endpoint Protection Programme
9. Physical Security Integration Programme
Finances STAR Part 2
Funding for STAR – Part 1
• Assessment of SARS profile on the Dark Web and other locations
• Assessment of SARS vulnerabilities
• Intelligence analysis of threats against SA and SARS
• Identification of current Tools, Techniques and Tactics
• Workshop to create credible threat scenarios
Delivery Resources: Gartner UK
Funding for STAR – Part 2
• Completion of Security Strategy
• Sub Strategies 1-9 – previous slide
• Business Case Preparation
• Business Case for Organizational Structure
Delivery Resources: Sanjay Charavanapavan, John Cato, Eben Muko, Terry Bebbington (QA)
Using Technology to Create Efficiencies and Savings
What did we discover from the IT Assessment Contact Centres
Medium
Issue
• There has been no planning undertaken to take SARS into a Digital Customer Service future
• There is no clear strategy to determine whether SARS IT strategy is based upon bespoke applications or investment in an ERP (SAP) platform
• Contact Centre (‘shop window’) is far below industry standard
• Public published statistics are misleading and create a misleading sense of progress
Recommendation
1. New customer focussed Customer Service strategy, including digital customer interaction channels, required
2. Develop Voice of the Customer (VoC) strategy based on COTS product to actively listen to the SARS customers
3. Replace the home grown Contact Center with COTS solution inclusive of digital channels and knowledge management
4. Determine ERP (SAP) strategy
Evidence
The digital services that have been delivered, i.e. eFiling, have increased the number of calls into the Contact Centers as opposed to reducing the interactions customers need with SARS. There is no focus on any “Voice of the Customer” (VoC) initiative to listen to customers, and current satisfaction survey mechanisms deliver a <1% response. The software developed by BB&D for the contact center will require significant investments of time and money in order to implement an omnichannel strategy.
Contact Centres – Building a Strategy
The contact strategy was created around:
1. Move tax payers from Direct (Branch Offices) to Indirect Channels (Contact Centre)
2. Meet changing customer demand – automation, multi-channel, digital experience.
3. Create efficiencies – reduce number of Branch Offices/Reduce Staff/Re-Purpose
This was an Omni-Channel programme of work – Omni-Channel does include face to face and branch offices.
However increasingly citizens will want to move to a digital experience. This was the ground work for this to happen.
Contact Centre Strategy Presentation, Firdous Sallie, 6th June 2016
South African (SA) statistics show 46% of the population are already internet users and 92% of these internet users own a smart phone. Of this group there are 80% that have a data plan and the remainder access the internet via free Wi-Fi hotspots.
Gartner assisting the workstream leaders to take ownership of the business cases going forward
17th August 2016: Omni-Channel Business case sent to Gartner for review.
Submission of Business Case
5th June 2016: Firdous Sallie shares strategy ppt with Gartner workstream leader. “Again allow me to thank you for being so open in sharing your previous presentations as it enabled us to reference it”
Illustrating the Concept of Omni Channels
19th May 2016: Firdous Sallie asks for Gartner to review her slide show
Direct Channel Improvement Plan
8 Sep 2015: Firdous Sallie confirms support to Gartner Team Leader in discussion with Bain. “Looking forward to an improved and better customer experience”
Moving Ahead with Programme
Invitation to Working Session for Phase 1 Findings & Planning
4th August 2015: Invitation sent from Gartner Team Leader to Firdous Sallie
• Presentation on Phase 1
• Discuss Gartner recommendations for Phase 2
• Discuss resources needed for Phase 2
• Timeline for Phase 2 activities
The Business Case was produced by SARS with Gartner Support
Queue Name | Number of Interactions | Potential Cost Savings
Advanced General Queries | 628 737 | R 20 748 321,00
Complex Queries | 252 488 | R 8 332 104,00
Estate Queries | 87 960 | R 2 902 680,00
Express Queries | 1 317 705 | R 43 484 265,00
Small Business General Queries | 617 340 | R 20 372 220,00
Standard General Queries | 626 073 | R 25 668 993,00
Tax Practitioners | 125 547 | R 4 143 051,00
TOTAL | 3 655 850 | R 125 651 634,00
Gartner RFQ Pricing Ranged from R95m – R294m
Challenging Supplier Costs & Upskilling SARS People
From the IT Assessment Gartner identified that SARS spend on IT as a proportion of overall operating cost was 22% v peer group of 15% and Financial Services 11%
Therefore for Phase 2, there was a focus on Applications Development – how can you manage the cost better? The aim of Gartner was to make SARS more self-sufficient specifically in managing application projects. This involved training 18 SARS personnel who would then form a ‘Value Management Centre’ for application projects. This is an observed best practice in many organisations including Tax Administrations, Financial Services and telco providers.
Why is application development cost a problem to manage?
Traditionally you competitively tender for application development and application support. Suppliers put forward a ‘rate card’ – the cost per man day of effort for different levels of experience. As price in tender assessments typically accounts for between 40%-60% of the marks awarded, the tenderer is incentivized to provide a low rate card. However, you are now at the mercy of the provider.
The difficulty with rate cards is that you cannot measure the scale or complexity of an application project accurately. Therefore all you can argue about with the supplier is effort – which the supplier may or may not agree with.
Gartner proposed using Fast Function Point Analysis. This is an internationally recognized methodology for:
• Sizing application projects or whole applications in what are known as Function Points
• Using benchmarking data to understand the typical ‘productivity’ (function points per day) for that type of work
• Using a rate card to calculate the cost of the requirement (function points required, divided by application developer productivity, multiplied by day rate)
Illustrative exchange between customer and supplier:
– “Can you develop me an application?”
– “Yes I can, it will take 4,500 man days of effort and it will cost you R100m”
– “That seems a lot”
– “Well it is very complicated but you have a really good rate card. As a special customer we will charge you R85m”
Gartner upskilling and empowering 18 SARS personnel to establish a Value Management Initiative focused on application projects.
Training delivered in SARS by Gartner personnel to 18 SARS individuals.
Value Management Initiative would:
• Size all application requirements – calculate the number of function points
• Impose this process on suppliers when bidding for work, requiring them to:
  – Size the work themselves – to compare supplier estimates and to inform internal cost planning
  – Put forward a rate card with productivity per person
  – Calculate the fee
  – Commit to efficiency improvements (increase productivity per person per year), thereby reducing cost to SARS
The training was successful and the individuals highly motivated – investment by SARS to upskill their people and an exciting new role in establishing a new capability. When fully implemented Gartner would expect to see financial savings on application development and enhancement of the order of 25%.
Phase 2 Charter
GRAP & Why not SAP?
SAP – there was one formal project that examined GRAP and an informal request to facilitate discussion on ‘Why Not SAP?’
GRAP – Generally Recognised Accounting Practices
The overall objective of the Gartner review was to assess the GRAP plan for achieving GRAP compliance by 31 March 2018.
Gartner made use of SAP expertise and locally based accountants familiar with GRAP.
Gartner assessed that the present Core Tax Systems were unable to produce reporting in accordance with GRAP requirements. Continuing with a revised / upgraded SAP implementation process across all tax types and utilising the SAP TRM/PSCD functionality would assist in attaining GRAP compliance.
Recommendations:
– Undergo a significant IT system transformation.
– Transform solutions / systems to enable GRAP compliance service delivery, and transform system functionality from cash to accrual accounting, including estimation, reversal and adjustment functionality.
– Leverage GRAP compliance within current SAP investment (and sunset aging redundant and non-compliant bespoke systems and system components), applying best practices to the licensed SAP TRM product suite.
– SAP is currently highly under-utilised with SARS using only around 20% of the licensed SAP Tax and Revenue functionality.
– Compared with other SAP installations, SARS has too many accounting exceptions/errors requiring adjustment (allocations). These manual actions should be an exception - being prevented by automation and validation rules. A central SAP tax platform would provide such capability.
Why Not SAP?
SARS COO requested Gartner to facilitate an internal review on the question of ‘Why Not SAP?’
Valid question as there was considerable internal debate on build v buy
SARS has already invested in SAP TRM (Tax and Revenue Management) as well as purchasing life time licenses for the use of SAP TRM which were not being utilized.
Gartner:
– One to one discussions with existing tax administrations who were using SAP and TRM, including HMRC (UK Tax Administration and Customs)
– Organized discussions with SAP Germany
– Held internal workshops
– Included business and their concerns
This was not a contracted activity, and Gartner undertook this work in parallel with other ongoing workstreams.
USAID Recommendations:
In total cost of ownership terms, custom-built solutions may be cheaper for smaller tax administrations, particularly in consideration of licensing costs, whereas COTS solutions may be more cost effective for larger implementations with a wider breadth of system requirements. COTS solutions may be appropriate where there is major tax administration reform across all tax administration functions that requires sufficient funding and commitment to reform.
What were Gartner observations on ‘Why not SAP?’ Gartner prepared a report for EXCO.
This was not a formal deliverable and Gartner was not asked to make a recommendation.
Gartner did highlight the following:
– Investment in licenses had already been made
– Simplification of application environment – cost and ‘time’ to implement changes – 50 plus custom applications existed
– Single view of customer
– Potential powerful analytic tools
– ‘Time to market’
– Cost of maintaining current legacy environment
– SAP experience in SARS
Gartner understands that the EXCO took the decision to adopt a SAP First policy. However, Gartner understands that there remains resistance to this approach.
Are there alternatives to SAP?
Over the past 20 years, the market for Integrated Tax Systems has matured and evolved. Many of the sizable and established jurisdictions went through an initial COTS implementation, but are soon to return to the market in search of a next-generation COTS system, representing a new market opportunity to the updated and changed vendor landscape.
– Fast Enterprises initially captured a portion of the market with their GenTax® suite and has begun to re-compete as their initial COTS solutions/versions near the end of their useful life cycle. Major player in the market.
– SAP’s Tax & Revenue Management (TRM) has mostly held a footprint in Europe, but also found success in a few U.S. states. Over 350 deployments world-wide.
– RSI has emerged as a top competitor to FAST in the North America market, positioning itself as a robust and flexible alternative (recent wins in Saskatchewan). Emerging player.
– Like SAP, Oracle has found success internationally and in a few U.S. states, but is not seen as a major player.
– Quite a few others (TCS, TechnoBrain, STI, DataTorque, AtoS, and FreeBalance) have relatively new products with the potential to be a good match for some jurisdictions.
Gartner has been following the ITS COTS vendor market and assisting clients globally to analyze, evaluate, select, and implement the right COTS solution (if applicable) to match their environment and unique vision for future operations.
Governance – Ensuring alignment with King III
A Compliant Governance Strategy
Measure | Result | Target end 2018
Phase 1 Assessment (March/April 2015)
IT Governance Capability (Scale 1 to 5) | 2,45 | 3,1
IT Risk Management | 2,70 | 3,1
IT Renewal Programme (November/December 2015)
King III | 51,67% | 85%
Public Service IT Governance Framework | 40,75% | 75%
The guiding principles for Gartner in designing the governance structure were that it must be compliant with the SA Legislative and Regulative environment:
• KING III
• Corporate Governance of ICT Policy Framework (Department of Public Service and Administration)
Both from the IT Assessment and a workshop in Phase 2, there was concern expressed with SARS compliance with these frameworks. It would have been irresponsible of Gartner to have designed a Corporate Governance model that did not fully comply with these key regulations/legislation. Gartner did recognize that this would add additional ‘process’.
Gartner has designed governance frameworks for a large number of public sector clients which have been very successfully implemented. But there is a constant tension between too much and too little.
IT Strategy – Providing the Roadmap for taking Modernisation to the Next Step
37 This document is strictly confidential
1. Executive Summary: IT Success Criteria/Business Success
SARS Strategic Objectives
– Increase customs compliance
– Increase tax compliance
– Increase ease of doing business with SARS
– Increase fairness of doing business with SARS
– Increase cost-effectiveness
– Increase efficiency
– Increase institutional respectability
– Turnaround customs and excise
– Address the tax gap and increase compliance
– Become a customer centric organisation
– Build a high performance culture and operations
– Improve Information services and technology, at the service of the organisation
– Implement revised operating model to support strategic priorities
IT Success Criteria
External Focus
– Improved system availability
– Improved system usability
– Complete systems
– Leverage Big Data (Strategy, framework and tools)
– Enabling multi channel framework
– Enhanced Customs and Excise system
– Enable single flexible tax engine
– Enable 360 degree view of client
– Complete key Initiatives *
– Improved change management
Internal Focus
– Improved IT governance
– Improved IT HCM
– Improved service management
– Improved IT sourcing
– Improved architectural capability
– Improved security
– Improved vendor management
– Improved portfolio and project management
– Improved application management
– Improved customer management
– Mode 2 and Agile implemented
* E.g. Establish Data and Information Management Capability, Move off Mainframe, Interfront Strategy, NCAP, GRAP
Broad Business Requirements
– 360 degree view of clients
– Increased pre-population/validation
– Improved analytics
– Improved customer experience (registration, eFiling, queries, information)
– Improved user experience
– Improved customs and excise systems (new legislation)
– Innovation enabled
– Improved reputation
– Increased agility
– Simplification
– Automation
– Broaden tax base
1. Executive Summary (Continued): IT Strategy on a Page
IT Vision: Enable SARS to become a digitally advanced and highly effective and efficient organisation
IT Mission: To be a critical business partner consisting of high performance individuals and teams that enable digital progression, continuously deliver value and safely manage systems, security, corporate data and information for the benefit of SARS and according to its mandate.
Strategic Shift: Prepare for increasing digitalization: Bimodal, Big Data and Analytics, Improved Customer Multichannel Interaction, 360 View and Pre-population
IT Principles
– IT serves business (Business Partner)
– Partner well (Vendors, other state entities and internally)
– Architect for the future
– Consider buy before build
– Simplify, standardise and rationalise
– Keep renovating the core
– Good Governance, Risk and Compliance is good IT
– Consciously build and maintain a transformed IT organisation
Strategic Priorities
People
– Stabilise the division (Culture and Alignment with goals)
– Leaders appointed and development plans implemented (skills for future)
– Recruitment for revised organisational structures complete
– Skills development and capacity building
IT Strategy
– IT Strategy complete and communicated (Rationalisation, de-risking, improve)
– Strategic plans completed and projects started per plan
– Key IT enablement projects completed (Data Management, Security, etc.)
“Big” Decisions
– Moving off the mainframe decision taken and projects started
– Interfront decision taken and acted upon
– Review of SARS role in other State Entities projects (Guide/Assist/Do)
– SAP as enterprise solution
Sourcing
– Tower tenders complete and awarded
– Active planning for additional work
– Proactive sourcing capability building
– De-risking and dependence reduction on external vendors
Applications
– Understand and consider full SAP offering, architecture and strategic direction
– Stabilize and upgrade existing SAP capability including catering for GRAP
– Plan expanded usage and schedule and Complete projects (VAT, PAYE and MT)
– Customs re-development according to SARS standards and priority
Description
– Governance: Improve governance through the re-introduction of COBIT aligned with King and ISO 38500 in three phases
– Service Management: Strengthen the service capability through the upgrade and application of ITIL supported by people and training
– Architecture: Implement an enterprise architecture capability supported by correct staffing and tools
– People: Stabilise the organisational structure, followed by getting the basics right and lastly to implement advanced HCM practices
– Sourcing: Move procurement from reactionary and adversarial to proactive and value adding (staff, use of tools, training)
– Security: Upgrade security through a combination of people, skills and tools to be delivered via 35 projects in 9 programmes
– Change: Implement a uniform and consistent change management approach utilising PROSCI and management involvement
– Applications: Rationalise the application portfolio, reducing duplication and implementing an appropriate asset management tool
– Finance: Move from a budget oriented view of finance to a value understanding through activity based costing and show back
– PPM: Combine PMO’s rationalising and standardising tools, methodologies and training
4. Major Programs (Straw Model): Composite High Level Roadmap and Costs
To be refined / elaborated in strategy initiative 2
[Figure: roadmap chart. Timeline axis: 2016, 2017, 2018, 2019, 2020, Beyond. Lanes: Tax, Customs, Support, DIST (Innovation, Independence, Insight). The legend marks funded items, potential SAP applications and DIST led initiatives.]
6. Major DIST Programs and Project Costs by Domain
2016/17 2017/18 2018/19
1. Strategy 6 400 000 10 500 000 15 500 000
2. Application Management 13 000 000 3 700 000 4 700 000
3. Change Management 2 064 802 1 000 000 1 900 000
4. Enterprise and Solution Architecture 182 500 000 304 300 000 272 000 000
5. Governance 9 989 835 4 229 945 997 980
6. Human Capital Management 465 000 - -
7. Project & Programme Management 13 500 000 6 400 000 9 800 000
8. Security 151 293 600 124 546 400 18 866 000
9. Service Management 4 000 000 19 500 000 19 200 000
10. Sourcing and Vendor Management 1 500 000 - -
Total 384 713 237 474 176 345 342 963 980
Total 3 Year Investment 1 201 853 562
IT Programmes by 10 Domains
Composite High Level Roadmap and Costs
What were the Barriers to Change
Barriers to Change
During the Phase 2 activity there was a significant amount of turbulence in SARS.
– Staff were unsure of their roles
– Staff were being asked to re-apply for their appointments
– Engaging with some leaders was challenging due to turbulence
Resistance to change within SARS
– This resistance was more than just Gartner
– But there were attempts to derail the work
Lack of strong committed leadership in some key positions
– Raised with Commissioner (Letter and VTC)
Modernisation
Engagement: 330027277 | © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. 44
Has modernisation delivered impact and value for money?
Gartner believes that impact which has value has been delivered but not at fair market rate
Findings
– R3.997bn expended
– Appropriate approval and governance was lacking
– Procurement process did not meet best practice
– A high degree of dependence on 3rd parties created
– Complex bespoke environment exists which has had cost implications and will continue to have down-stream cost implications
Evidence
– Tender documentation was based upon an unclear requirement and not linked to outcomes
– Via an exception process a 3rd party was contracted without competition originally for R95m, with whom SARS has now spent R1bn+
– No business case linking investment to business requirements to outcomes
– IT spend is above peers and what Gartner would expect
Recommendation/Actions
Gartner recommends that SARS:
1. Conduct an audit to identify lessons learnt plus quantify expenditure and deliverables to date
2. Unify IT and Modernisation into a single accountable governance structure to the Board
3. Undertake a financial analysis of the whole life cost of existing IT
4. Review current planned projects in order to:
I. Alignment to business need
II. Not duplication or overlap
III. Will deliver value for money
Is SARS IT Spending in line with the Industry?
Gartner assessment is that SARS is above the Industry average
Low
Issue & Evidence
– When the Capex spent on Software is taken into account, the Software costs for SARS are 37% compared against the peer* group’s 8%.
– SARS has a much higher total number of employees than the peers: 13,752 in SARS versus 5,514 in peers. This is an indication of low automation levels in SARS.
– The SARS distribution of IT resources is also substantially different than the peers – 61% of resources are within the Application Development & Support areas versus the peer’s 41%.
– SARS has a higher IT capital expenditure than their peers – 31% compared against the peer’s 22%.
– SARS total IT Spend of 22.8% of the company’s operating expenditure is substantially higher than the Tax Administration peer of 15.85% as well as Financial Services peer (11.08%).
Recommendation
1. Undertake an organisational design review to identify gap to best practice and actions to close
2. Review planned capex against value for money and strategy alignment
3. Determine software development and support costs (productivity) against industry norm and top 25% percentile in order to establish improvement plan
IT Assessment
GARTNER CONSULTING
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved.
Issues and Recommendations
SARS Strategic IT Assessment
Prepared for:
Project Number: 330027277 22 April 2015
Key Design Principles
In designing all the recommendations, Gartner focussed on the following key business principles:
Gartner Design Principle #1: SARS core business is Revenue Collection – SARS needs to re-focus on its core business and all issues surrounding service delivery of the core business of Revenue Collection.
Gartner Design Principle #2: SARS is a Customer Centric Organisation – SARS needs to instantiate services, solutions, technology and structure that are focussed on delivering a great customer experience across all current and future customer interaction channels.
Gartner has been engaged to conduct a “Health Check” along 5 IT dimensions
Dimensions: IT Strategy Review; Architecture & Technology; Sourcing Governance; App. Dev & Project Management; Modernisation Project
■ IT strategy aligned with business goals and strategy
■ Risk policies and procedures
■ IT delivery against IT strategic plan
■ IT HR assessment
■ Data and information security
■ Documented IT environment
■ Overall cost of IT and ROI
■ Business cases existence and realization
■ Efficiency and effectiveness of infrastructure
■ Governance in terms of bespoke and developed software
■ Governance in relation to intellectual property
■ Ownership of IP and where are Escrow agreements stored and who has access rights
■ How is governance around the awarding of software contracts
■ S/W development methodology & best practice alignment
■ Project Management best practice
■ Sustainability of the O/S, RDBMS, development tools, applications & reusability
■ Bespoke versus development or vice versa.
■ Project Management capability within SARS & on time budget and quality delivery
■ Spent to date and still to be spent
■ Delivered to date and still to be delivered
■ Effectiveness and efficiency of contract management & the sourcing of vendors
■ Review of contractual arrangements, service level agreements, escalation procedures, product specifications, transitional requirements, roles and responsibilities, and exceptions.
■ Review all the supplier agreements
Process followed - Gartner's ITScore Maturity Models
• Most maturity models are only process-focused
• Gartner ITScore expands the maturity model to assess people, technology, and business management maturity.
• The Gartner ITScore is action-oriented – not just a "grade"
• It enables the creation of a prioritized systematic road map for improvement over timeframes.
• Gartner ITScore has been tested against international market realities and proved to be accurate
Gartner's ITScore Typical Focus Areas (Example)
Typical Management Dimensions and their Typical Management Attributes:
Technology: • Standards • Efficiency • Service quality/agility • Tools
People: • Organisation • Roles • Culture • Skills • Training • Metrics
Process: • Focus • Standards • Integration • Metrics
Business: • Planning • Financial management • Metrics • Governance • Sourcing • Project management
Maturity Levels (customized to area being measured): Level 1: Awareness; Level 2: Committed; Level 3: Proactive; Level 4: Service-Aligned; Level 5: Business Partner
Axis label: Business Value
The IT Score Maturity Levels (Example)
Level 1 Awareness; Level 2 Committed; Level 3 Proactive; Level 4 Service-Aligned; Level 5 Business Partner
[Figure: example characteristics plotted against the five levels; their placement by level is not recoverable from the extracted text. Characteristics shown: Reactive, Firefighting; Ad Hoc Processes; Low Customer Confidence; Looking at Industry Best Practices; Initial Process Formalization; Working on Implementing Industry Best Practices; System Management Tools Integration; Consolidation/Standardization; Tiered Support; Day-to-Day Processes Mature; Industry Best Practices in Place; Widespread Virtualization; Service SLAs; Process Automation; Hybrid Cloud Computing; Trusted Service Provider; Pilots New Technology for Business Innovation; Strategic Relationship Managers.]
Engagement: 330017106 | © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. 53
Findings & Recommendations
Executive Summary
In undertaking the health check Gartner were asked to comment on key areas of activity and investment for both the Modernisation programme and IT
Has modernisation delivered impact and value for money? Medium
Is there a sufficiently accountable and transparent governance structure in place to ensure the right investment decisions are made? Low
Is there an executable plan to ensure that going forward IT is aligned to business needs/drivers? Low
Is data and information security sufficient to protect citizen data and SARS reputation? Medium
Should SARS continue to ‘own’ Interfront as a commercial entity? Low
Is SARS positioned to deliver and support citizen centric services that will create more efficient and effective ways of tax and customs revenue collection? Medium
Is SARS IT spending in line with the Industry? Low
Has modernisation delivered impact and value for money?
Gartner believes that impact which has value has been delivered but not at fair market rate
Findings
– R3.997bn expended
– Appropriate approval and governance was lacking
– Procurement process did not meet best practice
– A high degree of dependence on 3rd parties created
– Complex bespoke environment exists which has had cost implications and will continue to have down-stream cost implications
Evidence
– Tender documentation was based upon an unclear requirement and not linked to outcomes
– Via a lawful exception process a 3rd party was contracted without competition originally for R95m, with whom SARS has now spent R1bn+
– No business case linking investment to business requirements to outcomes
– IT spend is above peers and what Gartner would expect
Recommendation/Actions
Gartner recommends that SARS:
1. Conduct an audit to identify lessons learnt plus quantify expenditure and deliverables to date
2. Unify IT and Modernisation into a single accountable governance structure to the Board
3. Undertake a financial analysis of the whole life cost of existing IT
4. Review current planned projects in order to:
I. Alignment to business need
II. Not duplication or overlap
III. Will deliver value for money
Is there a sufficiently accountable and transparent governance structure in place to ensure the right investment decisions are made?
Gartner view is that there is insufficient accountability and transparency
Low
Findings
– In both the Public and Commercial Sector there is a requirement to account for decisions and financial investments made – Parliament or Shareholders. This was lacking in SARS
– Investment decisions were made with no quantifiable benefits nor clear accountability by a Senior Reporting Officer (SRO)
– It was unclear when a project had been delivered resulting in further expenditure and lack of control
– Whilst no evidence of illegal activity was discovered procurement fell short of best practice.
Recommendation
1. Establish a stronger governance regime that covers all IT Investments
2. Review existing contracts (appropriateness, value for money, quantifiable outcomes) to assess alignment with SARS objectives
3. Ensure that for each project there is a Senior Reporting Officer accountable for the project
Evidence
– A governance forum existed for Modernisation but the Modernisation agenda was largely driven by a single individual and Business were not fully consulted in IT investments
– The IT Governance Framework is not defined and therefore the effective decision-making on IT was not well understood by all stakeholders
– Existing contract relationships were expanded to circumnavigate the need to go to market in order to achieve best value.
SARS
Is there an executable plan to ensure that going forward IT is aligned to business needs/drivers?
There is not a documented plan that exists that has been approved by business
Low
Issue
– The investment in IT, specifically modernization, is not aligned to any SARS business plan
– There is no forward looking roadmap that a Board of Directors can either improve or understand the value of the investments being made
– This has resulted in a high level of distrust in the Modernisation programme
– The Modernisation programme has delivered a number of good outcomes but these are eclipsed by the perception that it was unaccountable
Recommendation
1. A formal IT strategy developed with clearly documented initiatives that meet business priorities.
2. Priority for initiatives to address compliance, enhanced revenue collection and customer centricity.
3. IT should be unified and move to a service based organisation accountable via a Chief Information and Digital Officer to the EXCO
Evidence
– There is no formal signed off IT Strategy in SARS.
– The lack of an IT strategy and IT Strategic Plan is limiting SARS from effectively managing IT demand, supply and control.
– The Modernisation programme worked on a principle of “memos” describing what was going to be done. These memos included elements of alignment with SARS Business Plan but this was never 100% matched with the business needs.
– SARS IT is treated as a cost centre which is not the recommended operating model for driving efficiency and business alignment.
SARS is below comparable organisations in execution of strategy
Is data and information security sufficient to protect citizen data and SARS reputation?
Gartner believes that SARS security is insufficient
Medium
Issue
– There is insufficient alignment of IT security initiatives to addressing key risks
– There is no holistic view of exposure as a result of a fragmented and inadequate risk management approach
– There is no ownership of risk management activities
– There is no formal strategy for (a) endpoint protection; (b) classification of hosts by control; (c) long-term storage and off-line storage of encryption keys and cryptographic content; (d) cyber attacks.
Recommendation
1. Formalise the role of Chief Information Security Officer (CISO) and build a security team with a comprehensive roadmap to execute the security programme
2. Establish an effective security education programme to influence behaviour and culture by all employees
3. Define formal identity data management processes and a formal endpoint protection strategy with regular review and validation.
4. Establish a cyber security strategy to protect citizen data
Evidence
Gartner was unable to discover a formal strategy for:
– Endpoint protection
– classification of hosts by control
– long-term storage and off-line storage of encryption keys and cryptographic content
– cyber attacks
New HMRC cyber crime team to tackle tax fraud by organised criminals. The specialist cyber crime team will protect both HMRC and taxpayers from organised criminals using increasingly sophisticated methods to target HMRC’s tax repayment systems.
Should SARS continue to ‘own’ Interfront as a commercial entity?
Gartner does not believe this is core to SARS mission
Low
Issue
– Interfront has delivered value but currently is neither focused solely on SARS nor focused on marketing their solution to the international marketplace.
– Neither SARS nor Interfront fully understands the potential market size and potential future income from the sale of the Customs & Excise software.
– The Customs module will require SARS to invest several hundred million rand to complete the product and shrink wrap it for commercial sales.
Recommendation
1. SARS should not own any commercial entity.
2. Legal opinion should be sought to cancel the agreements and other contractual commitments
3. Interfront has a strategic software development skills base and people with extensive expertise. SARS should consider re-focussing Interfront skills on SARS activities.
Evidence
– The commercial arrangements of Interfront are complex
– The customs solution is tailored for SARS use so would require a fair amount of work to make it suitable for the market
– Some modules of the Interfront customs solution have been built by a 3rd party on a different platform resulting in a duplication of costs
Is SARS positioned to deliver and support citizen centric services that will create more efficient and effective ways of tax and customs revenue collection?
Gartner believes SARS has the capability to achieve this but is not presently doing so
Medium
Issue
– There has been no planning undertaken to take SARS into a Digital Customer Service future
– There is no clear strategy to determine whether SARS IT strategy is based upon bespoke applications or investment in an ERP (SAP) platform
– Contact Centre (‘shop window’) is far below industry standard
– Public published statistics are misleading and create a misleading sense of progress
Recommendation
1. New customer focussed Customer Service strategy, including digital customer interaction channels, required
2. Develop Voice of the Customer (VoC) strategy based on COTS product to actively listen to the SARS customers
3. Replace the home grown Contact Center with COTS solution inclusive of digital channels and knowledge management
4. Determine ERP (SAP) strategy
Evidence
– The digital services that have been delivered, i.e. eFiling, have increased the amount of calls into the Contact Centers as opposed to reducing the interactions customers need with SARS.
– There is no focus on any “Voice of the Customer” (VoC) initiative to listen to customers and current satisfaction survey mechanisms deliver a <1% response.
– The software developed by BB&D for the contact center will require significant investments of time and money in order to implement an omnichannel strategy
Is SARS IT Spending in line with the Industry?
Gartner assessment is that SARS is above the Industry average
Low
Issue & Evidence
– When the Capex spent on Software is taken into account, the Software costs for SARS are 37% compared against the peer* group’s 8%.
– SARS has a much higher total number of employees than the peers: 13,752 in SARS versus 5,514 in peers. This is an indication of low automation levels in SARS.
– The SARS distribution of IT resources is also substantially different than the peers – 61% of resources are within the Application Development & Support areas versus the peer’s 41%.
– SARS has a higher IT capital expenditure than their peers – 31% compared against the peer’s 22%.
– SARS total IT Spend of 22.8% of the company’s operating expenditure is substantially higher than the Tax Administration peer of 15.85% as well as Financial Services peer (11.08%).
Recommendation
1. Undertake an organisational design review to identify gap to best practice and actions to close
2. Review planned capex against value for money and strategy alignment
3. Determine software development and support costs (productivity) against industry norm and top 25% percentile in order to establish improvement plan
Road Map & Preliminary Timeline
Draft High Level Plan
[Figure: timeline chart by quarter across FY 2015, FY 2016 and FY 2017. Strategic Programs shown: Customer Service; Application Management; IT Governance Enhancement; Sourcing Governance; Architecture And Technology; IT Strategy Development; Project Management.]