PSIRA Audit Committee on audit action plan

Meeting report

PSIRA Management Action Plans to Address Audit Findings

Mr Manamela Chauke, PSIRA Executive Director, took the Committee through the presentation beginning with the entity’s historical audit information in terms of audit opinion, emphasis of matter, reports on legal and regulatory requirements and irregular and fruitless expenditure stemming back from 2011/12. Key achievements of the Authority included:

-Improvement of ongoing concerns

-Unknown and allocated deposits

-Irregular expenditure eliminated through controls

-Finalisation of the Security Industry Alliance (SIA)

-Review of annual fees on an annual basis after not having the fees change for nine years – PSIRA was solely dependent on the annual fees as it was not funded through a parliamentary vote

-94% of planned targets achieved

-Review of code of conduct

Key controls implemented included:

-Risk management and combined assurance model – management was the first line of defence against risk. Also important to ensure action was not duplicated – management, internal audit and audit committee should be in sync

-Risk based audit plans

- Consequence management such as warnings and deductions following due processes in terms of labour relations

-Document management system

-Performance management framework

-Establishment of key oversight structures such as:

• Council
• Finance and Investment Committee (still to have its first sitting)
• Audit and Risk Committee
• Internal Audit
• Risk Management Committee (EXCO)
• Operation Clean Audit Committee (EXCO)

Looking at the 2015/16 audit report, matters affecting the audit report included material misstatements in the financial statements (section 55 (1)) of the Public Finance Management Act (PFMA). This included:

- Correction of prior year misstatements: reinstatements of suspended and previously withdrawn Service Provider (SP)

-Understatement of commitment disclosure with the IT contract

Emphasis of matters was placed on:

- Restatement of corresponding figures: restatement of suspended SPs

-Material impairments: provision of impairment for trade debtors

-Significant uncertainties: law suits and demolition costs for the Arcadia building

Mr Chauke then took the Committee through predetermined objectives for programme two, law enforcement, and programme three, communication, registration and training, in terms of usefulness and reliability – the only qualified finding was for programme three which was as a result of one Key Performance Indicator (KPI) discrepancy with calls logged and resolving of complaints. 

Additional, more generic, matters were found with non-compliance with legislation in terms of:

-Lack of effective, efficient and transparent system of financial and risk management and internal controls (section 51 (1) (a) (i) of the PFMA)

-Financial statement not fully compliant with prescribed financial reporting (GRAPP)

-Consequence management not implemented

-Internal controls implemented not fully effective

-Inadequate oversight role regarding financial performance information

-Proper controls were not implemented over daily and monthly processing, reconciling and reporting of financial and performance information

Ms Mmatlou Sebogodi, PSIRA CFO, then took Members through 2015/16 audit action plan beginning with the summary of audit findings –58 audit findings emanated from:

-Accounts receivables

-Registration

-Supply Chain Management

-Asset management

-Finance

-Business information technology

-Human capital

-Communications

-Law enforcement

With the status of the action plan, there were 17 outstanding findings to be addressed while 41 findings were resolved. The presentation then looked at the audit action plan in more detail in terms of the responsible official for the actions, action to be taken and the target date. Some outstanding audit actions included:

-Preparers of annual financial statements will attend GRAP refresher course

-FMCMM implemented to assess and improve internal controls

-Exception report will be done on a monthly basis

-IT governance register to be developed

-Problem management policy will be developed and implemented

Ms Sebogodi outlined the accounting authority commitments towards achieving a clean audit included:

-Leadership:

• Exercise oversight authority
• Ensure effective human resources practices
• Approve and monitor implementation of appropriate policies and procedures
• Approve and monitor the implementation of action plans to address internal control deficiencies

-Financial and performance management:

• Ensure proper record keeping of all transactions
• Maintain effective controls over daily and monthly processing and reconciling of transactions
• Produce regular, accurate and complete financial and performance reports
• Review and monitor compliance with applicable legislation

-Governance:

• Ensure risks periodically identified, assessed and effectively mitigated
• Maintain an adequately resourced and functioning internal audit unit
• Maintain an audit committee that performed its legislated duties and promoted accountability and service delivery

Discussion

The Chairperson congratulated PSIRA on an excellent presentation which met all the requirements of the Committee. It was detailed and to the point compared to the other departments in the police portfolio. PSIRA was top of the class in terms of financial management. The presentation set a good case study for the other departments in the police portfolio. From the audit committee, he wanted to get a sense of the review of the financial statements before they were submitted to the AG – what engagement was there in this regard as audit committee level? Was the audit committee able to pick up on material issues? Cognisant that some of the auditing of projects was done externally, if there were no restrictions in terms of time and budget, would internal audit be able to pick up on some of the issues?

Mr A Mhlongo, PSIRA Audit Committee Chairperson, outlined that when it was required, the audit committee disagreed with management and did what it believed was right. The committee also reported to the Council in terms of disagreements and recommendations from the side of the audit committee. Disagreements were not only limited to management but included auditors and the AG. In terms of the review of the annual financial statements where the AG found material adjustments on the financials, it was true that there were adjustments however the audit committee did review the annual financial statements thoroughly. However, the review was limited to the statements themselves and these statements were not the beginning and end of the financial status of the entity – the statements were compiled from many files, ledgers and supporting documents. Because of time constraints, the audit committee could not look at or audit all these supporting documents. This did not mean the review was not adequately done. It was possible that one or two things could be omitted with management often under pressure especially if the statements were not audited before coming to the audit committee. The internal audit was of course risk based which meant matters were prioritised in terms of the risk it posed – some of the bigger issues in PSIRA had been around revenue, debtors and going concerns s internal audit would ensure these areas were addressed and prioritised. The AG then also had his own, slightly different risk assessment to ensure there was fairness in the financial statements. This explained how areas picked up by AG would not be picked up by internal audit and visa versa. Because of time constraints, internal audit did not consider the annual financial statements before submission but this was something to consider going forward. The external audit was at times restricted with the budget and the plan so this did hinder the process. Specialist expertise was required in internal audit – PSIRA was not that big and so there were gaps in terms of some of these skills.

Ms A Molebatsi (ANC) also commended PSIRA for a very good presentation – the entity had come a long way with the Committee. She asked if there was a particular reason for PSIRA paying SIRA the amount that the court did not say it should pay in terms of the court case. How was the audit fees determined of the AGSA? She asked for the audit committee to explain the method it used to conduct follow ups.

Mr Mhlongo explained that management presented the detail of the AG’s findings to the audit committee and an action plan was provided for each finding in terms of timelines and what was to be done to fix the finding. If the audit committee was pleased with the action plan provided, management implemented the plan. Each quarter, the progress made was presented to the committee. Over and above that, internal auditors were also requested to do a follow up audit on the action plans implemented by management. The process was carried out each year. With the AG audit fees, the AGSA prepared an audit strategy and plan. The plan contained risk assessment – the strategy and plan were presented and costed accordingly with specific rates based on what the AG proposed be done. The audit committee then reviewed this based on the activities AG proposed it do taking into account the level of internal controls in PSIRA, internal audit and findings. AG and the audit committee would then engage – if the audit committee was pleased, the fees would be recommended for approval otherwise the plan and fees were adjusted. The emphasis was on value for money based on what needed to be done.

Mr Chauke outlined that with the court case, the issue had lasted for four years which was related to fees. Ultimately the Supreme Court of Appeal ruled against PSIRA and said it failed to adequately consult and there was an error in law so the Court declared the regulations implemented at the time were invalid. No decision was taken by the Court on PSIRA paying back the money but there were those that adhered to the regulations and paid the fees – PSIRA, in the interests of being taken back to court and not increasing the fees hugely, refunded on condition that the fees would be paid. PSIRA paid R80 million but this was almost completely recovered within in three or four months because of industry sticking to the agreement to pay the fees.

Mr R Mavunda (ANC) echoed the sentiments of the Members for commending the entity on a thorough presentation. With the consequence management, he asked what happened in the case of employees leaving PSIRA, and were employed elsewhere, before they could be disciplined when misconduct was committed - was follow up made with these individuals or the new employer?

Mr Chauke said that with the employees who had left the Authority before consequence management could be implemented, PSIRA did not interfere with the affairs of other entities. The assumption was that the employer would ask the employee to disclose if there were any disciplinary issues in the previous employment and the assumption was the employee would be honest in the disclosure. If PSIRA was approached to verify what the employee disclosed, the Authority would then get involved but generally there was no follow up because it was difficult to implement consequence management if the employee had already left the Authority. If PSIRA suffered financial losses, action would be taken against the employee even if he/she had left.

Ms M Mmola (ANC) asked how registers were monitored to enhance the quality of the annual financial statements especially in terms of fruitless and wasteful expenditure. What procedure would be followed by the asset management team and how would it contribute to improvement in asset management and control? Monitoring of reconciliations had been a particular challenge – clarity was required on how this monitoring task would be conducted. She then asked which institution would present the GRAPP refresher course and the number of personnel which would attend this refresher training.

Ms Sebogodi replied that one of the registers used was the deviation register which assisted PSIRA in disclosing materials instead of it being picked up by the AG. With asset management, a framework was established by Treasury to deal with properties and plants for use by CFOs. The requirements of the framework would have to be adhered to – from it, PSIRA developed a checklist to ensure the requirements of Treasury were met and was used as a framework for PSIRA. Numerous reconciliations were done monthly and daily. Reconciliations were also used as a mandatory tool to improve internal controls. Learning and development, under PSIRA’s human capital division, were responsible for arranging training. Six officials were identified to undergo the GRAPP refresher training from senior managers and the key preparers of financial statements.

Mr Z Mbhele (DA) heard Mr Chauke mention that PSIRA was looking for possible alternative funding sources in the future to move away from the fee-based revenue model – he was interested in knowing what alternative models were being explored. He then wanted to know if the audit committee was satisfied with the quality of the work of outsourced internal audit, if the work was up to standard and what was expected. While he did not have a problem with outsourcing the internal audit function, he did hope it was linked to ongoing capacity building within PSIRA i.e. for the outsourced auditors to phase themselves out over the medium to long term so the capacity could exist in the entity itself – was this part of the approach?

Mr Mhlongo said the audit committee was pleased with the report provided by the outsourced internal auditors and the assurance provided in many areas like ICT etc. taking into account some of the constraints he mentioned earlier. In terms of capacity, no strategic decision was taken on having the function based in-house in the long term or if the function would continue to be outsourced – this would require further discussion and analysis to weigh up the pros and cons of both.

Mr Chauke responded that with the alternative sources of income, regulation and collecting money from industry needed to be balanced to avoid regulatory capture or over regulation. It was best for industry to reduce the burden of fee payment by creating a sustainable model of collecting revenue to fund operations of PSIRA, as the regulator. With benchmarking, various models of fee collection were looked at to make the task easier for the regulator – of the areas looked at was establishing a guarantee fund to ensure the industry was well funded in terms of operations and liability but this was something for further discussion in the nearer future.

The Chairperson questioned “operation clean audit” in terms of when it was established, members it comprised of and how it operated.  

Mr Chauke answered that operation clean audit was implemented in the second quarter of this year. The members of the committee, which was a sub-committee of EXCO, included senior manager: human capital, senior manager: business information systems, manager: risk, manager: supply chain, manager: finances, manager: accountant, manager: law enforcement, manager: customer relations, manager: training and manager: leaning and development i.e. all managers and business units were represented in the operation. Duties of the sub-committee included identifying and addressing possible deficiencies which might adversely affect a clean audit, ensure internal audit findings were addressed, provide solutions to prevent reoccurring findings, develop and enhance internal controls to address the root causes of findings, assist with the effectiveness of existing controls, improve audit outcomes by creating an environment that was conducive for sound financial management, review and monitor action plans to address all significant internal audit deficiencies on a continuous basis. The “operation clean audit” committee was chaired by the PSIRA CFO.

Mr Mavunda asked what disclosure of fruitless and wasteful expenditure meant – did PSIRA making the disclosure itself make the expenditure no longer fruitless and wasteful? Did the self-disclosure make it justifiable? Either way the fruitless and wasteful expenditure did not change so greater clarity was needed on this disclosure.

Ms Sebogodi explained that it would it would be very bad for a department or entity to not know what was happening in terms of fruitless and wasteful expenditure – if the AG picked up on that fruitless and wasteful expenditure on behalf of the department/entity it would be material. It was best for the department/entity to know what was happening as it showed there were internal controls in place to detect. Consequence management was then implemented to ensure the occurrence of fruitless and wasteful expenditure was eliminated – this was through discipline, improving internal control and the action plan to reduce the root causes. Progress was being made in this regard.

Mr Mhlongo added that whether this was identified by the AG or the entity itself, it was still bad and would still need to be investigated. If the entity or department did not disclose the fruitless and wasteful expenditure it would create the impression that the entity was trying to hide it. Non-disclosure by the entity itself would not necessarily mean that consequence management was implemented – disclosure would put the matter out there and ensure that follow-up was conducted.

The Chairperson asked if there was interaction between the PSIRA Board and AG on the outcomes of the audit and, if so, when this interaction took place. The audit committee report from the Annual Report stated that management did not compile regular and accurate financial and performance reports to support, be used as evidence and reliable information – in some instances this was a line function. What measures did EXCO undertake to ensure the supporting evidence was there?

Prof N Mazibuko, Chairperson of the PSIRA Council, replied that the AG did provide her with a copy of the condensed report on 8 October and it was circulated amongst Council members on 10 October. Discussion thereon took place at the Council meeting on 27 October together with the initial draft management action plan and it was decided that this would be a standing item on all Council meetings.

The Chairperson asked if there was interaction between the Council and the unit manager from the AG’s office.

Prof. Mazibuko answered that there was no direct interaction this year between the two.

Ms Sebogodi responded to the question on management not preparing accurate and complete information noting that there was a document management system in terms of key controls to ensure there was a portfolio of evidence. With the quarterly reports, there were registers of what had been achieved in terms of each and every KPI and these registers were reviewed every quarter – this was her responsibility as it fell under the budget section.

Ms Molebatsi asked if PSIRA would no longer experience issues with non-compliance. She then asked why tenders were not published in the government tender bulletin or PSIRA website as required by Treasury. More information was needed on the audit risk committee assessment on the quality of the internal audit charter and audit plan.

Ms Sebogodi said with the tenders, PSIRA did not comply with section 32 which explained why the matter was flagged. There was a checklist to rectify this deficiency and ensure the tender notices were published within 30 days. She was confident the checklist would address deficiencies noted in this regard.

Ms Mmola asked in what manner the audit and risk committee monitored the implementation of the recommendation made by the internal audit component and AGSA. Greater elaboration was required on the risk management strategy of PSIRA in the audit and risk committee.

Mr Mhlongo outlined that the audit committee met with the AG and without management and this was reported accordingly with the Board. This was similar with internal audit findings where management would draft action plans in terms of what would be done – this was presented to the audit committee to review and if the committee was satisfied, management went ahead with implementing the plans. Each quarter, management presented progress made against the action plans. With AG and internal audit findings, internal audit would then be requested to audit the actions implemented to rectify the findings to confirm what management had done – this was how monitoring took place. The audit committee assessed internal audit annually in terms of quality and work done etc.

Mr Mbhele found that, in his opinion, the most serious findings of non-compliance by the AG were around line management function i.e. the basics one hoped happened optimally on a regular, daily and weekly basis such as adequate controls, oversight of financial and performance information etc.  Line management was the first line of defence in creating assurance, ensuring there was compliance and picking up on risks. If the outsourced internal audit was not envisaged to be phased out, was there still scope to use the outsourced function to build capacity in key links in the management chain? This would ensure there was more substantive investment of their knowledge and expertise in the line management function thus aiding PSIRA in the long run instead of merely conducting a tick-box, audit exercise.

Mr Mhlongo responded that there were some challenges – transferring skills required resources to be available. It was also challenging because there was no one to transfer the skills to. This transfer of skills would also need to be included in the contract with the outsourced internal audit. Perhaps not having this transfer of skills was an oversight on the side of PSIRA management and audit committee.

Mr Mbhele clarified he was more referring to transferring the understanding in a way that pre-empted problems before they were picked up. He used the metaphor of cholesterol as being the problem – a capacitated line management function would then be eating healthy, a strong internal audit function would take medication and the AG was the heart surgeon. Most of the work was at the healthy eating stage (i.e. line management function) so that internal audit did not have too much to do. This was transferring understanding and knowledge to prevent the problem.

Mr Mhlongo replied that this was termed combined assurance – this was in place in the risk management unit in managing the parties. Risk management was the starting point of the chain of combined assurance.

Ms N Tshobeni, Deputy Chairperson: PSIRA audit committee, added that it was important to highlight the separation of powers between the first line and second line of defence in terms of independence – risk management was expected to advise management more than the outsourced internal audit.

The Chairperson wanted to know what the progress was with Council reviewing policies.

Prof. Mazibuko replied that Council was attending to the matter. The Executive Director did indicate the process had begun on reviewing policies at the last meeting of the Board. The Board would get the list of policies to be revised once management had completed the internal process.

In closing, the Chairperson highlighted that progress was made and the Committee welcomed the commitment to obtaining a clean audit – the Committee supported these efforts. It was important that this process was also driven on the side of the Board – the Board was to meet with the AG annually in terms of good governance so that external view of PSIRA performance was presented. The Committee welcomed the comprehensive action plan but noted that proof lied in the implementation – if the issues were addressed a better outcome could be created moving forward.

The meeting was adjourned.