Each of the expenditures made by the national government, from supplies, travel, and salaries, to the execution of all programs, are recorded in what is known as the Integrated Financial Information System (SIDIF), a mechanism that operates under the aegis of the Finance in the Ministry of Economy, which allows tracking of the general ledger transaction level, i.e., movements of funds, generating orders, and bank reconciliations.
The SIDIF was analyzed by the General Audit Office (AGN, for its acronym in Spanish). The report approved late last year, dates from 2009 and warns of "higher than the recommended risk" in several respects, mainly on internal control and security.
According to the AGN, the system should establish mechanisms to identify risks that could arise in the management of Information Technology (IT), and measure their impacts, but the methods of evaluation "were not applied in all areas"of SIDIF. The research adds that "decisions are made based on the expertise of key personnel" and no formal procedures for internal reporting to account for how computing resources (staff, facilities, systems, etc.) are used are observed).
This feature, of resting an area's strategic factors in the "ability of key personnel", can also be seen in the generation of quality indicators and performance, a space where the AGN could not detect the existence of formal procedures for measure the efficiency of the SIDIF.
Also, the watchdog noted that the system, although "virtually everyone in Information Technology is hired," and, in that sense, the analysis performed by "the ability of external suppliers is not checked" the Office of the Comptroller General (SIGEN) and own Internal Audit Unit (IAU) of the Ministry of Economy "are possible."
The Integrated Financial Information System came into use in 1993. Each state jurisdiction has a Financial Management Service (SAF) and a proper mechanism to track their expenses. Initially, most areas had a Unified Local SIDIF (SLU). While these systems functioned independently, they allow transactions in connection with the Central SIDIF through a data transmission mode called TRANSAF.
From 2003 it began a process of technological update of SIDIF. The audit report explains that they sought to achieve a system that would cover the functionality of the financial administration at both central and decentralized agencies for using web-based technologies.
At the time of analysis of the watchdog, the SIDIF was still in "transition" from its primitive form of work to a new web form called "e-SIDIF". For the AGN, this situation caused risks in the processing of financial data that was located above the recommended levels, finding, first, coexistence mechanisms applied at different times and on the other, the coexistence of "multiple databases with duplication and / or tripling." The technicians pointed out that during its investigation they found "243 databases in production."
The National Audit Office concludeds: "To mitigate this problem a number of procedures, automatic and manual, verifying that data has the same value in all its appearances were developed. The solution to this problem will exist only when the development of the missing modules (referring to e-SIDIF) is completed and all the organisms migrate users to the new system, thereby unify data in a single base." It recommends that "every effort should be made available to end this situation which threatens the reliability and integrity of the data."
In its survey, the audit states that "it is necessary to maintain the integrity of the information (the SIDIF) and protect IT assets, which requires a process safety management." In this sense, the watchdog found that the risk is "high" because "no statistics are kept, nor are they regular reports on security incidents."