17.10 Presentation To
1. Introduction
2. Infrastructure Assessment
3. Software Technical Assessment
4. Functional Assessment
5. Summary
6. Other Recommendations
Connectivity
• COPOMIS servers have adequate capacity for network connectivity; however, end users from rural cooperatives may require special provisions to connect to COPOMIS
• It is recommended that COPOMIS have a mobile app on popular mobile platforms and that the governing institutions of cooperatives provide service desks or kiosks for the cooperatives
DR Infrastructure
• The architecture of the DR infrastructure is adequate; however, the DR location, the DR activation mechanism and the data backup process are not adequate
• The DR should be shifted to a location away from the primary location
• Recovery objectives should be agreed with the service provider
• DoC should assess its data backup requirements and implement a comprehensive backup process
Internal IT Organization
• Significant improvement is required in the DoC IT organization and its processes, and there are no system monitoring tools used by DoC
• It is recommended that DoC organize a formal IT function staffed by empowered staff and ensure their capability through adequate capacity building programmes
• DoC should also implement adequate system monitoring tools
End User Readiness
• Readiness of end users at grassroots-level cooperatives appears inadequate due to infrastructure and capacity limitations
• It is recommended that DoC extend the required functionality to popular mobile platforms through apps and provide assistance through service desks and kiosks at the governing institution level
Network & Security
• The G Cloud is in an isolated network at GIDC. GIDC provides the space and physical infrastructure for the G Cloud
• The virtual servers are managed by DoC staff or its subcontractors
• The G Cloud network is protected by a SonicWall firewall, a virtual firewall and ESET security
Connectivity
• The COPOMIS servers are connected to the Nepal Internet Exchange (NPIX) through a 10 Gbps link and to the Internet through the G Cloud's common 10 Mbps primary and 2 Mbps secondary links
DR Infrastructure
• A DR instance of COPOMIS is available in the DR instance of the G Cloud with the same capacity as the primary instances
Internal IT Organization
• DoC currently does not have an internal IT organization, IT management system or processes
• DoC internal IT infrastructure consists of 25 computers connected to a LAN covering 2 floors; the LAN is established using a 24-port switch
• The Internet service provider has established a Wi-Fi network as part of the Internet service provisioning
End User Readiness
• Grassroots-level cooperatives require basic IT infrastructure to access the COPOMIS application, such as a computer and an Internet connection
• The extent of readiness of grassroots-level cooperatives on this aspect cannot be ascertained due to lack of information
• The production instances of IIS and the database are running on the same physical infrastructure; thus no redundancy measures are implemented for the production environment
• DoC has limited control over the physical infrastructure and controls supporting the COPOMIS system
• The capacity requirement for future enhancements and the ability of the cloud to meet that requirement cannot be ascertained
Functional and Technical Assessment for Scale-up of COPOMIS 17 October 2019
PwC 11
IT Infrastructure Deployment – Recommendations
• DoC should have a formal agreement with DoIT and NITC for the services, with clearly defined, quantifiable SLA parameters
• DoC / DoIT should consider modifying the production deployment by increasing the IIS and database server instances to 2 each, operating in a clustered environment to ensure high availability
Network & Security sub-domains: Anti Virus, Intrusion Detection, Access Control, Site Encryption
• The network-level control measures for the G-Cloud and COPOMIS are adequate
• COPOMIS servers are not protected with a HIDS (Host Intrusion Detection System)
• The COPOMIS production servers are accessible through remote desktop from the Internet with the default administrator account, as are the features of COPOMIS required for DoC staff and management
• DoC should restrict access to the functionalities related to DoC operations to the DoC office network only. To achieve this, DoC may implement a secured link, using a physical link or a VPN over the Internet, to the GIDC where the servers are hosted
• DoC should consider installing a reliable antivirus solution for the COPOMIS environment
• DoC should consider installing a reliable HIDS on the COPOMIS production servers, as the COPOMIS application has limited auditing and logging features
• DoC should restrict access to the production servers using privileged accounts to secured networks/IP addresses/devices only
DR Infrastructure sub-domains: Architecture, Location, Management & Activation, Back Up
• The current location of the DR infrastructure does not ensure successful recovery, as it is housed in the same data centre
• The management and activation processes of DR are a DoIT responsibility, and the recovery objectives and processes are ambiguous
• DoIT should ensure the shifting of the DR instance of the cloud to Hetauda at the earliest, as planned
• In case the relocation of the DR instance of the cloud is delayed, DoC should identify alternate options for disaster recovery
• DoC should work with DoIT to formulate acceptable recovery objectives (RTO & RPO) and should develop an internal disaster response and recovery process for DoC and COPOMIS
• DoC should assess its data backup requirements and develop a comprehensive backup process, in collaboration with DoIT, for the COPOMIS database and virtual machines
Findings
Sub Domain: Availability of Infrastructure Documentation
• There is no reliable documentation of the IT infrastructure deployment, such as a deployment architecture document, network diagrams and LAN/WAN diagrams, available
Recommendations
• DoC should ensure that an adequate level of documentation is maintained for the IT infrastructure throughout its life cycle
• The internal IT organization of DoC requires significant improvement to manage and support the current COPOMIS, in terms of number of staff and expertise
• There are no formal IT management systems and processes followed in the DoC IT Division
• There are no facilities or tools available in the DoC IT function to monitor the COPOMIS systems
• DoC should develop and implement a management system and processes for the management and maintenance of IT systems and the underlying infrastructure, based on proven frameworks such as ITIL or COBIT
• DoC should identify and implement appropriate monitoring tools for the systems and underlying infrastructure. Processes should be developed and implemented to utilize the tools
Findings
Sub Domain: End User Devices
• The extent of readiness of grassroots-level cooperatives on this aspect cannot be ascertained due to lack of information
Recommendations
• DoC and other governing institutions, such as local governments, may provision shared facilities such as service centres/desks or kiosks for the grassroots-level cooperatives
• COPOMIS may be extended with a mobile app with limited functionality for cooperatives on popular smartphone platforms such as Android and Apple
• The application should be modified to improve the functionalities and user interfaces
Software technical sub-domains: Software Architecture, Data Access, Performance
Findings
• The implementation has a 2-tier architecture and does not have a separate database access layer, service and/or business layer
• There is no clear separation between the different layers of the application, which violates the Single Responsibility Principle
• Absence of indexes in the database
• Improper indentation of the code
• Absence of adequate comments
• Presence of dead code
• The database calls during page loading are not optimized
Recommendations
• Refactor the code following the SOLID principles
• The application should display friendly error messages to end users
• Add unit test cases to the code
• Add proper indexes to all tables
• Change the design and approach
Performance – Memory Leakage
• Finding: The methodology of using SQL in the application code may lead to memory leakage and frequent garbage collection
• Recommendation: Use a string builder to avoid memory leakage
Registration of Existing Cooperatives: Cooperatives can submit an application to register themselves online in the current implementation. However, there is no provision to update the application once it is submitted. Even DoC staff are not provided with a feature to update the information; any such changes can only be made at the database level
Know Your Member (KYM): A one-time entry of all the members of a cooperative has to be made into the system through an Excel file. Subsequently, details of new members joining the cooperative can also be entered into the system on a monthly basis
Registration of New Cooperatives: The details of cooperatives which are being newly formed can be entered onto the system by the cooperatives themselves. After entering and submitting the details, cooperatives have no way to track their registration status
• Cooperatives are required to upload information at the frequencies mentioned below
• However, the frequency of submission of information can vary according to the local and provincial laws
• The system currently has the provision to capture all the below-mentioned information online
Monthly: 1. General Meetings; 2. Elections; 3. Committee; 4. Sub Committee; 5. Cooperative Unions; 6. Produce Cooperative Services; 7. Agri Produce Purchase reports; 8. Loans taken by Committee members
Annually: 1. Financial Reports; 2. Summary Report; 3. New Members details; 4. Change in Shareholder pattern; 5. Produce Export Details
Ad-hoc: 1. Bylaw Amendments; 2. Change in area of operations
Key Recommendations
• The system should have a dashboard to display all the recent information collected, with certain parameters to assess the health of a cooperative based on the information received from cooperatives
• General Meeting (GM), First GM and Special GM forms can be clubbed into one single form with customized detailing for each type of General Meeting
• By-Law Amendments and Change in Geographical Working Area forms can be combined into a single form
• The system should have a new feature to capture, through a form, the details of a cooperative member whose savings exceed the AML limit
• The system should have search and pagination features for all the types of information collected. Lists of approved and rejected returns should be shown separately
• The system should only accept information in non-editable formats such as PDF; otherwise, access control must ensure that supervisors cannot tamper with the reports submitted
Revenue: Supervisors are authorized to levy certain fines for non-compliance with the Cooperative Act 2075, Cooperative Subsidiary Legislature 2075 and the Money Laundering Act
Communication: Supervisors have to communicate certain information to the cooperatives, such as IT maintenance of COPOMIS, corrections to any of the submitted information, fines imposed, etc.
Password Distribution: Administrators have to send usernames and passwords to both existing and newly registered cooperatives
Findings
Communication: The system currently lists all the notices sent by the supervisors on a single page. Only the IT maintenance notices are presently functional
Password Distribution: Passwords are currently sent to the cooperatives in the form of physical letters
Functions Related to Supervision – Recommendations
Revenue
• The system should generate a report to display the total amount of fines collected in time periods such as a month, quarter or year
• Search and pagination for the list of fines imposed must be added
Communication
• The system should have visual cues for supervisors to see which cooperatives have and have not read the notices, so that supervisors can follow up on the notices sent
Password Distribution
• The system should send links through email or OTPs through SMS to cooperatives for creating passwords
• The system should also have a password reset button for cooperatives at the supervisor's end
1. Based on the functional assessment, it was found that while most of the activities are provisioned to be done online, gaps in the functionality of most features have led to the low adoption levels of COPOMIS
2. For the system to support the core supervisory and regulatory functions of the DoC, the system requires significant enhancements over the current state
3. In the Software Technical Review, it was found that the existing code does not follow international coding and design guidelines. Thus, it is not feasible to scale up the current system, as it may not support significant changes to the code and software functionality
4. In the IT Infrastructure assessment, it was found that while computing infrastructure is adequately provided, IT infrastructure service-related agreements need to be formalized. Security of the application, internal DoC IT organization capacity and IT infrastructure documentation were found to be weak and in need of significant improvement
5. Considering all the above assessments, DoC may look forward to developing a completely new system by comprehensively defining its requirements end-to-end with professional help
6. PwC recommends international competitive bidding for the selection of a vendor to develop a new COPOMIS to assist DoC in the regulation and supervision of cooperatives
1. Deficiencies in infrastructure deployment, such as single points of failure at the server level, in network and security, such as the absence of antivirus and HIDS (Host Intrusion Detection System), the DR infrastructure being on the same premises as production, and the lack of infrastructure documentation can pose a serious threat to the security and availability of COPOMIS. Thus it is recommended to correct the deficiencies
2. The current deployment of COPOMIS has adequate resource allocation, but DoC has no effective control over the resources' availability and scalability. DoC should have proper contracts and SLAs with service providers
3. Servers can be accessed using privileged accounts from the Internet, posing a serious security threat to COPOMIS. Access to the privileged accounts should be restricted to secured networks and devices
4. IT infrastructure documentation is currently not maintained, and this affects the maintainability of the system / environment. DoC should ensure maintenance of the required IT infrastructure documentation
5. The DR location is the same as the primary location, which defeats the purpose of having a DRS. There are significant deficiencies in the DR activation mechanism and data backup process. DoC should ensure the separation of the DR and production environments and should implement adequate data backup processes
6. End users may not have the necessary infrastructure to access the COPOMIS system, resulting in low adoption of the system. DoC may consider extending the required functionality to mobile platforms through apps and providing assistance through service desks and kiosks at the governing institution level
1. The current design and coding approach uses too many database calls to load a page, and this will result in database bottlenecks, performance issues and scalability issues
2. The methodology of using SQL in the application code may lead to memory leakage and frequent garbage collection, affecting the application performance
3. The current architecture and code violate the Single Responsibility Principle, as there is no clear separation between layers (UI, Business and Data), impacting the architectural robustness and extensibility of the application
4. The same logic has been implemented in many places by duplicating the code. Thus, any change has to be made in every place where the logic has been implemented, which severely affects the maintainability of COPOMIS
5. In the current implementation, exceptions are not adequately handled and are displayed to the end user as an error dump rather than as functional error messages. This is a potential security issue, as such errors may reveal critical information about the application architecture and its vulnerabilities
6. The database is not indexed adequately, and this can severely affect the performance of the application, as it affects data access from the database
7. Lack of proper commenting (for classes and methods), dead code (code which is not used) and improper indentation are present in the current code and affect the readability and maintainability of the code
8. Standard developer practices were not followed while developing the code. Unit test cases are missing, which impacts test coverage and time to market
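An added example (not code from the PwC report or from COPOMIS itself) that shows findings 1, 5 and 6 in miniature using Python's built-in sqlite3: the per-row page load beside a single JOIN, the query planner's verdict with and without an index, and exception detail kept in the server log rather than shown to the user. The table and column names, the reporting period and the sample rows are constructed for the demo.

```python
import logging
import sqlite3

log = logging.getLogger("copomis_demo")

PERIOD = "2019-09"  # constructed reporting period used throughout the demo


def build_db(with_index: bool = False) -> sqlite3.Connection:
    """Constructed sample schema: 50 cooperatives and one monthly return each."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE cooperative(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE monthly_return(id INTEGER PRIMARY KEY, coop_id INTEGER,
                                    period TEXT, status TEXT);
    """)
    con.executemany("INSERT INTO cooperative VALUES (?, ?)",
                    [(i, f"Coop {i}") for i in range(1, 51)])
    con.executemany(
        "INSERT INTO monthly_return(coop_id, period, status) VALUES (?, ?, ?)",
        [(i, PERIOD, "approved" if i % 3 else "rejected") for i in range(1, 51)])
    if with_index:  # remedy for finding 6: index the columns the page query filters on
        con.execute("CREATE INDEX idx_return_coop_period "
                    "ON monthly_return(coop_id, period)")
    return con


def page_load_per_row(con: sqlite3.Connection) -> tuple:
    """Finding 1 (anti-pattern): one list query plus one query per cooperative.
    Returns the page rows and the number of SQL statements issued."""
    rows, queries = [], 1
    for coop_id, name in con.execute("SELECT id, name FROM cooperative").fetchall():
        status = con.execute(
            "SELECT status FROM monthly_return WHERE coop_id = ? AND period = ?",
            (coop_id, PERIOD)).fetchone()[0]
        queries += 1
        rows.append((name, status))
    return rows, queries


def page_load_single_query(con: sqlite3.Connection) -> tuple:
    """Remedy: a single parameterised JOIN returns the whole page in one round trip."""
    rows = con.execute(
        "SELECT c.name, r.status FROM cooperative c "
        "JOIN monthly_return r ON r.coop_id = c.id WHERE r.period = ? ORDER BY c.id",
        (PERIOD,)).fetchall()
    return rows, 1


def uses_index(con: sqlite3.Connection) -> bool:
    """Finding 6: ask the planner whether the lookup is an index search or a table scan."""
    plan = con.execute(
        "EXPLAIN QUERY PLAN SELECT status FROM monthly_return "
        "WHERE coop_id = ? AND period = ?", (1, PERIOD)).fetchall()
    return any("USING INDEX" in str(row[-1]) for row in plan)


def safe_page_load(con: sqlite3.Connection) -> dict:
    """Finding 5: keep exception detail in the server log; show the user a
    functional message instead of an error dump."""
    try:
        rows, _ = page_load_single_query(con)
        return {"ok": True, "rows": rows}
    except sqlite3.Error:
        log.exception("page load failed")  # full traceback stays server-side
        return {"ok": False,
                "message": "The monthly returns could not be loaded. Please try again later."}
```

Calling `page_load_per_row(build_db())` issues 51 statements for the 50-row page while `page_load_single_query` issues one; `uses_index` reports a table scan until the index is created.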
Summary of Findings – Functional Assessment
8 Add a feature to report the number of members who have taken a loan from the cooperative
9 Add a feature to report the total amount of wages paid to the members of a labour cooperative
10 Add a feature for supervisory units to view a report on indicators of harmony with members for an individual cooperative and the average of all the cooperatives working under their jurisdiction, as per the SACOOs supervision and monitoring directives
11 Add a reporting feature on the supervisory units' login to allow viewing of the trends of the value and ratio of the indicators shown in table 1 for the last 5 years, the previous month and the same month of the previous year, as per the SACOOs supervision and monitoring directives
12 Add a feature to predict the values of the indicators as follows by extrapolating the available indicator data, as per the SACOOs supervision and monitoring directives
13 Add a feature to assess and colour-code the risk of a SACOO by categorizing it based on the 12 financial ratios and 3 ratios measuring the harmony of a cooperative with its members
ii. P2 Net Allowance for Loan Losses / Delinquency 1-12 months (WOCCU Standard): 35%; >30
viii. A1 Total Loan Delinquency / Gross Loan Portfolio: <= 5%; <= 7.5%
ix. R9 Total Operating Expenses / Avg. Total Assets: <= 5%; <= 7.5%
x. R12 Net Income / Average Total Assets (ROA): >= 10%; >= 5%
16 Add a random cooperative selection tool to select a random x number of cooperatives in their jurisdictions for random sampling for cooperative monitoring
17 Add a feature to list the cooperatives in their jurisdictions which have not been monitored in the last three fiscal years for basic monitoring, and for selection of at least 5% of the cooperatives for detailed monitoring
18 Add a feature to include service centres and other offices of large SACCOS
19 Add alerts to the supervisory units until they have prepared the year plan for monitoring, with a selection of 10 random cooperatives, the list of cooperatives which have not been monitored during the last 5 fiscal years, and at least 5% of the cooperatives working under their jurisdiction for detailed monitoring
20 Add a recording tool to add records of supervision and monitoring (basic and detailed) of cooperatives, their service centres and offices, as per the SACOOs supervision and monitoring directives
21 Add separate KYM forms to enter cooperative members' details according to the nature of the business of a cooperative
24 Add a feature to view the tenure details of the members of the management committee and other sub-committees, along with their KYM, on a yearly basis in the supervisory unit's panel
25 Add a feature in COPOMIS for the cooperatives to submit the AML report as per Annex 6 of the Cooperative AML Directive 2074
26 In the election reporting feature, add a distinction between fixed-term elections and by-elections. The number of years of the term of newly elected members in a by-election should automatically be updated as per the fixed-term election. In the by-election, there should be a field to mark the fixed-term election for which the by-election was conducted
27 Add an alert system on both the cooperative and supervisory units' logins to inform users about the need or deadline for updating the KYM forms as per article 9 of the Cooperative AML Directive 2074
30 Add a feature for the cooperative supervisory unit to update cooperative registration information. Such a feature must also ensure that the history of changes is visible to the cooperative, supervisory unit, DoC and COPOMIS support unit
31 Add a feature in the supervisory units' panel to handle the workflow of information amendments on application by the cooperatives, as per the following steps
a. Cooperative sends an application for amendment of information
b. Officer at the supervisory unit decides if such amendment is legally possible
c. If amendment is not possible, deny the cooperative with a reason
32 Supervisory units will need to review and approve amendments in the financial report, AGM report, election report and committee / sub-committee report after submission by the cooperative
35 A query builder should be incorporated for the wide array of reports which are necessary for stakeholders
38 Configure a separate file server for the reports uploaded by users
40 To drive adoption, COPOMIS should be multilingual, with English as a language option
41 Enforce the use of Unicode Nepali for storing textual data and Latin numerals for storing numerical data across the country
pwc.com
© 2019 PwC. All rights reserved. Not for further distribution without the permission of PwC.