Gartner Support to SARS – SARS Commission 2018 (presentation transcript)

Michael Lithgow FBCS FIET CITP CEng, Managing Vice President, Gartner Consulting – EMEA Public Sector

© 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This presentation, including all supporting materials, is proprietary to Gartner, Inc. and/or its affiliates and is for the sole internal use of the intended recipients. Because this presentation may contain information that is confidential, proprietary or otherwise legally protected, it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.

Post on 27-May-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

Page 2

Qualifications to Lead SARS Engagement

Prior Experience to Gartner:

– Design and build of global networks supporting up to 400,000

– Head of Special Projects Procurement. Large portfolio of technology equipment required to meet urgent demands of diverse business units

– Programme Director of build of new education facility which received government award.

– Change programme: function, people, equipment and locations of an organisation of 7,500

– Head of R&D with a large team of scientists and engineers with remit to pull through successful outcomes to field deployments rapidly, including safety certification

– Chartered Engineer and Chartered IT Professional

Role During SARS Engagement

– Senior Gartner Executive accountable to SARS for delivery of contracted outcomes

– Senior Gartner Executive accountable to Gartner for delivery quality, SARS satisfaction and contracted deliverables

– To act as the facilitator for wider Gartner Tax knowledge gained from around 16 tax administrations in EMEA and NA.

Qualifications

– Head of Public Sector in EMEA with a specific focus on large programmes:

  – National Tax Authority – replacement of core tax system (tax revenue R1,520bn)

  – Oversight of work with a further 3 tax administrations – revenues: R11,183bn, R3,000bn, R3,000bn

  – Reviewer, on behalf of an inter-governmental organization, of the technology to support a $1.4bn headquarters, including security.

Page 3

Clients in 12,000 distinct enterprises across 100 countries

Research – Industry’s largest database: 135,793 documents across 1,372 technology and business topics

Advisory Services – Unique client perspective: 2,000+ analysts conduct 380,000+ one-to-one client interactions annually

Consulting – Results on initiatives: 2,000 custom engagements a year fueled by 14,000 peer benchmarks

Events – Networking with peers: 55,000 professionals a year attend 75+ worldwide events

All Gartner services are grounded in our world-class Research insights.

Gartner has no affiliations with, and does not promote, any vendors, products or services. Gartner does not undertake services implementation – installation of hardware or software into a new or existing estate. Gartner is wholly independent and this independence is guaranteed by the Gartner Ombudsman.

Page 4

Structure of Evidence

Overview of the programme of work and relationship between the different phases/activities

Vignettes that illustrate the relationship between the work (Phase 1, Phase 2, STAR and GRAP) based upon:

– Security posture of SARS

– Gartner recommendations on use of technology to improve efficiency to improve citizen services and reduce cost

– Gartner recommendations on changes to procurement process to reduce cost and upskill workforce

Why SAP?

Governance - ensuring compliance with KING III

What did Gartner recommend that SARS should do?

Why did it not happen? What were the barriers to change?

Page 5

Overview of Programme of Work

Page 6

Support to SARS – 2015-2017

Overall objective: Provide advice and assist where appropriate to ensure that SARS can be and remain a world class tax administration.

IT Assessment

– Objective: Provide SARS with a baseline evaluation of the state of IT, identify areas where improvement can be made, and make recommendations

– Constraint: Time boxed to 10 weeks

– Output: Provide me with ground truth. Measure/baseline SARS against other like organisations. What is required to build upon the Modernisation foundations?

Phase 2 + Phase 3

– Objective: Assist SARS with implementing and prioritizing the recommendations from the IT Assessment (21 areas); ensure knowledge transfer to SARS personnel

– Approach: Communicate to the SARS sponsor recommendations of the IT Assessment. Create individual team charters and agree with Sponsors. Work with team sponsors to confirm the recommendations, create a plan of action, assist with implementation and/or creation of costed business cases

Simulated Target Attack and Response (STAR)

– Objective: Provide SARS with an assessment of the SA Cyber Threat, assess their vulnerability to this threat and test their capabilities

– Question posed: Are we confident that we are able to secure personal and corporate data?

– Change of Scope: Test was cancelled. Remaining funding moved to direct assistance to CISO – organizational design and business cases

Generally Recognised Accounting Practice (GRAP)

– Objective: Assistance to SARS in the migration of accounting standards to GRAP issued by Accounting Standards Board

– Approach: Gartner co-ordinated and provided the IT subject matter expertise within a team consisting of SAP specialists and Accountants.

Durations shown on the slide: 10 weeks, 5 months, 13 weeks, 20 months

Page 7

Gartner put in place a governance mechanism that ensured that the work performed and the outputs produced were verified against Gartner research, best practice and benchmarking data.

Gartner Executive Committee: Global Head of Consulting; Michael Lithgow; Head of Global Practices; Head of Global Operations

Gartner Quality Assurance: Head of Quality Management; Head of Global Practices; Head of Customer Satisfaction Surveys

Gartner Programme QA Reviews:

– Head of Global Sourcing – Steve Buckley

– Head of Global Strategy – Shafqat Azim

– Head of Global Applications – Lindsay McRory

– Head of EMEA Infrastructure and Operations – Jeremy Griffith-Hone

– Head of EMEA Security – Terry Bebbington

– Head of Global Organisational Design – Scott Lever

– Head of Global IT Service Management – Andre Gravel

– Head of EMEA Benchmarking – Chris Smith

All deliverables reviewed before release to SARS. Heads of Practices responsible for ensuring Delivery Consultants had access to most up to date research, toolkits and data.

Michael Lithgow reported to Gartner Executive Committee monthly:

• Project review and progress

• Risks

• Finance

There were 3 quality check points:

• Sign off of charters by SARS work-stream sponsors

• Sign off of deliverables by SARS work-stream sponsors

• Independent survey conducted by Gartner Quality Assurance

Page 8

Addressing USAID and TADAT as a better set of models

USAID has been used to put forward alternative models for Tax Administrations. This is a valuable report and does contain good general information and direction. Its purpose was to support the USAID effort in central and southern America. Its main focus was on ‘start-up’ countries with a very low level of maturity. Gartner would not view South Africa in this bracket.

TADAT is a tool kit that examines high level business processes. It will help inform an organization as to whether its high level functions are effective and efficient. However, it does not cover IT. An ‘A’ rating does not indicate an ‘A’ class IT organization. Gartner IT Score will measure the effectiveness of the IT organization to support the business processes. A Level 4 maturity does not necessarily equal a Level 4 business process. They are complementary but answer different questions.

Page 9

Protecting Citizen Data and SARS Reputation

Page 10

Sample Questions from Survey

Page 11

We supplemented with interviews where required

“Have to stop fraud – R50 million lost in last two weeks”

“SARS is a target for fraudsters / hackers and people taking over personal identities of Taxpayers for scams etc. So you need a suite of tools and domain names etc. Local easier but attacks on international taxpayers.”

“What keeps you awake at night? Identity theft threats… Info Sec Access to Information vs Protection Integrity of data (lack thereof) hold SARS back. Thus is hurting SARS as it affects outstanding returns… Cybersecurity and DDOS…”

“There is no CISO at present… An IT Security strategy is needed as it does not exist”

“There are significant forensic issues, we should highlight problems are and make proposals”

“[Anonymous] is concerned about vulnerability to cyber attack…”

Page 12 (Engagement: 330027277 | © 2015 Gartner, Inc. and/or its affiliates. All rights reserved.)

Is data and information security sufficient to protect citizen data and SARS reputation? Gartner believes that SARS security is insufficient.

Issue

– There is insufficient alignment of IT security initiatives to address key risks

– There is no holistic view of exposure as a result of a fragmented and inadequate risk management approach

– There is no ownership of risk management activities

– There is no formal strategy for (a) endpoint protection; (b) classification of hosts by control; (c) long-term storage and off-line storage of encryption keys and cryptographic content; (d) cyber attacks.

Recommendation

1. Formalise the role of Chief Information Security Officer (CISO) and build a security team with a comprehensive roadmap to execute the security programme

2. Establish an effective security education programme to influence behaviour and culture by all employees

3. Define formal identity data management processes and a formal endpoint protection strategy with regular review and validation.

4. Establish a cyber security strategy to protect citizen data

Evidence

Gartner was unable to discover a formal strategy for: endpoint protection; classification of hosts by control; long-term storage and off-line storage of encryption keys and cryptographic content; cyber attacks.

HMRC example as quoted on the slide: New HMRC cyber crime team to tackle tax fraud by organised criminals. The specialist cyber crime team will protect both HMRC and taxpayers from organised criminals using increasingly sophisticated methods to target HMRC’s tax repayment systems.

Assessment scores: Info Security 2.6; IAM 3.0; Privacy 2.3

Page 13

What is on the dark web and public locations that contains SARS sensitive information

Findings Overview

1. Clear text usernames and passwords of SARS employees leaked.

2. Details of sars.gov.za email addresses and credentials recovered from major hacks such as: adult websites, Adobe, 000Webhost and SalesForce (some home addresses also).

3. Multiple SARS domains support SSL v2, which is especially vulnerable, plus other vulnerabilities in older but active domains.

4. Documents marked ‘Confidential’ found in Open Source research.

5. Tax payer machines are infected by PONY Malware leaking tax payer User Names and Passwords.

6. The Hacking Team ‘Hack’ includes emails showing SARS wishing to buy specific cyber security products.

7. Employees, suppliers, 3rd party associates and contractors leaking targetable information on websites, profiles and CVs.

8. Fake domains and Social Media being used to target taxpayers and SARS employees.

Anonymous and supporting individual actors, State of Israel, Israeli proxy group, Peoples Republic of China (PRC), PRC proxy group, Russian and European Organised crime groups, Nigerian Organised crime groups.

Excluding Anonymous, no other known Dark Web chatter on direct targeting of SARS or senior staff members (Research ceased).

Adversaries Not Found

[REDACTED]
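Findings 1, 2 and 5 above describe employee and taxpayer credentials turning up in third-party breach dumps and infostealer logs. The triage a defender performs on such records (normalise the address, keep only the organisation's domain, rank by whether a cleartext password was exposed and whether the same password appears in more than one source, then produce a reset list) is shown below as an added example; it is not Gartner's or SARS's code, and the dump lines and the `example.gov.za` domain are constructed placeholders.

```python
"""Triage of leaked-credential records against an organisation's mail domain.

Added example (not from the Gartner deck): given records recovered from
third-party breach dumps, identify which belong to the organisation's
domain, rank them by exposure, and produce a reset list. All records below
are constructed sample data; the domain is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ORG_DOMAIN = "example.gov.za"  # placeholder, not a real organisation's domain

# Constructed breach-dump lines in the loose "source,email,secret" form such
# dumps typically take; the secret may be a cleartext password, a hash, or empty.
SAMPLE_DUMP = """\
adobe,J.Dlamini@Example.gov.za,$2a$10$abcdefghijklmnopqrstuv
000webhost,thabo.n@example.gov.za,Summer2015!
salesforce,thabo.n@example.gov.za,
adultsite,someone@other-org.co.za,hunter2
adobe,  lerato.m@example.gov.za  ,Password1
stealer-log,thabo.n@example.gov.za,Summer2015!
garbage line without commas
"""

# Common hash shapes: bcrypt / md5-crypt / sha-crypt prefixes, or a bare hex digest.
HASH_RE = re.compile(r"^(\$2[aby]\$|\$1\$|\$5\$|\$6\$|[0-9a-f]{32,128}$)")


@dataclass
class Exposure:
    email: str
    sources: set[str]
    cleartext: bool  # at least one source exposed a usable cleartext password
    reused: bool     # the same cleartext password was seen in more than one source


def classify_secret(secret: str) -> str:
    s = secret.strip()
    if not s:
        return "none"
    if HASH_RE.match(s):
        return "hash"
    return "cleartext"


def parse_line(line: str) -> tuple[str, str, str] | None:
    """Split a dump line into (source, email, secret); None for unparseable lines."""
    parts = [p.strip() for p in line.split(",", 2)]
    if len(parts) != 3 or "@" not in parts[1]:
        return None
    source, email, secret = parts
    return source.lower(), email.lower(), secret


def triage(dump: str, domain: str = ORG_DOMAIN) -> dict[str, Exposure]:
    """Return exposures for accounts in `domain`, keyed by normalised email."""
    seen_clear: dict[str, set[str]] = {}
    result: dict[str, Exposure] = {}
    for raw in dump.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        source, email, secret = rec
        if not email.endswith("@" + domain):
            continue  # someone else's account; out of scope for our reset list
        exp = result.setdefault(email, Exposure(email, set(), False, False))
        exp.sources.add(source)
        if classify_secret(secret) == "cleartext":
            exp.cleartext = True
            pw_sources = seen_clear.setdefault(email + "\0" + secret, set())
            pw_sources.add(source)
            if len(pw_sources) > 1:
                exp.reused = True
    return result


def severity(exp: Exposure) -> str:
    if exp.reused:
        return "critical"  # same password across sources: reuse, likely including work accounts
    if exp.cleartext:
        return "high"
    return "medium"        # hash or no secret: still force a reset, lower urgency


def reset_list(dump: str, domain: str = ORG_DOMAIN) -> list[tuple[str, str, int]]:
    """(email, severity, number_of_sources) sorted most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    rows = [(e.email, severity(e), len(e.sources)) for e in triage(dump, domain).values()]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


if __name__ == "__main__":
    for email, sev, n in reset_list(SAMPLE_DUMP):
        print(f"{sev:8} {n} source(s)  {email}")
```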

Page 14 (CONFIDENTIAL AND PROPRIETARY. Project Number: 330030117 | © 2016 Gartner, Inc. and/or its affiliates. All rights reserved.)

Threat Assessment – Summary Findings

Findings Overview

Excluding Anonymous, no other known Dark Web chatter on direct targeting of SARS or senior staff members (Research still continuing).

Note this level of exposure is not uncommon in both the commercial and public sector. It is, however, an unusual level of presence/exposure for a Tier 1 Financial Institution or a Government Department that has custody of sensitive security, economic or personal data. Several core SARS domains had exploitable vulnerabilities for Internet facing services, and this would tally with a SARS maturity score of 2.57. The Public Sector and Financial Services peer comparators were 3.0 and 3.41 at the time of the exercise. A world class security organisation today would have a maturity score of 4+. A world class security organisation would have a fully staffed, intelligence-led security operations centre (SOC), cyber incident response team (CIRT) and Cyber Intelligence team providing detection and response type services across the enterprise. Gartner saw limited evidence of this type of capability within SARS at the time of the assessment.

Page 15

Gartner then identified the major threats to South Africa and SARS – comments below valid as of 2016

Page 16

What Did Gartner Recommend – Selection of Internal Candidate for promotion into CISO Appointment +……

Information Security Vision & Mission

Vision: Enable SARS to become an advanced and highly effective and efficient organisation by establishing an engaged Information Security capability focused on protecting the information assets of SARS

Mission: To be a trusted critical business partner consisting of high performance individuals and teams with integrity that enables secure digital progression, continuously delivers value and safely manages information assets in line with SARS mandate and according to SARS Strategy

Key Objective: To establish a comprehensive and mature information security programme on par with global tax, customs and excise authorities

The information security strategy has been defined to guide the establishment and operations of the information security functions within SARS for the period 2016/17 to 2018/19. The strategy has considered and is aligned to both the SARS Business and IT strategies for this period. Information Security is an enabling capability driven as a strategic imperative that is incorporated by default into all aspects of ICT planning, solution delivery and operational business-as-usual processes.

The SARS information security function is mandated to:

• Protect taxpayer and government information;

• Enable the achievement of the SARS business plans;

• Safeguard the SARS reputation;

• Establish a comprehensive and mature information security programme on par with leading global tax, customs and excise authorities;

• Maintain a risk profile commensurate to its risk exposure;

• Have a security environment commensurate with international standards; and

• Comply with information security related legislative, regulatory and government standards and policy requirements.

The strategy has been developed to meet this mandate and address the gaps in the security functions and supporting process and technology capabilities.

Strategy Execution

To execute the strategy, at least 35 projects have been identified and grouped into 9 strategic programmes that implement around 70 recommendations identified in a security review conducted at the end of 2015. An investment of an estimated R300m over the period 2016/17 to 2018/19 will be required to implement these programmes, in addition to the establishment and staffing of the defined security organisation functions. The execution of the strategy will be measured through progress against a security benchmark. As at 2015/16 the SARS security maturity benchmark score was 2.57, while the target by the end of 2018/19 is a minimum score of 3.1. This target score represents the security maturity of global peer organisations as at January 2016.

Page 17

Development of a comprehensive Plan

The strategic plan consisted of 9 strategic programmes built around 35 projects. The projects addressed around 70 security gaps. This represented a comprehensive security programme that aimed to improve all aspects of the SARS information security capability – people, process, technology and policy.

Strategic programmes:

1. Information Security Management Programme

2. Application Security Improvement Programme

3. Data Protection Programme

4. Service Continuity Programme

5. Identity & Access Management Programme

6. Network Security Programme

7. Security Monitoring & Analytics Programme

8. Endpoint Protection Programme

9. Physical Security Integration Programme

Page 18

4. Major Programs

Information Security Programmes containing 35 Projects – estimated investment by financial year (Rand)

| Programme | 2016/17 | 2017/18 | 2018/19 |
|---|---|---|---|
| 1. Information Security Management Programme | 8 384 800 | 4 935 200 | 939 200 |
| 2. Application Security Improvement Programme | 23 915 200 | 14 052 000 | 6 163 600 |
| 3. Data Protection Programme | 37 634 400 | 11 095 200 | 3 156 800 |
| 4. Service Continuity Programme | 10 848 800 | - | - |
| 5. Identity & Access Management Programme | 22 683 200 | 27 857 600 | 4 635 200 |
| 6. Network Security Programme | 60 370 400 | 19 001 600 | - |
| 7. Security Monitoring & Analytics Programme | 3 478 400 | 8 913 600 | 3 971 200 |
| 8. Endpoint Protection Programme | 1 971 200 | 8 778 400 | - |
| 9. Physical Security Integration Programme | 5 442 400 | 8 413 600 | - |
| Total | 174 728 800 | 103 047 200 | 18 866 000 |

Total 3 Year Investment: 296 642 000

Page 19

We also prioritised the work to enable SARS to make judgements on what was most important

[Prioritisation matrix: the nine programmes plotted by Urgency (low to high) against Enterprise Impact (low to high), with marker size indicating Size/Challenge (high, medium, low). Quadrants labelled Strategic, Quick Wins, Foundational and Low Priority. The position of each programme on the matrix is not recoverable from the transcript.]

Programmes mapped to the strategy goals:

Goal 1: To be a trusted critical business Partner – 1. Service Continuity Programme

Goal 2: High performance individuals and teams with integrity – 2. Information Security Management Programme

Goal 3: Enable secure digital progression – 3. Identity & Access Management Programme

Goal 4: Continuously deliver value – 4. Security Monitoring & Analytics Programme; 5. Data Protection Programme

Goal 5: Safely manage systems and information assets in line with SARS mandate and according to SARS Strategy – 6. Application Security Improvement Programme; 7. Network Security Programme; 8. Endpoint Protection Programme; 9. Physical Security Integration Programme

Page 20

Finances STAR Part 2

Funding for STAR – Part 1:

• Assessment of SARS profile on the Dark Web and other locations

• Assessment of SARS vulnerabilities

• Intelligence analysis of threats against SA and SARS

• Identification of current Tools, Techniques and Tactics

• Workshop to create credible threat scenarios

Delivery Resources: Gartner UK

Funding for STAR – Part 2:

• Completion of Security Strategy

• Sub Strategies 1-9 – previous slide

• Business Case Preparation

• Business Case for Organizational Structure

Delivery Resources: Sanjay Charavanapavan, John Cato, Eben Muko, Terry Bebbington (QA)

Page 21

Using Technology to Create Efficiencies and Savings

Page 22

What did we discover from the IT Assessment – Contact Centres

Rating: Medium

Issue

– There has been no planning undertaken to take SARS into a Digital Customer Service future

– There is no clear strategy to determine whether SARS IT strategy is based upon bespoke applications or investment in an ERP (SAP) platform

– Contact Centre (‘shop window’) is far below industry standard

– Publicly published statistics are misleading and create a false sense of progress

Recommendation

1. New customer focussed Customer Service strategy, including digital customer interaction channels, required

2. Develop Voice of the Customer (VoC) strategy based on COTS product to actively listen to the SARS customers

3. Replace the home grown Contact Center with COTS solution inclusive of digital channels and knowledge management

4. Determine ERP (SAP) strategy

Evidence

The digital services that have been delivered, i.e. eFiling, have increased the amount of calls into the Contact Centers as opposed to reducing the interactions customers need with SARS. There is no focus on any “Voice of the Customer” (VoC) initiative to listen to customers, and current satisfaction survey mechanisms deliver a <1% response. The software developed by BB&D for the contact center will require significant investments of time and money in order to implement an omnichannel strategy.

Page 23

Contact Centres – Building a Strategy

The contact strategy was created around:

1. Move tax payers from Direct (Branch Offices) to Indirect Channels (Contact Centre)

2. Meet changing customer demand – automation, multi-channel, digital experience.

3. Create efficiencies – reduce number of Branch Offices/Reduce Staff/Re-Purpose

This was an Omni-Channel programme of work – Omni-Channel does include face to face and branch offices.

However increasingly citizens will want to move to a digital experience. This was the ground work for this to happen.

Source: Contact Centre Strategy Presentation, Firdous Sallie, 6th June 2016. South African (SA) statistics show 46% of the population are already internet users and 92% of these internet users own a smart phone. Of this group there are 80% that have a data plan and the remainder access the internet via free Wi-Fi hotspots.

Page 24

Gartner assisting the workstream leaders to take ownership of the business cases going forward

Timeline shown on the slide:

– 4th August 2015 – Invitation to Working Session for Phase 1 Findings & Planning: presentation on Phase 1; discuss Gartner recommendations for Phase 2; discuss resources needed for Phase 2; timeline for Phase 2 activities. Invitation sent from Gartner Team Leader to Firdous Sallie.

– 8 Sep 2015 – Moving Ahead with Programme: Firdous Sallie confirms support to Gartner Team Leader in discussion with Bain – “Looking forward to an improved and better customer experience”.

– 19th May 2016 – Direct Channel Improvement Plan: Firdous Sallie asks for Gartner to review her slide show.

– 5th June 2016 – Illustrating the Concept of Omni Channels: Firdous Sallie shares strategy ppt with Gartner workstream leader – “Again allow me to thank you for being so open in sharing your previous presentations as it enabled us to reference it”.

– 17th August 2016 – Submission of Business Case: Omni-Channel Business case sent to Gartner for review.

Page 25

The Business Case was produced by SARS with Gartner Support

| Queue Name | Number of Interactions | Potential Cost Savings |
|---|---|---|
| Advanced General Queries | 628 737 | R 20 748 321,00 |
| Complex Queries | 252 488 | R 8 332 104,00 |
| Estate Queries | 87 960 | R 2 902 680,00 |
| Express Queries | 1 317 705 | R 43 484 265,00 |
| Small Business General Queries | 617 340 | R 20 372 220,00 |
| Standard General Queries | 626 073 | R 25 668 993,00 |
| Tax Practitioners | 125 547 | R 4 143 051,00 |
| TOTAL | 3 655 850 | R 125 651 634,00 |

Gartner RFQ Pricing Ranged from R95m – R294m

Page 26

Challenging Supplier Costs & Upskilling SARS People

Page 27

From the IT Assessment Gartner identified that SARS spend on IT as a proportion of overall operating cost was 22% v peer group of 15% and Financial Services 11%

Therefore for Phase 2, there was a focus on Applications Development – how can you manage the cost better? The aim of Gartner was to make SARS more self-sufficient specifically in managing application projects. This involved training 18 SARS personnel who would then form a ‘Value Management Centre’ for application projects. This is an observed best practice in many organisations including Tax Administrations, Financial Services and telco providers.

Page 28

Why is application development cost a problem to manage?

Traditionally you competitively tender for application development and application support. Suppliers put forward a 'rate card': the cost per man day of effort for different levels of experience. As price in tender assessments typically accounts for between 40% and 60% of the marks awarded, the tenderer is incentivized to provide a low rate card. However, you are now at the mercy of the provider. The difficulty with rate cards is that you cannot measure the scale or complexity of an application project accurately. Therefore all you can argue about with the supplier is effort, which he may or may not agree with.

Gartner proposed using Fast Function Point Analysis. This is an internationally recognized methodology for:

• Sizing application projects or whole applications in what are known as Function Points
• Using benchmarking data to understand the typical 'productivity' (function points per day) for that type of work
• Using a rate card to calculate the cost of the requirement (function points required, divided by application developer productivity, multiplied by day rate)

"Can you develop me an application?"

"Yes I can, it will take 4,500 man days of effort and it will cost you R100m."

"That seems a lot."

"Well it is very complicated, but you have a really good rate card. As a special customer we will charge you R85m."

Page 29

Gartner upskilling and empowering 18 SARS personnel to establish a Value Management Initiative focused on application projects.

Training delivered in SARS by Gartner personnel to 18 SARS individuals. The Value Management Initiative would:

• Size all application requirements – calculate the number of function points
• Impose this process on suppliers when bidding for work, requiring them to:
  • Size the work themselves – to compare supplier estimates and to inform internal cost planning
  • Put forward a rate card with productivity per person
  • Calculate the fee
  • Commit to efficiency improvements (increase productivity per person per year), thereby reducing cost to SARS

The training was successful and the individuals highly motivated – an investment by SARS to upskill their people and an exciting new role in establishing a new capability. When fully implemented, Gartner would expect to see financial savings on application development and enhancement of the order of 25%.
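An added worked example (not from the Gartner deck) of the function point costing on the previous slide (function points required, divided by productivity, multiplied by day rate) and of the supplier comparison and productivity commitment the Value Management Initiative is described as performing. The 1,200 function point requirement, the benchmark productivity, the reference day rate and the three supplier bids are constructed illustrative values, and the 25% tolerance for flagging a bid is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RateCardBid:
    """One supplier's bid, in the form the Value Management process asks for:
    a day rate, a claimed productivity and a committed efficiency improvement.
    All values in this file are constructed for illustration."""
    supplier: str
    day_rate: float                      # rand per man day
    productivity_fp_per_day: float       # function points delivered per man day
    annual_efficiency_gain: float = 0.0  # committed productivity increase per year (0.10 = 10%)


def cost_for_function_points(fp: float, productivity: float, day_rate: float) -> tuple[float, float]:
    """Deck formula: function points required, divided by developer
    productivity, multiplied by day rate. Returns (effort_days, cost)."""
    if fp <= 0 or productivity <= 0 or day_rate < 0:
        raise ValueError("function points and productivity must be positive, day rate non-negative")
    effort_days = fp / productivity
    return effort_days, effort_days * day_rate


def rank_by_rate_card(bids: list[RateCardBid]) -> list[str]:
    """The traditional tender view: cheapest day rate first, effort unknown."""
    return [b.supplier for b in sorted(bids, key=lambda b: b.day_rate)]


def evaluate_bids(fp: float, bids: list[RateCardBid], benchmark_productivity: float,
                  reference_day_rate: float, tolerance: float = 0.25) -> list[dict]:
    """Size the requirement internally (benchmark productivity x reference rate),
    cost every bid against the same function point count, and flag any bid more
    than `tolerance` above the internal estimate. Cheapest sized cost first."""
    _, baseline = cost_for_function_points(fp, benchmark_productivity, reference_day_rate)
    results = []
    for bid in bids:
        days, cost = cost_for_function_points(fp, bid.productivity_fp_per_day, bid.day_rate)
        results.append({
            "supplier": bid.supplier,
            "effort_days": round(days, 1),
            "cost": round(cost, 2),
            "ratio_to_internal": round(cost / baseline, 3),
            "flagged": cost > baseline * (1 + tolerance),
        })
    return sorted(results, key=lambda r: r["cost"])


def cost_trajectory(fp_per_year: float, bid: RateCardBid, years: int) -> list[float]:
    """Annual cost of a fixed yearly workload when the supplier honours its
    committed 'increase productivity per person per year' improvement."""
    productivity = bid.productivity_fp_per_day
    costs = []
    for _ in range(years):
        _, cost = cost_for_function_points(fp_per_year, productivity, bid.day_rate)
        costs.append(round(cost, 2))
        productivity *= 1 + bid.annual_efficiency_gain
    return costs


# Constructed sample input: a 1,200 function point requirement and three bids.
REQUIREMENT_FP = 1200.0
BENCHMARK_PRODUCTIVITY = 2.0   # FP per day from benchmarking data (constructed)
REFERENCE_DAY_RATE = 5000.0    # rand per day (constructed)
SAMPLE_BIDS = [
    RateCardBid("Supplier A", day_rate=4000.0, productivity_fp_per_day=1.0, annual_efficiency_gain=0.05),
    RateCardBid("Supplier B", day_rate=6000.0, productivity_fp_per_day=2.5, annual_efficiency_gain=0.10),
    RateCardBid("Supplier C", day_rate=5500.0, productivity_fp_per_day=2.0, annual_efficiency_gain=0.05),
]


if __name__ == "__main__":
    print("Rate card ranking only:", rank_by_rate_card(SAMPLE_BIDS))
    for row in evaluate_bids(REQUIREMENT_FP, SAMPLE_BIDS, BENCHMARK_PRODUCTIVITY, REFERENCE_DAY_RATE):
        print(row)
    print("Supplier B, 3-year cost of 1,200 FP per year:",
          cost_trajectory(REQUIREMENT_FP, SAMPLE_BIDS[1], 3))
```

Ranking by rate card alone puts Supplier A first; sizing the same requirement in function points makes it the most expensive bid, which is the gap the rate card argument above describes.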

Phase 2 Charter

Page 30

GRAP & Why not SAP?

Page 31

SAP – there was one formal project that examined GRAP and an informal request to facilitate discussion on 'Why Not SAP?'

GRAP – Generally Recognised Accounting Practices

The overall objective of the Gartner review was to assess the GRAP plan for achieving GRAP compliance by 31 March 2018.

Gartner made use of SAP expertise and locally based accountants familiar with GRAP.

Gartner assessed that the present Core Tax Systems were unable to produce reporting in accordance with GRAP requirements. Continuing with a revised/upgraded SAP implementation process across all tax types and utilising the SAP TRM/PSCD functionality would assist in attaining GRAP compliance.

Recommendations:

– Undergo a significant IT system transformation.

– Transform solutions / systems to enable GRAP compliance service delivery, and transform system functionality from cash to accrual accounting, including estimation, reversal and adjustment functionality.

– Leverage GRAP compliance within the current SAP investment (and sunset aging, redundant and non-compliant bespoke systems and system components), applying best practices to the licensed SAP TRM product suite.

– SAP is currently highly under-utilised with SARS using only around 20% of the licensed SAP Tax and Revenue functionality.

– Compared with other SAP installations, SARS has too many accounting exceptions/errors requiring adjustment (allocations). These manual actions should be the exception, prevented by automation and validation rules. A central SAP tax platform would provide such capability.

Page 32

Why Not SAP?

SARS COO requested Gartner to facilitate an internal review on the question of 'Why Not SAP?'

A valid question, as there was considerable internal debate on build versus buy.

SARS had already invested in SAP TRM (Tax and Revenue Management), including purchasing lifetime licenses for the use of SAP TRM, which were not being utilized.

Gartner:

– One-to-one discussions with existing tax administrations who were using SAP and TRM, including HMRC (UK Tax Administration and Customs)

– Organized discussions with SAP Germany

– Held internal workshops

– Included business and their concerns

This was not a contracted activity, and Gartner undertook this work in parallel with other ongoing workstreams.

USAID Recommendations:

In total cost of ownership terms, custom-built solutions may be cheaper for smaller tax administrations, particularly in consideration of licensing costs, whereas COTS solutions may be more cost effective for larger implementations with a wider breadth of system requirements. COTS solutions may be appropriate where there is major tax administration reform across all tax administration functions that requires sufficient funding and commitment to reform.

Page 33

What were Gartner observations on 'Why not SAP?'

Gartner prepared a report for EXCO.

This was not a formal deliverable and Gartner was not asked to make a recommendation.

Gartner did highlight the following:

– Investment in licenses had already been made

– Simplification of application environment – cost and ‘time’ to implement changes – 50 plus custom applications existed

– Single view of customer

– Potential powerful analytic tools

– ‘Time to market’

– Cost of maintaining current legacy environment

– SAP experience in SARS

Gartner understands that the EXCO took the decision to adopt a SAP First policy. However, Gartner understands that there remains resistance to this approach.

Page 34

Are there alternatives to SAP?

Over the past 20 years, the market for Integrated Tax Systems has matured and evolved. Many of the sizable and established jurisdictions went through an initial COTS implementation, but are soon to return to the market in search of a next-generation COTS system, representing a new market opportunity for the updated and changed vendor landscape.

– Fast Enterprises initially captured a portion of the market with their GenTax® suite and has begun to re-compete as their initial COTS solutions/versions near the end of their useful life cycle. A major player in the market.

– SAP's Tax & Revenue Management (TRM) has mostly held a footprint in Europe, but has also found success in a few U.S. states. Over 350 deployments world-wide.

– RSI has emerged as a top competitor to FAST in the North America market, positioning itself as a robust and flexible alternative (recent wins in Saskatchewan). An emerging player.

– Like SAP, Oracle has found success internationally and in a few U.S. states, but is not seen as a major player.

– Quite a few others (TCS, TechnoBrain, STI, DataTorque, AtoS, and FreeBalance) have relatively new products with the potential to be a good match for some jurisdictions.

Gartner has been following the ITS COTS vendor market and assisting clients globally to analyze, evaluate, select, and implement the right COTS solution (if applicable) to match their environment and unique vision for future operations.

Page 35

Governance – Ensuring alignment with King III

Page 36

A Compliant Governance Strategy

                                           Assessment Result   Target end 2018
Phase 1 (March/April 2015)
  IT Governance Capability (scale 1 to 5)  2,45                3,1
  IT Risk Management                       2,70                3,1
IT Renewal Programme (November/December 2015)
  King III                                 51,67%              85%
  Public Service IT Governance Framework   40,75%              75%

The guiding principles for Gartner in designing the governance structure were that it must be compliant with the SA Legislative and Regulative environment:

• KING III
• Corporate Governance of ICT Policy Framework (Department of Public Service and Administration)

Both from the IT Assessment and from a workshop in Phase 2, there was concern expressed about SARS compliance with these frameworks. It would have been irresponsible of Gartner to have designed a Corporate Governance model that did not fully comply with these key regulations/legislation. Gartner did recognize that this would add additional 'process'.

Gartner has designed governance frameworks for a large number of public sector clients which have been very successfully implemented. But there is a constant tension between too much and too little.

Page 37

IT Strategy – Providing the Roadmap for taking Modernisation to the Next Step

Page 38

37 This document is strictly confidential

1. Executive Summary: IT Success Criteria / Business Success

SARS Strategic Objectives:

• Increase customs compliance
• Increase tax compliance
• Increase ease of doing business with SARS
• Increase fairness of doing business with SARS
• Increase cost-effectiveness
• Increase efficiency
• Increase institutional respectability
• Turnaround customs and excise
• Address the tax gap and increase compliance
• Become a customer centric organisation
• Build a high performance culture and operations
• Improve Information services and technology, at the service of the organisation
• Implement revised operating model to support strategic priorities

IT Success Criteria – External Focus:

• Improved system availability
• Improved system usability
• Complete systems
• Leverage Big Data (Strategy, framework and tools)
• Enabling multi channel framework
• Enhanced Customs and Excise system
• Enable single flexible tax engine
• Enable 360 degree view of client
• Complete key Initiatives *
• Improved change management

IT Success Criteria – Internal Focus:

• Improved IT governance
• Improved IT HCM
• Improved service management
• Improved IT sourcing
• Improved architectural capability
• Improved security
• Improved vendor management
• Improved portfolio and project management
• Improved application management
• Improved customer management
• Mode 2 and Agile implemented

* E.g. Establish Data and Information Management Capability, Move off Mainframe, Interfront Strategy, NCAP, GRAP

Broad Business Requirements:

• 360 degree view of clients
• Increased pre-population/validation
• Improved analytics
• Improved customer experience (registration, eFiling, queries, information)
• Improved user experience
• Improved customs and excise systems (new legislation)
• Innovation enabled
• Improved reputation
• Increased agility
• Simplification
• Automation
• Broaden tax base

Page 39

1. Executive Summary (Continued): IT Strategy on a Page

IT Mission: To be a critical business partner consisting of high performance individuals and teams that enable digital progression, continuously deliver value and safely manage systems, security, corporate data and information for the benefit of SARS and according to its mandate.

IT Vision: Enable SARS to become a digitally advanced and highly effective and efficient organisation.

Strategic Shift: Prepare for increasing digitalization: Bimodal, Big Data and Analytics, Improved Customer Multichannel Interaction, 360 View and Pre-population.

IT Principles:

• IT serves business (Business Partner)
• Partner well (Vendors, other state entities and internally)
• Architect for the future
• Consider buy before build
• Simplify, standardise and rationalise
• Keep renovating the core
• Good Governance, Risk and Compliance is good IT
• Consciously build and maintain a transformed IT organisation

Strategic Priorities:

• People: Stabilise the division (Culture and Alignment with goals); Leaders appointed and development plans implemented (skills for future); Recruitment for revised organisational structures complete; Skills development and capacity building.
• IT Strategy: IT Strategy complete and communicated (Rationalisation, de-risking, improve); Strategic plans completed and projects started per plan; Key IT enablement projects completed (Data Management, Security, etc.).
• "Big" Decisions: Moving off the mainframe decision taken and projects started; Interfront decision taken and acted upon; Review of SARS role in other State Entities projects (Guide/Assist/Do); SAP as enterprise solution.
• Sourcing: Tower tenders complete and awarded; Active planning for additional work; Proactive sourcing capability building; De-risking and dependence reduction on external vendors.
• Applications: Understand and consider full SAP offering, architecture and strategic direction; Stabilize and upgrade existing SAP capability including catering for GRAP; Plan expanded usage and schedule and complete projects (VAT, PAYE and MT); Customs re-development according to SARS standards and priority.

Description by domain:

• Governance: Improve governance through the re-introduction of COBIT aligned with King and ISO 38500 in three phases
• Service Management: Strengthen the service capability through the upgrade and application of ITIL supported by people and training
• Architecture: Implement an enterprise architecture capability supported by correct staffing and tools
• People: Stabilise the organisational structure, followed by getting the basics right and lastly implement advanced HCM practices
• Sourcing: Move procurement from reactionary and adversarial to proactive and value adding (staff, use of tools, training)
• Security: Upgrade security through a combination of people, skills and tools to be delivered via 35 projects in 9 programmes
• Change: Implement a uniform and consistent change management approach utilising PROSCI and management involvement
• Applications: Rationalise the application portfolio, reducing duplication and implementing an appropriate asset management tool
• Finance: Move from a budget oriented view of finance to a value understanding through activity based costing and show back
• PPM: Combine PMOs, rationalising and standardising tools, methodologies and training

Executive Summary

Page 40

4. Major Programs (Straw Model) – to be refined / elaborated in strategy initiative 2

Composite High Level Roadmap and Costs

[Roadmap figure: timeline 2016, 2017, 2018, 2019, 2020, Beyond; swimlanes Tax, Customs, Support, DIST. Programmes shown: (GRAP) VAT, PAYE & MT; Company Tax; Other Taxes; Individual Tax; CRM; Single Tax; 360 View; Debt Management; Case Management; Decommission; NCAP; NCAP Rewrite; Refactor NCAP; U3tm, ATP/SM, etc.; Multi channel Framework; Customer portal / eFiling; BPM Engine; Rules Engine; Customer Interaction Capability; Off Mainframe; BW on HANA; Big Data Analytics; ERP on HANA; TRM on HANA; Digital Tagging; Bi Modal; EIM; EA / Solution Architecture; GRAP; Independence; Innovation; Master Data Management; Full Pre-pop; Multichannel; Potential SAP Applications; Internally focused DIST projects (Security, Cobit, Service Management, Application Management, Change Management, etc.). Legend: Ent App, Insight, Development, DIST led initiatives, = Funded.]

Page 41

6. Major DIST Programs and Project Costs by Domain

Domain                                    2016/17        2017/18        2018/19
1. Strategy                               6 400 000      10 500 000     15 500 000
2. Application Management                 13 000 000     3 700 000      4 700 000
3. Change Management                      2 064 802      1 000 000      1 900 000
4. Enterprise and Solution Architecture   182 500 000    304 300 000    272 000 000
5. Governance                             9 989 835      4 229 945      997 980
6. Human Capital Management               465 000        -              -
7. Project & Programme Management         13 500 000     6 400 000      9 800 000
8. Security                               151 293 600    124 546 400    18 866 000
9. Service Management                     4 000 000      19 500 000     19 200 000
10. Sourcing and Vendor Management        1 500 000      -              -
Total                                     384 713 237    474 176 345    342 963 980

Total 3 Year Investment: 1 201 853 562

IT Programmes by 10 Domains

Composite High Level Roadmap and Costs

Page 42

What were the Barriers to Change

Page 43

Barriers to Change

During the Phase 2 activity there was a significant amount of turbulence in SARS.

– Staff were unsure of their roles

– Staff were being asked to re-apply for their appointments

– Engaging with some leaders was challenging due to turbulence

Resistance to change within SARS

– This resistance was more than just Gartner

– But there were attempts to derail the work

Lack of strong committed leadership in some key positions

– Raised with Commissioner (Letter and VTC)

Page 44

Modernisation

Page 45

Engagement: 330027277 | © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. 44

Has modernisation delivered impact and value for money? Gartner believes that impact which has value has been delivered, but not at fair market rate.

Findings

• R3.997bn expended
• Appropriate approval and governance was lacking
• Procurement process did not meet best practice
• A high degree of dependence on 3rd parties created
• Complex bespoke environment exists which has had cost implications and will continue to have down-stream cost implications

Evidence

• Tender documentation was based upon an unclear requirement and not linked to outcomes
• Via an exception process a 3rd party was contracted without competition, originally for R95m, with whom SARS has now spent R1bn+
• No business case linking investment to business requirements to outcomes
• IT spend is above peers and what Gartner would expect

Recommendation/Actions

Gartner recommends that SARS:

1. Conduct an audit to identify lessons learnt plus quantify expenditure and deliverables to date
2. Unify IT and Modernisation into a single accountable governance structure to the Board
3. Undertake a financial analysis of the whole life cost of existing IT
4. Review current planned projects in order to:
   I. Alignment to business need
   II. No duplication or overlap
   III. Will deliver value for money

Page 46

Is SARS IT Spending in line with the Industry? Gartner assessment is that SARS is above the Industry average

Issue & Evidence

• When the Capex spent on Software is taken into account, the Software costs for SARS are 37% compared against the peer* group's 8%.
• SARS has a much higher total employee count than the peers: 13,752 in SARS versus 5,514 in peers. This is an indication of low automation levels in SARS.
• The SARS distribution of IT resources is also substantially different from the peers': 61% of resources are within the Application Development & Support areas versus the peers' 41%.
• SARS has a higher IT capital expenditure than their peers: 31% compared against the peers' 22%.
• SARS total IT Spend of 22.8% of the company's operating expenditure is substantially higher than the Tax Administration peer of 15.85% as well as the Financial Services peer (11.08%).

Recommendation

1. Undertake an organisational design review to identify gap to best practice and actions to close

2. Review planned capex against value for money and strategy alignment

3. Determine software development and support costs (productivity) against the industry norm and the top quartile (25%) in order to establish an improvement plan

Rating: Low

Page 47

IT Assessment

Page 48

GARTNER CONSULTING

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved.

Issues and Recommendations

SARS Strategic IT Assessment

Prepared for:

Project Number: 330027277 22 April 2015

Page 49

Key Design Principles

In designing all the recommendations, Gartner focussed on the following key business principles:

• Gartner Design Principle #1: SARS core business is Revenue Collection – SARS needs to re-focus on its core business and all issues surrounding service delivery of the core business of Revenue Collection.
• Gartner Design Principle #2: SARS is a Customer Centric Organisation – SARS needs to instantiate services, solutions, technology and structure that are focussed on delivering a great customer experience across all current and future customer interaction channels.

Page 50

IT Strategy Review

Gartner has been engaged to conduct a "Health Check" along 5 IT dimensions: Architecture & Technology; Sourcing; Governance; App. Dev & Project Management; Modernisation Project.

Review areas:

■ IT strategy aligned with business goals and strategy
■ Risk policies and procedures
■ IT delivery against IT strategic plan
■ IT HR assessment
■ Data and information security
■ Documented IT environment
■ Overall cost of IT and ROI
■ Business cases existence and realization
■ Efficiency and effectiveness of infrastructure
■ Governance in terms of bespoke and developed software
■ Governance in relation to intellectual property
■ Ownership of IP, and where Escrow agreements are stored and who has access rights
■ How is governance around the awarding of software contracts
■ S/W development methodology & best practice alignment
■ Project Management best practice
■ Sustainability of the O/S, RDBMS, development tools, applications & reusability
■ Bespoke versus development or vice versa
■ Project Management capability within SARS & on time, budget and quality delivery
■ Spent to date and still to be spent
■ Delivered to date and still to be delivered
■ Effectiveness and efficiency of contract management & the sourcing of vendors
■ Review of contractual arrangements, service level agreements, escalation procedures, product specifications, transitional requirements, roles and responsibilities, and exceptions
■ Review all the supplier agreements

Page 51

Process followed - Gartner's ITScore Maturity Models

• Most maturity models are only process-focused

• Gartner ITScore expands the maturity model to assess people, technology, and business management maturity.

• The Gartner ITScore is action-oriented – not just a "grade"

• It enables the creation of a prioritized systematic road map for improvement over timeframes.

• Gartner ITScore has been tested against international market realities and proved to be accurate

Page 52

Gartner's ITScore Typical Focus Areas (Example)

Typical Management Dimensions and Typical Management Attributes:

• Technology: Standards; Efficiency; Service quality/agility; Tools
• People: Organisation; Roles; Culture; Skills; Training; Metrics
• Process: Focus; Standards; Integration; Metrics
• Business: Planning; Financial management; Metrics; Governance; Sourcing; Project management

Maturity Levels (customized to the area being measured), in increasing order of Business Value:

1 — Awareness
2 — Committed
3 — Proactive
4 — Service-Aligned
5 — Business Partner

Page 53

The IT Score Maturity Levels (Example)

Levels: Level 1 Awareness; Level 2 Committed; Level 3 Proactive; Level 4 Service-Aligned; Level 5 Business Partner.

[Figure residue: characteristics shown across the five levels, left to right, whose exact level assignment is not recoverable from the extraction: Reactive, Firefighting; Ad Hoc Processes; Low Customer Confidence; Initial Process Formalization; Looking at Industry Best Practices; System Management Tools Integration; Consolidation/Standardization; Working on Implementing Industry Best Practices; Day-to-Day Processes Mature; Widespread Virtualization; Tiered Support; Process Automation; Industry Best Practices in Place; Service SLAs; Hybrid Cloud Computing; Trusted Service Provider; Pilots New Technology for Business Innovation; Strategic Relationship Managers.]

Page 54

Engagement: 330017106 | © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. 53

Findings & Recommendations

Executive Summary

Page 55

In undertaking the health check, Gartner was asked to comment on key areas of activity and investment for both the Modernisation programme and IT.

• Has modernisation delivered impact and value for money? – Medium
• Is there a sufficiently accountable and transparent governance structure in place to ensure the right investment decisions are made? – Low
• Is there an executable plan to ensure that going forward IT is aligned to business needs/drivers? – Low
• Is data and information security sufficient to protect citizen data and SARS reputation? – Medium
• Should SARS continue to 'own' Interfront as a commercial entity? – Low
• Is SARS positioned to deliver and support citizen centric services that will create more efficient and effective ways of tax and customs revenue collection? – Medium
• Is SARS IT spending in line with the Industry? – Low


Has modernisation delivered impact and value for money? Gartner believes that impact which has value has been delivered, but not at fair market rate.

Findings

- R3.997bn expended
- Appropriate approval and governance was lacking
- Procurement process did not meet best practice
- A high degree of dependence on 3rd parties was created
- A complex bespoke environment exists which has had cost implications and will continue to have down-stream cost implications

Evidence

- Tender documentation was based upon an unclear requirement and not linked to outcomes
- Via a lawful exception process a 3rd party was contracted without competition, originally for R95m, with whom SARS has now spent R1bn+
- No business case linking investment to business requirements to outcomes
- IT spend is above peers and what Gartner would expect

Recommendation/Actions

Gartner recommends that SARS:

1. Conduct an audit to identify lessons learnt plus quantify expenditure and deliverables to date
2. Unify IT and Modernisation into a single governance structure accountable to the Board
3. Undertake a financial analysis of the whole life cost of existing IT
4. Review current planned projects in order to confirm:
   I. Alignment to business need
   II. No duplication or overlap
   III. That they will deliver value for money


Is there a sufficiently accountable and transparent governance structure in place to ensure the right investment decisions are made? Gartner's view is that there is insufficient accountability and transparency.

Low

Findings

- In both the Public and Commercial Sector there is a requirement to account for decisions and financial investments made, to Parliament or Shareholders. This was lacking in SARS.
- Investment decisions were made with no quantifiable benefits nor clear accountability by a Senior Reporting Officer (SRO).
- It was unclear when a project had been delivered, resulting in further expenditure and lack of control.
- Whilst no evidence of illegal activity was discovered, procurement fell short of best practice.

Recommendation

1. Establish a stronger governance regime that covers all IT investments
2. Review existing contracts (appropriateness, value for money, quantifiable outcomes) to assess alignment with SARS objectives
3. Ensure that for each project there is a Senior Reporting Officer accountable for the project

Evidence

- A governance forum existed for Modernisation, but the Modernisation agenda was largely driven by a single individual and Business were not fully consulted in IT investments.
- The IT Governance Framework is not defined and therefore effective decision-making on IT was not well understood by all stakeholders.
- Existing contract relationships were expanded to circumvent the need to go to market in order to achieve best value.


Is there an executable plan to ensure that going forward IT is aligned to business needs/drivers? There is no documented plan that has been approved by the business.

Low

Issue

- The investment in IT, specifically modernisation, is not aligned to any SARS business plan.
- There is no forward-looking roadmap through which a Board of Directors can either improve or understand the value of the investments being made.
- This has resulted in a high level of distrust in the Modernisation programme.
- The Modernisation programme has delivered a number of good outcomes, but these are eclipsed by the perception that it was unaccountable.

Recommendation

1. A formal IT strategy developed with clearly documented initiatives that meet business priorities.
2. Priority for initiatives to address compliance, enhanced revenue collection and customer centricity.
3. IT should be unified and move to a service based organisation accountable via a Chief Information and Digital Officer to the EXCO.

Evidence

There is no formal signed-off IT Strategy in SARS. The lack of an IT strategy and IT Strategic Plan is limiting SARS from effectively managing IT demand, supply and control. The Modernisation programme worked on a principle of “memos” describing what was going to be done. These memos included elements of alignment with the SARS Business Plan, but this was never 100% matched with the business needs. SARS IT is treated as a cost centre, which is not the recommended operating model for driving efficiency and business alignment.

SARS is below comparable organisations in execution of strategy.


Is data and information security sufficient to protect citizen data and SARS reputation? Gartner believes that SARS security is insufficient.

Medium

Issue

- There is insufficient alignment of IT security initiatives to addressing key risks.
- There is no holistic view of exposure, as a result of a fragmented and inadequate risk management approach.
- There is no ownership of risk management activities.
- There is no formal strategy for (a) endpoint protection; (b) classification of hosts by control; (c) long-term storage and off-line storage of encryption keys and cryptographic content; (d) cyber attacks.

Recommendation

1. Formalise the role of Chief Information Security Officer (CISO) and build a security team with a comprehensive roadmap to execute the security programme
2. Establish an effective security education programme to influence behaviour and culture by all employees
3. Define formal identity data management processes and a formal endpoint protection strategy with regular review and validation
4. Establish a cyber security strategy to protect citizen data

Evidence

Gartner was unable to discover a formal strategy for:

- Endpoint protection
- Classification of hosts by control
- Long-term storage and off-line storage of encryption keys and cryptographic content
- Cyber attacks

New HMRC cyber crime team to tackle tax fraud by organised criminals. The specialist cyber crime team will protect both HMRC and taxpayers from organised criminals using increasingly sophisticated methods to target HMRC’s tax repayment systems.


Should SARS continue to ‘own’ Interfront as a commercial entity? Gartner does not believe this is core to the SARS mission.

Low

Issue

- Interfront has delivered value, but currently is neither focused solely on SARS nor focused on marketing its solution to the international marketplace.
- Neither SARS nor Interfront fully understands the potential market size and potential future income from the sale of the Customs & Excise software.
- The Customs module will require SARS to invest several hundred million rand to complete the product and shrink-wrap it for commercial sales.

Recommendation

1. SARS should not own any commercial entity.
2. Legal opinion should be sought to cancel the agreements and other contractual commitments.
3. Interfront has a strategic software development skills base and people with extensive expertise. SARS should consider re-focussing Interfront skills on SARS activities.

Evidence

- The commercial arrangements of Interfront are complex.
- The customs solution is tailored for SARS use, so would require a fair amount of work to make it suitable for the market.
- Some modules of the Interfront customs solution have been built by a 3rd party on a different platform, resulting in a duplication of costs.


Is SARS positioned to deliver and support citizen centric services that will create more efficient and effective ways of tax and customs revenue collection? Gartner believes SARS has the capability to achieve this but is not presently doing so.

Medium

Issue

- There has been no planning undertaken to take SARS into a Digital Customer Service future.
- There is no clear strategy to determine whether the SARS IT strategy is based upon bespoke applications or investment in an ERP (SAP) platform.
- The Contact Centre (‘shop window’) is far below industry standard.
- Publicly published statistics are misleading and create a false sense of progress.

Recommendation

1. New customer focussed Customer Service strategy, including digital customer interaction channels, required
2. Develop a Voice of the Customer (VoC) strategy based on a COTS product to actively listen to the SARS customers
3. Replace the home grown Contact Centre with a COTS solution inclusive of digital channels and knowledge management
4. Determine ERP (SAP) strategy

Evidence

The digital services that have been delivered, e.g. eFiling, have increased the number of calls into the Contact Centres rather than reducing the interactions customers need with SARS. There is no focus on any “Voice of the Customer” (VoC) initiative to listen to customers, and current satisfaction survey mechanisms deliver a <1% response. The software developed by BB&D for the contact centre will require significant investments of time and money in order to implement an omnichannel strategy.


Is SARS IT Spending in line with the Industry? Gartner's assessment is that SARS is above the Industry average.

Low

Issue & Evidence

- When the Capex spent on Software is taken into account, the Software costs for SARS are 37% compared against the peer* group’s 8%.
- SARS has a much higher total employee count than the peers: 13,752 in SARS versus 5,514 in peers. This is an indication of low automation levels in SARS.
- The SARS distribution of IT resources is also substantially different from the peers: 61% of resources are within the Application Development & Support areas versus the peers’ 41%.
- SARS has a higher IT capital expenditure than its peers: 31% compared against the peers’ 22%.
- SARS total IT Spend of 22.8% of the company’s operating expenditure is substantially higher than the Tax Administration peer of 15.85% as well as the Financial Services peer (11.08%).

Recommendation

1. Undertake an organisational design review to identify the gap to best practice and actions to close it
2. Review planned capex against value for money and strategy alignment
3. Determine software development and support costs (productivity) against the industry norm and top 25% in order to establish an improvement plan


Road Map & Preliminary Timeline

Draft High Level Plan

Timeline: FY 2015 (3Q, 4Q), FY 2016 (1Q, 2Q, 3Q, 4Q), FY 2017 (1Q, 2Q)

Strategic Programs:

- Customer Service
- Application Management
- IT Governance Enhancement
- Sourcing Governance
- Architecture And Technology
- IT Strategy Development
- Project Management