Consultant - Quality Assurance of CDGP Registration, Payment & Exit Processes at Save the Children Nigeria

Job type: Temporary

Project Summary

• The Child Development Grant Programme (CDGP) is a DFID Funded program that provides an unconditional cash transfer of 4,000 NGN per month to pregnant women and women with children under the age of two (2) in Zamfara and Jigawa. It is delivered in partnership with Action Against Hunger (AAH)).
• The programme is being implemented in close collaboration with state governments and is aimed at reducing the prevalence of stunting and improving food security.
• The overall anticipated outcome is: A scalable programme showing how cash transfers can bring cost-effective immediate and long-term food security and nutrition benefits to eligible households with young children in poor communities in northern Nigeria:
  • Output 1: Secure payments mechanism providing regular, timely cash transfers to pregnant  women and women with under-2s
  • Output 2: An Effective system for mobilisation, targeting and delivering complementary interventions established.
  • Output 3: Enhanced government capacities for and engagement in managing social protection and cash transfers in focus states.
  • Output 4: Evidence of cash transfer modalities and impacts provided to policymakers and practitioners at State and Federal levels.
• DFID, SCI and AAH, through the CDGP, aims to secure increased political and institutional commitment by the Zamfara and Jigawa state governments to implement effective state-wide social protection to deliver improved nutrition, food security and poverty reduction for women and children at scale.
• The programme also aims to inform the design and roll out of the National Social Investment Programme (NSIP) and specifically their flagship programme, National Social Safety Net programme (NSSNP).  CDGP’s community-based enrolment, registration, payment and exit processes play a critical role in the success of the programme and provide critical learning for SCI as well as for the Federal and State-financed social protection programmes.

Overview of the Consultancy

• CDGP has a beneficiary registration and payment portal developed by our payment service provider Stanbic IBTC (Stanbic).
• The portal has beneficiary data and tracks when they are registered, money paid into their wallets, cash paid out and exited from the programme.
• The programme has also developed a Management Information System (MIS), which is expected to a repository of all the beneficiary’s information on enrollment and exit into the program.
• However, challenges in the reconciliation of beneficiaries going through these processes need to be harmonized to provide for checks and balances between the two systems.
• This we observed could lead to potential inclusion error which needs to be rectified immediately. To address these concerns and refine the processes for greater impact and further learning, the Country Director is inviting an external consultant to conduct a quality assurance assessment of CDGPs beneficiary registration, payment and exit practices from inception till date – approximately a 5 years period.
• Summarily, the objective of the audit is to enable the auditor to express a professional opinion(s) on the Confidentiality, Integrity and Availability of the CDGP MIS and Stanbic portal systems.

Risks/Audit Rationale

• Unreliable data leading to wrong payments or unwarranted penalization.
• Irregular, inaccurate or interrupted payments.
• Beneficiary identification information inclusion/exclusion errors.
• Unauthorized access to data or information.
• Unauthorized changes or creation of false transactions.
• Lack of system scalability.
• Uniformed decisions, lack of data quality/integrity causing reputational or political risks.
• Lack / unavailability of system generated an Audit trail

Audit Objective
The audit’s objective is to determine whether risk management, control, and governance processes over the Management Information System (MIS) (CDGP system and Stanbic Payment portal) provide reasonable assurance that:

• Security and confidentiality of data and information are appropriate.
• Quality  and  Integrity  of  the  data  processed  ensures  accurate  and  complete management reporting.
• Availability  of  information  for  the  users  is  consistent  with  Service  Level Agreement (SLA) requirements.
• Effective and efficient processing of information systems.
• System documentation is adequately maintained.

The consultant will consider the following during the Audit:

• Procedures to ensure that the application software and subsequent modifications are authorized and tested before implementation.
• The review, approval, control and editing of source transactions to ensure completeness and prevent error.
• Reconciliation of Output records with Input entries.
• Error detection and correction procedures.
• Logical security, Access Control and right privilege of both systems.
• Computer facilities and its components.

Audit Scope
The scope of the audit includes the CDGP MIS and Stanbic portal MIS for Save The Children International in Nigeria which consists of the following modules:

• Registration of Beneficiaries.
• Beneficiaries’ Information updates.
• Verification of compliance on Balances, Payments and Cash outs.
• Monitoring.
• Administration.
• Parametrization.

The audit will cover the Governance & Organizational Structure, Information Management, Application Management and Infrastructure components of the MIS, and will assess the following IT General Control and Application control areas:

• Logical  Access Controls: Verifying  that  controls  exist  to  ensure  that  only authorized users have access to the system and that the people who have access to the system do not have a segregation of duties (SOD) problem with having this access.
• Data Protection: Determining if data can be accessed or changed without proper authentication and accountability.
• Input Controls: Determining if input controls are built into the system to verify only valid and correct data can be entered.
• Processing Controls: Verifying if controls exist to ensure  that  all  data  is processed and accounted for.
• Output Controls: Verifying that controls are in place to ensure that output confidentiality is maintained according to its classification level.
• Interface Controls: Verifying that application controls are in place to ensure that data received from other automated sources are verified as accurate before being loaded into the application.
• Change Management and Control: Determining that the processes and tools used to report, track, approve, fix, and monitor changes on the system are appropriate.
• Contingency Planning and Backup: Verifying that backup and disaster recovery plan for the systems exist and is appropriately tested.
• Service Level Agreement: Determining whether the service level agreement requirements are being met such as system response time, system availability and system processing time.
• System Scalability: Determining whether the information system and related infrastructure can adequately support the anticipated growth in the program beneficiaries.

Specific Areas of Scope focus within Context include:

• Registration and re-registration practices:
  • Assess registration of new and re-enrolled beneficiaries within the 12 month period including:
  • Approval of registration, re-registrations (women who had been previously exited)
  • Approval of beneficiary changes
• Payment Practices:
  • Assess creation of payments, disbursement of cash to beneficiary wallets and the cash out within that time period including:
  • Creating and approval of payment
  • Approval of disbursement
  • Cash out process, looking specifically at instances of over-payment or short-payment of beneficiaries.
• Beneficiary de-activation and Exit:
  • Assess how beneficiaries were de-activated- specifically, evidence to initiate the process, based on what information and what communication was shared to document the decision and process.
  • Assess how beneficiaries were re-activated- specifically, the evidence to initiated the process, based on what information and what communication was shared to document the decision and process
  • Assess how beneficiaries are exited from the programme-specifically, specifically, justification to  initiated the process, based on what information and what communication was shared to document the decision and process

Audit Approach:

• The  audit will be undertaken through an evaluation of risk management practices, obtaining an understanding of how the system operates, related risks, and relevant risk responses including control measures.
• The appropriateness of stated controls will be evaluated and compliance assessed by testing whether key controls are working as prescribed, consistently and continuously. The risk of control objectives not being met will be substantiated.

Detailed Tasks Conducted by the Consultant will include:

• Interview the system and business unit owners
• Interviews and surveys of technology staff and key business stakeholders (if applicable)
• Review of existing documentation.
• Observation of relevant procedures and processes.
• Identify and review key IT General and Application Controls.
• Testing of key controls identified
• Identify and report control gaps and recommendations.

Administration and Reporting:

• The Consultant will carry out the information system audit in accordance with professional auditing standards preferably with IS Audit and Assurance Standards / Guidelines issued by ISACA and ISO 19011:2018, and will develop an assessment report detailing the extent and impact (consequence) of the identified risks and vulnerabilities for the CDGP MIS and the Stanbic – CDGP payment MIS under review.
• The report will provide a professional opinion on the reliability of the information processes, the level of control of the systems and also identify corrective actions for the risks that represent significant vulnerabilities.
• The Consultant will also document recommendations for improvement of managing issues discovered  during  the  assessments  and  ensuing analyses.
• The audit criteria that should be used must at a minimum include management policies and procedure, and management control guidelines, which are outlined in COBIT 5, as issued by ISACA.

Responsibilities

• Conduct quality assessment of the three areas (registration and re-registration, payment Practices, beneficiary de-activation and exit) processes on the portal as outlined in section 3 and document non-compliant practices.
• Understudy the two systems (CDGP MIS and Stanbic) for design errors and make recommendations on how best to improve and synergize the process with a view to perfecting the systems.
• Cross check compliance with SCI policies, protocol and procedures and documents any breaches and make recommendations  on how best to prevent future occurrences.
• Compile a report detailing instance of compliance or non-compliances if any and identify the immediate and remote causes with supporting documentation and recommended actions.
• Report back to the Country Director or his designate on the findings and recommend management actions to further strengthen our controls based on the findings.

Deliverables
The following will be provided upon completion of this task:

• An audit report with a brief executive summary (one to four pages) containing the audit objectives, scope, approach, overall conclusion, and key business issues.
• A  detailed  summary  of  observations  supporting  the  report,  containing  the observation,  risk/implication,  and  recommendation  for  improvement  for  each issue.
• A data dump of beneficiary details as secured from the two MIS systems
• A report on beneficiary payments,  withdrawals, balances and any possible refunds made from the accounts
• A report showing number of over-payments / short-payment within the period under review.
• A listing of all over-payments / short-payment beneficiaries and their values as culled from the database of the systems.
• All working papers, test results, interview notes, meeting minutes, and other audit evidence.
• The above-mentioned deliverables must be presented to the country director in a printed form and electronically in a compact disc. In addition, it must also be sent via electronic email / flash drive (if too large) to the Internal Audit Manager, CDGP program Manager, SCI IT Manager, Director of Awards, Director of Operations, Head of Logistics and the Country Director.

Key Contacts:

• The Country Director
• The CDGP MIS and Beneficiary Manager
• The Internal Audit and Control Manager
• The SCI IT Manager
• The CDGP Program Manager
• Senior Social Protection Advisor
• The Director of Operations
• The Head of Logistics
• Field Program Staffs
• MIS developers (HutSoft)
• Stanbic IBTC MIS developers

Duration of Consultancy

• It is expected that the duration of the Audit exercise should be no more than 25 working days to include report submission. Consultancy start date will be agreed between the consultant and SCI CDGP Management Team.

Other Matters Arising:

• Any other issues of concern arising from this assessment requiring further review will be discussed with the Country Director or his designate and form part of management recommendations / actions when submitting the final report.

Ways of Working:

• Informal/formal briefs as required
• Submission of the final report with key findings and recommendations

Qualifications

• University Degree in IT, Engineering, Systems, Accounting, Finance or related fields.
• Professional certification of CISA (Certified Information Systems Auditor).
• Working Knowledge of ISO 19011:2018.
• Additional professional certifications (CIA, CFE) are desirable
• Additional professional certifications on information technology are desirable.

Experience

• At least 7 years of practical experience in IT audit, preferably in government, public administration or not-for-profit sector.
• Expert level knowledge and practical experience in auditing IT governance, security, risk management and management of large IT projects.
• Knowledge in Management Information System Applications is a plus.
• Knowledge of System design and Architecture is a plus.
• Language skills: Excellent writing, editing and oral communication skills in English.

Competencies:

• Strong interpersonal skills, communication and diplomatic skills, ability to work in a team.
• Openness to change and the ability to receive/integrate feedback.
• Ability to work under pressure and stressful situations.
• Strong analytical, reporting, and writing abilities.
• Excellent public speaking and presentation skills.