Abstract
The local government in South Africa (SA) plays a critical role in the provision of basic services such as water, electricity, sanitation, housing, and road infrastructure. In recent years, municipalities have embarked on digitalising and automating their operations to enhance the effectiveness and efficiency of their service delivery efforts. However, this move towards digitisation has made the local government a target of cyberattacks, posing significant risks to its Information Technology (IT) system and underlying infrastructure. The 2020/2021 Auditor General South Africa (AGSA) report on local government audit outcomes highlighted a concerning state of information security in local government and thus called upon municipalities’ leadership to do more in this area.
Considering the above, this study aims to analyse the perception of the audit committee in local government towards cybersecurity. The study pursues the following research objectives to achieve the abovementioned research aim, i.e., (1) exploring the theories relevant to the audit committee’s role in cybersecurity, (2) exploring cybersecurity threats, and measures thereof, (3) exploring cybersecurity in the local government, and (4) examining the awareness and perception of the audit committee towards cybersecurity, and their role in relation to cybersecurity.
The study is deemed to be grounded in the corporate governance field, employing the agency theory, upper echelons theory and neo-institutional theory as frameworks through which the researcher explores the phenomena under investigation. A case study methodology is used for an in-depth analysis and understanding of the research phenomena. The audit committee from one of the biggest metropolitan municipalities in South Africa (SA) is purposively selected as a case study. The data collection methods adopted are questionnaires and document analysis for the purpose of triangulation. While the case study approach offers a rich and in-depth view of the phenomena under investigation, it does, however, provide a limited focus. Future research could extend the focus to the general population of the audit committee members in the SA public sector.
The study finds that there are growing threats of cyberattacks as more organisations and businesses occupy cyberspace. SA organisations both in the private and the public sector have not been immune to cyberattacks. In recent years, cybersecurity reports/publications have ranked SA as one of the worst affected countries globally in terms of cybercrime, the costs thereof reaching an estimated R2.2 billion a year. With the rise in cyberattacks, the adequacy and effectiveness of organisations’ cybersecurity have come under the spotlight, particularly with the enactment of cybersecurity-related laws and regulations aimed, amongst other things, at enhancing citizens’ privacy. The research on the state of cybersecurity in the SA local government is limited owing to the concept still being in its infancy.
Moreover, the study highlights that governing bodies (Board of Directors (BoD)) have been called upon to play an active role in cybersecurity oversight as the associated risk has consequences on compliance issues, reputation, and business disruption. In this regard, there has been a notable trend wherein the audit committees are delegated the cybersecurity oversight responsibility. The audit committee has however remained steadfast in its traditional oversight over financial reporting, the system of internal control, internal and external audit, risk management, and compliance matters. Consequently, cybersecurity matters have featured less in the audit committee meetings; however, there is a commitment by the audit committee members to allocate more agenda time to cybersecurity in the future.
The audit committee in the City of Johannesburg (CoJ) comprises two members with an IT background, a competency deemed a key aspect in fostering engagement on IT or cybersecurity matters. Furthermore, the majority of the members are relatively aware of cyberattacks and recognise these as a significant risk to the municipality’s service delivery efforts. The members, therefore, regard cybersecurity as a critical component in addressing cyberattacks to ensure the confidentiality, integrity, and availability of its technology systems. Notwithstanding that most of the CoJ audit committee members currently deem the committee to be appropriately capacitated to deal with cybersecurity oversight matters, they perceive that this oversight should rather reside with the risk management committee.
This study posits that the audit committee’s view on cybersecurity oversight can be attributed to the absence of coercive and normative pressure due to a lack of regulations and frameworks clarifying the cybersecurity governance in the municipality. Consequently, the committee would rather hold fast to its statutory requirements as stipulated in the Municipal Finance Management Act (MFMA). It is recommended that specific local government regulations or frameworks regarding cybersecurity be developed, wherein the governance of cybersecurity is addressed.
KEYWORDS
Audit committee, corporate governance, cybersecurity awareness, cybersecurity threat, public sector