Department of Justice and Constitutional Development Audit 2011/12: Auditor-General comments

Meeting report

DJCD and entities audit outcomes 2011/12: Auditor-General briefing
Mr Yusuf Essack, AGSA Senior Manager, stated that there were certain key focus areas around which the audit had revolved and had been conducted. The findings of AGSA were based on these key focus areas as identified below.

Supply Chain Management
In respect of the Department of Justice and Constitutional Development (DJCD), the finding of AGSA was that goods and services with a transaction value below R500 000 were procured without obtaining the required price quotations, as required by Treasury Regulation TR 16A6.1. It was also found that goods and services of a transaction value above R500 000 were procured without inviting competitive bids, as required by TR 16A6.1. Deviations were approved by the accounting officer even though it was not impractical to invite competitive bids, in contravention of TR 16A6.4. Employees of the Department performed remunerative work outside their employment in the Department without written permission from the relevant authority as required by section 30 of the Public Service Act. The root cause was that reviewing and monitoring of compliance with applicable laws and regulations was not performed which resulted in the procurement process not being followed. AGSA’s recommendation was that management should ensure that the prescribed processes were complied with and disciplinary steps were taken where necessary.

In respect of the National Prosecuting Authority, AGSA’s finding was that employees of the Department performed remunerative work outside their employment in the Department without written permission from the relevant authority as required by Section 30 of the Public Service Act 1994. The root cause was that leadership did not effectively communicate policies and procedures to enable and support understanding and execution of internal control objectives, processes and responsibilities. AGSA’s recommendation was that the mentioned cases should be investigated and the necessary action should be taken. The requirement of the Public Service Act should be enforced and communicated on a regular basis by means of awareness sessions. Management should conduct Companies and Intellectual Property Registration Office (CIPRO) [Companies and Intellectual Property Commission (CIPC)] searches on a regular basis in order to identify officials performing remunerative work outside of their employment and ascertain if it was approved and disclosed appropriately.

In respect of the Criminal Assets Recovery Account, no finding was made. In respect of the Guardians Fund, no finding was made.

In respect of the Special Investigating Unit (SIU), AGSA’s finding was that consultants' expenditure was incurred outside of the approved deviation period as set out in the deviation certificate. Preferential procurement policy was not implemented in the appointment of temporary staff. An award had been made to a supplier whose tax matters had not been declared by the South African Revenue Service (SARS) to be in order as required by TR 16A9.1(d) and the Preferential Procurement Regulations. Weaknesses were also identified in the procurement of forensic data analysis software. The root cause was that management did not adequately review and monitor compliance with applicable laws and regulations. The Leadership did not exercise oversight responsibility regarding compliance and related internal controls. There was lack of adequate understanding and communication of the requirements of supply chain management in the human resource unit. AGSA’s recommendation was that the accounting authority should ensure all units within the SIU comply with the procurement policies. The requirements of supply chain management prescripts should be observed for each submission requesting appointment of temporary employees. Management should ensure that the prescribed processes were complied with and disciplinary steps were taken where necessary. The SIU should sign contracts for all suppliers from which goods were procured.

In respect of Legal Aid South Africa, AGSA’s finding was that awards were made to suppliers whose tax matters had not been declared by the South African Revenue Services to be in order as required by TR 16A9.1(d) and the Preferential Procurement Regulations. The root cause was that management did not regularly review and monitor compliance with laws and regulations on supply chain management. The policies of the entity were not aligned to the Supply Chain Management (SCM) regulations. AGSA’s recommendation was that the supply chain management regulations should be followed for procurement of goods and services. The SCM policies ought to be revisited and aligned to the prescripts.

In respect of the Public Protector of South Africa, there was no finding.

In respect of the President’s fund, there was no finding.

In respect of the South African Human Rights Commission, AGSA’s finding was that an award was made to a supplier whose tax matters had not been declared by the South African Revenue Services to be in order as required by TR 16A9.1(d) and the Preferential Procurement Regulations. Contracts and quotations were awarded to bidders who did not submit a declaration on whether they were employed by the state or connected to any person employed by the state, which was prescribed in order to comply with TR 16A8.3. Sufficient appropriate audit evidence could not be obtained that contracts and quotations were awarded to bidders based on points given for criteria that were stipulated in the original invitation for bidding and quotations, as required by TR 16A6.3(b) and Preferential Procurement Regulations. The root cause was that management did not regularly review and monitor compliance with laws and regulations on supply chain management. There was inadequate training to SCM officials to ensure familiarity with SCM regulations. AGSA’s recommendation was that the supply chain management regulations should be followed for procurement of goods and services. SCM officials must be trained and the entity must be familiar with all the latest developments in regulations to ensure total compliance.

Predetermined Objectives
In respect of the DJCD, AGSA’s finding was that of the total number of 72 planned targets, only 20 were achieved during the year under review. This represented 72% of total planned targets that were not achieved during the year under review. Material misstatements in the annual performance report were identified during the audit, all of which were corrected by management. The root cause was that this was as a result of the Department not adequately monitoring performance against predetermined targets on an ongoing basis to take appropriate steps timeously in ensuring achievement of targets. Action plans were inadequate or not implemented correctly to address prior year matters reported. AGSA’s recommendation was that performance against predetermined objectives should be monitored on a quarterly basis and compared to actual supporting documentation to ensure validity of actual achievements. Achievements of targets should be monitored continuously throughout the year to ensure achievement of financial and performance results and targets.

In respect of the National Prosecuting Authority, there were no findings.

In respect of Criminal Assets Recovery Account, there were no findings.

In respect of Guardians Fund, there were no findings.

In respect of Special Investigating Unit (SIU), AGSA’s finding was that the entity did not report on all strategic objectives as set out in the strategic plan. There was also late submission of strategic plan, lack of performance management policy and lack of accuracy and validity of reported information. The root cause was that policies and procedures had not been established to enable and support understanding and execution of internal control objectives and processes. There were inadequate documented policies and procedures in place to monitor compliance with all the relevant legislation and requirements in the performance management division. AGSA’s recommendation was that all strategic objectives contained in the strategic plan must be reported in the report against pre-determined objectives. The strategic plan was the basis of reporting as stipulated in Treasury regulation (TR) 30.1.3 (g). Management should going forward assess its current objectives. Based on this assessment management could reduce or increase its objectives. This assessment should take into account the mandate of the SIU. The strategic plan should only consist of the strategic objectives which the entity had concluded were its strategic goals for inclusion in the annual report. It should be noted that the budget allocation would be based on the planned objectives. For all strategic objectives; management should formulate performance indicators and targets in order to enable SIU to measure performance against planned objectives. A checklist of all the critical legislative requirements on performance information should be developed and monitored on a regular basis. Management should also study the requirements of the framework for strategic plans and annual performance plans and put processes in place to ensure compliance for the forthcoming financial year. This framework would be effective in full during the 2012/13 financial year. SIU should report on compliance on a regular basis to the executive committee (EXCO) and the audit committee.

In respect of Legal Aid South Africa, there were no findings.

In respect of the Public Protector of South Africa, AGSA’s finding was that of the total number of planned targets only 37 were achieved in the year under review. This represented 24% of the total planned targets that were not achieved during the year under review. The root cause was that this was due to targets not being suitably developed during the strategic planning process. AGSA’s recommendation was that Key objectives should be prioritised in the strategic plan to ensure proper focus on delivery. Achievements of targets should be monitored continuously throughout the year to ensure achievement of financial and performance results and targets.

In respect of the President’s fund, there was no finding.

In respect of the South African Human Rights Commission, there was no finding.

Human Resources
In respect of the DJCD, AGSA’s finding was that appointments were made in posts which were not approved and funded, as required by Public Service Regulation (PSR) 1/III/ F.1(a) and (d). Employees were appointed without following a proper process to verify the claims made in their applications in contravention of Public Service Regulation (PSR) 1/VII/D.8.The accounting officer did not ensure that all leave taken by employees were recorded accurately and in full as required by PSR 1/V/F(b).Some senior managers did not have signed performance agreements for the year under review as required by PSR 4/III/B.1. The root cause was that the accounting officer did not exercise oversight responsibility over financial and performance reporting, compliance with laws and regulations and internal control. Management did not monitor leave as required by the DPSA’s “Determination on leave of absence in the public service” and the “Procedure manual: leave management”. Leave forms were not filed timeously in the employee files or captured on PERSAL. Signature of senior managers’ performance contracts were not followed up. AGSA’s recommendation was that detailed verification checks should be performed on all appointments. Management should ensure that all leave were approved in advance, leave was captured timeously and that all leave forms were filed. A detailed reconciliation should be done for all employees to ensure leave balances were correct. Management should ensure that all performance agreements for senior managers were signed before 31 May each year as stipulated by the PSR. Proper communication and collation of signed contracts should be instituted, which would also ensure that all employees had been accounted for.

For National Prosecuting Authority, there were no findings.
For Criminal Assets Recovery Account, there were no findings.
For Guardians Fund, there were no findings.
For Special Investigating Unit, there were no findings.
For Legal Aid South Africa, there were no findings.
For Public Protector of South Africa there were no findings.
For President’s Fund, there were no findings.
For South African Human Rights Commission, there were no findings.

Information Technology Controls
In respect of the DJCD, AGSA’s finding was that information technology (IT) management had designed IT governance controls, which had been documented and approved, but the controls were not adequate as the Department had not adopted an Information Technology (IT) governance framework for their IT environment. There was non-compliance with controls designed by management to adequately mitigate key financial risks. As a result, the activities (with regard to user account management) of the system controller in the Personnel and Salary system (PERSAL) environment were not monitored by an independent person. IT management had not formally designed, approved and documented user access controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the applications and information systems; however, informal measures were in place and provided some control. The informal controls, although not enforceable, were found to be adequate to address the key risks applicable to the Basic Accounting System (BAS).There was non- compliance with controls designed by IT management to adequately mitigate security vulnerabilities risks. The system logs were not regularly reviewed to detect unauthorised access attempts on the operating system. The activities of the database administrator were not reviewed.

The root cause was that the Department of Public Service Administration (DPSA) had not finalised the guidelines for the government-wide IT governance framework to be implemented by all the departments as per Programme 4: Information and Technology Management. As to non-compliance with the Departmental Policy for PERSAL Access Security page 9 paragraph 3.4.5.2(l), the policy was still being finalised by the Deputy Director: Finance and would be submitted to appropriate levels of management for approval. Due to a virus attack that resulted in several users experiencing account lockouts every minute, there was an increase in password reset requests and the staff constraints of Tactical Software Systems (TSS) meant that it was to possible to handle such an increase in requests. AGSA’s recommendation was that whilst awaiting the approval of the draft DPSA IT governance framework, the Chief Director: Risk Management should ensure that the governance framework of the Department was aligned to the DPSA draft framework and that good governance practices were introduced or implemented at the Department. The Deputy Director: PERSAL and Information Management should enforce the responsibility for reviewing system controller’s activities at regular intervals to ensure compliance with the Departmental Policy for PERSAL Access Security. Management was to ensure that the user account management policy was finalised and submitted to the appropriate levels of management for approval. Follow-up should be made to ensure the policy was approved. The following control measures to be implemented:

Investigate possible anti-virus coverage available to ensure that the virus attack was dealt with. Thereafter, reduce the number of incorrect login attempts as per best practice requirements.

Investigate the possible functionality available to be implemented, that would enable the Department to log, track and report on the login and access violations to the network and systems.

A process should be implemented to ensure that the activities of the database administrators were reviewed to identify exceptions and to ensure that these were acted on in a timely manner.

In respect of the National Prosecuting Authority, AGSA’s finding was that there were inadequate controls over security management which was caused by the fact that systems and tools that were used to periodically review/ monitor user activities on the network (in the past) were neglected after the third party/contractors who used to administer the systems were replaced and no continuity thereof was undertaken. The user access on domain or active directory was not being consistently reviewed which was caused by the lack of adequate communication between the Human Resources department and the information and communication technology (ICT) department. Furthermore, there were inadequate forums for engagement between HR and ICT to ensure that communications of staff movements were consistent and accountability could be established.

AGSA’s recommendation was that the Acting Senior Manager: Infrastructure should ensure that formal procedures and tools for monitoring of the network were put in place. This might also include network load/ traffic assessment tools, access and activities log reviews and intrusion detection systems that were widely available on the market. The Executive Manager: Information Management Service Centre (IMSC) should engage more effectively with the HR division to ensure that ICT administrators were consistently updated of any changes in the NPA staff establishment. Forums of engagement such as ICT governance committees should be used to formally assign and monitor responsibilities for user access management among other things. The Executive Manager: Information Management Service Centre (IMSC) should expedite the establishment of a disaster recovery site and ensure that the disaster recovery plan (DRP) was periodically tested to familiarise the DRP team with their roles and responsibilities and align it with the operating environment at the NPA. Furthermore management should take proactive steps to ensure that funding was made available for the implementation and testing of the DRP.

In respect of the Criminal Assets Recovery Account, there were no findings.

In respect of Guardians Fund, AGSA’s finding was that IT management had designed IT governance controls, which had been documented and approved, but the controls were not adequate as the Department had not adopted an Information Technology (IT) governance framework for their IT environment. There was non-compliance with controls designed by IT management to adequately mitigate security vulnerability risks. IT management had designed IT service continuity controls, which had been documented and approved, but the controls were not adequate to mitigate the risk of inability to resume normal business operations following a disaster event or disruptions.

AGSA’s recommendation was that whilst awaiting the approval of the draft DPSA IT governance framework, the Chief Director: Risk Management should ensure that the governance framework of the Department was aligned to the DPSA draft framework and that good governance practices were introduced or implemented at the Department. The Director, Information Systems Management should ensure that control measures were implemented.

In respect of Special Investigating Unit, AGSA’s finding was that there was a lack of formally documented and approved process to manage user access to financial systems (VIP, Navision, Legal Suite). The programme change management procedures were not formally documented. There was a lack of design of the IT security policy. There was also a lack of formal patch management process. The responsibilities of an information security officer were not formally delegated. There had been a lack of design of the disaster recovery plan and IT continuity plan. There had also been a lack of design of a backup and retention strategy. The root cause was that there had been no approved/formalised policies and procedures to provide guidance on the processes to be followed. Capacity constraints in the ICT unit had limited the time devoted to the development of the policies and procedures. The SIU did not have the required skills to develop the change management policy due to vacancies with the IT Department. There were no formalised policies and procedures to assist and provide guidance on the processes to be followed. The State Information Technology Agency (SITA) was currently assisting the SIU in developing an IT governance framework. Part of this process was to develop policies and procedures as per the requirements of the governance framework. Only once the framework was approved and implemented would the policies be formally documented and approved.

AGSA’s recommendation was that the Chief Financial Officer (CFO) and the Head of ICT should ensure that the user account management policies or procedures which addressed all the system environments were documented and approved. These procedures should also require the appropriateness of user access to be reviewed on a regular basis as well as the monitoring of activities performed by users with controller privileges. Users should also be required to request access to the systems through forms that would be retained for future and audit references. These controls should be implemented within the next two months. The Head of the SIU with the Head of ICT should ensure that program change control standards and procedures were developed and should include key elements such as ensuring that updates were approved and tested prior to implementation. Management should approve the change control standards and procedures document and compliance with the procedures and standards should be monitored regularly. These controls should be implemented within the next three months. The Head of the SIU should speed up the process of approving the ICT Governance Framework within the next three months which would pave the way for the development of the IT security policy. The Head of ICT should ensure that the IT security policy was approved within the next six months. Once documented and approved, it should be implemented accordingly. Compliance to the policy should be monitored on a regular basis. The Head of the SIU should ensure that a formally documented and approved patch management process, including the testing of patches before deployment into the production environments was documented and implemented by the Head of ICT within the next three months. Once approved, the patch management process should be implemented accordingly. The main duty of the security officer would be to support the Head of the SIU by performing his formally delegated responsibilities in respect of IT security. The responsibilities of the IT security officer should be formally delegated to an individual with the required IT security knowledge and experience by the Head of the SIU and should at least include the following:

Develop and maintain an IT security policy, as well as security procedures and standards for the SIU. It was noted that the policy had been developed but was not yet approved.

Conduct reviews of all systems to ensure that effective IT security policies were in place for each system.

Conduct annual assessments of the operating unit's IT security program to confirm the effective implementation of and compliance with established policies and procedures.

Ensure that system owners established processes to ensure that IT personnel received specialised training and access privileges were revoked on time.

Establish a process for identifying, tracking and reporting on security patch management.

Ensure that the institution’s policies and practices allowed for the account management controls such as account creations, account termination, review of user access rights, etc.

Monitor security and investigate security violation attempts.

The Head of the SIU should ensure that the IT governance framework was formally approved within the next three months. An assessment should be made of the time required to replace hardware and software to resume normal processing after a disaster. The users, who would need to develop their own operating strategies until such time as normal processing could be resumed, should identify all critical systems. The IT Continuity Plan and DRP should be compiled into one document and be formally approved. Adequate provision should be made in the IT Continuity Plan and DRP to cover all possible disasters. The IT Continuity Plan and DRP should be tested on a regular basis and be updated as necessitated by circumstances. A copy of the IT Continuity Plan and DRP should also be retained off site. This should be completed within the next six months. The Head of the SIU should ensure that the ICT Governance Framework was formally approved within the next three months. The Head of IT should then ensure that the backup and retention strategy was formally documented, approved and implemented. The document should include the following minimum requirements:

- The data, systems and application software to be backed up
- Backup schedules (monthly, weekly and daily)
- Retention periods (monthly, weekly and daily)
- Backup reports and registers
- Monitoring and review of backups
- Process handling of unsuccessful backups
- Off-site backup arrangements
- Testing of backups

In respect of Legal Aid South Africa, AGSA’s finding was that security management controls were not adequate to address risks identified. There was non-compliance with controls designed by IT management to adequately manage IT continuity risks. The root cause was that the reviewing of users rights was not performed. There was ineffective human resource management due to vacancy of the second IT administrator. AGSA’s recommendation was that access to powerful profiles should be restricted. Systems, applications, documentation and data should be maintained and successfully backed up.

In respect of The Public Protector of South Africa (PPSA), AGSA’s finding was that IT management had not formally designed security management controls to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate. As a result the following key security management issues were not addressed:

Administrator password management procedure document not yet approved.

The general IT policy did not include some key password management processes as a result the minimum password length, password complexity and account lock threshold settings were not adequately set.

IT management had not formally designed user access controls to mitigate the risk of unauthorised access to the network and information systems of PPSA. Informal controls were in place, but were inadequate. IT management had not formally designed IT service continuity controls to mitigate the risk of being unable to get back to normal operations subsequent to a disaster or major disruptions. The following informal controls were in place. IT management had not formally designed IT governance controls to mitigate the risk of IT not being aligned to the business objectives of PPSA. The root cause was that the password parameters (group policy settings) were relaxed due to operational requirements. PPSA Risk and Security Management had not approved and adopted a formal Physical Security Policy to govern physical access to sensitive areas. PPSA IT management had not included key aspects regarding Business Continuity Planning (BCP) and DRP in the Disaster Recovery (DR) Strategy Document.

AGSA’s recommendation was that management should ensure the process of finalising, approving, implementing and communicating formal administrator password management procedure. Management should develop, approve and implement a comprehensive User Access Account Management policy and implement a formalised process of monitoring and reviewing user access activities including any violation attempts. The IT management was encouraged to develop a DRP which should be aligned with the BCP for PPSA and be informed by a business impact analysis, which should identify all the critical systems and components and set time frames for the recovery of these systems and components and all the details as stipulated above. The backup activities should also be given adequate attention. The PPSA IT Management should ensure that the following were addressed: It should adhere to the principles and procedures as stipulated in the IT Governance Framework by keeping appropriate attendance register, minutes of meeting indicating details of discussion as it involves the IT functions. The evidences of adoptions and approvals likewise, should be kept all through the year. The persons appointed in the positions must have the required IT management knowledge and experience. Once the positions were filled, the head of the Department should formally delegate the roles and responsibilities incumbent on this position to the appointee. The development and implementation of adequate service level management process would allow the levels of IT services rendered by service providers to be identified, monitored and reviewed, on a regular basis, against those specified in the service level agreements (SLAs).

In respect of the President’s Fund, there were no findings.

In respect of the South African Human Rights Commission, there were no findings.

Material Errors/Omissions in AFS submitted for Audit
In respect of the DJCD, AGSA’s finding was that the financial statements submitted for auditing were not prepared in accordance with the prescribed financial reporting framework and not supported by full and proper records as required by sections 40(1) (a) and (b) of the PFMA. Material misstatements of current liabilities, revenue, expenditure and disclosure items identified by the auditors in the submitted financial statements were subsequently corrected, but supporting records relating to the Third Party Funds, that could not be provided resulted in the financial statements receiving a qualified audit opinion. The root cause was that there was lack of adequate review of AFS by management, those charged with governance and internal audit. AGSA’s recommendation was that management should ensure that AFS were prepared regularly (monthly vs quarterly). These AFS should be reviewed by the governance structures i.e. management, internal audit and audit committee. The AFS prepared should be adequately supported by substantiating evidence to corroborate validity, accuracy and completeness thereof. AFS which were submitted should be the final set approved by the leadership and supported as referred to above.

In respect of the National Prosecuting Authority, AGSA’s finding was that the financial statements submitted for auditing were not prepared in accordance with the prescribed financial reporting framework and supported by full and proper records as required by sections 40(1)(a) and (b) of the PFMA. Material misstatements of non-current assets, revenue and disclosure items identified by the auditors in the submitted financial statements were subsequently corrected and the supporting records were provided subsequently, resulting in the financial statements receiving an unqualified audit opinion. The root cause was that there was lack of adequate review of AFS by management, those charged with governance and internal audit. AGSA’s recommendation was that management should ensure that AFS were prepared regularly (monthly vs quarterly). These AFS should be reviewed by the governance structures i.e. management, internal audit and audit committee. The AFS prepared should be adequately supported by substantiating evidence to corroborate validity, accuracy and completeness thereof. AFS which were submitted should be the final set approved by the leadership and supported as referred to above.

In respect of the Criminal Assets Recovery Account; Guardians Fund; Special Investigating Unit; Public Protector of South Africa; South African Human Rights Commission; the findings, root causes and recommendations were the same as the position in respect of the National Prosecuting Authority.

In respect of the President’s Fund’s, there were no findings.

Financial Health Status
In respect of the DJCD, AGSA found that included in accruals were payments that exceeded the payment term of 30 days from receipt of invoices. The root cause was that the Department did not implement controls over daily and monthly processing and reconciling of transactions. There were delays within the Department for payment of invoices indicating inadequate budget and financial management. AGSA’s recommendation was that management should monitor receipt and payment of invoices and should ensure that payments were made timeously as per the regulations. The Department must have processes and procedures in place that would enable the tracking of each invoice from date of receipt from the various service providers to the payment date. Invoices which were not paid within 30 days must be reported to National Treasury on a monthly basis.

In respect of the National Prosecuting Authority, AGSA’s finding was that the Department was not monitoring its compliance with the regulations with respect to payments to creditors within 30 days of receipt of invoices. The impact of the accruals amount would have an unfavourable effect on the subsequent years funds to be received and the negative cycle would continue, which would put pressure on the Department’s budget. It was recommended that, should there be valid reasons for delaying a payment, such reasons should be documented on the supporting documentation and approved by a relevant senior official. Should the delay be caused by the NPA, action should be taken against the relevant officials where necessary.

In respect of Criminal Assets Recovery Account,, there was no finding.

In respect of Guardians Fund, there were no findings

In respect of Special Investigating Unit, AGSA’s finding was that the inability to invoice state institutions for services rendered a negative impact on service delivery and ability to pay creditors as they fell due. The Special Investigating Unit had to significantly reduce its budgeted expenditure on forensic consultants due to uncertainty regarding the funding model. Furthermore, the SIU was in a net current liability position, which was an indicator that it might not pay creditors as they fell due. Steps were under way to amend the Special Investigating Unit and Tribunals Act (No. 74 of 1996), to provide for invoicing. The root cause was that SIU might no longer charge for investigations conducted, consequently the funds received from DJCD were no longer sufficient to fund its operations. Even though a process had been initiated to develop a new funding model, it had not been finalised. AGSA’s recommendation was that amendments to the enabling legislation, which should include the funding model, should be finalised as a matter of urgency.

In respect of Legal Aid South Africa, there were no findings.

In respect of The Public Protector of South Africa, AGSA’s finding was that creditors were not paid in a timely manner. Total current liabilities exceeded total current assets. More than 10% of the intangible assets were impaired. The root cause was that the entity did not implement controls over daily and monthly processing and reconciling of transactions. Delays within the entity for payment of invoices indicated inadequate budget and financial management. AGSA’s recommendation was that greater budgetary control and cost saving measures to be implemented. If funding constraints impacted on the ability of the entity to effectively perform its work, National Treasury should be consulted in order to motivate for additional funding.

In respect of the President’s Fund, there were no findings.

In respect of the South African Human Rights Commission, there were no findings.
(See presentation documents for full details; see also Annual Report)

Discussion
Ms D Schafer (DA) asked if AGSA audited the statistics which were referred to by the Department in its annual report.

She asked how the AGSA determined whether money was recoverable or not.

She further asked the AGSA to enlighten the Committee concerning third party funds. This was because it was simply unacceptable for the Department to have third party funds for eight years in a row.

Adv S Swart (ACDP) observed that a lot of information had been given by AGSA which the Committee had to deal with within a short while. He asked if it could be assumed from this information that the Department was improving in its performance and services.

He further observed that AGSA that had stated that the NPA was becoming a trading concern. He asked if this was an opinion from a governance perspective and wondered how the NPA could be a trading concern.

He asked the AGSA what it would advise the Department to do in order to ensure that it did not get any qualification with its third party funds audit. He further asked the AGSA to advise the Committee on what it should look out for in the quarterly reports of the Department concerning the third party funding. This advice was necessary because it appeared that everyone seemed to have a different idea concerning how to address the problem with no particular idea being the right one.

He further asked about the issue of outstanding financial statements not being available and asked what would happen in respect of the situation.

The Chairperson asked for the relationship between poor financial health and poor performance against predetermined objectives. He asked for a repetition of the comments concerning this relationship.

Mr Essack responded to the question concerning whether the AGSA audited statistics. He replied that if the statistics fell within the area of performance information then AGSA would audit it but not all the entire performance information would be audited.

Ms Schafer interjected and asked if AGSA was satisfied that the statistics accurately represented the true situation in the Department.

Mr Essack explained that he was not specifically involved in audit and that he would have to get back to the Committee later on the issue.

Mr Essack replied to the question concerning whether money was being recovered. He stated that AGSA would question how long the money had been outstanding, what steps had been taken to recover the money and why the money was not recoverable.

He responded to the issue of the NPA. He stated that the reference to the NPA as a trading concern was an error on the part of AGSA and that the NPA was actually a constitutional institution.

Concerning the question relating to whether AGSA was of the opinion that the Department was improving, he replied that that there was improvement; however, the recurring findings were still there and this was an issue that had to be taken into serious consideration. The Department had to take a serious look into the issue of compliance.

In relation to the question concerning the relationship between poor financial health and poor performance, he replied that the act of making late payments to creditors had a direct impact on cash flow as well the financial management which could affect the performance of the Department.
 
The meeting was adjourned.