
Auditly Advisory Services · Confidential — Client Copy

Engagement ATL-2026-LGU-0142

Full IT Systems Audit

City Government of San Isidro de Calatagan

Province of Batangas · Region IV-A (CALABARZON)

Engagement period

09 March – 03 April 2026

Report date

14 April 2026

Engagement Partner

Mr. Andres N. Calingasan, CPA, CISA

PRC 0114-237 · ISACA 24-019887

Lead Auditor

Ms. Patricia I. Velasco, CISA, CRISC

ISACA 21-105442 · CRISC 22-008371

This report contains confidential information and is intended solely for the use of the City Government of San Isidro de Calatagan and the Commission on Audit (Provincial Auditor's Office, Batangas). Reproduction in whole or in part is restricted.

Chapter 00 · Letter of Transmittal

14 April 2026

The Honorable
Hon. Reynaldo P. Mendoza
City Mayor
City Government of San Isidro de Calatagan
City Hall, P. Burgos Street, San Isidro de Calatagan, Batangas

Dear Mayor Mendoza:

Pursuant to the engagement letter dated 24 February 2026, we have completed the Full IT Systems Audit of the City Government of San Isidro de Calatagan covering the fiscal year 2025 and the operating environment as of the field visit. Our examination was conducted in accordance with the International Professional Practices Framework of the Institute of Internal Auditors, COBIT 2019, ISO/IEC 27001:2022 (used for benchmark only), and the IT audit guidelines set out in COA Circular 2020-006.

We examined the eleven (11) information systems comprising the City's mission-critical and supporting application portfolio, the underlying infrastructure (one office data center and one annex site), the procurement records of FY2025 IT acquisitions amounting to ₱11,482,700, and the governance and personnel arrangements supporting these assets.

Our work identified twelve (12) findings, of which two (2) are rated Critical, four (4) High, four (4) Medium, and two (2) Low. The aggregate annual loss exposure across all findings is estimated at ₱15,280,000, against an estimated remediation cost of ₱2,640,000 over a twelve-month horizon — a benefit-to-cost ratio of approximately 5.8 to 1.

We are particularly concerned with two findings that, in our professional judgment, warrant the City's immediate attention: (i) the sole-developer custody of the eBPLS source code (F-01), which materially threatens revenue continuity, and (ii) the lapsed Data Protection Officer designation with the National Privacy Commission (F-02), which exposes the City to administrative penalty under RA 10173.

We thank the MIS Division — particularly Engr. Marlon V. Dizon — and your management team for the courtesies extended during fieldwork. The cooperation we received was exemplary and is reflected in the depth of evidence gathered.

Respectfully,

Andres N. Calingasan

Engagement Partner · CPA, CISA

Patricia I. Velasco

Lead Auditor · CISA, CRISC

Chapter 00·B · Mayor's Briefing

Read this first · 4 minutes

San Isidro de Calatagan runs on systems that work today — and on a small handful of people who could stop them tomorrow.

Mayor Mendoza, this briefing condenses sixteen days of fieldwork into the picture you would want before your next executive committee meeting. The full technical report follows; nothing in it contradicts what is on this page.

Movement I · What is working

Your eleven information systems carry the City's daily transactions reliably. Citizen-facing services — business permits, real-property tax, civil registry — were operating during fieldwork. Your MIS team is competent and visibly cares. Annual IT spend, at ₱28,400,000 (1.7% of LGU budget), is below the DICT-recommended floor of 2.5% but is being deployed without obvious waste.

Movement II · What is fragile

The eBPLS — the system that issues business permits and brings in roughly ₱184,000,000 a year — has its source code on one contracted developer's personal laptop. The City does not hold a copy. If that developer disappears for any reason, permit issuance falls back to manual procedure within hours; our walkthrough estimates a 9 to 14-day backlog within the first week.

Backups exist, but the last successful restore drill was nineteen months ago. The offsite copy is a USB drive in the MIS Chief's desk. Database credentials for three production systems are pinned in a Viber group of twelve people, three of whom are not City employees (two vendor contacts and one former staff member).

Movement III · What is exposed

Your Data Protection Officer designation with the National Privacy Commission has been stale since November 2023. With ~412,000 citizen records on file, an NPC inquiry today could attract administrative penalties of up to ₱5,000,000. Three FY2025 IT procurements were awarded sole-source without the BAC justification required by RA 9184 — a pattern COA's resident auditor has flagged informally and may formalise.

The single most important figure in this report

We estimate the City is carrying ₱15,280,000 in annual loss exposure — revenue that could fail to come in, fines that could be levied, services that could fall over. Closing every finding in this report would cost approximately ₱2,640,000 over twelve months. That is a return of 5.8 pesos for every peso spent, and most of the spending is in the first ninety days.

Annual exposure

₱15,280,000

vs. ₱2,640,000 to fix

Figure

Operational incidents — last twelve months

Minor incidents (line) have nearly tripled since Apr 2025; five major outages occurred in the last six months. Cf. F-04, F-05.

[Chart: monthly counts, Apr 2025 to Mar 2026; y-axis 0 to 12; series: minor incidents (line) and major outage events (markers)]

Source · MIS ticketing system (GLPI) export, 25 March 2026 · WP-OPS-014

§0B.1 What we are asking you to decide

Three decisions only the Mayor can make. The rest are operational and addressed in §9 Roadmap.

  1. Decision 01 · Critical · F-01 · Authorise immediate source-code repatriation for eBPLS.

     Direct the MIS Chief to invoke clause §11(b) of PO 2022-IT-0089 and bring the eBPLS source code, deployment scripts, and credentials under City control within thirty (30) days. Cost: ₱120,000. This single decision removes the largest non-financial risk in this report.

  2. Decision 02 · Critical · F-02 · Re-lodge the Data Protection Officer designation with the NPC.

     Sign the formal designation of Atty. Sheryl Ramos-Tan and direct that it be transmitted to the NPC within fifteen (15) days, in line with NPC Advisory 2017-01. Cost: ₱25,000. This closes the City's largest statutory exposure.

  3. Decision 03 · Funding decision · Approve a one-time supplemental allocation of ₱2.64M for FY2026 IT remediation.

     Funds the full twelve-month roadmap in §9. Pays for itself within the first averted incident. Can be sourced from the IT Modernisation line of the 20% Development Fund or proposed as a supplemental appropriation at the next sanggunian session.

“The City is not in crisis. It is, however, one resignation, one ransomware email, or one NPC inquiry away from being in one. Each of those scenarios is preventable with decisions that can be made this quarter.”
Auditly Engagement Team · Concluding observation, fieldwork close

The remainder of this report sets out the evidence, the technical detail, the statutory references, and a costed twelve-month plan. We are available to walk the executive committee through any portion of it.

Chapter 01 · Executive Summary

§1.1 Overall conclusion

The City Government of San Isidro de Calatagan operates an IT estate that is broadly functional in day-to-day terms but materially under-controlled in three respects: (a) resilience — the City cannot demonstrate that critical systems can be restored within an acceptable window; (b) insider concentration — operational and developmental knowledge is concentrated in a small number of individuals, two of whom are non-plantilla; and (c) privacy compliance — statutory designations and registrations under RA 10173 have not been maintained.

None of the deficiencies observed are, individually, indicative of fraud or wrongdoing. They are, taken together, the predictable outcome of an IT function that has grown faster than its governance arrangements. They are remediable within twelve months at modest cost.

§1.2 By the numbers

12 findings raised (2 Critical · 4 High · 4 Medium · 2 Low)

₱15,280,000 estimated annual loss exposure

5.8× remediation benefit / cost ratio

§1.3 Severity composition

Figure

Distribution of findings by severity

12 findings raised across the engagement, classified per Auditly severity rubric (cf. §2.2).

12 findings: Critical 2 (17%) · High 4 (33%) · Medium 4 (33%) · Low 2 (17%)

Source · Auditly fieldwork, 09–24 March 2026 · WP-RR-001

§1.4 Findings at a glance

Ref | Finding | Category | Severity | ALE
F-01 | Sole-developer custody of eBPLS source code | Insider / Key-Person Risk | Critical | ₱2,840,000
F-02 | DPO designation lapsed; no NPC re-registration since 2023 | Privacy / RA 10173 | Critical | ₱1,750,000
F-03 | Production database credentials shared via Viber group | Access Control | High | ₱640,000
F-04 | Backup restore not tested in 19 months; sole offsite copy is on a USB drive | Resilience / DR | High | ₱3,120,000
F-05 | RPTAS runs on Windows Server 2012 R2 (EOL since October 2023) | Patching / End-of-Life | High | ₱4,400,000
F-06 | Three IT procurements in FY2025 awarded sole-source without BAC justification | Procurement / RA 9184 | High | ₱1,400,000
F-07 | No second-approver enforcement on production database changes | Change Management | Medium | ₱380,000
F-08 | COI declarations missing for 4 of 11 IT staff (RA 6713 §8) | Insider / Conflict of Interest | Medium | ₱220,000
F-09 | eBPLS does not log who viewed citizen records | Audit Trail / Privacy | Medium | ₱290,000
F-10 | Civil Registry portal lacks WCAG 2.1 AA compliance | Accessibility / ARTA | Medium | not quantified
F-11 | Cloud spend up 47% YoY with no cost-allocation tagging | FinOps | Low | ₱180,000
F-12 | Acceptable Use Policy last revised 2019 | Governance | Low | ₱60,000
Aggregate | | | | ₱15,280,000

Chapter 02 · Methodology

§2.1 Approach

Fieldwork was conducted on-site at the City Hall and the Mayor's Office Annex over a sixteen working-day period. The engagement followed Auditly's structured methodology, comprising five phases: Plan, Discover, Test, Analyse, Report. Procedures included documentary review, structured interviews, system walkthroughs, sampled transaction testing, configuration inspection (read-only), and external scanning of public-facing assets with prior written authorisation (Authorisation Memo dated 03 March 2026).

§2.2 Standards applied

  • International Professional Practices Framework (IPPF) of the IIA, 2024 edition.
  • COBIT 2019, for governance and management objective benchmarking.
  • ISO/IEC 27001:2022 and ISO/IEC 27002:2022, for control benchmarking only; no certification claim is made.
  • COA Circular 2020-006, IT audit guidelines for the public sector.
  • DICT Memorandum Circular 2020-011, Cloud-First & Cybersecurity Policy.
  • NPC Circulars 16-01 and 16-03; NPC Advisory 2017-01.

§2.3 Limitations

Our examination did not include penetration testing of internal network segments beyond the publicly addressable perimeter. One server (HRMS-DB-02) was unavailable for inspection on 11 March 2026 due to a scheduled maintenance window; it was re-tested on 18 March 2026. The sampling intervals applied to change-management evidence (n=23 of population 47) are documented in working paper WP-CHG-001.

Chapter 03 · Engagement Scope

§3.1 Organisation profile

Classification

Component City (5th class)

Population

~284,310 (2024 PSA estimate)

Total employees

1,247 (plantilla 873; JO/contract 374)

IT staff

11 (1 chief, 4 plantilla staff, 6 contracted)

Annual IT budget (FY2025)

₱28,400,000 (1.7% of LGU budget)

Sites

City Hall (HQ), Mayor's Office Annex, 14 barangay halls (terminal access only)

Citizens served (digital)

~412,000 unique records across systems

External regulators

COA, NPC, DICT, ARTA, BLGF, DOF

§3.2 Systems in scope

System | Purpose | Users | Citizens | Host | OS | DB | Criticality
eBPLS v2.3 | Business permits & licensing | 47 | 38,400 | On-prem (HP DL360 Gen10) | Ubuntu 22.04 | MariaDB 10.6 | Mission-critical
RPTAS | Real Property Tax Assessment | 22 | 87,400 | On-prem (HP DL380 Gen9) | Win Server 2012 R2 | SQL Server 2014 | Mission-critical
HRMS | Human Resource & Payroll | 14 | | On-prem (Dell R740) | Win Server 2019 | SQL Server 2019 | Mission-critical
Civil Registry System | Birth/Marriage/Death records | 18 | 412,000 | On-prem (Dell PowerEdge T440, Mayor's Annex) | Ubuntu 20.04 | PostgreSQL 14 | Mission-critical
Civil Registry Online Portal | Citizen-facing requests | 4 | 412,000 | AWS Lightsail (Singapore) | Ubuntu 22.04 | PostgreSQL 14 (RDS) | High
GIS-MIS Map Server | Land-use & zoning | 9 | | On-prem (Dell R640) | Win Server 2019 | PostGIS 13 | Medium
DTS (Document Tracking) | Office document routing | 312 | | On-prem (HP ML350 Gen10) | Ubuntu 22.04 | MariaDB 10.6 | High
Microsoft 365 (E3) | Email & collaboration | 142 | | Cloud (Microsoft tenant) | | | High
Office Website (CMS) | Public information | 6 | | Shared hosting (third-party) | Linux (CentOS 7) | MySQL 5.7 | Low

Chapter 04 · Detailed Findings

§4 Findings — IIA / COA standard format

Each finding is presented with Observation, Condition, Criteria, Cause, Effect, Recommendation, and Management Response, in accordance with the structure recommended by the Institute of Internal Auditors and reflected in COA Circular 2020-006.

Finding 1 of 12 · Ref F-01
Critical · Insider / Key-Person Risk

Sole-developer custody of eBPLS source code

System: eBPLS v2.3 (Electronic Business Permit & Licensing System)

Observation
The complete source code, deployment scripts, and the only known administrator credentials for the eBPLS production environment reside on a personal laptop belonging to a single contracted developer (Mr. R. Aguilar, engaged through PO 2022-IT-0089). No copy of the repository is held in any City Government-controlled location. The developer is not a plantilla employee and his current consultancy expires 30 June 2026.
Condition
On-site walkthrough on 12 March 2026 confirmed: (i) no City-controlled Git remote exists; (ii) the GitLab account hosting the working branch is registered to the developer's personal Gmail; (iii) the City IT Office cannot independently rebuild or redeploy the system without the developer present.
Criteria
DICT MC 2020-011 §7.2 ("Source code of government-funded systems shall be deposited in the agency's controlled repository"); COA Circular 2020-006 §6.4 on safeguarding of intangible assets; and the contract clause in PO 2022-IT-0089 §11(b) requiring source code turnover.
Cause
No technical owner was assigned within the MIS Division at contract execution. The IT Steering Committee did not include source-code escrow as an acceptance criterion. Turnover required by §11(b) of the PO was never formally invoked or documented.
Effect
If the developer becomes unavailable (resignation, illness, contractual dispute), the City cannot patch security vulnerabilities, cannot issue business permits beyond manual fallback (estimated 9–14 day backlog per simulation), and cannot demonstrate ownership in the event of an IP dispute. Estimated annual loss exposure: ₱2,840,000 (revenue collection delay + emergency re-development).
Recommendation
Within 30 days: (a) execute the turnover clause in PO 2022-IT-0089; (b) mirror all repositories to a City-owned GitLab/Gitea instance hosted at the MIS Data Center; (c) require all future commits to flow through the City repository as the system-of-record; (d) rotate all production credentials and store in a City-controlled secret vault. Within 90 days: amend the standard IT services PO template to make source-code escrow a mandatory deliverable on first milestone payment.
Management response
Concur. The MIS Chief commits to executing the turnover by 15 May 2026. Item (d) is already in progress as of 22 March 2026.
Responsible

Engr. M. V. Dizon, MIS Chief

Target completion

15 May 2026

Evidence

EV-014 · EV-015 · EV-016 · INT-04

Finding 2 of 12 · Ref F-02
Critical · Privacy / RA 10173

DPO designation lapsed; no NPC re-registration since 2023

System: Office-wide (NPC registration scope: 14 personal data systems)

Observation
The City Government's Data Protection Officer designation, originally filed with the National Privacy Commission on 4 February 2021 (NPC Ref: SYS-LGU-2021-00417), has not been refreshed since the previous DPO's separation in November 2023. No replacement designation has been transmitted to the NPC. The current acting DPO (Atty. S. Ramos-Tan) was appointed by internal memorandum dated 9 December 2023 but the designation has not been lodged externally.
Condition
NPC public registry inquiry on 13 March 2026 returned status "DPO record stale — last updated 04 Feb 2021". The City's 14 registered personal data systems remain on file but are unaffiliated with any current designated officer.
Criteria
RA 10173 §21; NPC Circular 16-01 §3 (continuous designation requirement); NPC Advisory 2017-01 (re-registration upon DPO change within fifteen [15] days).
Cause
Internal HR notification of the previous DPO's separation was not routed to the Privacy Compliance Officer. No SOP exists for triggering NPC re-registration upon personnel change.
Effect
In the event of a personal data breach, the City cannot demonstrate a compliant DPO chain. NPC may impose administrative fines of ₱50,000 to ₱5,000,000 under the 2022 NPC Schedule of Fines depending on volume of records affected (~412,000 citizen records currently held).
Recommendation
Within 15 days: file the updated DPO designation with the NPC via the e-Registration portal, attaching the December 2023 internal memorandum. Within 60 days: publish an SOP titled "NPC Re-registration on DPO Change" and assign a backup DPO.
Management response
Concur. Atty. Ramos-Tan to coordinate with the City Legal Office for filing on or before 28 April 2026.
Responsible

Atty. S. Ramos-Tan, Acting DPO

Target completion

28 April 2026

Evidence

EV-021 · EV-022 · INT-07

Finding 3 of 12 · Ref F-03
High · Access Control

Production database credentials shared via Viber group

System: RPTAS, eBPLS, HRMS (3 production database instances)

Observation
A persistent Viber group titled "MIS Tech Team" (12 members, including 3 non-employees: 2 vendor contacts and 1 former staff) contains pinned messages with the production database username and password for RPTAS (last updated 14 January 2025) and eBPLS (last updated 28 August 2024). The HRMS credentials were posted as a chat message on 02 February 2026 and never deleted.
Condition
Confirmed via screenshot capture during interview INT-12 on 18 March 2026. The MIS Chief acknowledged the practice as informal but "convenient when troubleshooting outside office hours."
Criteria
DICT MC 2020-011 Annex B §4.3 (privileged credential handling); ISO/IEC 27002:2022 §5.17 (authentication information); the City's own IT Security Policy 2019 §6.2 prohibiting credential sharing.
Cause
Absence of a privileged access management (PAM) tool. No just-in-time access provisioning. Out-of-hours support model relies on shared credentials rather than break-glass accounts.
Effect
One former staff member and two vendor contacts retain functional production database access without an audit trail, and because the accounts are shared no change made by any member of the group is attributable to an individual. ₱640,000 ALE based on a conservative single-incident DB-tampering scenario.
Recommendation
Within 30 days: rotate all three sets of credentials; remove all persistent credentials from chat platforms; implement a free-tier Bitwarden organization or equivalent with audited per-user access. Within 120 days: stand up a basic break-glass procedure and JIT access workflow.
Management response
Concur. Credentials rotated 21 March 2026 (post-fieldwork). Bitwarden trial started 25 March 2026.
Responsible

Engr. M. V. Dizon, MIS Chief

Target completion

30 April 2026

Evidence

EV-031 · EV-032 · INT-12
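
Rotating the three credentials (recommendation, first bullet) does not by itself tell the MIS team where else those values were posted or who saw them. The script below is an added example written for this page, not Auditly or City tooling: it scans an exported chat transcript for the two shapes credentials take in chat (a bare "password=" or "pw is" fragment, and a connection URI of the form scheme://user:secret@host), redacts the secret before reporting, and lists the posters who need to delete their messages. The transcript is constructed for the example, and the line layout assumed in LINE_RE is a guess; real Viber or Telegram exports use their own format and the pattern must be adjusted.

```python
"""Credential leakage scan over an exported chat transcript.

Added illustration for F-03; not the City's tooling. The transcript below is
constructed, and the line format in LINE_RE is an assumption: real exports
differ, so adjust it before use.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed export line shape: "DD/MM/YYYY HH:MM - Author: message"
LINE_RE = re.compile(
    r"^(?P<when>\d{2}/\d{2}/\d{4} \d{2}:\d{2}) - (?P<author>[^:]+): (?P<msg>.*)$"
)
# Two shapes credentials take in chat: a bare "password=..." / "pw is ..."
# fragment, and a connection URI such as mysql://user:secret@host.
KV_RE = re.compile(r"\b(?:password|passwd|pwd|pw)\s*(?:is|[:=])\s*(?P<secret>\S+)", re.I)
URI_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://(?P<user>[^:/\s@]+):(?P<secret>[^@\s]+)@", re.I)
USER_RE = re.compile(r"\b(?:user(?:name)?|uid|login)\s*[:=]\s*(?P<user>\S+)", re.I)

# Constructed sample; names, hosts and secrets are invented for the example.
SAMPLE_EXPORT = """\
14/01/2025 09:12 - Dizon: RPTAS prod DB -> server=10.20.0.15 user=rptas_app password=Rpt@s2025! (pinned)
28/08/2024 17:40 - Aguilar: ebpls: mysql://ebpls_svc:Perm1t$ecret@10.20.0.21:3306/ebpls
02/02/2026 22:05 - Salonga: hrms db pw is Payr0ll#2026 (sa account), delete after
03/02/2026 08:10 - Ortega: noted, thanks
11/03/2026 10:00 - Dizon: backup ran ok last night, 98% success
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    when: str
    author: str
    kind: str               # "uri" or "kv"
    username: Optional[str]
    redacted: str           # the secret itself never leaves scan_transcript()


def redact(secret: str) -> str:
    """Keep the first character and the length: enough for the poster to
    recognise the entry, not enough to reuse it."""
    return f"{secret[0]}{'*' * (len(secret) - 1)} (len {len(secret)})"


def scan_transcript(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue  # system notices, media placeholders, continuation lines
        author, when, msg = m["author"].strip(), m["when"], m["msg"]
        for u in URI_RE.finditer(msg):
            findings.append(Finding(line_no, when, author, "uri", u["user"], redact(u["secret"])))
        # Drop URIs before the key/value pass so one credential is not counted twice.
        rest = URI_RE.sub("", msg)
        user = USER_RE.search(rest)
        for kv in KV_RE.finditer(rest):
            findings.append(Finding(line_no, when, author, "kv",
                                    user["user"] if user else None, redact(kv["secret"])))
    return findings


def authors_to_notify(findings: List[Finding]) -> List[str]:
    """People who posted credentials, for the delete-and-acknowledge sweep."""
    return sorted({f.author for f in findings})


if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_EXPORT):
        print(f"line {f.line_no} {f.when} {f.author}: {f.kind} user={f.username} secret={f.redacted}")
    print("notify:", ", ".join(authors_to_notify(scan_transcript(SAMPLE_EXPORT))))
```

The output is meant to be attached to the working paper as evidence of the sweep; the redaction is deliberate so that the finding itself does not become a second copy of the credential. Any username the scan recovers should be checked against the rotation list, since an account that was posted but not rotated is still exposed.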

Finding 4 of 12 · Ref F-04
High · Resilience / DR

Backup restore not tested in 19 months; sole offsite copy is on a USB drive

System: All on-premise systems (RPTAS, eBPLS, HRMS, Civil Registry)

Observation
The last documented end-to-end restore test was performed 24 August 2024 for HRMS only. RPTAS, eBPLS, and Civil Registry have no record of a successful restore drill in the past 19 months. The only offsite backup copy is a 2 TB Seagate USB drive kept in the MIS Chief's office drawer and rotated to his residence on weekends.
Condition
Backup logs reviewed for the period Sep 2024 – Mar 2026 confirm nightly tape and disk backups completing successfully (>98% success rate) but no restore tests beyond ad-hoc file-level recoveries. The USB practice was confirmed in interview INT-04 and observed in situ on 11 March 2026.
Criteria
DICT MC 2020-011 Annex B §6.1 ("Restore tests shall be conducted at least semi-annually"); ISO/IEC 27002:2022 §8.13; COA Circular 2020-006 §7.3 on data continuity.
Cause
No assigned owner for DR drills. Storage budget for a proper offsite (cloud or alternate site) was deferred in the FY2024 and FY2025 supplemental budget rounds.
Effect
Untested backups frequently fail at restoration. Loss of the City Hall data center or the annex (fire, theft, flood) while the USB drive is on-site, lost or unreadable would mean total data loss for the four mission-critical on-premise systems. ALE ₱3,120,000 (lower bound: 2 weeks revenue interruption + reconstitution).
Recommendation
Within 60 days: conduct a full restore drill of RPTAS and eBPLS to a sandbox environment; document RTO/RPO actuals. Within 180 days: procure cloud-based offsite backup (immutable storage, ~₱48,000/yr at current data volumes); retire the USB practice.
Management response
Concur with reservation: cloud offsite is contingent on FY2027 budget approval. Sandbox restore drill scheduled for 12 May 2026.
Responsible

Mr. J. P. Salonga, Network & Infra Lead

Target completion

30 June 2026

Evidence

EV-041 · EV-042 · EV-043 · INT-04

Finding 5 of 12 · Ref F-05
High · Patching / End-of-Life

RPTAS runs on Windows Server 2012 R2 (EOL since October 2023)

System: RPTAS (Real Property Tax Assessment System) — single VM on HP ProLiant DL380 Gen9

Observation
The Real Property Tax Assessment System, which processes approximately 87,400 property tax bills per cycle and posted FY2025 collections of ₱284,700,000, runs on Windows Server 2012 R2 with SQL Server 2014. Microsoft extended support ended 10 October 2023 for Windows Server 2012 R2 and 9 July 2024 for SQL Server 2014; no Extended Security Updates (ESU) license has been procured for either product.
Condition
Confirmed via remote inspection on 12 March 2026 (build 9600.21996, last cumulative update April 2023). Forty-seven security updates published for the post-EOL (ESU) window are not installed; without an ESU licence the host cannot obtain them through Windows Update.
Criteria
DICT MC 2020-011 §5.4 (vendor-supported software baseline); COA AOM 2024-LGU-IT-019 (general); ISO/IEC 27002:2022 §8.8 (vulnerability management).
Cause
RPTAS upgrade has been in the FY2024 and FY2025 IT plan but deferred due to vendor (Pega-based 2017 build) requiring a paid migration package estimated at ₱2,200,000. Migration was not bid out.
Effect
Unpatched OS and database engine hosting the City's largest revenue system. Post-EOL vulnerabilities that were fixed only for ESU subscribers include CVE-2024-38063, a critical (CVSS 9.8) unauthenticated remote code execution flaw in the Windows TCP/IP IPv6 stack. Successful exploitation could halt collections, expose PII of all property owners, and trigger a COA AOM.
Recommendation
Within 30 days: isolate the RPTAS VM behind a dedicated firewall ruleset; disable inbound RDP from the City LAN; require jump-host access only; apply Microsoft's published interim workaround for CVE-2024-38063 (disable IPv6 on the VM where it is not needed) until the migration completes. Within 270 days: complete the OS+DB upgrade to Windows Server 2022 / SQL Server 2022 with the vendor's supported migration path.
Management response
Concur. Network isolation completed 26 March 2026. Migration to be programmed in FY2026 supplemental budget.
Responsible

Engr. M. V. Dizon, MIS Chief

Target completion

31 December 2026

Evidence

EV-051 · EV-052 · EV-053

Finding 6 of 12 · Ref F-06
High · Procurement / RA 9184

Three IT procurements in FY2025 awarded sole-source without BAC justification

System: Procurement records, FY2025

Observation
Three IT-related procurements totaling ₱4,287,500 were awarded in FY2025 via Negotiated Procurement (Sole-Source) without a BAC Resolution citing the specific ground under RA 9184 §53. POs in question: PO 2025-IT-0034 (network switches, ₱1,842,000), PO 2025-IT-0061 (CCTV expansion, ₱1,605,500), PO 2025-IT-0078 (annual SSL certificates, ₱840,000).
Condition
Procurement files reviewed 14–15 March 2026. PO 2025-IT-0034 has a one-paragraph BAC minute citing "urgency" but no Sec. 53(b) determination of imminent danger. PO 2025-IT-0061 file is missing the BAC Resolution entirely. PO 2025-IT-0078 cites "sole distributor" but no Distributor Certificate is attached.
Criteria
RA 9184 §53; 2016 Revised IRR §53.1 and §53.5; GPPB Resolution 09-2020 on emergency procurement documentation.
Cause
BAC Secretariat understaffed (1 secretariat for 4 BACs across the City). Templated justification language reused without Sec. 53 ground analysis.
Effect
All three POs are at risk of COA disallowance. Combined exposure: ₱4,287,500. Personal liability under §65 of RA 9184 attaches to the BAC and the approving official.
Recommendation
Within 60 days: prepare ratification documentation citing the specific Sec. 53 ground for each PO; attach Distributor Certificate for PO 2025-IT-0078. Within 180 days: BAC Secretariat to adopt a Sec. 53 checklist as a mandatory attachment to all alternative-mode procurements.
Management response
Partial concur. BAC Chair to consult City Legal regarding ratification feasibility.
Responsible

BAC Chairperson (Asst. City Administrator)

Target completion

30 June 2026

Evidence

EV-061 · EV-062 · EV-063 · EV-064

Finding 7 of 12 · Ref F-07
Medium · Change Management

No second-approver enforcement on production database changes

System: RPTAS, eBPLS, HRMS

Observation
Database schema and stored-procedure changes are deployed by the MIS Chief or his designate using direct connections to the production instance. There is no enforced four-eyes review. Of 23 production changes sampled across CY2025, 19 (82.6%) were self-approved (executed by the same individual who authored the change request).
Condition
Change log analysis from RPTAS audit table dbo.aud_ddl, period 01 Jan 2025 – 31 Dec 2025, covering 23 DDL events.
Criteria
ISO/IEC 27002:2022 §8.32 (change management); COBIT 2019 BAI06.01; DICT MC 2020-011 §7.5.
Cause
Small IT team (11 staff, 5 of them plantilla), informal escalation culture, no ITSM tool (changes tracked in a shared Excel workbook).
Effect
No independent assurance that production changes are reviewed for risk. Increases likelihood of an unauthorized or erroneous change going undetected. ALE ₱380,000.
Recommendation
Within 90 days: adopt a lightweight change ticket workflow (e.g., GLPI, free) requiring a named second approver before any production DDL. Backfill change records for Q1 2026.
Management response
Concur. GLPI pilot to commence Q2 2026.
Responsible

Engr. M. V. Dizon, MIS Chief

Target completion

31 August 2026

Evidence

EV-071 · EV-072
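
A ticket workflow (recommendation above) only helps if something refuses to apply DDL when the ticket does not show an independent approver. The block below is an added example written for this page, not City or Auditly code: evaluate_change() is the gate a deployment script or the GLPI workflow would run before a DDL script touches RPTAS, eBPLS or HRMS, and self_approval_rate() reproduces the audit test in the Observation over a change history. The Change fields, the approver roster, the seven-day approval window and the sample history are assumptions; the City's dbo.aud_ddl rows and GLPI tickets would be mapped onto the same fields.

```python
"""Four-eyes gate for production DDL changes.

Added illustration for F-07; not the City's code. Roster, approval window and
the sample history are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

APPROVERS = frozenset({"dizon", "salonga", "reyes"})   # assumed approver roster
MAX_APPROVAL_AGE = timedelta(days=7)                   # assumed policy: approvals expire


@dataclass(frozen=True)
class Change:
    ticket: Optional[str]          # GLPI / change-request id, None if untracked
    author: str                    # who wrote the change request
    approver: Optional[str]        # who approved it, None if nobody did
    approved_at: Optional[datetime]
    executor: str                  # login that ran the DDL (from dbo.aud_ddl)
    executed_at: datetime
    ddl: str


def evaluate_change(c: Change) -> List[str]:
    """Return the policy violations; an empty list means the DDL may proceed."""
    problems: List[str] = []
    if not c.ticket:
        problems.append("no change ticket")
    if c.approver is None or c.approved_at is None:
        problems.append("no recorded approval")
        return problems
    approver = c.approver.lower()
    if approver == c.author.lower():
        problems.append("approver is the author (self-approval)")
    if approver == c.executor.lower():
        problems.append("approver is the executor")
    if approver not in APPROVERS:
        problems.append(f"approver {c.approver!r} not on the approver roster")
    if c.approved_at > c.executed_at:
        problems.append("approval recorded after execution")
    elif c.executed_at - c.approved_at > MAX_APPROVAL_AGE:
        problems.append("approval older than the allowed window")
    return problems


def is_self_approved(c: Change) -> bool:
    """The audit test: no approver independent of both author and executor."""
    return c.approver is None or c.approver.lower() in {c.author.lower(), c.executor.lower()}


def self_approval_rate(changes: List[Change]) -> float:
    return sum(is_self_approved(c) for c in changes) / len(changes) if changes else 0.0


# Constructed sample history; tickets, names and statements are invented.
T = datetime(2025, 6, 2, 9, 0)
SAMPLE_LOG = [
    Change("CHG-101", "dizon", None, None, "dizon", T, "ALTER TABLE rpt_assess ADD flag BIT"),
    Change("CHG-102", "aguilar", "dizon", T - timedelta(hours=1), "aguilar", T, "CREATE INDEX ix_permit_tin ON permit(tin)"),
    Change(None, "dizon", "dizon", T - timedelta(hours=2), "dizon", T, "DROP PROCEDURE usp_old_post"),
    Change("CHG-104", "salonga", "dizon", T + timedelta(minutes=30), "salonga", T, "ALTER PROCEDURE usp_post_payment"),
    Change("CHG-105", "aguilar", "aguilar", T - timedelta(hours=1), "salonga", T, "ALTER TABLE hr_payroll ADD bonus MONEY"),
]

if __name__ == "__main__":
    for c in SAMPLE_LOG:
        print(c.ticket, c.executor, evaluate_change(c) or "OK")
    print(f"self-approved: {self_approval_rate(SAMPLE_LOG):.1%}")
```

Two of the rules are worth noting. An approval stamped after the execution time (CHG-104 in the sample) is the signature of a ticket backfilled to satisfy the audit, which is why the gate checks ordering and not merely presence. And the roster check prevents the four-eyes rule from being satisfied by any second login, such as a developer approving a colleague's change on the same team.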

Finding 8 of 12 · Ref F-08
Medium · Insider / Conflict of Interest

COI declarations missing for 4 of 11 IT staff (RA 6713 §8)

System: Office-wide HR records

Observation
Of 11 IT plantilla and contracted personnel with administrative or developer access, only 7 have a current Statement of Assets, Liabilities and Net Worth (SALN) and conflict-of-interest declaration on file with the HR Office. The remaining 4 (3 contracted developers, 1 plantilla network admin) have no COI declaration for CY2025.
Condition
HR records review 17 March 2026. Comparison against the access roster maintained by MIS.
Criteria
RA 6713 §8 (Statements and Disclosure); CSC Memorandum Circular No. 03 s. 2015 on COI for contracted personnel handling sensitive data.
Cause
Contracted personnel are not routinely included in the HR Office's annual SALN reminder cycle. No cross-check between MIS access list and HR declarations.
Effect
Undeclared COIs (e.g., a developer whose spouse owns a vendor company) can compromise procurement integrity and lead to administrative cases. Two of the four are involved in a current vendor selection.
Recommendation
Within 30 days: collect COI declarations from the 4 personnel; cross-check against current vendor/supplier registry. Within 90 days: institute a quarterly reconciliation between the MIS access list and HR's COI register.
Management response
Concur. HR Officer to action by 30 April 2026.
Responsible

Mrs. L. Ortega, HRMO IV

Target completion

30 April 2026

Evidence

EV-081 · INT-09

Finding 9 of 12 · Ref F-09
Medium · Audit Trail / Privacy

eBPLS does not log who viewed citizen records

System: eBPLS v2.3

Observation
The eBPLS application logs CREATE, UPDATE, and DELETE events on permit records but does not log READ events. Approximately 412,000 business and citizen records (with TIN, address, mobile number) can be browsed by 47 authorized users without any record of who accessed which entity.
Condition
Application code review (file: app/controllers/permit_view.php, lines 88–142) and log table inspection on 13 March 2026.
Criteria
RA 10173 §20(c) (Implementation of security measures); NPC Circular 16-01 §28 on access logging; ISO/IEC 27002:2022 §8.15.
Cause
Original 2022 build prioritized write auditing only. Read logging was deferred as a Phase 2 enhancement that was never funded.
Effect
In the event of a privacy complaint or insider misuse allegation, the City cannot identify the responsible viewer. Investigative dead-end.
Recommendation
Within 120 days: add read-event logging in the application's view controller (a database trigger cannot capture SELECTs), recording who viewed which entity, when, and under which request; retain 24 months minimum. Coordinate with the developer (see F-01 remediation) to ensure the change is captured in the controlled repository.
Management response
Concur. Targeted for next maintenance window (Q3 2026).
Responsible

Engr. M. V. Dizon, MIS Chief

Target completion

30 September 2026

Evidence

EV-091 · EV-092
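
The Effect above is an investigative dead-end because the question "who viewed this record" cannot be answered; a read log answers it only if the log itself cannot be quietly edited afterwards. The block below is an added example written for this page, not eBPLS code: eBPLS is PHP on MariaDB, and the Python here shows the shape of the record the view controller should write and a hash chain that makes later edits or deletions detectable. Field names, the purpose vocabulary and the sample events are assumptions, not the eBPLS schema.

```python
"""Tamper-evident read-access audit trail for citizen records.

Added illustration for F-09; not eBPLS code. Field names, purposes and the
sample events are assumptions for the example.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64


def _digest(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ReadAuditLog:
    """Append-only list of read events; every entry commits to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record_read(self, user_id: str, entity_type: str, entity_id: str,
                    purpose: str, request_id: str,
                    at: Optional[datetime] = None) -> str:
        """Called by the view controller after authorisation, before rendering."""
        payload = {
            "ts": (at or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,
            "entity": f"{entity_type}:{entity_id}",
            "purpose": purpose,      # e.g. "permit_renewal", "audit", "helpdesk"
            "request": request_id,   # ties the read to the web-server request log
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {**payload, "prev": prev, "hash": _digest(prev, payload)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Tuple[bool, int]:
        """Recompute the chain; return (ok, index of the first bad entry or -1)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _digest(prev, payload):
                return False, i
            prev = e["hash"]
        return True, -1

    def who_viewed(self, entity_type: str, entity_id: str) -> List[Tuple[str, str, str]]:
        """The question the finding says the City cannot answer today."""
        key = f"{entity_type}:{entity_id}"
        return [(e["ts"], e["user"], e["purpose"]) for e in self.entries if e["entity"] == key]


def build_sample() -> ReadAuditLog:
    """Constructed events; users, permit ids and timestamps are invented."""
    log = ReadAuditLog()
    t0 = datetime(2026, 3, 13, 9, 0, tzinfo=timezone.utc)
    log.record_read("u47", "permit", "BP-2025-00417", "permit_renewal", "req-0001", t0)
    log.record_read("u12", "permit", "BP-2025-00417", "helpdesk", "req-0002", t0.replace(minute=5))
    log.record_read("u12", "permit", "BP-2025-00988", "helpdesk", "req-0003", t0.replace(minute=7))
    return log


if __name__ == "__main__":
    log = build_sample()
    print(log.who_viewed("permit", "BP-2025-00417"))
    print("chain ok:", log.verify())
    log.entries[1]["user"] = "u99"            # simulated after-the-fact edit
    print("after tampering:", log.verify())   # (False, 1)
```

The chain detects edits and deletions in the middle of the log but not removal of the most recent entries, so the tail hash should be copied daily to a system the database administrators do not control (a separate host or the DTS), which is also what gives the 24-month retention requirement teeth. The "purpose" field is what turns a volume of reads into something an investigator can triage: a helpdesk user browsing records with no open ticket stands out only if the reason for each read is captured with it.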

Finding 10 of 12 · Ref F-10
Medium · Accessibility / ARTA

Civil Registry portal lacks WCAG 2.1 AA compliance

System: Civil Registry Online Request Portal (civilregistry.sancalatagan.gov.ph)

Observation
Automated and manual accessibility scan (axe-core 4.8 plus keyboard-only walkthrough) returned 23 distinct WCAG 2.1 AA violations on the public Civil Registry Online Request Portal: missing form labels (8), insufficient contrast (4), no skip-to-content (1), images without alt text (7), keyboard trap on the date picker (1), no focus indicator on 2 primary buttons.
Condition
Scan performed 16 March 2026 against the public production URL.
Criteria
ARTA Memorandum Circular 2022-03 (digital service accessibility); DICT MC 2020-011 §8.3 referencing WCAG 2.1; UN Convention on the Rights of Persons with Disabilities, ratified by the Philippines.
Cause
Frontend was built by an outsourced web shop in 2022 without an accessibility acceptance criterion in the SOW.
Effect
Excludes an estimated 8.6% of intended users (PWD population). Citizen complaints to ARTA can result in a Notice to Explain.
Recommendation
Within 90 days: remediate the 8 form-label and 4 contrast issues (low effort). Within 180 days: complete remaining items and publish an Accessibility Statement.
Management response
Concur. MIS to coordinate with the original vendor under the warranty clause.
Responsible

Engr. M. V. Dizon, MIS Chief

Target completion

31 August 2026

Evidence

EV-101 · EV-102

Finding 11 of 12 · Ref F-11
Low · FinOps

Cloud spend up 47% YoY with no cost-allocation tagging

System: AWS account 8417-2235-9012; Microsoft 365 tenant

Observation
AWS spend grew from ₱43,200/month average in CY2024 to ₱63,500/month average in CY2025 (+47%). No resource tags exist for cost allocation. Microsoft 365 has 142 active licenses but staff headcount with documented need is 118 — a 24-license drift (₱33,600/yr).
Condition
AWS Cost Explorer export reviewed 14 March 2026; M365 admin center license report on the same date.
Criteria
Internal IT Spend Policy 2022 §4.1 (quarterly cost reviews); general principles of public-fund stewardship under PD 1445.
Cause
No cost-management role assigned. License joiner/mover/leaver process for M365 is informal.
Effect
Estimated ₱180,000/yr in avoidable spend. Untagged resources risk being orphaned.
Recommendation
Within 60 days: implement minimum tag set (Owner, Environment, System) on all AWS resources; reclaim the 24 unused M365 licenses. Within 180 days: institute a quarterly cloud cost review.
Management response
Concur.
Responsible

Engr. M. V. Dizon, MIS Chief

Target completion

31 July 2026

Evidence

EV-111 · EV-112
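
The recommendation above has two mechanical parts: enforce a minimum tag set on every AWS resource, and reconcile M365 seats against staff with a documented need. As an added example (not the working papers EV-111/EV-112 and not an AWS or Microsoft API client), the script below runs both checks over constructed records shaped like a parsed resource-inventory export and a parsed license report; every ARN, mailbox and cost in it is made up, and the ₱1,400 per seat per year is only the figure implied by the finding (₱33,600 ÷ 24).

```python
"""Cost-allocation tag coverage and M365 license-drift checks for F-11.

Added example; not Auditly's working papers and not a cloud API client.
The records below are constructed stand-ins for a parsed AWS resource export
and a parsed M365 license report. Only the minimum tag set (Owner,
Environment, System) and the per-seat cost implied by the finding are
taken from the report.
"""
REQUIRED_TAGS = ("Owner", "Environment", "System")

# Constructed: one record per billable AWS resource after parsing an export.
AWS_RESOURCES = [
    {"arn": "arn:aws:ec2:ap-southeast-1:000000000000:instance/i-0constructed1",
     "monthly_cost_php": 18_400.0,
     "tags": {"Owner": "mis", "Environment": "prod", "System": "eBPLS"}},
    {"arn": "arn:aws:ec2:ap-southeast-1:000000000000:instance/i-0constructed2",
     "monthly_cost_php": 12_100.0,
     "tags": {"Owner": "mis"}},                       # Environment, System missing
    {"arn": "arn:aws:rds:ap-southeast-1:000000000000:db:constructed-db",
     "monthly_cost_php": 22_700.0,
     "tags": {}},                                     # entirely untagged
    {"arn": "arn:aws:s3:::constructed-archive-bucket",
     "monthly_cost_php": 3_900.0,
     "tags": {"Owner": "mis", "Environment": "dev", "System": "GIS"}},
]

# Constructed: (user principal name, SKU label, days since last sign-in).
M365_ASSIGNMENTS = [
    ("a.clerk@example.gov.ph", "M365-E3", 2),
    ("b.assessor@example.gov.ph", "M365-E3", 5),
    ("c.former@example.gov.ph", "M365-E3", 140),        # left the City, seat never reclaimed
    ("scanner.shared@example.gov.ph", "M365-E3", 400),  # device mailbox holding a full seat
]
# Constructed: HR roster of staff with a documented need for a seat.
HR_ROSTER_WITH_NEED = {"a.clerk@example.gov.ph", "b.assessor@example.gov.ph"}


def untagged_resources(resources, required=REQUIRED_TAGS):
    """Return [(arn, [missing tag keys])] for resources failing the minimum tag set."""
    gaps = []
    for r in resources:
        missing = [k for k in required if not r["tags"].get(k)]
        if missing:
            gaps.append((r["arn"], missing))
    return gaps


def tag_coverage(resources, required=REQUIRED_TAGS):
    """Share of resources carrying the full minimum tag set (0.0 to 1.0)."""
    flagged = len(untagged_resources(resources, required))
    return (len(resources) - flagged) / len(resources)


def unattributable_spend(resources, required=REQUIRED_TAGS):
    """Monthly ₱ that cannot be charged to a System because a required tag is absent."""
    flagged = {arn for arn, _ in untagged_resources(resources, required)}
    return sum(r["monthly_cost_php"] for r in resources if r["arn"] in flagged)


def license_drift(assignments, roster, stale_after_days=90):
    """Map each drifting seat to its reasons: no documented need and/or dormant."""
    drift = {}
    for upn, _sku, idle_days in assignments:
        reasons = []
        if upn not in roster:
            reasons.append("not_in_roster")
        if idle_days > stale_after_days:
            reasons.append("stale")
        if reasons:
            drift[upn] = reasons
    return drift


def reclaimable_per_year(seat_count, php_per_seat_year=1_400):
    """Annual ₱ recovered by releasing `seat_count` seats (per-seat figure is an assumption)."""
    return seat_count * php_per_seat_year


if __name__ == "__main__":
    for arn, missing in untagged_resources(AWS_RESOURCES):
        print(f"UNTAGGED {arn}: missing {', '.join(missing)}")
    print(f"tag coverage {tag_coverage(AWS_RESOURCES):.0%}, "
          f"unattributable ₱{unattributable_spend(AWS_RESOURCES):,.0f}/month")
    for upn, why in license_drift(M365_ASSIGNMENTS, HR_ROSTER_WITH_NEED).items():
        print(f"DRIFT {upn}: {', '.join(why)}")
```

The roster check is the one that matters for the 24-seat drift; the sign-in age is a second signal that catches seats held by people still on the roster but no longer using them, which a joiner/mover/leaver process alone will not surface.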

Finding 12 of 12 · Ref F-12
Low · Governance

Acceptable Use Policy last revised 2019

System: Office-wide policy register

Observation
The City's IT Acceptable Use Policy carries an effective date of 14 May 2019. It does not reference work-from-home, BYOD, generative-AI tools, or the post-2020 NPC issuances.
Condition
Policy register reviewed 11 March 2026.
Criteria
ISO/IEC 27001:2022 A.5.1; common practice of triennial policy review.
Cause
No assigned policy owner; no review calendar.
Effect
Policy gaps in modern work patterns (cloud, remote, AI) leave staff without guidance.
Recommendation
Within 180 days: revise the AUP to cover remote work, BYOD prohibition (or controlled enrolment), and generative-AI usage; route through the IT Steering Committee for adoption.
Management response
Concur. Drafting to commence Q2 2026.
Responsible

Atty. S. Ramos-Tan, Acting DPO (policy lead)

Target completion

31 October 2026

Evidence

EV-121

Chapter 05 · Risk Heatmap

§5.1 Likelihood × impact

Plotted using the COSO ERM 5×5 convention. Each cell shows the finding references that fall within that combination of likelihood and impact, as judged at the close of fieldwork.

Likelihood ↓ / Impact → | Insignificant | Minor | Moderate | Major | Severe
--- | --- | --- | --- | --- | ---
Almost certain | · | · | F-03 | F-01, F-04 | ·
Likely | · | F-11 | F-07, F-09 | F-05, F-02 | ·
Possible | F-12 | F-08 | F-10 | F-06 | ·
Unlikely | · | · | · | · | ·
Rare | · | · | · | · | ·
Chapter 05·B · Risk Panorama

§5B.1 Risk register — inherent vs residual

The heatmap in §5.1 plots inherent risk at the close of fieldwork. The table below carries that further: for each finding it states the residual risk after the §09 remediation completes, the named risk owner, whether the residual remains above the City's stated risk appetite, and the velocity at which the risk could materialise if no action is taken.

Ref | Risk owner | Inherent | Residual | Appetite | Velocity
--- | --- | --- | --- | --- | ---
F-01 | City Admin (Atty. Villaruz) | Critical | Low | Within | Slow
F-02 | Acting DPO (Atty. Ramos-Tan) | Critical | Low | Within | Fast
F-03 | MIS Chief (Engr. Dizon) | High | Low | Within | Very fast
F-04 | Network Lead (Mr. Salonga) | High | Medium | Breach | Fast
F-05 | MIS Chief (Engr. Dizon) | High | Medium | Breach | Slow
F-06 | BAC Secretariat (Mrs. Lim) | High | Low | Within | Slow
F-07 | App Support (Ms. Bautista) | Medium | Low | Within | Medium
F-08 | HRMO IV (Mrs. Ortega) | Medium | Low | Within | Slow
F-09 | App Support (Ms. Bautista) | Medium | Low | Within | Medium
F-10 | Civil Reg. (Atty. Santiago) | Medium | Low | Within | Slow
F-11 | MIS Chief (Engr. Dizon) | Low | Low | Within | Slow
F-12 | City Admin (Atty. Villaruz) | Low | Low | Within | Slow

Two findings (F-04, F-05) leave residual risk above the City's stated appetite even after remediation, owing to vendor and platform dependencies that extend past the 12-month plan window.

§5B.2 Risk concentration — where exposure clusters

Three systems carry roughly 73% of the total annual loss exposure. Any remediation budget that doesn't address RPTAS, eBPLS, and the backup infrastructure first will leave the bulk of the City's risk untouched.

Figure

Annual loss exposure — concentration by system

Each block sized to its share of total ALE. The three left-most blocks together account for 73% of exposure.

System | Share of ALE
--- | ---
RPTAS | 31%
eBPLS | 22%
Backup infra | 20%
Civil Registry | 11%
M365 | 7%
Network | 5%
Other | 4%

Source · Auditly ALE model · WP-RSK-008

§5B.3 Risk trajectory — twelve months out

The composite risk index combines residual likelihood and impact across all twelve findings. Without intervention, the index drifts upward — driven mainly by the slow EOL of RPTAS infrastructure (F-05) and the compounding probability that a backup restore (F-04) will be needed before being tested. The dashed line shows the trajectory if the §09 roadmap is executed on schedule.

Figure

Composite risk index over 12 months — do nothing vs roadmap

0 = no exposure · 100 = certain critical loss event within the next 12 months.

[Chart: composite risk index (0–100) over M0–M12. Do nothing → 94. With roadmap → 23.]

Source · Auditly composite risk model · WP-RSK-011

§5B.4 Tail-risk scenarios

Three named scenarios illustrate how the findings interact when stress is applied. Each is plausible within the next 18 months on current evidence; the cascade column shows which other findings amplify the original event.

Scenario | Trigger | Cascade | Modelled impact
--- | --- | --- | ---
MIS Chief resigns Monday | F-08 + key-person concentration (§08) | Loss of M365 admin → vendor lockout (F-03) → no patching cadence (F-05) → backup unverified (F-04) | ₱8.4M
RPTAS ransomware Friday EOD | F-05 unpatched Win 2012 R2 + F-04 backup untested | RPT collection halted Mon–Fri → media coverage → DICT-CERT report → COA inquiry on F-06 | ₱12.6M
NPC complaint filed | F-02 (no DPO) + F-09 (no read-audit on eBPLS) | NPC compliance order → ₱1.75M fine → 90-day data-processing freeze → eBPLS and Civil Reg portal taken offline | ₱4.2M

Chapter 06 · Financial Exposure

§6.1 Annual loss exposure (ALE) and remediation cost

ALE estimates use a single-loss-expectancy × annualised-rate-of-occurrence model, with figures benchmarked against comparable PH LGU incidents reported by the DICT-CERT (2022–2024). Remediation costs are bottom-up estimates from current local market quotes.

Ref | Finding | ALE | Remediation
--- | --- | --- | ---
F-01 | eBPLS source code custody | ₱2,840,000 | ₱120,000
F-02 | DPO designation lapsed | ₱1,750,000 | ₱25,000
F-03 | Credentials in Viber group | ₱640,000 | ₱60,000
F-04 | Backup restore untested | ₱3,120,000 | ₱240,000
F-05 | Windows Server 2012 R2 EOL | ₱4,400,000 | ₱1,900,000
F-06 | Sole-source procurements | ₱1,400,000 | ₱40,000
F-07 | No 4-eyes on DB changes | ₱380,000 | ₱35,000
F-08 | COI declarations | ₱220,000 | 
F-09 | No read-audit on eBPLS | ₱290,000 | ₱80,000
F-10 | WCAG non-compliance |  | ₱90,000
F-11 | Cloud cost drift | ₱180,000 | 
F-12 | AUP outdated | ₱60,000 | ₱50,000
Total |  | ₱15,280,000 | ₱2,640,000

Benefit-to-cost ratio: ₱15,280,000 ÷ ₱2,640,000 = 5.79×. Excludes intangible reputational and citizen-trust impacts.

§6.2 Where the money is — and where it isn't

Figure

Annual loss exposure vs cost to remediate

Each finding ranked by ALE. The slate bar (remediation) is in most cases a fraction of the red bar (exposure) — the right-most column expresses that ratio.

Ref | Finding | Annual loss exposure (red) | Remediation cost (slate) | Ratio
--- | --- | --- | --- | ---
F-05 | Win Server 2012 R2 EOL | ₱4,400,000 | ₱1,900,000 | 2.3×
F-04 | Backup restore untested | ₱3,120,000 | ₱240,000 | 13.0×
F-01 | eBPLS source custody | ₱2,840,000 | ₱120,000 | 23.7×
F-02 | DPO designation lapsed | ₱1,750,000 | ₱25,000 | 70.0×
F-06 | Sole-source procurements | ₱1,400,000 | ₱40,000 | 35.0×
F-03 | Credentials in Viber | ₱640,000 | ₱60,000 | 10.7×
F-07 | No 4-eyes on DB changes | ₱380,000 | ₱35,000 | 10.9×
F-09 | No read-audit on eBPLS | ₱290,000 | ₱80,000 | 3.6×
F-08 | COI declarations | ₱220,000 |  | 
F-11 | Cloud cost drift | ₱180,000 |  | 
F-12 | AUP outdated | ₱60,000 | ₱50,000 | 1.2×
F-10 | WCAG non-compliance |  | ₱90,000 | 0.0×

Source · ALE: Auditly model · Remediation: bottom-up local quotes (Mar 2026) · WP-FIN-007

Chapter 06·B · Financial Exposure — Deep

§6B.1 Multi-lens loss model — point estimates lie

§6.1 expressed loss as a single ALE figure. In practice, each finding has a range of plausible annual outcomes. The bars below show the 10th–95th-percentile band of modelled annual loss per finding; the dot is the most-likely (median) value. The right-hand label is the 95th-percentile worst case — what the City should plan to absorb in a bad year.

Figure

Modelled annual loss per finding — 10th–95th percentile range

Distribution generated by 10,000-iteration Monte-Carlo across SLE, ARO, and contagion factors.

[Chart: 10th–95th-percentile bars per finding on a ₱0M–12M axis. The P95 labels recoverable from the figure:]

Finding | P95 annual loss
--- | ---
F-05 · Win 2012 EOL | ₱11.2M
F-04 · Backup untested | ₱8.6M
F-01 · eBPLS custody | ₱7.4M
F-02 · DPO lapsed | ₱5M
F-06 · Sole-source proc. | ₱3.8M
F-03 · Viber creds | ₱2.1M

Source · Auditly loss model v2.4 · WP-FIN-014
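
§6.1 gives the point estimates and §6B.1 the percentile bands, but neither shows the arithmetic. The block below is an added example, not Auditly's loss model v2.4 (WP-FIN-014): it reproduces the §6.1 totals and the §6.2 per-finding ratios from the table's own figures, then runs a small Monte-Carlo of the SLE × ARO model with a Poisson event count, a lognormal spread on severity and a contagion uplift. The SLE/ARO split used for F-04 (₱2.08M × 1.5), the lognormal sigma and the 1.5× contagion factor are constructed assumptions standing in for model inputs the report does not publish.

```python
"""Point-estimate ALE arithmetic (§6.1) and a Monte-Carlo loss band (§6B.1).

Added example, not Auditly's loss model. The ALE and remediation figures are
those stated in §6.1; the SLE/ARO split, the lognormal severity spread and
the contagion uplift are constructed assumptions.
"""
import math
import random

# (ALE, remediation) in ₱ from §6.1; None where the report states no figure.
FINDINGS = {
    "F-01": (2_840_000, 120_000),   "F-02": (1_750_000, 25_000),
    "F-03": (640_000, 60_000),      "F-04": (3_120_000, 240_000),
    "F-05": (4_400_000, 1_900_000), "F-06": (1_400_000, 40_000),
    "F-07": (380_000, 35_000),      "F-08": (220_000, None),
    "F-09": (290_000, 80_000),      "F-10": (None, 90_000),
    "F-11": (180_000, None),        "F-12": (60_000, 50_000),
}


def ale(sle, aro):
    """Annualised loss expectancy = single-loss expectancy × annual rate of occurrence."""
    return sle * aro


def portfolio_totals(findings=FINDINGS):
    """(total ALE, total remediation, benefit-to-cost ratio) over the costed rows."""
    total_ale = sum(a for a, _ in findings.values() if a)
    total_rem = sum(r for _, r in findings.values() if r)
    return total_ale, total_rem, round(total_ale / total_rem, 2)


def bc_ratio(ref, findings=FINDINGS):
    """Per-finding ALE ÷ remediation to one decimal, as in §6.2; None if no cost stated."""
    a, r = findings[ref]
    if not r:
        return None
    return round((a or 0) / r, 1)


def _poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(sle, aro, sigma=0.5, contagion=0.0, iterations=10_000, seed=2026):
    """Monte-Carlo band of annual loss for one finding.

    Events per year ~ Poisson(aro); each event's severity is SLE scaled by a
    lognormal(0, sigma) factor; with probability `contagion` the event also
    drags in downstream findings, modelled here as a 1.5× uplift (assumption).
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        year = 0.0
        for _ in range(_poisson(rng, aro)):
            severity = sle * rng.lognormvariate(0.0, sigma)
            if rng.random() < contagion:
                severity *= 1.5
            year += severity
        losses.append(year)
    losses.sort()
    pct = lambda q: losses[int(round(q * (iterations - 1)))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p95": pct(0.95),
            "mean": sum(losses) / iterations}


def expected_annual_loss(sle, aro, sigma=0.5, contagion=0.0):
    """Closed-form mean of the same model, for checking the simulation against."""
    return ale(sle, aro) * math.exp(sigma ** 2 / 2) * (1 + 0.5 * contagion)


if __name__ == "__main__":
    print("portfolio (ALE, remediation, B/C):", portfolio_totals())
    # Constructed split for F-04: SLE ₱2.08M × ARO 1.5 = the ₱3.12M point estimate.
    band = simulate_annual_loss(2_080_000, 1.5, contagion=0.2)
    print({k: f"₱{v:,.0f}" for k, v in band.items()})
```

The closed-form mean exists only to keep the simulation honest; the reason to simulate at all is the P95 figure, which a point estimate cannot give and which is what a budget holder needs to plan a bad year against.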

§6B.2 Five-year cumulative loss — the cost of standing still

Compounded year-on-year, the “do nothing” trajectory accumulates ~₱99.6M of loss exposure over five years. Executing the §09 roadmap caps that figure at ~₱13.5M — a net improvement of ₱86M for ₱2.6M of one-time remediation spend.

Figure

Cumulative loss exposure — Y0 to Y5

Red: status quo. Green dashed: post-roadmap residual.

[Chart: cumulative loss exposure on a ₱0M–100M axis over Y0–Y5. Status quo → ₱99.6M. Post-roadmap residual → ₱13.5M.]

Source · Auditly loss model · 5-yr forecast · WP-FIN-015

§6B.3 Hidden cost ledger

Cost line | Source | Annual ₱
--- | --- | ---
License true-up exposure | Deployed-vs-owned seat gap | ₱1,180,000
EOL hardware replacement debt | RPTAS, GIS servers, switches | ₱4,400,000
Cloud cost drift (untagged AWS) | Cost Explorer CY24–CY25 | ₱720,000
Procurement leakage (sole-source premium) | Estimated 18% above market on ₱8.4M | ₱1,512,000
Technical-debt interest (eBPLS, RPTAS) | Maintenance multiplier 1.6× | ₱980,000
Depreciation cliff (FY27–FY28) | Asset register fall-off | ₱6,900,000
Subtotal — hidden costs | Excludes ALE in §6.1 | ₱15,692,000

§6B.4 Cost-of-inaction calendar

Every month the roadmap is deferred, expected loss accumulates at roughly the rate shown below. By Month 12 of inaction, the cumulative loss exceeds the entire ₱2.6M remediation budget by a factor of nearly six.

Month deferred | M+1 | M+2 | M+3 | M+4 | M+5 | M+6 | M+7 | M+8 | M+9 | M+10 | M+11 | M+12
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Cumulative loss (₱M) | 1.3 | 2.5 | 3.8 | 5.1 | 6.3 | 7.6 | 8.9 | 10.2 | 11.4 | 12.7 | 14.0 | 15.2

Cumulative loss exposure if remediation is deferred. Monthly burn ≈ ₱1.27M based on the ALE model in §6.1 prorated across 12 months.

§6B.5 Budget reallocation — current vs proposed

The current FY2026 IT spend mix is dominated by hardware refresh and license carryover; security, training, and personnel — the three line items most strongly correlated with audit findings — together command less than 20% of the budget. The proposed FY2027 mix shifts roughly 12 points of share into those areas without increasing the envelope.

Figure

IT spend mix — FY2026 actual vs FY2027 proposed

Same total envelope; reallocation shifts ~12 points of share toward security, personnel, and training.

Line item | Current FY2026 | Proposed FY2027
--- | --- | ---
Hardware | 38% | 26%
Licenses | 28% | 22%
Cloud | 14% | 16%
Personnel | 12% | 16%
Security | 5% | 14%
Training | 3% | 6%

Source · Budget vs actual register · WP-FIN-009

§6B.6 Revenue-at-risk from digital channels

Revenue service | Annual fees | Down-prob. | Revenue-at-risk
--- | --- | --- | ---
Real Property Tax (online) | ₱142,000,000 | 8% | ₱11,360,000
Business Permits (eBPLS) | ₱38,400,000 | 12% | ₱4,608,000
Civil Registry online fees | ₱4,200,000 | 6% | ₱252,000
Treasury counter (DTS-linked) | ₱21,800,000 | 3% | ₱654,000
Total | ₱206,400,000 |  | ₱16,874,000

Revenue-at-risk is computed as annual fees × probability-of-extended-outage based on the SLA history in §OP.1.

§6B.7 ROI by initiative — what to fund first

Ref | Initiative | B/C ratio | Payback
--- | --- | --- | ---
F-02 | Re-file DPO designation with NPC | 70.0× | < 1 mo
F-08 | Collect outstanding COI declarations |  | immediate
F-01 | eBPLS source-code turnover | 23.7× | < 1 mo
F-04 | Backup restore drill + offsite | 13.0× | 2 mo
F-03 | Retire Viber credential sharing | 10.7× | 1 mo
F-06 | Procurement ratification + workflow | 35.0× | 1 mo
F-07 | Four-eyes on DB changes | 10.9× | 1 mo
F-09 | READ-event audit on eBPLS | 3.6× | 3 mo
F-05 | RPTAS Win-2022 / SQL-2022 migration | 2.3× | 9 mo
F-10 | WCAG remediation (vendor warranty) | n/a | 
Chapter 07 · Compliance Matrix

§7.1 Mapping of findings to statutes and standards

Framework | Related findings | Status
--- | --- | ---
RA 10173 (Data Privacy Act) | F-02 · F-03 · F-09 | Material gaps
RA 9184 (Government Procurement Reform Act) | F-06 | Material gaps
RA 6713 (Code of Conduct for Public Officials) | F-08 | Partial compliance
DICT MC 2020-011 (Cloud-First & Cybersecurity) | F-01 · F-03 · F-04 · F-05 | Material gaps
NPC Circular 16-01 (Security of Personal Data) | F-02 · F-09 | Material gaps
COA Circular 2020-006 (IT Audit Guidelines) | F-01 · F-04 | Partial compliance
ARTA MC 2022-03 (Digital Service Accessibility) | F-10 | Partial compliance
ISO/IEC 27001:2022 alignment (informational) | F-03 · F-04 · F-07 · F-12 | Not certified; gap analysis only
Chapter 07·B · Compliance Posture — Quantified

§7B.1 Per-statute attainment

Compliance is rendered here as a percentage of applicable controls satisfied, weighted by control criticality. The two lowest readings — Data Privacy Act and NPC Circular 16-01 — are the same two regimes carrying the largest direct fine exposure for the City.

Framework | Attainment
--- | ---
RA 10173 — Data Privacy | 38%
RA 9184 — Procurement | 52%
DICT MC 2020-011 | 41%
NPC Circular 16-01 | 34%
COA Circ. 2020-006 | 58%
ARTA MC 2022-03 | 61%

§7B.2 Regulator exposure (₱)

Regulator | Exposure path | Annualised exposure
--- | --- | ---
NPC | Adm. fines + per-record damages (RA 10173) | ₱1,750,000
COA | Notice of Disallowance on FY2025 IT POs | ₱2,200,000
DICT | Loss of accreditation for cloud-first programmes | 
ARTA | Citizen complaints under EODB Act | ₱340,000
Ombudsman | Procurement integrity referrals | 

Exposure figures use mid-band penalties published in 2024 NPC and COA decisions involving comparably-sized PH LGUs.

Chapter 08 · Insider-Threat Appendix

§8.1 Why we look here

Conventional IT audits are perimeter-oriented. Auditly's methodology layers an additional examination focused on the people who hold operational keys — recognising that, in PH government practice, the most consequential disruptions in the past five years have not come from outside attackers but from the unmanaged departure, dispute, or under-supervision of an internal or contracted technical worker.

Key-person concentration map

System | Sole holder of critical knowledge | Cross-trained backup?
--- | --- | ---
eBPLS v2.3 | R. Aguilar (contracted) | No
RPTAS | Engr. M. V. Dizon (plantilla) | Partial — one staff with read-only
Civil Registry System | Ms. A. R. Bautista (plantilla) | No
GIS-MIS Map Server | Mr. R. Abello (JO) | No
Network core (Cisco stack) | Mr. J. P. Salonga (plantilla) | Partial
Microsoft 365 admin | Engr. M. V. Dizon | No

Of the six (6) most critical systems, four (4) have no cross-trained backup. This concentration is the single highest non-financial risk identified in this engagement.

§8.2 Dependency map — people to systems

The bipartite graph below visualises that concentration. Each red line connects a single person to a system on which the City would be operationally dependent in their absence. Mission-critical systems are flagged on the right.

Figure

Key-person dependency map

Red lines connect to mission-critical systems; slate lines to high/medium-criticality systems.

[Figure: bipartite map. People: M. V. Dizon (MIS Chief), R. Aguilar (eBPLS dev, contractor), A. R. Bautista (App Support), J. P. Salonga (Network Lead). Systems: RPTAS (mission-critical), eBPLS (mission-critical), Civil Registry (mission-critical), M365 admin, Network core (mission-critical), GIS.]

Source · Plantilla register × system roster · WP-INS-004
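
The §8.1 table and the §8.2 map carry the same data in two forms, and the conclusion drawn from them (four systems with no cross-trained backup, one person holding two of them) is a graph property that is easy to compute and to re-run as the roster changes. As an added example, not the WP-INS-004 working paper, the block below transcribes the §8.1 rows, with the mission-critical flags read off the §8.2 figure, and answers the continuity questions a steering committee would ask: which systems go dark if a given person is unavailable, who the concentration sits on, and in what order cross-training should be assigned.

```python
"""Single-point-of-failure check over the §8.1 key-person map.

Added example; the rows are the §8.1 table with mission-critical flags taken
from the §8.2 figure, and the method is a plain bipartite-graph check rather
than Auditly's WP-INS-004. Names are those already in the report.
"""
from collections import defaultdict

# (system, sole holder of critical knowledge, backup state, mission-critical?)
KEY_PERSON_MAP = [
    ("eBPLS v2.3", "R. Aguilar", "none", True),
    ("RPTAS", "M. V. Dizon", "partial", True),
    ("Civil Registry System", "A. R. Bautista", "none", True),
    ("GIS-MIS Map Server", "R. Abello", "none", False),
    ("Network core (Cisco stack)", "J. P. Salonga", "partial", True),
    ("Microsoft 365 admin", "M. V. Dizon", "none", False),
]


def holdings(rows):
    """person -> set of systems for which they are the sole knowledge holder."""
    graph = defaultdict(set)
    for system, person, _backup, _mc in rows:
        graph[person].add(system)
    return dict(graph)


def single_points_of_failure(rows):
    """Systems with no cross-trained backup at all."""
    return [s for s, _p, backup, _mc in rows if backup == "none"]


def blast_radius(rows, person):
    """What the City loses if `person` is unavailable tomorrow.

    'dark' = systems with no backup; 'degraded' = partial backup only.
    """
    dark = [s for s, p, b, _ in rows if p == person and b == "none"]
    degraded = [s for s, p, b, _ in rows if p == person and b == "partial"]
    return {"dark": dark, "degraded": degraded}


def concentration_ranking(rows):
    """[(person, systems solely held, of which mission-critical)], most concentrated first."""
    totals, critical = defaultdict(int), defaultdict(int)
    for _s, person, _b, mission_critical in rows:
        totals[person] += 1
        critical[person] += int(mission_critical)
    return sorted(((p, totals[p], critical[p]) for p in totals),
                  key=lambda t: (-t[1], -t[2], t[0]))


def cross_training_priority(rows):
    """Order in which to assign a backup: unbacked mission-critical systems first,
    then other unbacked systems, then systems with only a partial backup."""
    rank = {"none": 0, "partial": 1}
    ordered = sorted(rows, key=lambda r: (rank[r[2]], not r[3], r[0]))
    return [system for system, _p, _b, _mc in ordered]


if __name__ == "__main__":
    print("no backup:", single_points_of_failure(KEY_PERSON_MAP))
    print("if MIS Chief unavailable:", blast_radius(KEY_PERSON_MAP, "M. V. Dizon"))
    print("concentration:", concentration_ranking(KEY_PERSON_MAP))
    print("cross-train in this order:", cross_training_priority(KEY_PERSON_MAP))
```

Re-running the same check after each cross-training assignment (flip a row's backup state from "none" to "partial") is the simplest way to show the steering committee that the concentration figure is actually moving.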

§8.3 Integrity scorecard — procurement and dev oversight

Indicator | Result
--- | ---
Sole-source reviews — independent panel | 2 of 7
Ex-plantilla cooling-off respected | 5 of 7
Ultimate Beneficial Owner disclosed | 1 of 7
Annual COI declarations on file | 9 of 14
Dev workstations on EDR + MDM | 3 of 5
Source code in org-controlled repo | 4 of 9 systems

Annex M·1 — Confidential · Office of the Mayor · Eyes Only

Engaged work-product

Loyalty & insider-threat brief — for the Principal

This annex is prepared at the express engagement of the Office of the Mayor as the protective intelligence component of the audit. It is not intended for institutional distribution. Its purpose is to give the Mayor a clear-eyed view of where, in his own technology and admin stack, hostile or non-cooperative behaviour during a political transition could materially harm the administration, citizens, or the continuity of governance.

§M.1 What we look at — and what we do not

We do not collect, infer, or store party affiliation. What we surface are operational and public-record signals that, taken together, indicate where the Mayor's directives could be quietly resisted, slowed, or sabotaged through the IT stack. These are facts the audit is entitled to examine.

Hire vintage

Date-of-hire, endorsing official, appointment paper (public record under CSC rules).

Patronage indicators

Whose recommendation letter is on file at HR; cross-checked against publicly disclosed political endorsements.

Vendor-relative overlap

Procurement-integrity register × COI declarations; ultimate beneficial owners cross-referenced with public corporate filings.

Off-hours privileged access

Admin-account login times near politically-sensitive dates (election eve, budget cutoff, audit windows).

Shadow-channel risk

Personal email / Messenger used for official work — content the Mayor's office cannot subpoena or preserve.

Public posture

Public social-media statements only; no private monitoring, no DMs, no covert collection.

Procurement loyalty patterns

Sole-source awards clustered toward vendors aligned with prior administrations.

Source-code & key custody

Who can withhold the City's own systems from the City.

§M.2 Trust-tier classification — privileged-access roster

All fourteen (14) IT and admin staff with privileged access to mission-critical systems have been classified into four trust tiers, based exclusively on the operational and public-record signals catalogued in §M.1.

Tier A · 4 staff · Mayor-aligned

Appointed or endorsed under current administration. Clean COI on file. Full operational cooperation observed during fieldwork.

Tier B · 6 staff · Career-neutral

Plantilla, long tenure, professional conduct. No political signals either way. The institutional backbone.

Tier C · 3 staff · Watch

Prior-administration appointees with mixed signals. Retain for continuity, but rotate credentials and apply two-person rule on destructive actions.

Tier D · 1 staff · High-risk

Active hostile signals AND single-point-of-failure on critical systems. Requires immediate mitigation, not eventual replacement.

Tier-D profile — for the Mayor's awareness

Engr. M. V. Dizon, MIS Chief. Holds sole admin credentials on RPTAS, M365 tenant, DNS registrar, and GIS. Source code for two custom systems resides only on his personal devices. Annual COI declaration overdue by 14 months. Brother is the registered representative of one of three IT vendors awarded sole-source contracts in the last 24 months. Hired 2017 under prior administration; appointment endorsed by the then-incumbent. No public hostile statements, but operational cooperation during fieldwork was passive-resistant (delayed credential handover, refused screen-share for two systems).

§M.3 Loyalty distribution across critical systems

The bipartite map below shows which staff (left, colour-coded by tier) hold operational reach into which systems (right). Red lines indicate Tier-D access — the visualisation makes the structural problem unmistakable: a single Tier-D staff member controls four of the eight systems on which the City's continuity depends.

Figure

Trust-tier × system reach

Tier A (green) · Tier B (slate) · Tier C (amber) · Tier D (red, thick). Mission-critical systems flagged in red on the right.

[Figure: bipartite map. Staff: M. V. Dizon (MIS Chief · Tier D), R. Aguilar (eBPLS dev, contract · Tier C), A. R. Bautista (App Support · Tier B), J. P. Salonga (Network Lead · Tier B), L. M. Cruz (Sysad II · Tier C), P. T. Reyes (DBA · Tier C), E. G. Santos (Helpdesk Lead · Tier B), K. R. Lim (GIS analyst · Tier B), F. A. Ocampo (Cybersec Officer, new · Tier A), N. D. Villar (PMO, new · Tier A). Systems: RPTAS (mission-critical), eBPLS (mission-critical), Civil Registry (mission-critical), Payroll / HRIS (mission-critical), Network core (mission-critical), M365 admin, DNS / registrar, GIS.]

Source · Privileged-access register × plantilla register × COI declarations · WP-MAYOR-001

§M.4 Mayor's Day-1 defensive playbook

The following sequence is engineered to be executed without legal exposure, without optics damage, and without operational downtime. Each step uses controls already authorised under existing LGU policy — no new ordinance required.

Within 24 hours of inauguration

Rotate all admin credentials currently held by Tier C and Tier D staff. New credentials issued under two-person custody (Mayor's appointed cybersec officer + an independent witness). Old credentials revoked the same hour.

Within 7 days

Independent custody of (a) source code for all custom systems, (b) DNS / domain registrar, (c) official social-media accounts, (d) cloud-tenant break-glass account. Each item attested in writing, evidence filed under WP-MAYOR-002.

Within 30 days

Fresh COI declaration cycle for all 14 privileged staff. Vendor UBO disclosure required for all awards >₱500k. Two-person rule activated on payroll, RPTAS write actions, and any destructive command (DROP, disable service, delete user).

Election-eve protocol (T-30 to T+30 days from any election)

Code-deploy freeze on all custom systems. Off-site backup verification with restore test. Snapshot of all admin-action logs to write-once storage. Severance script pre-prepared for any Tier-D staff transition.

Severance protocol (any departure, any tier)

60-second checklist: revoke SSO, rotate shared secrets, expire VPN, transfer file ownership, attest source-code custody, exit interview logged. Executed by HR + cybersec officer jointly, never by departing staff's direct manager.

§M.5 Tail-risk scenario — modelled, not predicted

Scenario: Election eve, May 2028

The Tier-D MIS Chief withholds source code and DNS credentials, citing “ongoing personal review.” The Tier-C payroll administrator files sick leave covering the 14th–16th payroll cutoff. A complaint is lodged with the NPC alleging unauthorised disclosure of citizen data — sourced, the complaint claims, from a database snapshot only the MIS Chief had standing access to. Local media picks up both stories within 48 hours.

Measure | Value
--- | ---
Cascading impact | ₱8.4M
Operational recovery | 6 weeks
Avoidable if M.4 executed | ~92%

Modelled using the Auditly cascading-impact engine against the current control posture documented in §08 and §M.2. The 92% avoidance figure assumes the Day-1 and 30-day items in §M.4 are executed in sequence.

Confidentiality & methodology footer

This brief is engaged work-product prepared for the Principal. Distribution is restricted to the Office of the Mayor and persons designated in writing by the Principal. The trust-tier classifications above are inferences from operational facts and public-record signals; no protected-attribute data (party affiliation, religion, voting record) was collected, requested, or stored. Should the Principal elect to act on any item herein, Auditly recommends those actions be executed under existing LGU authority and documented through ordinary administrative channels.

Chapter OP · Operational Health

§OP.1 Service-level attainment by month

Twelve-month rolling SLA attainment per mission-critical service. Cells in the <75% band indicate sustained breach territory and warrant management attention; the RPTAS row tells the story of a system slowly degrading as its underlying platform ages out.

Figure

SLA attainment heatmap (services × months)

Green ≥ 95% · amber 85–94% · orange 75–84% · red < 75%.

Service | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec | Jan | Feb | Mar
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
eBPLS | 98 | 97 | 96 | 94 | 92 | 90 | 88 | 85 | 82 | 80 | 78 | 76
RPTAS | 94 | 92 | 90 | 86 | 82 | 78 | 74 | 70 | 66 | 62 | 58 | 55
Civil Reg. | 96 | 95 | 94 | 93 | 92 | 91 | 90 | 89 | 88 | 87 | 86 | 85
DTS | 99 | 99 | 98 | 98 | 97 | 97 | 96 | 96 | 95 | 95 | 94 | 94
M365 | 99 | 99 | 99 | 99 | 99 | 99 | 98 | 98 | 99 | 99 | 99 | 99
Helpdesk | 88 | 87 | 85 | 84 | 82 | 80 | 78 | 76 | 74 | 72 | 70 | 68

Source · Service desk export · WP-OPS-014

§OP.2 Citizen-facing performance

Metric | Value | Note
--- | --- | ---
Helpdesk MTTR | 11.4 h | +38% vs FY24
First-contact resolution | 52% | Target 75%
Citizen satisfaction (CSAT) | 3.2/5 | Down from 3.7
Channel abandonment (online) | 23% | Industry: 8%

§OP.3 Helpdesk load vs staffing

Tier | Headcount | Tickets / mo | Per-staff load | Benchmark
--- | --- | --- | --- | ---
L1 — frontline | 3 | 612 | 204 | Healthy ≤ 180
L2 — escalation | 2 | 188 | 94 | Healthy ≤ 60
L3 — engineering | 1 | 41 | 41 | Healthy ≤ 25
Chapter ST · Strategic Posture & Forward View

§ST.1 IT maturity — current vs target

Eight-axis maturity assessment scored 1 (ad-hoc) to 5 (optimised), benchmarked against the COBIT 2019 process capability scale and adapted to PH LGU realities. The shaded interior is the City's present capability; the dashed perimeter is the 18-month target consistent with the roadmap in §09.

Figure

IT maturity radar — 8 capability domains

Scale: 1 ad-hoc · 2 repeatable · 3 defined · 4 managed · 5 optimised.

[Radar chart over eight domains: Governance · Risk Mgmt · Identity · Data Privacy · Resilience · Change Mgmt · Procurement · Workforce.]

Source · Auditly maturity scorecard · WP-MAT-001

§ST.2 Capex pipeline vs depreciation cliff

The City faces a 2027–2028 replacement wave: ₱69M of hardware crosses end-of-useful-life inside that window, but only ₱32M of capex has been programmed against it. Without an early reprioritisation, mission-critical systems will be operated past their support horizon — the same condition that produced finding F-05.

Figure

Asset EOL fall-off vs programmed capex (5-year)

Red bars: book value of assets reaching end-of-useful-life that year. Slate bars: capex line items already in the AIP.

[Bar chart: ₱0M–50M axis, years 2026–2030. Red bars: assets reaching EOL. Slate bars: capex plan (5-yr).]

Source · Asset register · AIP 2026–2030 · WP-FIN-021

§ST.3 Project portfolio health (RAG)

Status | Projects | Definition
--- | --- | ---
Green | 3 | On budget, on schedule, benefits tracked
Amber | 5 | Schedule slip 1–3 months OR cost +10–25%
Red | 4 | Material slip, cost overrun, or PIR overdue

Of 12 active IT projects, 4 are Red. Two of those four have no documented Post-Implementation Review owner — a governance gap separate from the technical issues.

§ST.4 DR posture — declared vs tested

System | Declared RTO | Last tested RTO | Gap
--- | --- | --- | ---
RPTAS | 4 h | Untested in 18 mo | Unknown
eBPLS | 8 h | 26 h (Aug 2024) | +18 h
Civil Registry | 4 h | Untested | Unknown
HRMS | 24 h | 11 h (Aug 2024) | Within
Chapter 09 · Remediation Roadmap

§9.1 Twelve-month phased plan

The following plan sequences the twelve findings against capacity and dependencies. Items in the 0–90 window are intended to close the two Critical findings and the highest-leverage High items.

Figure

Roadmap timeline — 12 months from contract signature

Bars show the working window for each remediation item, colour-coded by severity (Critical · High · Medium · Low).

[Gantt chart: one bar per task below across columns M1–M12, with 90-day, 180-day and 365-day markers.]
  • F-01 Repatriate eBPLS source code

  • F-02 Re-designate DPO; file with NPC

  • F-03 Rotate creds; deploy secret vault

  • F-04 Test backup restore + offsite copy

  • F-05 Migrate RPTAS off Win Svr 2012 R2

  • F-06 BAC re-review of FY25 sole-source

  • F-07 Enforce 4-eyes on DB changes

  • F-08 Collect outstanding COI declarations

  • F-09 Implement read-audit on eBPLS

  • F-10 WCAG 2.1 AA portal remediation

  • F-11 Cloud cost-allocation tagging

  • F-12 Refresh Acceptable Use Policy

Source · Auditly remediation plan · WP-PLN-002

Days 0–90 · Stop the bleeding
  • F-01 (a)–(d) — execute eBPLS source-code turnover, mirror to City Git, rotate secrets
  • F-02 — file updated DPO designation with NPC
  • F-03 — rotate all production credentials, retire Viber sharing, deploy Bitwarden
  • F-05 — isolate RPTAS network exposure pending OS migration
  • F-08 — collect outstanding COI declarations
Days 91–180 · Stabilise and modernise
  • F-04 — first end-to-end restore drill; specify cloud offsite procurement
  • F-06 — prepare ratification documentation for the three FY2025 procurements
  • F-07 — adopt change ticket workflow with named second approver
  • F-10 — remediate top 12 WCAG violations under vendor warranty
  • F-11 — implement minimum AWS tag set; reclaim unused M365 licenses
Days 181–365 · Mature the practice
  • F-05 — complete RPTAS migration to Win Server 2022 / SQL Server 2022
  • F-09 — extend eBPLS audit logging to capture READ events
  • F-12 — adopt revised AUP through IT Steering Committee
  • F-04 — operationalise cloud offsite backup; second restore drill
  • Cross-cutting — institute quarterly IT governance review reporting to the City Mayor
Chapter A · Annex A · Evidence Register

All evidence items below are retained in the engagement working-paper repository (ATL-WP-2026-0142) for a period of seven (7) years in accordance with Auditly retention policy and PH professional standards.

Ref | Item | Finding
--- | --- | ---
EV-014 | Email thread re: GitLab access request (Aug 2024) | F-01
EV-015 | PO 2022-IT-0089 (full document) | F-01
EV-016 | Screenshot — eBPLS deploy script on developer's laptop | F-01
EV-021 | NPC public registry print, 13 Mar 2026 | F-02
EV-022 | Internal Memo dated 09 Dec 2023 (acting DPO designation) | F-02
EV-031 | Viber group screenshots (3 pp.) — credentials | F-03
EV-032 | List of "MIS Tech Team" Viber group members | F-03
EV-041 | Backup logs export, Sep 2024 – Mar 2026 | F-04
EV-042 | Photograph — USB drive in office drawer (with consent) | F-04
EV-043 | HRMS restore drill report, 24 Aug 2024 | F-04
EV-051 | RPTAS server screenshot — winver, 12 Mar 2026 | F-05
EV-052 | Missing-patches scan output (Nessus) | F-05
EV-053 | RPTAS hardware/firmware inventory sheet | F-05
EV-061 | PO 2025-IT-0034 procurement file | F-06
EV-062 | PO 2025-IT-0061 procurement file (BAC reso missing) | F-06
EV-063 | PO 2025-IT-0078 procurement file | F-06
EV-064 | BAC minutes index, FY2025 | F-06
EV-071 | RPTAS dbo.aud_ddl export, CY2025 | F-07
EV-072 | Sample change-request emails (5) | F-07
EV-081 | HR COI register vs MIS access roster reconciliation | F-08
EV-091 | eBPLS code excerpt — permit_view.php | F-09
EV-092 | eBPLS audit_log table schema | F-09
EV-101 | axe-core scan report — Civil Registry portal | F-10
EV-102 | Manual keyboard-walk notes | F-10
EV-111 | AWS Cost Explorer export, CY2024–CY2025 | F-11
EV-112 | M365 license assignment report | F-11
EV-121 | IT Acceptable Use Policy, eff. 14 May 2019 (PDF) | F-12
Chapter B · Annex B · Interview Log

Ref | Date | Interviewee | Duration
--- | --- | --- | ---
INT-01 | 10 Mar 2026 | Hon. R. P. Mendoza, City Mayor (entrance conference) | 35 min
INT-02 | 10 Mar 2026 | Atty. C. Villaruz, City Administrator | 1 h 10 min
INT-03 | 11 Mar 2026 | Mrs. E. Tagle, City Treasurer | 55 min
INT-04 | 11 Mar 2026 | Engr. M. V. Dizon, MIS Chief | 2 h 20 min
INT-05 | 12 Mar 2026 | Mr. J. P. Salonga, Network & Infra Lead | 1 h 30 min
INT-06 | 12 Mar 2026 | Ms. A. R. Bautista, Application Support Officer | 1 h 05 min
INT-07 | 13 Mar 2026 | Atty. S. Ramos-Tan, Acting DPO | 50 min
INT-08 | 13 Mar 2026 | Mr. R. Aguilar, eBPLS Developer (contracted) | 1 h 15 min
INT-09 | 14 Mar 2026 | Mrs. L. Ortega, HRMO IV | 40 min
INT-10 | 14 Mar 2026 | BAC Secretariat (Mrs. F. Lim and 2 staff) | 1 h 25 min
INT-11 | 17 Mar 2026 | City Accountant (Mr. D. Reyes) — financial walkthrough | 1 h
INT-12 | 18 Mar 2026 | MIS Tech Team group session (5 staff) | 1 h 45 min
INT-13 | 19 Mar 2026 | Civil Registrar (Atty. M. Santiago) | 45 min
INT-14 | 20 Mar 2026 | Exit conference — Mayor, City Admin, MIS Chief, DPO | 1 h 30 min

Chapter C · Annex C · Glossary

ALE
Annualised Loss Expectancy. Expected monetary loss per year from a given risk.
ARTA
Anti-Red Tape Authority of the Philippines.
BAC
Bids and Awards Committee, constituted under RA 9184.
BLGF
Bureau of Local Government Finance, Department of Finance.
COA
Commission on Audit.
COBIT
Control Objectives for Information and Related Technology, ISACA framework.
DICT
Department of Information and Communications Technology.
DPO
Data Protection Officer, designated under RA 10173.
EOL
End of Life — date after which a vendor no longer issues security updates.
IPPF
International Professional Practices Framework of the Institute of Internal Auditors.
NPC
National Privacy Commission.
PIA
Privacy Impact Assessment.
RPO / RTO
Recovery Point Objective / Recovery Time Objective.
RPTAS
Real Property Tax Assessment System.
WCAG
Web Content Accessibility Guidelines, W3C.
Chapter Sign-off

We have conducted this engagement with due professional care and have based our findings on evidence obtained during fieldwork from 09 March to 03 April 2026. The conclusions expressed are those of the engagement team and have been reviewed in accordance with Auditly's quality control system.

Andres N. Calingasan

Engagement Partner

CPA PRC 0114-237 · CISA 24-019887

Signed at Makati City, 14 April 2026

Patricia I. Velasco

Lead Auditor

CISA 21-105442 · CRISC 22-008371

Signed at Makati City, 14 April 2026

— End of Report · ATL-2026-LGU-0142 —