The auditor general has uncovered a number of information technology deficiencies at the Jamaica Customs Agency (JCA) for the fiscal period 2014-2015 to 2016-2017.

The JCA, in addition to assessing and collecting duties and fees, is responsible for facilitating international trade and ensuring the protection of Jamaica’s borders against illicit imports.

The efficient execution of its functions is highly dependent on the use of Information Technology (IT) in its core processes, but the auditor general in a report tabled in Parliament yesterday, found gaps in some of those systems for specified periods.

“Given this dependence and the value of IT investments made over the years, the agency should implement the necessary controls to ensure that IT risks are managed in a structured manner. The JCA should also ensure that it can appropriately respond and continue to offer critical services in spite of technological disruptions,” Auditor General Pamela Monroe Ellis has recommended.

The report is the result of an IT audit which was commissioned to determine whether the JCA has an effective business continuity management system to ensure the timely resumption of critical services in the event of any serious interruptions.

Among the findings were inadequate IT oversight. “We found that though the Information Management Unit (IMU) reported its operational performance to the executive management and Ministry of Finance and the Public Service, the JCA did not have an IT steering committee or equivalent to oversee the management of IT service delivery and projects. An IT Steering Committee, as recommended by best practice, would be responsible for determining IT investment priorities based on business strategies, IT project tracking, service level monitoring and improvements. However, the agency did not establish a committee to perform such functions and ensure the strategic alignment,” the report outlined.

For example, it was noted that the IMU developed an ICT strategic plan for the 2013-14 to 2015-16 financial years, but there was no evidence of formal review by a senior management committee to ensure consistency with the JCA’s strategic priorities or availability of the resources required to execute the 20 strategies planned.

The audit also found that there was unstructured IT risk management at the JCA. The report says that while the agency had implemented elements of the World Customs Organization (WCO) risk management procedures in its core operations, it could not demonstrate that IT risks were managed in a structured manner.

“The JCA did not provide documentary evidence that security assessments were performed for critical systems and locations, or that vulnerabilities and threats relevant to its IT assets were assessed,” the auditor general said.

There is also the issue of inadequate business continuity and disaster recovery planning. “The JCA did not have a business continuity plan,” the report said, and the agency’s draft IT disaster recovery plan only related to the Automated System for Customs Data (ASYCUDA) World application, although reliance was placed on 15 legacy systems for historical data used for valuations, the establishment of risk patterns, and back-up transaction processing.

“The development of the plan was also not informed by a risk assessment and business impact analysis (BIA), which would allow the JCA to determine the significant risks to be managed, critical services, acceptable downtime, and data loss,” the report revealed.

The audit involved a review of the entity’s general controls, systems, and procedures relating to IT governance and business continuity for the financial years 2014-2015 to 2016-2017.