Department of Social Development 2011/12 Audit Report: Auditor General comments

Meeting report

Auditor-General South Africa (AGSA) briefing
Mr Musa Hlongwa, Business Executive, Auditor-General South Africa, briefed the Committee.

Audit opinions included the Department’s entities: South African Social Security Agency (SASSA); National Development Agency (NDA); Social Relief Fund; State President Fund; Refugee Relief Fund; and Disaster Relief Fund.

Audit outcomes were for the years 2008/09; 2009/10; 2010/11 and 2011/12.
For the financial year ended 2011/12 the Department of Social Development (DSD) received an unqualified audit report with findings. In 2009/10 and 2010/11 the audit was qualified, showing improvement over the previous two years. There were findings of non-compliance with laws and regulations for 2008/09, 2010/11 and 2011/12.

SASSA received a clean audit for the first time in four years. In 2009/10 it had a disclaimer and an unqualified report with findings in 2010/11, which meant a dramatic improvement for SASSA for 2011/12.

The NDA received an unqualified opinion with findings in 2008/09, 2010/11 and 2011/12. Findings related to non-compliance with laws and regulations.

The four Funds all received clean audits for the past three years but for 2011/12 it was downgraded to unqualified reports with findings. The findings were related to non-compliance with laws and regulations.

Mr Hlongwa turned to the key focus areas:
The DSD had problems with supply chain management, areas such as suppliers not disclosing the required information and there were previous findings that might have excluded them from supply chain management. There were still findings on predetermined objectives and HR management, including vacancies at senior level not being filled. Findings about IT control were due to absence of governance structures in place and other issues.

SASSA had findings on supply chain management, predetermined objectives, HR management and IT controls, where the Auditor General was not entirely happy but there had been some improvement.

The NDA received adverse audit findings for supply chain management due to uncompetitive practices relating to bids, and due to other findings. Findings under predetermined objectives were due to the performance indicators and targets not being suitably developed during the strategic planning process. The Auditor General was not entirely happy with IT controls and there were material errors in the annual financial statements and a lot of changes had to be implemented. There was under spending of the budget and creditors were not paid in time.

The Social Relief Fund, the State President Fund, the Refugee Relief Fund and the Disaster Relief Fund all had material errors in their financial statements and they were not done according to the PFMA (Public Finance Management Act) framework of GRAP (Generally Recognised Accounting Practice). They had used GAAP (Generally Accepted Accounting Practice). The financial health of the Disaster Relief Fund was dormant as the intention to close down the fund.

Mr Jaco Meintjes explained the findings in detail.

▪ Supply Chain Management:
A. DSD had two findings:

- Awards were made to suppliers who did not make declaration with regard to past supply chain practices such as fraud, abuse and non-performance as prescribed by National Treasury regulations. The root cause was lack of oversight responsibility regarding compliance with applicable laws and regulations and related internal controls; lack of review and monitoring of compliance with applicable laws and regulations; and internal control deficiencies not identified and communicated in a timely manner for corrective action to be taken. It was recommended that management should ensure that winning bidders/suppliers completed and signed the declaration of the bidder’s past SCM practices, and that management should ensure all internal control deficiencies were addressed.

- Awards were made without declaration on whether the bidder was employed by the state or connected to any person employed by the state, as required by Treasury regulations. The root cause was lack of oversight responsibility regarding compliance with applicable laws and regulations relating to internal controls; lack of review and monitoring of compliance with applicable laws and regulations; and internal control deficiencies not identified and communicated in a timely manner to allow for corrective action to be taken. It was recommended that management should ensure that winning bidders/suppliers complete and sign the declaration of interest, and that management should ensure that all internal control deficiencies were addressed.

The NDA procured goods and services of a transaction value above R200 000 without inviting competitive bids as required by Treasury regulations. It was recommended that irregular expenditure should be disclosed in the financial statements as per the requirements of the PFMA, and that all procurement must follow the NDA procurement policy and procedures.

▪ Predetermined objectives:
A. DSD had two findings:
1. Of the 217 planned targets, 46% were not achieved in the year under review. This was mainly due to indicators and targets not suitably developed during the strategic planning process. The root cause was a lack of review and monitoring of compliance with applicable laws and regulations in terms of disclosure. It was recommended: That targets should be developed in order to adhere to the SMART (specific, measurable, achievable, relevant and time bound) criteria as set by Treasury.

2. In terms of material adjustments to the report on predetermined objectives, after auditing material adjustments were made to the performance report, specifically relating to Programame 4: Welfare Service Policy Development and Implementation Support, a 29% adjustment was made to the reporting on the predetermined objectives that was then corrected by management.

The root cause was a lack of oversight responsibility regarding performance reporting and related internal controls; a lack of procedures in place to enable and support understanding and execution of internal control objectives, processes and responsibilities. Regular, accurate and complete performance reports were not always prepared, and internal control deficiencies not identified and communicated in a timely manner to allow for corrective action to be taken.

It was recommended:
- The department must ensure compliance with the National Treasury Framework;
- The department must ensure that outcomes of performance targets were reported based on actual performance that could be substantiated with supporting evidence.
- Management should ensure that all internal control deficiencies were addressed.

B. SASSA had two findings:
1. Material misstatements (50% in Grant: Administration and 56% in Branch: Finance) of the report on predetermined objectives were corrected by management after audit of predetermined objective information.

Recommendations were:
- Management should exercise oversight responsibility for performance reporting and internal controls.
- Management should establish and communicate policies and procedures to enable and support understanding and execution of internal control objectives, processes and responsibilities regarding accurate, valid and complete performance information.
- Management should implement proper record keeping.
- Management should implement controls over daily and monthly processing and reconciling of control totals used to calculate the total value of the achievement.
- Management should prepare regular, accurate and complete performance reports supported and evidenced by reliable information.
- Management should review and monitor the controls in place to report on performance information.
- Those charged with governance should ensure that there was an adequately resourced and functioning internal audit unit to identify internal control deficiencies and recommend corrective action effectively.
- Those charged with governance should ensure that the audit committee promote accountability and service delivery through evaluating and monitoring responses to risks and providing oversight of the effectiveness of the internal control environment, including performance reporting and compliance with laws and regulations.

2. Of the 59 planned targets, 27 were not achieved during the year under review, representing 46% of the total planned targets not achieved. That was mainly due to indicators and targets not suitably developed during the strategic planning stage.

Recommendations were:
- Management should exercise oversight responsibility for monitoring of performance achievements and setting of targets.
- Management should implement proper record keeping in a timely manner to ensure that complete, relevant and accurate information was accessible and available to support performance reporting.
- Management should implement controls over daily and monthly processing and reconciling of control totals used to calculate the total value of the achievement.
- Management should prepare regular, accurate and complete performance reports supported and evidenced by reliable information.
- Management should review and monitor the controls in place to report on performance information.

C. The NDA had five audit reports regarding the predetermined objectives:

1. Reported performance information was not valid. 67% of actual reported performance relevant to the respective selected objectives was not valid when compared to the source information and/or evidence provided. This was due to a lack of standard operating procedures for the recording of actual achievements. The root cause was performance objectives; indicators and targets were not appropriately approved by the relevant executive authority and supported by relevant supporting documentation. It was recommended: All targets should be approved and disclosed with actual achievements and should be supported by relevant supporting documentation.

2. Reported performance was not accurate. 67% of the actual reported indicators for the respective objectives were not accurate when compared to source information. This was due to a lack of standard operating procedures for recording of actual achievements. Performance objectives, indicators and targets were not appropriately approved by the relevant executive authority and supported by relevant supporting documentation. It was recommended: All targets should be approved and disclosed with actual achievements and supported by relevant supporting documentation.

3. Source information supporting actual performance not complete. 67% of the actual reported indicators for the respective objectives were not accurate when compared to source information. This was due to improper document management system with regard to actual performance achievements. Performance objectives, indicators and targets were not appropriately approved by the relevant executive authority and supported by relevant supporting documentation. It was recommended: All achievements should be supported by relevant supporting documentation.

4. 31% of planned targets were not achieved in the year under review. This was a result of the institution not considering relevant systems evidential requirements during the annual strategic planning process. Approved targets were not appropriate/achievable and there was insufficient monitoring of targets. It was recommended: Management should ensure that processes were in place to achieve to achieve all targets.

5. Material adjustments to the annual performance report. 50% amendments were corrected by management, those that were not corrected were included in the conclusion paragraphs. Management did not exercise adequate ongoing monitoring and oversight. It was recommended: All information should be adequately reviewed and monitored to ensure no errors existed in the final information.

▪ Human Resources
Nothing specific was reported for the department or any of the entities.

▪ Information Technology Controls
A. DSD findings:
The department’s continuity plan was not yet finally approved. The IT governance framework was not yet approved, awaiting the Department of Public Service and Administration (DPSA) framework. Information Management & System Technology (IMST) management had still not approved the IT governance and controls framework as the department was awaiting DPSA guidance. Recommendation: Management should address all relevant IT risks and controls within the department.

B. SASSA findings:
1. Security Management responsibilities of the information security officer were not adequately implemented. Management did not appoint staff to assist the IT security officer in supporting the head of institution by performing the required IT security responsibilities.

Recommendation: Information and communication technology (ICT) management should appoint staff in the information security unit to assist the IT security officer in the performance of his formally delegated responsibilities in respect of IT security.

2. User access control for the Oracle System, the user account management standards and procedures were not adequately designed. Basic Accounting System (BAS) user account management standards and procedures were not adequately designed and implemented. Social Pension System (SOCPEN) user account management standards and procedures not adequately implemented. Appropriate key controls (policies and procedures) were lacking. This could be attributed to the failure to assign the task of monitoring compliance with the user account management procedure manual.

Recommendations:
- User account management standards and procedures should be updated and formally approved by ICT management.
- Periodic checks must be carried out to ensure that users’ current level of access was in line with their job responsibilities. The frequency of such reviews should also be specified in the user account management standards and procedures.
- The regional manager should assign the task of monitoring compliance with the user account management procedure manual to ensure adherence thereto.
- The security activity and access violation logs as well as change requests should be reviewed and followed up to allow timely direction of unauthorised access. Regular, independent reviews should be undertaken to confirm that all user ID maintenance activities performed by the SYSCON and GROUP SPECIAL users related to valid and approved user ID requests.
- An audit trail of the pursuant actions taken should be maintained and all reports kept as evidence of review.

Weaknesses were identified in access control privileges on SOCPEN. Appropriate key controls (policies and procedures) were lacking. This could be attributed to failure to assign the task of ensuring that the powerful access control privilege was correctly allocated to an appropriately skilled/competent staff member. A system clean up had not been performed recently.

Recommendations:
- The general manager should ensure that users to whom access control privileges had been assigned were reviewed to ensure that those rights were commensurate with their job functions.
- The number of accounts with privileged access should be kept to a minimum and those accounts should only be used for access control functions.
- Users with access control privilege should use a separate account for normal day-to-day duties.

3. SOCPEN programme change management controls not adequately designed and implemented. The root cause was lack of appropriate key controls (policies and procedures) users did not comply with the approved change control procedure manual. Appropriate key controls (policies and procedures) were lacking, which could be attributed to failure to assign the task of monitoring both the PAC migration event authorisation list report and segregation of duties between the different PAC environments to an appropriate staff member.

Recommendations:
- ICT management should ensure compliance with the standards.
-ICT management should ensure that the change control board was actively involved in managing, monitoring and prioritising all changes. Furthermore, management should ensure that all users consistently complied with the approved change control procedure manual.
- ICT management should establish a formal process to ensure that the PAC migration event authorisation list reports were regularly reviewed by comparing them to the approved change requests by allocating the responsibility for monitoring to an appropriately trained independent staff member.

4. Information technology continuity and disaster recovery: Information technology service continuity not adequately designed. Root cause was lack of management oversight to test the Disaster Recovery Plan (DRP). Recommendation: DRP tests should be undertaken and a DRP coordination team identified.

C. NDA findings:
1. There was no formally documented and approved user account management process to manage the granting of access to users of various application systems. This was due to a lack of capacity to develop user account management policies and procedures to regulate the access to financial systems.

Recommendation: Comprehensive user account management procedures dealing with procedures to be followed when creating new user accounts, modification and termination of user profiles and management of inactive user accounts should be drafted, approved and implemented.

2. The NDA did not have a documented IT governance framework to support and enable the business, deliver value and improve performance. Recommendation: The NDA should design an IT governance framework together with the strategic plan to support the business requirements of the entity.

▪ Material Errors/Omissions in AFS submitted for Audit
A. NDA finding:
Material misstatements were identified by the auditors in the submitted financial statements, which were subsequently corrected, resulting in the financial statements receiving an unqualified audit opinion.
The root cause was lack of adequate review of AFS by those charged with governance. Recommendation: The AFS should be reviewed by management and the governance structures in place.

Disaster Relief Fund, Social Relief Fund, Refugee Relief Fund & State President Fund:
The financial statements submitted for auditing were not prepared in accordance with the prescribed reporting framework as required by section 55(1)(b) of the PFMA. The root cause was a lack of oversight over financial reporting and compliance with laws and regulations.

Recommendation: Management should ensure that the Annual Financial Statements were prepared in accordance with GRAP.

▪ Financial Health Status
A. NDA finding:
Various creditors were not paid within 30 days. The root cause was that the appropriate level of management did not regularly review interim/monthly reporting in terms of best practice and as required by the PFMA. Recommendation: The NDA should ensure that payments were made within 30 days.

▪ Other Compliance Matters
A. DSD findings:
1. Expenditure management. Effective and disciplinary steps were not taken against officials who made and/or permitted irregular expenditure and fruitless and wasteful expenditure, as required. Root cause was a lack of oversight responsibility regarding compliance with applicable laws and regulations and related internal controls. There was a lack of review and monitoring of compliance with applicable laws and regulations. Internal control deficiencies were not identified and communicated in a timely manner to allow for corrective action to be taken.

Recommendations:
- Proper processes should be implemented to ensure that possible irregular expenditure was investigated in the year that it was identified.
- Cases relating to prior years irregular expenditure should be finalised as a matter of urgency in order to ensure the effective and appropriate disciplinary steps were taken timeously against any official in the service of the department who contributed towards incurring irregular and fruitless and wasteful expenditure.
- Management should ensure that all internal control deficiencies were addressed.

2. Transfer of funds. Social assistance grants were paid to beneficiaries that did not always comply with the requirements of the Social Assistance Act and its most recent regulations. Root cause was skilled and continuous supervision was not provided to ensure that internal control objectives were being met.
- Management did not exercise oversight responsibility regarding financial and performance reporting and compliance and related internal controls.
- Management did not implement effective HR management to ensure that adequate and sufficiently skilled resources were in place and that performance was monitored.
- Management did not implement proper record keeping in a timely manner to ensure that complete, relevant and accurate information was accessible and available to support financial and performance reporting.
- Management did not prepare regular, accurate and complete financial and performance reports supported and evidenced by reliable information.
- Management did not review and monitor compliance with applicable laws and regulations.

Recommendations:
- All staff that overrode or ignored internal controls, which was a non-compliance with approved policies and procedures should be investigated and disciplined. Staff must be held accountable for their actions.
- As a compensating control, management should implement a cyclical review of beneficiaries that not only included life certification and contact details update, but also information update and collation of required information to ensure that files were updated to comply with the current regulations. In-depth reviews would resolve many legacy issues.

B. NDA finding:
Expenditure management. The accounting authority did not take effective steps to prevent irregular expenditure as required by the PFMA. Root cause was a lack of review and monitoring of compliance with applicable laws and regulations. Recommendation: Proper processes should be implemented to ensure that possible irregular expenditure was investigated in the year that it was identified.

During an AGSA engagement with the Minister on 31 July 2012, the Minister made a commitment towards clean administration and achievement of action plans.

No unauthorised expenditure was reported for the year under review.

Fruitless and wasteful expenditure:
DSD showed an improvement on fruitless and wasteful expenditure with none being identified for the 2012 financial year.
SASSA regressed from R148 155 in 2011 to R209 571 reported for 2012.
NDA regressed from 0 in 2011 to R373 087 reported for 2012.

Irregular expenditure:
DSD regressed from R1 322 000 in 2011 to R19 871 000 reported for 2012.
SASSA regressed from R1 550 972 in 2011 to R10 412 124 reported for 2012.
NDA regressed from R2 551188 in 2011 to R9 456 180 reported for 2012.

No AGSA investigations were currently underway and no performance audits were conducted for 2011/12.

During the year under review a performance audit was conducted on the Readiness of Government to report on its performance. The focus of the audit was on how government institutions were guided and assisted to report on their performance, as well as the systems and processes they had put in place. The audit was currently in the reporting phase and findings would be reported in a separate report.

Discussion
Ms Tshwete thanked Mr Hlongwa and Mr Meintjes for the presentation.

Mr M Waters (DA) asked whether the auditors looked at last year’s recommendations as to how many action steps had been fulfilled.

Mr Waters asked why the Central Drug Authority had been left out of the entities.

Mr Hlongwa said he would follow that up.

Mr Waters referred to media reports on fraud within the SASSA system, yet they received a clean audit. Social assistance grants were paid to beneficiaries that did not always comply with the requirements of the Act. He asked for more information on that.

Mr Hlongwa responded that SASSA did get a clean report in terms of the Public Audit Act on the financial management of the entity. The AG also reported in terms of compliance with laws and regulations and predetermined objectives. The findings on the two entities were not material, which was why the two entities were unqualified. The audit was done in terms of financials submitted and did not find serious matters to report upon.

Mr Waters asked why transfer of those funds was reported under the DSD and not SASSA?

Mr Waters understood that it was a court case, but early in the year SASSA awarded a R10 billion contract for the payment of grants and there were reports of the bid evaluation committee not having been properly constituted. He asked whether the auditors had looked at that contract, as there were clouds around that.

Mr Hlongwa responded that in the audit report it was raised as an emphasis of matter and referred to the litigation the department was currently undergoing. After the judgment, the auditors re-looked at the report. He understood that the case was still on appeal so the audit officials could not work on the judgment and satisfy themselves that there were no material findings.

Mr Meinjtes added that from the audit procedures, no material non-compliance areas were picked up. The audit could not be based on the court judgment. That specific tender process was included in the audit and sufficient evidence was found that all the supply chain management processes had been followed. The AG had reported on the pending litigation where there was an emphasis of matter paragraph which referred to this specific case. It indicated that at the time of reporting, the possible non-compliance that might flow from that was still unknown at that stage.

Mr Waters noted dramatic increases in fruitless and wasteful expenditure by two entities and one department; he asked for an explanation of the irregular expenditure.

Mr Hlongwa clarified that irregular expenditure was expenditure not in line with procedures and where policies were not followed.

Mr Meintjes added that the majority of the irregular expenditure for SASSA, the NDA and the DSD, was due to supply chain management processes not followed throughout. National Treasury required that bids must be advertised in the State Tender Bulletin, and that did not take place. The main contributor to irregular expenditure was procurement and contract management processes that were not always followed. This then resulted in irregular expenditure.

In the case of fruitless and wasteful expenditure, NDA’s R373 000 was mainly due to late payments to SARS that resulted in the NDA paying penalties and interest. In the case of SASSA’s R209 571, this was for exhibition stands paid for but not used, and for flights and accommodation paid for but not used.

Mr R Bhoola (MF) reported that he had recently had occasion to visit a South African Police Station and noted there was a huge influx of people to sign affidavits that they had been collecting fraudulent grants. Something was being done. The funds that would now not be paid to those ghost beneficiaries would have an impact on funds transferred and also budgets.

Mr Bhoola was also interested to know if the report was measured against the previous financial year’s recommendations.

Mr Hlongwa responded that reporting should be done according to the National Treasury framework. He recommended Members familiarise themselves with that framework in preparation for departments presenting their annual reports. The AG did measure programmes and based the audit on the framework prescribed by National Treasury.

Mr Bhoola was concerned about the accountability of managers and asked what could be done to improve the situation?

Mr Hlongwa responded that their mandate was only to audit and report and try to escalate reporting as far as possible to oversight bodies. Under the leadership of the Auditor General, Mr Terence Nombembe, there had been increased communication with stakeholders and he himself presented the overall outcomes to National Assembly to ensure everyone was involved in the process of achieving improvement in the way that departments were run, to ensure clean administration and proper reporting so that the policy makers and decision makers had credible information. The auditors only reported the outcomes and ensured that financial reports were reliable. It was up to the oversight structures to ensure implementation of these recommendations.

Mr Meintjes added that it was part of the audit process to look up the prior year and where an entity had not addressed a matter, it would be reported on again. The AG also had interaction with the department and entities called dashboard reporting, where it focused on – leadership, financial and performance management and governance – giving feedback as to how they were performing in those areas. Key controls had to be in place under those three areas otherwise it would result in an unqualified audit opinion.

Mr Bhoola suggested that compliance tests should be incorporated and rectified in strategic planning.

Mr Hlongwa responded that the AG reported to the relevant authority to ensure they were aware.

Mr Bhoola referred to fruitless and wasteful expenditure and was concerned in terms of value for money.

Mr Bhoola asked about supply chain management and fraud and abuse, and recovery of that money in terms of the PFMA. What happened to that money?

Mr N Kganyago (UDM) noted that for 2012 the DSD received an unqualified report with findings on Pre-Determined Objectives (PDO) and compliance. He asked what happened if for 2013, it received a disclaimer. And if after SASSA receiving a clean audit, it regressed and received an unqualified opinion with findings for 2013? How would that regression, in spite of the recommendations, be addressed?

Mr Kganyago was concerned that there were cases where officials paid elderly beneficiaries incorrect amounts because the notes were folded and beneficiaries only noticed that after they had left the pay point.

Mr Hlongwa said it was a matter for concern but the AG had not yet come across such a case in their audit.

Ms F Khumalo (ANC) noted with concern that generally under the DSD, the root cause was a lack of capacity, management did not do their oversight responsibility. What measures were in place to correct the situation?

Ms M Mafolo (ANC) said last year the DSD received a qualified audit opinion due to SASSA’s problems. This year SASSA received a clean audit and the DSD an unqualified report again; she required an explanation.

Ms Pretty Ngubeni-Maluleka (ANC) noted that departments and entities did not use the recommended PFMA framework of GRAP and were not submitting financial statements in the manner required. Did the AG advise use of GRAP?

Mr Hlongwa explained that National Treasury was the authority responsible for setting up the framework that each entity should report on and prescribed what the framework for each department would be. During the audit it was discovered that in terms of the prescribed framework, the Funds should have reported using GRAP but they used GAAP.

Ms Tshwete supported Ms Mafolo in asking why the DSD now had an unqualified audit and SASSA a clean audit, it seemed strange.

Mr Meintjes responded that there was a misunderstanding. DSD did not get a qualified audit opinion. It got an unqualified audit opinion with findings on PDO and compliance. DSD received qualified opinions for 2009/10 and 2010/11 due to findings of certain limitations on the grant payments.

Ms Tshwete asked why the four Funds were dormant, with the intention that they be closed down.

Mr Meintjes responded that of the four funds the only movement was some payment from the Disaster Relief Fund, the money was just lying in those funds. The purpose of the funds were no longer relevant. They were run under the Fundraising Act so legislation had to be repealed in order to close down those funds. He understood that the department wished to channel the money back to the provinces for certain projects.

Mr Hlongwa added that they were dormant because they had to be closed down but the process of closing them was slow as the Act had to be changed.

Ms Tshwete asked Mr Hlongwa and Mr Meintjes to follow up the issue of the Central Drug Authority as an entity that should have been reported on.

Ms Tshwete thanked Mr Hlongwa and Mr Meintjies for their time and wished them well in the work that they did for South Africa.

Fourth Term Committee Programme
Members considered the Draft Fourth Term Committee Programme. The Programme was adopted with the amendment that the date for the adoption of the BRRR report would be changed from Friday, 19 October as many Members would not be able to attend on a Friday..

Adoption of Minutes
Minutes of Committee meetings held on 24 April 2012, 12 June 2012, 25 July 2012 were adopted without amendments.

Ms Tshwete read the recommendations contained in the minutes of 11 September 2012:
- The Department to provide the Committee with a report of the implementation plan of the Prevention and Treatment for Substance Abuse Act.
- The Department should provide the Committee with a report containing the costing of Prevention and Treatment for Substance Act, as well as a report on the oversight visit conducted at Early Childhood Development Centres and old age homes around the country.
- The Committee emphasised that the Department should put more focus on the aftercare and reintegration services.

The minutes were adopted without amendments.

The meeting was adjourned.