PUBLIC ACCOUNTS STANDING COMMITTEE
5 June 2002
COMPENSATION FUND: HEARING
[This is a transcript of the meeting, produced by the Public Accounts Committee Secretariat.]
Chiba, Mr L
Gerber, Mr P
Gumede, Mr. D
Kannemeyer, Mr B
Mothoagae, Ms. K
Nair, Mr. B
Smith, Mr V
Bruce, Mr N
Beukman, Mr. F (Chairperson)
Koornhof, Mr G
Ndou, Mr R S
Woods, Dr. G
Hlangwana, Ms N L
Dudley, Ms C
Lowe, Mr C
Mr. C Botes
Mr A Van Dyck
Ms L Less
Mr N Marais
Mr R Ramashia, Director-General: Department of Labour
Ms B Magojo, Compensation Commissioner
Mr G Dreyer
The Chairperson welcomed members of the Committee, the Auditor-General's Office, National Treasury and the Department of Labour. He confirmed the agenda and it was adopted as circulated.
[Chairperson] We welcome everybody here today. Mr B Nair will focus on audit matters.
[Mr B Nair] There were certain issues raised with the Unemployment Insurance Fund (UIF). The necessity for a separation of these funds will do different to ensure greater efficiency. I do not want to probe the issue any further, but unless you have got any new points to raise. If we are going to await the views of ILO or any concerned agencies on the feasibility, especially after we probably would have to investigate there are no doubt that it carry out to various countries it would take some time before it materialises. One of your projections that it would take the whole system of computerisation and then your interaction with the Department of Labour, Home Affairs and other departments where you can get an effective computerised system. It will take between five to ten years. Taking all that into account and the time lag, you see you are faced with problems now: the question of staffing - you required a dedicated staff to handle your affairs. There are a whole lot of lapses that are taking place in both the funds, but I am concentrating on the work of the Compensation Fund. The Auditor-General has picked up to say that there was impossible they have difficulties in tracing funds or when claims are made, for instance, you have problems retracing them quickly enough in order to address those claims. The independence of the Fund, therefore, from the Department of Labour with a dedicated staff may go a long way, as you already admitted, to resolving some of the problems, both in the UIF and the Workman's Compensation Fund. I am now going to deal with the first question that flows from this problem. The fixed asset register does not reconcile with the general ledger. For instance, there is a difference of R1.25 million in the 2000/2001 financial reports. This was a problem the year before as well. Are the fixed assets bar coded? 
When do you expect to change to an accrual system from cash accounting, because of depreciation etc quite a number of factors that flow from proper accounting of the fixed assets. These can be corrected if the asset register is bar coded and properly registered.
[Mr R Ramashia] I think that the Member was right that the same principle applies to the Compensation Fund as it does to the UIF in terms of the long-term solution that we would arrive at after this study with the ILO. He is also right that in the interim we need to do something to deal with issues that we are experiencing presently. I would like the House to note that we have introduced a system called FYI, which moves us from reliance on physical documents, and files as a result of which we use an electronic system to register the claims. I will ask the Commissioner to explain how this system works. We are not waiting until the long-term problem has been dealt with without dealing with the current situation, but there are some interventions, which are already in place. The computerisation would go a long way in order to ensure that files are traced quicker. The ten years that I was referring to earlier during the UIF Hearing was the contract of the Public Private Partnership (PPP) that it would assist us during that period, so that after it there would be the transfer of skills etc where we would be able to manage the system ourselves. Waiting for the PPP, we have instituted some other intervention of which details the Commissioner would provide. I would ask Mr Dreyer to also comment on the issue of the fixed asset register. What you would note is that in both the 2000/2001 Report that problem recurred, but the problem has now been dealt with and Mr Dreyer will explain what is it that we have done which when the Auditor-General looks at the subsequent Report would be able to certify that that problem has been dealt with.
[Ms B Magojo] The Director-General has asked me to explain how the FYI works. I think I will do that by just explaining what the problems were and how the FYI is addressing those. In the past for each claim we would have about three files. Looking at the one that would be the employer file, the file of the beneficiary and a file for the medical information. Now with all these separate files that are kept as papers and after about four years of the last transaction the file will have to be destroyed and the information will be stored on a microfiche and while the file was still active but no longer making payments to the claim, it will be taken off the premises to the archives. That was very difficult to access the information in the file in order to answer the queries or any information that we needed to get on the files, because of the nature of the whole filing system. So what we did with the electronic system was to try and get the information that will be on the files and put it onto a computer file so that it is immediately accessible. What that involves is that with the current files that already existed they have to now be scanned and indexed into the computer to make them accessible. So obviously that would take a long time if we were going back. We have decided with the Fund that we will go back as far as possible, but we have decided that maybe we need to stop with 1999 going forwards. In other words, do not go back before 1998. So on the queries that come now, we can immediately access the information and give the answers to that. But on the old files, and the oldest one has been in 1953 and payment will still be made even today where it would still be difficult to access that information. We have said that we need to focus on the current claims in going forward and those are available immediately.
It is not really that the files are lost, but the accessibility of the information on those files that was a problem and we are trying to address them with the computer system.
[Mr G Dreyer] I will deal very shortly with regard to the issue of the fixed assets. The first part of the question was whether the fixed assets are all bar coded? Yes, we do bar code all the fixed assets as they are purchased. The problem that happened with regard to fixed assets, which were deployed in the building before it, was bar coded and recorded in the fixed asset register. That caused then the difference between the fixed asset register and the general ledger. Since then we started with an exercise to reconcile the general ledger and the fixed asset register. During this 2001/2002 financial year we managed to get it 100% in line with each other for the last financial year ended up till February 2001. We are still moving on with it and continue with the process of reconciling the two and get it in line with each other. With regard to the question of compliance with generally accepted accounting practices (GAAP) - it was reported in the 2000 Report of the Auditor-General that we depreciate our furniture and equipment up till a book value of R1 immediately in the year of purchase. That we have changed. We have implemented a new accounting policy with regard to that and it is now in line with GAAP whereby we do write off our fixed assets over the expected lifetime, which is in the region of 16% to 33% of the cost price of the fixed asset that we are going to write off.
[Mr B Nair] You have already said that it is based on the GAAP, the accrual system, not the cash based system, because that is when you reduced the value of the assets to R1. Is it now based on the accrual system?
[Mr G Dreyer] Yes, it is now based on the accrual basis and in accordance with GAAP. The reason why it was still reported in the 2000/2001 Report is that because of the new system that we have implemented which enhances compliance with GAAP there were still some teething problems when we implemented the new system. It did still happen that some of the invoices for fixed assets were recorded in the general ledger only by the date of payment and not by the date when it was ordered and it was not done 100% in accordance with the accrual basis at that point in time. It is now running on the accrual basis in accordance with GAAP.
[Mr B Nair] With regard to what Mr Dreyer has said there will be a further question later. Thank you for the answer given. I suppose it was my fault. I jumped the gun. I was just illustrating the point in regard to the tracking of files. With regard to the SEBO Accounts - you will recall that the total amount of R70 million odd that was outstanding and only R68 million was received from SEBO leaving a balance of R2 million odd. You have informed us that there was a directive from the Director-General of Labour or rather a state advocate actually approved the considering that this is write off, because it was irrecoverable. Could you provide us with a copy of the document in this regard, the opinion of the State Advocate? Do you agree whether it is acceptable to National Treasury that this amount is being considered irrecoverable? What of the books?
[Mr G Dreyer] With regard to that document received from the State Attorney - yes, we can forward a copy of that document to the Committee. With regard to whether approval was obtained or whether National Treasury were informed about this write-off of irrecoverable - no we did not inform them at that point in time, because this whole thing happened before the PFMA was fully implemented. It is all with regard to expenses, which occurred, or the take over and the amalgamation took place during 1996 already. So it was long before we were required to inform Treasury on that regard, but at that point in time we did not obtain Treasury approval before we signed it off. We signed it off in accordance with the Regulation indicating that the accounting authority of the entity can approve that.
[Mr B Nair] Treasury, do you think this is legitimate and above board to extradite off this as irrecoverable?
[Mr N Marais] I do not think I should go as far as to say if I am satisfied with everything. I think we have got to abide with the State Attorney's advice at this stage. What he said and the power to write off is still in the hands of the Director-General, either as Director-General of the Vote or the Accounting Authority. At the time that the amount was written off there was the question about him having the power to write off the amount.
[Mr B Nair] Our problem is that Parliament will actually have to approve of the authorizing and the writing off of this amount. Of course we can go by the State Attorney's and the Treasury's approval should you ultimately.
[Mr N Marais] As I have said, the power is in the hand of the Accounting Authority to write off in terms of the PFMA. That was at this stage that an amount was written off. It can go further, but in normal circumstances the Accounting Authority or the Accounting Officer will look at the facts at hand. As I have said the recommendations of the State Attorney and within his power he could write off that amount.
[Mr B Nair] If you could supply us with the document from the State Attorney, then we will consider it. This is an issue that was broached with you, but then payments that were received from various employers could not be identified, because of files missing etc. This has been corrected only after the particular employers or firms that they had received statements from the Compensation Commissioner made queries that certain amounts were outstanding. Trying to retrieve the files and make corrections. Although you have said that the problem has been resolved as of the year 2000. Is it now properly documented that all monies received or payments made by employers to the Fund has been properly recorded? Of course you have naturally send out statements subsequently asking employers to pay the unpaid amount. It is then that they queried it and you now have to search for files. I think you have already answered the question and you have got the system now computerised. Are you altogether satisfied that that system itself is functioning and you would not have this problem recurring?
[Ms B Magojo] What actually happened with the receipts that cannot be traced immediately - is receipts that are actually put in the bank. When they are put in the bank and there is no reference number to link it to the employer that paid it means we would have the actual cash, but we will not be able to trace the amount. So it just takes some time and sometimes it is after we have issued a final reminder and then the employer comes forward. The other source of the problem is where employers have not given us the return of earnings in time and we therefore use provisional information to actually raise the assessment. It is when they get the provisional assessment then they complain and then we correct the situation. So it has to do with the way the information is passed on to us. What we do is in the assessment form we attach a deposit slip, which has the reference number of the employer and if the employer uses the deposit slips that we use it would be immediately identified. Sometimes the sources are used by the provincial officers in order to make payments and that would take a bit of time between the time the employer pays in the province and the time that we recorded the books. It is just a lapse of time between actual payment and identifying where the payment came from.
[Mr B Nair] You say there is reconciliation between the creditors and the record this is a perennial problem. Now creditors control accounts do not reconcile with the creditors balances in the creditor's ledger. Then the Auditor-General also found that the supporting documents to substantiate the transactions were also lacking. What is the status of the reconciliation now? What we are dealing with now is the Report of the year 2000. You have just presented the Report of 2001 to Parliament today. You have also made certain corrective measures in the current year. The problem is, just in broad terms, these reconciliations, which have been a recurring problem over the years - have they been resolved? Will we still find the same discrepancies? You have appointed in other instances two insurance consultants. The consultants have done a good piece of work, but it certainly cost more consultants to employ. This has also been the problem with the Minister of Public Service and Administration for consultant experts are brought in at a colossal cost. In the meantime do they leave a legacy? Have they trained people within the Department to deal with this thing on an ongoing basis rather than consultants coming in, being employed there at a colossal cost of R500 an hour or even more. Our main point is have they in the process trained anyone to tackle issues that have arisen, like the reconciliation of creditors or debtors on an ongoing basis?
[Ms B Magojo] I take the question relating to the consultant and Mr Dreyer will deal with the creditor control. On the consultants - what we have is different consultants dealing with different areas within the Compensation Fund. That is not a very desirable situation. What we have done in the Department is that we have appointed a PPP where we say that we need to have at least some uniformity in the systems that are used. We need some centralisation that we all can understand and have uniformity of the systems used and the sharing of information between the UIF and the Compensation Fund. What we have at the moment are the different consultants. Before the end of the next financial year we should have one provider at the Department that is not only looking at the integration of the databases, but that is looking at all the work in the Department that are related with unemployment, compensation and the different units in the Department.
[Mr R Ramashia] Let me add by saying that it is not our preference to ask consultants to do some of this work, which should normally be done by officials of the Compensation Fund. The appointment of consultants is a desperate intervention aimed at dealing with what we see as an intractable situation. If we were to pay consultants now to make an intervention which with time would turn things around. We thought that it would be properly fitting that we should take that route. One of the requirements of that intervention is capacity building of staff that at any case should be able to do that work. Our experience demonstrates that in the way that most consultants work that they want to perpetuate dependence, because they are in the business of consulting and if they impart skills then they would be replaceable. The requirement is that when they do that work that we actually build the capacity within the Department to be able to do the work ourselves. So the concern that was raised by the Minister of Public Administration in that regard is something that we are particularly concerned about. We see this as an interim intervention and that with time people should be able to be trained within the Department. I think that the other challenge linked to that relates to the kind of packages that we pay officials who do certain specialized functions. We are looking at identifying areas which require scarce skills, so that we are able to pay more or less market related rates for people who have skills in respect of which we compete with the private sector to keep. It is something that is not a key only to the question that you have raised, but that it permeates the whole Department in terms of auditing, financial management, IT and those kinds of areas that there is a broader strategy to deal with that problem.
[Mr Dreyer] I want to respond with regard to the creditors account balances. I will try to explain what is the purpose of these control accounts. Ninety percent of these amounts in these control accounts consist of tax, which are avoided from the financial system. In other words, stale cheques after six months is written back. That is done automatically and it ends up in this clearing account. Only when follow-up is then been made to make sure that why was the cheque not cashed within six months, confirm the address of the person who should receive the cheque. Only then we can make the correction out of this control account by issuing a new cheque. Taking that into account it is important to note that the amount in these control accounts does not mean that much, because it depends on what was the value of the stale cheques, which were written back. You can get a fluctuation in these control accounts from year to year, very low then much higher etc. What is of more importance is the time that the stale cheque is in that account before it is cleared out and reconciled and a new cheque is issued, or written back. So we have started a process on that side as well to try to clear the old cheques and things that are still lying in those control accounts. Taking also into account that there are literally thousands of stale cheques, which are written back per month, which needs to be followed up every month to ensure that we can issue the next cheque to the lawful owner.
[Mr B Nair] In the case of stale cheques - they should rather be put into the suspense account, because if you are clearing constantly either a debit or a credit in the suspense account then the creditors control account, which has to be reconciled with the creditors ledger. It is two different things, because naturally until the persons to whom you issue those cheques until those cheques are cleared totally, those will remain in balance and they will fluctuate eventually. Rather the suspense account, which has to be cleared as quickly as possible within six months, but in less than a year. Otherwise, you will be carrying this for years. It should not be mixed up with the creditors account and they have to be reconciled. Now this issue was raised when we were dealing with the UIF. Here it was not possible for the auditors or anyone to evaluate whether all the employers in the country who were due to pay levies to the Compensation Fund have actually been brought to book, because you do not have a database. Then in terms of the Compensation for Occupational Injuries and Diseases Act (COIDA) they are compelled to pay compensation, but many have failed to do so. Have you now taken positive steps to bring all the employers to book in the same way as the UIF? The collective of this is the employment of inspectors. Now it is important that you are independent and that the Department of Labour handles this thing, but you have a dedicated staff. From the Reports that we have had from the Auditor-General quite a number of corrective measures have been taken and things have improved and so has the Compensation Fund, but we find there are a whole lot of inadequacies. With regard to the inspectors - I think it is quite a formidable section. I have written a few important points here. Some I will ignore, for instance, the provision for future claims, whether it is adequate and the recoverability of debtors. It is massive. If you go through it you will see it.
I am not asking for more time, but we will have to deal with this thing fairly adequately. Let us do it in a question and answer session so as to save time. About inspectors - we want the timeframe by which you will be able to effectively get all the employers to book. Then you will find quite often incorrect tariffs have been registered against employers. The Commissioner has made reference to provisional assessments being raised. In the process incorrect tariffs have been employed against certain employers.
[Mr R Ramashia] I will try to be brief, but it is a broader issue and I do not think that there will be a time where we would say with all certainty that all employers who should contribute to the Fund are contributing. It is an impossible task to ensure that everybody comes into the net, because some of the employers are not even registered for tax and with the Register of Companies and there is no mechanism to ensure that all of that does happen. Some of them operate in their backyard etc. For example, where workers have died in a locked up factory in Lenasia some two and a half years ago, that when we went to investigate that accident we also investigated whether the employer contributed to the UIF and the Compensation Fund. We found that the employer did not. The employer did not even register as a company with the Register of Companies. You will find those kinds of employers who are outside of the net and through the inspections we are able to bring some in, but we hope that also with the intervention of the debt reconciliation of the databases that we will be able to bring more into the net. I do not think that at any point we would safely say every employer who should be registered is registered, but we can always improve on what systems that cannot be water tight, especially in the informal type of industry. The most recent one is that there was a funeral undertaker who had not contributed to the Fund and we picked it up through an inspection. That undertaker said no, he had not been operative. He started only a year ago, but that is the undertaker who buried Chris Hani so many years ago. Despite the fact that this person was operating, but he was not registered. There are those kind of problems that we experience from time to time. I think with all these different interventions we should be able to bring more into the net. I think that the disclaimer will continue, but they cannot say that everybody who should contribute does indeed contribute.
[Mr B Nair] With this interface with the Department of Labour, DTI and Home Affairs etc - would you not be able to pick up information fairly rapidly so that you can solve your problems?
[Mr R Ramashia] I think there is going to be a remarkable improvement, because of the reconciliation of the database. What I am cautioning the House on is to absolutise the issue and makes an amicable declaration that there shall come a time when every employer who should be in the net will be in the net. I do not know how we can possibly do that. In the same way as not everybody who must pay tax pays tax, but SARS tries to open his net and make all sorts of interventions to bring everybody in the net. So we will stop at nothing in ensuring that it happens. I do not think we would be honest to make an undertaking that we would reach that. It is a desired goal, which I do not think, is fully achievable.
[Mr B Nair] We have got a legal opinion. It is with regard to debts going for more than two years, rather the prescription and rules that apply. With regard to levies, unemployment levies for workman's compensation or any other levies owed to the State you have got a thirty-year prescription period regarding to a legal opinion so that you can sit on them for thirty years and recover the monies. That is levies owed by employers, any levies, workman's compensation, unemployment insurance levies you can recover that in thirty years. The three-year prescription period does not apply. It is thirty years.
[Mr R Ramashia] I will regard that as a comment.
[Mr B Nair] The impression has been created that over three years the prescription applies here in this instance and therefore you cannot recover the levies. So you can in accordance with the legal opinion that we obtained. That is merely a comment, which I do put for advice. There is a question about the reconciliation between the debtor's ledger and the general ledger. I am just trying to race this through. The provision for future claims - whether there is adequate provision that is being made. How do you verify the information? The issues that you regard as important and taking into account the future claims. For instance, it is purely subjective at the moment. How do you evaluate the future claims? On what basis do you employ actuaries? You did employ actuaries in two instances. One table of the actuaries differed with the other, with a result that you have two separate amounts. One being R1.8 billion and the other R1.8 million. Do you now employ a third actuary to verify it? How did they arrive at the figures and then you pay millions to the actuaries?
[Mr G Dreyer] In the 2000 Audit Report it was reported that there is a problem with regard to the basis that we use internally to calculate those provisions. We have then decided that let us get an actuary to do this for us, which was then done for the 2001 financial year. As part of the audit procedures the Auditor-General then get an independent actuary to look at the provisions and the calculations that were done by the actuary of the Compensation Fund. I think we need to understand that it is still an estimate and a provision and the only thing that you can use to calculate this is historical figures and statistics that you can use. I think it is just the difference of interpreting and evaluating the statistics that you have and making certain assumptions for what will happen in the future in order to do that calculation. So the Auditor-General did make available to us the comments from their actuary. We did refer it to our actuary to look at it. In his comments our actuary indicated that there are certain of those comments that he will take into account for the next calculations. There are also others that he does not believe is correct. So it is a difficult situation and we believe that we should get the two actuaries together and try to sort it out.
[Mr B Nair] It would appear that duplicate payments were made. According to the 2001 audit 33% it would appear some duplicate payments. Has the electronic document management system prevented duplicate payments? Our information is that duplicate cash payments have increased rather than decreased. Is it fact or fiction?
[Ms B Magojo] Under duplicate payments and the use of the computer to make actual payments - I think what happens here is there was something wrong with the programme in the 2000 financial year. That was corrected in the following years. There was a programming error. I think a problem arose where we developed the system and the auditors were not involved in some of the things that came out there in pointing out some of the issues. We then said that it was something significant and if we develop a new system we will have to make sure that the Auditor-General and his auditors are involved in the development of those systems to make sure that some of the errors that could be picked up could be picked up at the development stage. Other than that, it is also how the claims are processed. Sometimes when we look, for instance, at a group of hospitals you would make an advanced payment just to say we are acknowledging that the calls of the processes would be running the two systems the manual and the electronic one, that we have now owed people for quite a long time. What we then do is give them an advance payment, but that is done for the whole group. We then take the accounts and reconcile it for individuals and medical providers make the payments against them instead of the payments that are made against the advanced payment. One of the things that would happen there are that you may find that the doctor has been given an advance and in the process whilst that is being processed the staff in the office has processed other claims. So what we then do is as we get more claims from that medical provider we try again to recover the money. So there have been problems with the programming and there have been duplicate payments, but we have actually recovered the money.
[Mr B Nair] I will stop there. Thank you very much.
[Chairperson] Thank you very much. We then go to the next section. Ms K Mothoagae will handle the computer audit.
[Ms K Mothoagae] My question is on page 8 and 9 of the Auditor-General's Report, which is around the weakness as was identified. Could you advise the Committee of the progress that has been made with respect to passwords of the UNIX environment? Please concentrate on the measures implemented to prevent unauthorised access to the UNIX environment?
[Ms B Magojo] We have taken into consideration the problems that we experienced with the computer audit. That was what I was referring to earlier on that the problems we had with auditors in doing their selections for computer auditing and what they have found. We have taken into account the comments relating to off-site storage and the password control and all the physical security around the computer system. What we intend to do is that we have a disaster recovery plan. That plan should take into account all the problems that we should identify around the computer environment. On the off-site backup - it is just up the road from the Compensation Fund. It was actually said within the Compensation Fund that it is too close and if we have any problems within the area where we are and where the backup is then, for instance, if we had to close it off, we might be closed off with them. We needed to identify all the different areas where there could be problems and the disaster recovery plan tries to address all those.
[Ms K Mothoagae] The Commissioner has not answered my first question, because I was saying how do they prevent unauthorised persons in the environment of the UNIX.
[Mr R Ramashia] If the question has not been adequately answered I would ask the Commissioner to focus on the specificity of the question and answer it appropriately.
[Ms B Magojo] I think we are talking about unauthorised access to the computer room rather than just the UNIX environment. We have the front room of the computer then we have the computer room itself where all the equipment is kept. And into the main computer room there is very restricted access and only if you use the only permitted medium for access in that room would you be able to do it. On the front room, which is where you have people that sit and operate the computer, where the operators sit, not where the main network equipment is, there you also need to use an access card. The access card is only given to the people that work in the computer room. What happens sometimes is that the door to the room itself is left open. We have taken measures to ensure that the room is locked all the time and even the staff in there have been informed that they need to keep the room closed all the time. They have also been informed of the importance of keeping it closed all the time and what the risks are around that. They have to take that into account.
[Ms K Mothoagae] Given the security can the system detect if an unauthorised person has entered into the system?
[Ms B Magojo] What we also have to detect any unauthorised access is that we have got cameras all over the building and specifically we have cameras that are focused on the computer room. We have security staff that man the computers 24 hours. Anybody that accesses the room that is not supposed to be there - it will be captured on camera and the video is viewed by management that is responsible for the computer room. The people concerned will be informed. It was not accessed by anybody from outside. The people that we are talking about as unauthorised walking in there would mainly be staff that are not computer staff that should not be there, but usually within the building. It is difficult to access the building itself.
[Ms K Mothoagae] I am still not yet convinced that there is that security that can pick up that somebody who was not supposed to get access has had access, because we are talking about physical people. I think we need to get further information on that one, because we do not understand for now. My second was asked. My last question is around the computer changes on the database, which I think is connected to the first point. If there have been changes to the database - are the other users of the computer aware? How are they made aware, so that we try to control corruption?
[Chairperson] You make a valid point. The mere fact that the room is closed or blocked, that we can get a key from somebody else to open the room, I think, is there an electronic access control? Is there a register? I think those are maybe the things that Ms Mothoagae is looking for.
[Ms B Magojo] I think on the changes to the computer information and the database - there are procedures in place to get authorization for changes to be made to the database. I would just ask Mr G Dreyer to expand on those.
[Mr R Ramashia] I am concerned that the House thinks that the other question was not adequately answered. I would like to make an undertaking that we provide a written answer dealing with more than just the physical security, but the concerns that the Committee has raised.
[Mr G Dreyer] It is most important that we need to give more attention to the improvement and formulation of change control procedures for the database. We did implement a new change control system whereby we are keeping strict control. Whenever one of the different consultants needs to make certain amendments or changes to the system or to the database, there is a change control form that needs to be completed. That goes through the processes and through a Technical Committee that will consider whether it is really necessary to make this change in the database and then it will get formally approved before the change will be done. It is normally also the procedure that any amendments or changes on the system will be done, but before implementation it will be properly tested on a testing environment and fully signed off by the users before it will be implemented in the live environment.
[Ms K Mothoagae] I understand that there is this control that there is a form to be filled. If the computer user goes into the computer can they pick it up from there that there have been changes?
[Mr G Dreyer] The best way to manage this is by means of password protection. So when everybody is going into the system they need to put in their password. What we did after this, subsequent to this Report, is that we made certain changes to the system to ensure that the system automatically forces the users to change their passwords at least every month. On the financial system and on some of the other systems it is every third month. So that is basically what we have in place to ensure that there is no unauthorised going into the system. The system also gives you the necessary information where a person was repeatedly trying to get into the system or into the database. That information the system does provide to us.
[Ms K Mothoagae] Do we have one official responsible for the database or can anybody change the database?
[Ms B Magojo] We do not have one person that is responsible only for the database. One of the things that are considered with the contract of the PPP that is going to kick in a few months is that we are going to have to look at the whole staffing of the computer environment. However, what has also been decided is that the whole control of the computer environment is going to be handed over to the PPP provider, including the IT staff of the Department.
[Ms K Mothoagae] I am not sure. I will rely on the Auditor-General's Report in the next Report. I am not a computer guru, but if anybody can do anything on the computer, I think we can experience problems.
[Mr S Fakie] In the light of the concerns that the Committee raises on the IT side, I would probably undertake to do a follow-up audit on some of these serious concerns around the computer environment and perhaps put in our next Report to what extent these issues have been addressed. I just want to reiterate one point. Perhaps we need to consider whether we will do it by writing to the Members - it is around the database changes, which the Member was trying to interrogate. It was: does your computer system, in addition to the physical forms that must be filled and the Committees that must approve changes to the database, print a report on a monthly basis saying these were the database changes that were made? And someone physically goes through and says yes, we authorised that database change and that one, because if that is not happening, you have got a physical control system here which you are approving, but nobody is checking to make sure that what changes are actually taking place on the computer system are being reconciled to what you have approved. I will perhaps guide the Committee in terms of some further questions regarding that and make the commitment that we will do some follow-up on this.
[Chairperson] Thank you to the Auditor-General for that input. Thank you very much.