Question:

Answer:

Report of the Auditor-General on the 1999/200 financial year

1.

With regard to the unauthorised expenditure reported in the Auditor-General's report, significant instances of non-compliance with directives and regulations were identified. What steps are being taken to address the trend of serious non-compliance?

2.

In the previous resolution of the Committee, it was recommended that the review of the effect of decentralisation be expedited. Please briefly update the Committee on the outcome of the review.

From the point of view of finance, it has been recommended that the payroll and financial operations functions be centralised prior to the development of a shared service centre. As a generalisation the regional decentralisation was not a success as the regional offices were not given the "tools to do the job" as a result of budget constraints. A detailed response can be obtained from the September PEP Information Pack. Implementation of these suggestions was mapped out on the PEP Gantt Charts but is delayed pending appointment of suitably qualified staff. From a non-financial point of view the deliberations of court services is attached as Annexure A

3.

As in previous audits, documentation not submitted timeously has placed restrictions on the scope of the audit. Please indicate what your instructions as accounting officer are to all staff in this regard, and how you will ensure that the audit information prepared for Parliament is not restricted in any way.

Documentation is often not available for audit as the required documentation is not written up. Whilst a receipts and payments system is maintained the extent of accruals is not accounted for. An extensive backlog reduction project has begun which the CFO calls "Rolling Stone". A report on this project which has recently commenced and is attached as Annexure B. In many offices vacancies exist and the extent of vacancies means that backlogs accumulate. See Annexure C. It is hoped that appointments at head office will begin to be filled shortly. In the Eastern Cape where there is no head of finance nor a deputy head (posts are shortly to be advertised) the head of finance from the North West is relieving on a one week on (in the Eastern Cape) and one week back ( in the North West )on a rotational basis. Instructions are in place requiring that unless documentation has been processed payment cannot be made. The head of finance of the Western Cape is acting as the head of finance for the Masters Office where there is no such post. All warrant vouchers in respect of transactions that are not "on the system" are being returned by the National Treasury

4.

The audit on the Witness Protection Programme has again revealed non-compliance with directives and shortcomings in internal control. (a) What steps have been taken to put the Programme on sound footing? (b) Has the State Tender Board granted ex post facto approval for the non-compliance with State Tender Board Procedures?

(b) Because compliance with Tender Board procedures could jeopardise the safety of witnesses this was not done in the case of the purchase of furniture and the rental of safe houses. A request for a permanent exemption is being dealt with by the executive manager logistics of the NDPP corporate services.

5.

Problems with suspense and disallowance accounts is recurring in audit reports. We understand that a task team has been appointed to clear all amounts in suspense as there are long outstanding amounts in these accounts. What is the brief of the task team and what is the deadline is for the completion of the project?

Task teams are being assembled with the view to visiting all Magistrate’s offices in order to clear the suspense accounts. However, due to the enormity of the task no time limit can be set at this time. A budget of R 2 million has been appropriated for this task and it is highly probable that that money will expended before the task is complete. The CFO has discussed this matter with the Ministers Committee on the budget who have noted the need for an additional allocation in this respect. Because the books of account have, in certain regions, not been fully written up since 1982 it is not possible to estimate how long the unknown will take to complete. See Annexure B.

Regularity audit questions –Part A (VOTE ACCOUNT)

1.

The Auditor-General once again reported that expenditure could not always be verified as a result of non-submission of supporting documentation and information:

(a) What has been done to address this matter

See 3 above. In addition an audit facilitator has been nominated by the CFO who will liase with our staff to ensure that cases where staff refused to assist the A-G to find documentation are swiftly dealt with.

(b) Can assurance be given that the expenditure in question represent valid and that no irregularities took place?

No

2.

(a) What measures were instituted to ensure that all backlogs are cleared as a matter of urgency and to ensure that transactions are recorded in the correct accounting period? (Please provide timeframes in respect of the elimination of the backlogs.)

See project "Rolling Stone" above plus please note that the receipts and payments accounting system in use does not distinguish between financial years in which debts were incurred and paid. Unprocessed prior year unauthorised expenditure taken to the Balance Sheet by the A-G may when processed in the current year be treated as a double payment when the balance sheet amount is written off. This matter is being monitored by the CFO and the A-G.

(b) How will you ensure that the focus by the CFO’s office on the clearing of backlogs will be sustained in order to prevent the build-up of backlogs in future?

Project "Rolling Stone" is so named as, where possible, staff once assisted by the project, will "gather" some "assisted staff" and take them to the next one or two offices visited to entrench their on the job training. In offices where there is insufficient staff to permit a person leave of absence, this will not occur. In addition the training programme in 270 centres will see staff being trained by way of multiple course attendance as on the job trainers to be able to induct new staff at a later stage. Whether all of this will be sufficient remains to be seen as the staff in many sub-offices have serious skills deficiencies. The CFO is of the opinion that staff will require much more training to correct and an option was framed for the MTEF submission for the establishment of a finance training division at the Justice College.

3.

What measures were instituted to recover the excess payments and double payments made? What progress has been made with these measures?

Where we are aware of the errors corrective steps to recover the monies have or are being instituted. Certain system checks such as, no salary payments above R30000 are permitted without special clearance, have been instituted. The proper management of this aspect will depend on control measures that will be more effective once the PEP has been implemented..

4.

Adequate steps were not instituted before the time which would have enabled a split of the transactions between the two departments from the effective date. Many vouchers and payments were presented / paid that were in the name of the NDPP which were for the DSO. This change was effected from 1 April.

Yes, planning was done. From a finance and Human Resources perspective new systems were installed in the NPA from 2 April 2001. This system will allow for separate accounting for the NPA and the DSO. The DG remains the accounting officer for the NPA while the DSO has its own accounting officer. A number of other regulations required for the operations work of the DSO have been drafted and are being considered by the National Director and the DSO Management.

4.3 Briefly explain the purpose of the separation of the DSO and the NPA in terms of their functions and activities.

The NPA ensures that perpetrators of crime are prosecuted and it has the power to institute criminal proceeding on behalf of the state. It also has the power to carry out all necessary functions, incidental to instituting criminal proceedings. It may also intervene in the prosecuting process when policy directives are not complied with. It also has the power to review decisions to prosecute.

4.4 When was the CEO of the DSO appointed in accordance with section 15(3A)(b) of the National Prosecuting Authority Amendment Act, No. 61 of 2000?

The CEO of NPA was appointed CEO of DSO in March 2001 by the Minister of Justice and Constitutional Development.

The National Director will be signing performance contracts with senior management in the NPA, including the CEO, on the 22 November 2001. A copy of this agreement will be forwarded to the committee in due course. Since the CEO of the NPA is also the CEO of the DSO one performance contract will be signed with the National Director. The Minister of Justice and Constitutional Development has directed that the contract should be signed with the National Director.

5.

Personnel expenditure incurred via PERSAL is programmatically updated on the FMS, and therefore a reconciliation was not performed.

Yes

There was a system problem during 1998 that was rectified programmatically by PERSAL. The auditing of leave is currently being done by the Department to compare the system with the actual leave forms on the files and to correct the system where it is necessary.

The judges’ secretaries are not complying with the directives for leave and the matter has been referred to the DPSA as it is viewed as a policy matter of long standing that requires their intervention iro conditions of service.

6.

See 4 (b) above on page 1

See 4 (b) above on page 1

An investigation of this matter has commenced by the Heath Commission and the A-G but this investigation is as yet not complete.

7.

This difference arose because of problems emanating from the old system at the time the information was transferred to the new State Attorney System. Correcting journal entries were made by teams sent down to investigate this problem. However, the old system had already been closed and did not disclose these adjustments.

7.2 Why was uncashed/stale warrant vouchers not written back to revenue?

Personnel shortage – will be corrected by the task teams

A new department known as the Revenue Department has been formed to address this problem. Selection of suitable candidates to fill this position will shortly be made.

In past these claims were made through the Regional Offices and did not function properly. Arrangements have now been made to enable the various State Attorney Offices to effect their own claims.

8.

8.1 (a) Why were project managers not available to assist the auditors?

The Auditor-General’s staff have been requested to identify the managers concerned. To date we have not received a response. It is suspected that this matter arose as the managers concerned were away on project management training in Denmark.

A letter was sent out by the CFO advising all project managers to have valid letters of appointment in hand as soon as possible. These letters will be finalised by this office in the month ahead.

Mr Colin Wright has been appointed to drive the implementation of proper accounting controls and to wrap up backlogs. See project management training course details given above re project managers. In addition weaknesses highlighted at our meeting with USAID were incorporated in a letter circulated to the project managers. One of these problems was the centralisation of original vouchers at National Office. Mr Colin Leeb is project managing project "Rolling Stone" in the rest of the country. The NPA met with Ms. Johnson and Labuschagne and it was agreed that they do their own project management. This is contrary to a Donor stipulation that these funds be administered from a central source. A meeting will have to be arranged to settle this problem with the NPA and a workshop is to be organised to inform the project managers of all requirements of the administration of these funds.

While the cash basis of accounting continues there can be no guarantee that expenses accrued in one year will be accounted for in the same financial year. Only when accrual accounting is implemented can this problem be overcome. The only practical solution at present is for project managers to pay the expenditures incurred as soon as possible.

Many Project Managers were in Denmark at the time and it appears that they were unaware to this requirement.

The NPA did their own project management on the basis that the records were maintained by the DoJ&CD and it was considered that this was a compliant arrangement. In the current year the record keeping is administered by the NPA and the meeting detailed in 8.2 is being arranged to determine if this is required by USAID. The CIDA funding is administered by Business Against Crime on behalf of the NPA which is at the request of CIDA. See question 8.2 above. Another matter, not raised, relates to the requirement that costs are shared as between the Department and USAID on the basis that the Department funds 25% of expenditure. This cost sharing reconciliation is outstanding.

A Treasury Guideline has been issued outlining the accounting steps to be followed in future. National Office staff are in the process of clearing the various suspense accounts and opening new accounts in terms of the Treasury requirements. These instructions were received in September but are being effected as from 1 April 2001.

9.

These task teams are in their early stages of being formed and only a few offices have been visited to date. As momentum increases these problems will be attended to at an every increasing rate.

1. The DSO is incorporated within the NPA. The Public Protector have their own bank account and their transactions are separately recorded
2. Yes.

We have read this to refer to point 2.2.1 (d) on page 5. Yes this matter is receiving attention but is, as yet, not complete.

These have been formulated in the latest Departmental Financial Instructions, dated 28 September 2001 Suspense accounts are now cleared monthly but backlogs remain which as discussed above are being attended to by the task team under Colin Wright at head office. This task team is clearing various backlogs at the head office and consists of seventeen people.

10.

Assurances cannot be given as the matter has not been audited. A task team visited all nine Regional Offices and reconciled the department’s records with those of the various banks. Local staff have been trained on how to maintain this system on a current basis and thus this matter should not be a recurring item.

11.

The amount involved related to five different items from different suppliers. Approval from the DCC together with requisite procurement procedures was carried out in three of these cases out of the five. In the case of the other two payments was approved by the DG.

11.2 Why was this not included in the annual financial statements?

At the time the Financial Statements were prepared expenditure was assumed to be authorised and thus was excluded from the listed unauthorised expenditure – The unauthorised status was determined by the A-G during the audit and hence it was not in the AFS which were prepared before the start of the audit. See comment above.

11.3 What steps have been taken to rectify the situation?

The NPA has established it’s own control committee and/ or Tender Board, depending on the amount to be approved. As the committee does pre-evaluation, submissions found to have not followed procedures are referred back for correction or amendment. A process is embarked upon to ensure that processes are clearly identified and streamlined to eliminate possible shortcomings and duplications. The NPA has started a process of recovering all amounts identified as being fruitless and wasteful and recovering such sums from the salaries of those individuals who incurred such expenditure.

12.

12.1 What measures have been instituted to address the shortcomings in internal control systems?

At this stage the situation is such that adequate internal control measures are not in operation.

12.2 Was all irregular expenditure treated as prescribed in terms of the PFMA and Treasury Regulations

Where such expenditure has been identified it has been so treated. See comments on task teams clearing suspense accounts.

13.

Did the department address all unsatisfactory matters relating to Thefts and Losses as reported by the Auditor-General? Please provide brief details on steps taken as per the listing on page 6 of the audit report.

This matter was referred to the Legal Department who advised that great effort was made to clear the backlogs and currently matters referred to them are being analysed, identified and dealt with in a planned manner. Many of these losses are the result of inadequate accounting and asset management routines.

14.

Please elaborate on the fruitless and wasteful expenditure incurred in respect of the witness protection programme. Has an investigation been done regarding this and were any disciplinary steps taken?

The investigator that placed witnesses in protection has been reported for investigation and has now been charged with fraud as witnesses were put under protection even though no case was brought against them. They thus received free housing etc. Witnesses involved have been given notice to vacate the programme.

15.

Please inform the Committee on the steps that have been taken to address the shortcomings in the audit report. Why hasn’t steps taken earlier to address the shortcomings included in the audit reports of the Auditor-General for the past financial years?

16.

Current checking has revealed instances where physical assets do not agree with the records and efforts are currently under way to bring this matter under control.

16.2 Has a stocktaking been performed for the 2002 financial year?

See above.

17.

This case concerned the over charging of legal fees in a case involving the Defence Department. The amount involved was R 14,775,170. An amount of R 14,006,649 has been recovered leaving a shortfall of R 768,521. The Courts Taxing Master has estimated the "true" legal cost at about R 1,2 million. The shortfall (net legal fee) will be recovered from the Dept of Defence.

We will do so.

18

The CFO sends a monthly report to the Committee. The last of which was a consolidating report of a few thousand pages of reference material on a CD. As promised, at the last hearing of the committee, the CFO has availed himself for "open days" to the committee in Cape Town in order that members are afforded the opportunity to debate the Performance Enhancement Programme and the progress thereon with him. The next report will be made available to the committee next Monday when the CFO visits Cape Town for the Portfolio Committee meeting. The monthly accounts are expected to be completed by the end of the week which is what is outstanding at this time.

18.2 Please also inform the Committee on the progress made with the Financial Management Improvement Plan.

See above

19.

Internal Audit conducts audit throughout the year and reports to the DG. Client satisfaction surveys are conducted at the end of every audit. Positive comments have been received on the work of the Internal Audit component. Shirley Machaba has sent you copies of the latest internal audit report. It is a large bound document (book) and has thus not been attached.

Twenty-four positions have been approved of which twenty-two have been filled. The vacancies have been advertised and the closing date is 3 December 2001.

The Internal Audit Co-sourcing agreement was extended to December 2001 and was approved by the State Tender Board. The CFO is currently of the opinion that the capacity building expansion and extension should be decided upon after evaluating the current training programme. As an alternative he put forward an MTEF option for this matter to be considered for funding to establish a component within the Justice College to train finance officials.

Yes . The Audit Committee consists of four members - all from outside the public service.

Yes. Risk assessment audits were conducted in November 2000 and are being repeated this month

By adequate planning and communication. Internal audit are satisfied with this aspect.

20.

The amount involved consists of five different charges from different suppliers. Approval from the DCC together with requisite procurement procedures was obtained in three of these cases out of five. Payment was approved by the DG In the case of the other two payments.

No, but these expenditures were approved after the fact.

Since the first of April 2001 new procedures have been put into place to ensure that Tender Board requirements are followed. An NPA Control and Tender Committee have been established to manage the process and to ensure compliance with procedures.

With the take over of the procurement functions from Justice, assurance can now be given that these incidents should not occur in the future.

See our comments under question 8.5 The procedural problem will be corrected shortly. The NPA did their own project management as they were incorrectly of the opinion that this was in order.

All findings and recommendations by the Auditor-General are reduced to an action plan with clear time frames for implementation. These processes are also monitored on a regular basis for implementation and a report is tabled at the NPA’s management meetings.

21.

What is the status with regard to the situation where your department is rendering certain administrative and accounting functions on behalf of the office of the Public Protector? Were the terms of such an agreement agreed upon by the parties concerned? What are the terms of the agreement?

In terms of an agreement between the Department of Justice and the Public Protector, the Public Protector has maintained their own bank account and records as from 1 July 2001.

22.

What steps have been taken to address the shortcomings highlighted in the audit report?

Certain Judges act on a temporary basis requiring monthly authorisations and it is these procedures which appear to be causing the problem. This will be taken up with the HR division.

23.

Please provide the Committee with brief details regarding the steps taken to address the various shortcomings relating to the budgeting process.

Exco-members attended a 3 day budgeting training course at Head Office and seventy-four officials attended the same course at a later stage. Currently eight budget coaches are attending an intensive two week course at the UCT GSB in Cape Town and on their return will assist the business units in the preparation and monitoring of their budgets on a full-time basis. In addition the costing, zero based budgeting and right-sizing project has commenced and the Department in conjunction with the University of Cape Town has established a B Com. Hons degree specifically for the Department that will commence in January 2002.

24.

Please provide the Committee with brief details regarding the corrective steps taken to address all the shortcomings highlighted during the audit.

See Annexure D

25.

Personnel expenditure increased as a result of posts being filled at the NPA together with salary increases of prosecutors and magistrates

A detailed analysis of the seven stores has been undertaken during the current financial year. All figures set out below are as at 1July 2001 when the last in-depth analysis of stock was undertaken. Stock to the value of R332,547.64 was held on which no stock movement was recorded for a year. Stock to the value of R1,654,652.67 was considered to be surplus to requirements against normal order cycles. Stock on hand to the value of R36,405.64 is damaged. Shortages amounted to R424.90 against a total stock holding in all classes of R691,725,770.57 We hope to achieve a 0.8% reduction on e-class stock of R2,008,270.57 The value of inventory was R689,664,300.48 The CFO is of the opinion that the focus in this area should be on the more speedy delivery of purchases to speed up service delivery.

If there is a change in plan regarding a project or where a saving in a department has occurred virement may be requested to adjust budget requirements elsewhere.

1. Notes to income statement (bottom of p14):

(a) This was an oversight. However the CFO is of the view that in terms of par 8.5.2 of the Government Gazette 21249 dated 31 May 2000 such institutions as those that we service audited by the Office of the Auditor- General need not provide this certificate. Notwithstanding this the certificates have been obtained in the current year as a result of the audit report highlighting this matter.

(b) With regard to the audit report no written assurance was obtained in the previous year – see comment in (a) above as to the applicability of this clause re the current year.

26.

The financial statements were prepared within the stipulated time limit but the signing of these statements was delayed. The unsigned accounts were made available to the A-G in time but these were only signed at a later stage as the DG was away at the time of submission to the A-G. A valuable lesson has been learnt by our communication services who felt they could edit the A-G’s report in terms of their normal licence to edit copy provided by officials. This was not intentional and they are to deal with this matter in terms of the requirements of the A-G.

This Department currently prepares financial statements on a monthly basis. As such there should be no trouble in meeting the deadlines for the year end submission of financial statements.

Until these positions have been filled the process of micro-managing the everyday process of the Department cannot begin.

4. The CFO makes two observations on training and the skills required to ensure a sustainable turnaround: "Finding solutions to staffing concerns cannot, and indeed has not been underestimated. The short term appointment of sufficient competent staff at approved rates of remuneration to fill numerous advertised vacancies at Head Office, is undoubtedly a pre-requisite to delivery" and "…initial seed funding will be required to enable wide spread forensic auditing, training, testing of competency levels, communication and time if the problem is to be addressed both effectively and holistically".

1. At head office 27 posts were advertised in June 2001 after being cleared by work study. Some five cubic metres of application forms were received at some 4,500 applications for each of the lower grade posts. These have been given due consideration and all short listing will have been completed by the end of November with all interviews for the more senior posts having been completed by that date. With the award of the "Body Shop" tender last month the CFO has been enabled to source key contractors to assist him with the implementation of PEP. These appointments are new and some are still to be made. This interim project management team consists of:

The draft cash hall training manual was included in the CFO’s September information pack. Budget training as outlined above has been provided together with project management training in Denmark. The cash hall traing has been assessed as regards the requirements of IPFA. This detail is available on request. Please request same from the CFO at [email protected]

Regularity Audit Questions: MONIES IN TRUST (FORMER DEPOSIT ACCOUNT) PART B

1.

In the short term the problem is being dealt with by way of a training programme the details of which are attached.

2.

Why had one of the offices not submitted monthly returns for capturing on the financial system and what disciplinary and corrective actions have you taken as a consequence?

This is not a problem restricted to one office. The Northern Cape is the only province that is up to date in terms of record keeping. The Western Cape is close to being up to date in that they are expected to be up to date by the end of February 2002. The balance of the province’s books are in various stages of completion with the worst case being that the books have are not completely written up since 1982. Getting this matter cleared is an enormous task that has begun. As it is difficult to estimate the unknown it is difficult to estimate a completion date.

3.

We are far from being in a position where we are able to quantify differences with any degree of reliability. Funds are held in some six hundred bank accounts in different magisterial districts by individual courts who have generally not written up their books (see above). Our monthly accounts reflect but the bank balances as advised by the respective courts. This may be regarded as the cumulative "cash book balance". The FMS is the computerised accounting package which reflects the "books" as processed. Many sub-offices maintain manual cashbooks which are captured by regional offices with varying lag periods to capture. Given the fact that the "books" are not written up and that the bank accounts will reflect deposited net balances these two should not "agree" given the current circumstances. Once the "books" are written up and known losses etc have been determined then the two should be reconcilable. Currently cheque frauds under investigation in cases where the amounts have been paid out amount to some R10 million. RD cheques that have been accepted as payment against which payments have been made and which an attempt is being made to recover is some R16 million. These amounts are estimates of what is known. The CFO is of the opinion that this matter must be dealt with by writing up the backlogs and then by reconciling differences. Simultaneously the need exists to explore alternative mechanisms for the management of these funds. This is being done.

(b) Has a reconciliation of the difference being done to address the problem?

No – at this stage Project "rolling stone" has started the process of getting the "books" written up.

See comments on cash hall training.

4.

The Auditor-General reported that a misallocation of funds between the accounts took place. Please provide details as to why this happened as well as what has been done to correct this.

At the date of commercialisation on 1April 2000 the total national amounts relative to the bail, maintenance etc accounts was guessed as these had not before been maintained as separate balances. The process of guessing the totals means that a misallocation was effected. This was because the underlying records were not completely maintained. Thus the amount for bail which is reflected as an "overdrawn" balance simply means that since commercialisation that more has been paid out than has been received. This is also the case for the "contribution account" which is some R1.5 million overdrawn as at the send of September 2001. In the October accounts entries have been effected to adjust what seems to be a misallocation re the "overdrawn" balance of the bail account. This adjusting journal entry is too but another estimate that seems appropriate at this stage. Accounting for monies in trust is, at present, not an exact science. Only when the books are written up will we be able to reliably comment on what is known.

5.

The Auditor-General’s report contains various shortcomings relating to bank reconciliations.

(a) Have all staff been properly trained to perform bank reconciliations ?

Not yet, but as outlined above the training process is rolling out to some 1800 people at 270 venues in the next 20 weeks.

Prescripts and procedures not being complied with is a case of either non-compliance or incompetence and the corrective action taken is covered above.

As stated, after training, officials will be required to sign a statement covering their competence. Thereafter disciplinary action will be taken for transgressions. In many offices that are understaffed the question of a recurrence of backlogs is a reality.

6.

Please provide details regarding the steps taken to address the following shortcomings included in the audit report –

7.

Please provide the Committee with details on the steps taken to place internal control on a sound footing.

Achieving a sound system of internal control is a complex process that does not have a universal cheap implementation plan. Internal controls depend on the segregation of functions, such that any one person, should not be able to complete a transaction from start to finish. Correcting this either with more people or with more modern systems is not an affordable option at this stage.

8.

What specific measures were instituted to address the shortcomings relating to charge sheets, maintenance receipts and payments, deferred fines, estates and bail?

We have neither the people nor the systems to address the short comings but we are working on both of these aspects as outlined above.

9.

Weak controls increase the risk of fraud and irregularities. Was any investigations done to identify fraud and irregularities? Please provide details which should include the outcome, steps taken etc.

The plan is to get the books written up so that they can be audited, inspected etc. Any fraudulent activity that is suspected by anyone will be referred to the forensic audit team

10.

Please provide reasons for the documentation not submitted to the office of the Auditor-General. Was this documentation subsequently traced and submitted. Which measures were implemented to prevent this from recurring?

The problem is such that a sub-office was not able to provide the charge sheet written up by the Magistrate thus the auditor could not verify the fine paid in at the cash hall. This audit remark is based on a test sample to substantiate a general comment on this matter as relates to the Department. This "voucher" is needed to write up the books and as such this matter will be addressed as part of project "Rolling Stone". The specific detail of the specific test cases undertaken by the A-G were not conveyed to the Department.

11.

Has the problem of inadequate staffing and segregation of duties been addressed? Please provide brief details of steps taken.

No

12.

Please inform the Committee why adequate control over the use of face value forms were not excercised. What corrective measures have been put into place?

Incompetence or non-compliance. Steps include the training mentioned above.

13.

Why was amounts not paid over to SARS and local councils? Was this subsequently corrected? What amounts are involved?

The banks holding the funds have not been instructed to clear interest to a central account for transfer to SARS as current procedures call for the checking of these transfers by the regional offices which takes time. At 30 June when the last "sweep" of the accounts was done the amount of interest that has thus far been reported is some R35 million. This amount will shortly be paid to SARS once the exercise is complete.

14.

With reference to the statement by the CFO that the management of the Deposit Account has collapsed what reassurance can you give the Committee that this situation has been changed with reference to moneys in trust?

The "Monies in Trust" and the "Deposit Account" are one and the same for it is just an alternative name for the same financial process. The view of the CFO is based on his findings which are outlined above. Given the audit reports on this aspect it is possible for one to see why he came to hold this opinion. What is important is the fact that a huge effort is being mounted to address this matter. What is worrying is the fact that the CFO suspects that he will not have sufficient available funding to complete this process.

Office

Account

Pretoria North:

Agency Services

Bronkhorstpruit:

S&T

Monies in trust

Component/Service/Control

Findings and Exposure

Service Packs

Service packs contained both documented and undocumented security fixes. Systems at service pack level 4 and 5 contained known vulnerabilities, and could be remotely crashed, affecting system availability.

Changes since audit

DOJWEB, BUDGET1, and PRES were upgraded to SP6a. There are still a few servers that are running SP4 and SP5, but most have been upgraded to SP6a.

Action plan

The process of upgrading service packs started after the audit. Machines are being upgraded to service pack 6a, but this process is hindered by a shortage of staff.

Windows 2000 project

All servers will be upgraded to Windows 2000 with SP1. SP2 will be released later this year and will be installed on all Windows 2000 servers once it has been tested in a lab environment.

Audit policies

File and Object Access failure and Use of User Rights failure were logged on PTAHQ domain controllers. The successes and failures of Security Policy Changes were logged on MAIL domain controllers. No other categories were audited. This included Log on and Log Off events, as well as User and Group Management events. Without logging, critical security events could not be traced and system issues that affected availability would also go unnoticed.

Changes since audit

Security Policy Changes – Success and Failure

Action plan

Implemented

Windows 2000 project

The recommendations from the audit report will be implemented during the deployment of Windows 2000 by using Group Policies.

Domain password policies

Changes since audit

Recommendations implemented

Action plan

Done

Windows 2000 project

The recommendations from the audit report will be implemented during the deployment of Windows 2000 by using Group Policies.

Domain account lockout

Account lockout was completely disabled on the BUDGET and MAIL domains, while PTAHQ’s account lockout policy was totally ineffective. PTAHQ users were locked out after five bad log-ons, but were automatically re-enabled after 30 minutes. The lockout monitoring duration was also 30 minutes, after which the bad log-on count was reset to zero. This meant that an attacker could brute force a password for a particular account by attempting four candidate passwords at thirty-minute intervals, without fear of locking out the account or being detected.

Changes since audit

Account lockout enabled with indefinite duration and until a administrator unlocks.

Action plan

Done

Windows 2000 project

The recommendations from the audit report will be implemented during the deployment of Windows 2000 by using Group Policies.

Blank passwords, or passwords equal to username

In the MAIL domain, one user’s password was blank, and two other users had passwords that correspond with their user names. This was an obvious entry point into the domain. Even unprivileged accounts needed to have strong passwords to prevent these accounts from being used in privilege elevation attacks, with the ultimate objective of gaining local administrative access.

Changes since audit

Blank passwords are not allowed on the system any more, but because of the user skill level in the department it is difficult to control password strong passwords

Action plan

All users in the Department will be trained as part of the DNS project implementation. A tender was published to address the problem. (RT1231KA)

Windows 2000 project

When the recommended account password policies are in place in the Windows 2000 environment, users won’t be able to use blank passwords. Users will be educated to use passwords different from their user names.

Null sessions

All four domains controllers examined permitted "null sessions". This essentially allowed an attacker to connect to the server as the null user "with a blank password". The attacker could then extract valuable information, such as user names, group membership, last log-on, etc., which could be used in focused attacks on dormant accounts, to mention one example.

Changes since audit

Null sessions not allowed any more

Action plan

Implemented

Windows 2000 project

In Windows 2000, null sessions are still allowed by default. The same registry key can be used to disallow the use of null sessions as was recommended in the audit report. This setting will be tested in a Windows 2000 lab environment to determine the affect on the use of Active Directory.

Guest accounts

The guest account could be accessed by users who did not have valid log-on accounts, which provided attackers with system information for further targeted attacks.

Changes since audit

The status of the guest accounts of the domains are the same except for the BUDGET domain, which’s guest account is disabled.

Action plan

Windows 2000 project

The guest account of all the Windows 2000 domains will be disabled. Regular audits be conducted to confirm the status of these guest accounts.

FTP

FTP provided another access path into a system, and running an additional network service provided another potential point of compromise. Anonymous access could permit unintentional access to sensitive files, and older versions of FTP could contain security holes.

Changes since audit

FTP service disabled

Action plan

Implemented

Windows 2000 project

FTP will only be enabled on the Windows 2000 servers that requires this service, but anonymous access will be disabled.

SQL Server

Microsoft SQL server was active on DOJWEB, BUDGET1, and PROGRAMMING. The SQL server security administrator (sa) account built into all three of these systems had a blank password. The privileged "sa" account could be used via SQL statements to execute command line commands, such as adding another user to the local administrator group.

Changes since audit

The password for the "sa" account was changed.

Action plan

Windows 2000 project

The architecture design for Windows 2000 for the DOJ does not include any changes to the current SQL implementation. The recommended changes should however be evaluated by the DOJ’s IT staff and implemented as necessary.

Web Servers

IIS contained numerous security holes, and was insecure by default. This could potentially result in system compromise.

Changes since audit

No changes were applied to the IIS services since the audit. The IIS services are used for internal intranet publishing and sharing of information.

Action plan

Windows 2000 project

Windows 2000 servers that will be running IIS will be configured to comply with the recommended security checklists from Microsoft.

Service/Control/System

Findings and Exposure

"User cannot change password" option

The option that disallowed users to changes their passwords was set. Users were therefore not allowed to change their passwords. For example, 95% of PTASTAT users were not allowed to change their passwords. The risk existed that if users were not allowed to change their passwords on a regular basis, passwords would become known to other employees or attackers, leading to system compromise.

Changes since audit

The option that disallows users to change their passwords are still set on certain domains. When running a single domain it is difficult to keep all machines synchronised at all times. This results in users not able to change their passwords if domain controllers are not fully synchronised.

Action plan

The domains that were examined during the audit will become redundant in the Windows 2000 implementation. A tender has been published to address the Windows 2000 implementation. (RT1231KA)

Windows 2000 project

All accounts in all Windows 2000 domains will be configured to be able to change their passwords and users will be forced to change the password every 28 days (as per the audit report’s recommendation). These settings will be enforced by Group Policy.

Accounts with passwords last changed before 2000

Take note that the examples did not include user accounts that were not allowed to change their passwords. These accounts were a minority except for PTASTAT.

Changes since audit

A process has been started to look at users accounts that has not been used for while and password changes. This is a labour intensive exercise and again the shortage of staff is also a problem.

Action plan

The domains that were examined during the audit will become redundant in the Windows 2000 implementation. A tender has been published to address the Windows 2000 implementation. (RT1231KA)

Windows 2000 project

Users will be forced to change their passwords every 28 days (as per the audit report’s recommendation). User accounts that are no longer used will be disabled for a period of a month after which the inactive accounts will be deleted. The task of disabling and deleting user accounts can be delegated to the human resource (personnel) department, which wasn’t easy to do in a Windows NT 4.0 environment.

No password required

In the BUDGET and MAIL domains, blank passwords were permitted and certain accounts with blank passwords were identified. The risk existed that, if users were not required to use a password to log into the domain, they might be tempted to supply a blank password, which could easily be cracked by an intruder and used to gain unauthorised access to the domain.

Changes since audit

Blank password policy have been changed

Action plan

Windows 2000 project

All user accounts (including administrators and service accounts) will be forced to be a minimum of 6 characters long. No blank passwords will be allowed in any domain. These policies will be enforced by Group Policy.

Password expiry date not enabled

In all the above-mentioned domains, except for PTAHQ, more than 90% of user accounts were not required the change of their passwords, as passwords were not set to expire. In the PTASTAT domain with 118 users, only one user account had the password expiry option, "eputter", enabled. If passwords were not set to expire, users would continue to use their passwords indefinitely, which increased the possibility of other employees and intruders becoming familiar with such passwords. Any compromised password could be used by intruders for an extended period of time, since the user was not required to change the password.

Changes since audit

Password expiry has been enabled accept on the mail domain. The mail domain is a single domain for all offices. Initially the password expiry was enabled but caused user frustration and support calls to increase. The reason for this was that one cannot change your password if the domain controller that must authenticate you is not synchronised with PDC. This is a design flaw which we are currently addressing

Action plan

Windows 2000 single user logon implementation

Windows 2000 project

As already mentioned, all user accounts will be forced to change their passwords after 28 days. The only exception will be service accounts. Even administrators should be forced to change their passwords at the time that the passwords expire.

Disabled accounts

The guest user account was disabled in the PROGRAMMERS domain, but was active in all the other domains. In the MAIL domain, the following accounts were disabled: akruger2, AMKruger, Jbrink, Mhorn, SvanTonder and VVandyk. Disabled accounts are usually an indicative of poor housekeeping, and should generally be deleted after investigation.

Changes since audit

From the above mentioned accounts, the account AMKruger is still disabled, the account Mhorn was deleted and all the other accounts were enabled.

Action plan

In enforcing e-mail policies, accounts are disable by administrators when users are not in line with policies. The accounts will stay disable until a written undertaking is obtained from the users supervisor that the problem will not occur again. Accounts will then be enabled again.

Windows 2000 project

The guest accounts will be disabled on all the Windows 2000 domains. A task could be assigned to a person (or team) to occasionally audit these accounts. This can also be accomplished using scripts in Windows 2000. These scripts could be configured to run automatically at a scheduled time and could automatically disable guest accounts that were enabled since the last audit.

Locked-out accounts

The department’s account lockout policy was either not implemented or automatically re-enabled accounts after lockout. Locked-out accounts could be indicative of suspicious activity and should therefore be investigated and followed up.

Changes since audit

Account lockout has been fully enables

Action plan

Implemented

Windows 2000 project

The recommended account lockout settings will be configured in all the Windows 2000 domain by Group Policy.

Accounts never used to log on

At the time of the audit, only a single domain controller could be found for the BUDGET, JHBSTAT, PROGRAMMERS, PTAHQ and PTASTAT domains. The MAIL domain had 1 primary domain controller and 29 backup domain controllers. Several user accounts were identified that had never been used to log onto the PTASTAT and JHBSTAT domains. If intruders compromised such accounts it would go unnoticed and since they generally had a first or initial password these accounts were easy to crack once the password became known.

Changes since audit

A process has been started to look at users accounts that has not been used for while and password changes. This is a labour intensive exercise and again the shortage of staff is also a problem..

Action plan

Windows 2000 project

Regarding domain that only have one domain controller: All domains in the Windows 2000 environment will have at least 2 domain controllers.

Service/Control/System

Findings and Exposure

MAIL domain

Weak passwords such as these allowed attackers easy access to domain resources. Once an attacker had non-privileged access to the domain, he or she would attempt to gain privileged access.

Changes since audit

No changes were implemented since the audit.

Action plan

This issue will be addressed with training and user orientation. A tender was published to address these issues. (RT1231KA)

Windows 2000 project

By using Windows 2000, users will have less user accounts for different systems, which will help users because they wouldn’t have to remember many passwords for various systems.