PRESENTATION TO PARLIAMENTARY PORTFOLIO COMMITTEE A-G AUDIT FINDINGS Joseph A Mutungama Chief Audit Executive National Home Builders Registration Council Email: josephm@nhbrc.org.za Bryanston, South Africa 22 February 2013 1 BACKGROUND • NHBRC received a qualified audit opinion in the financial year ended March 2012. • In addition to the qualified audit opinion, numerous matters of emphasis were raised by the Auditor General. • In response Internal Audit facilitated a workshop with NHBRC Management to review the report, perform root cause analysis and develop an Action Plans to address identified control weaknesses as raised by the Auditor General. • Progress in implementing the action plan is reported on to the NHBRC Exco monthly and to both the NHBRC Audit and Risk Committee and Council quarterly. BACKGROUND… (CONTINUED) As per the A-G report the areas below had the most material control deficiencies reported on: BUSINESS AREA REMARKS SUPPLY CHAIN • Irregular Expenditure exceeded R200m • General non compliance with PFMA and SCM policy. IT • The current legacy systems cannot support or enable the NHBRC in a consistent manner • Issues of system and data security, availability and integrity. PERFORMANCE INFO • Problems in identifying SMART KPIs. FINANCE • GL and Payroll Reconciliations issues and controls over the EFT system. NHBRC REMEDIATION STRATEGY The Action Plan to address the A-G reported issues adopted the following implementation timeframes: CATEGORY TIME TO ADRESS THE FINDING Immediate Immediately Short Term Within 30 DAYS Medium Term Within 3 MONTHS Long Term Within 6 MONTHS PROGRESS TO DATE • Progress To Date is as Follows: TOTAL RESOLVED PARTIALLY RESOVED UNRESOLVED DISAGREED IMMEDIATE 38 36 0 2 0 SHORT TERM 13 3 9 1 0 MEDIUM TERM 3 2 0 0 1 LONG TERM 9 1 2 6 0 TOTAL 63 42 11 9 1 CATEGORY PARTIALLY RESOLVED UNRESOLVED DISAGREED 7 - BUSINESS MANAGEMENT SOLUTIONS (IT) 2 – HUMAN CAPITAL 1 - FINANCE 1 - PERFORMANCE INFORMATION 2 - SUPPLY CHAIN 1 - SUPPLY CHAIN 1 – HUMAN CAPITAL 4 - FINANCE 2 - BUSINESS MANAGEMENT SOLUTIONS (IT) 9 0 11 1 GRAPH-PROGRESS TO DATE OUTSTANDING FINDINGS 0 1 DISAGREED 0 0 6 0 UNRESOLVED 1 2 2 0 PARTIALLY RESOVED 9 0 1 2 RESOLVED 3 36 0 5 10 15 20 25 30 35 40 RESOLVED 1 PARTIALLY RESOVED 2 UNRESOLVED 6 DISAGREED 0 MEDIUM TERM 2 0 0 1 SHORT TERM 3 9 1 0 IMMEDIATE 36 0 2 0 LONG TERM 6 A-G ACTION PLAN NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 1. Irregular Expenditure. Immediate Unresolved Immediate Unresolved NHBRC faces an irregular expenditure amount of over R100m as at end of third quarter mainly due to Forensic Consultation fees and Rectification contractors. This expenditure emanates from contracts entered into in the previous financial year. As above Immediate Resolved Goods or services with a transaction value of more than R 500 000 were not procured by means of a competitive bidding process. 2. The accounting authority did not take effective steps to prevent irregular expenditure. In terms of section 51(1) (b) (ii) of the PFMA the accounting authority must take effective and appropriate steps to prevent irregular expenditure. The irregular expense declared in the financial statements decreased from R400 255 in 2010/2011 to R202 223 991 in 2011/2012, furthermore additional irregular expenditure was identified through the audit process. Management circumvented the compliance requirements by awarding contracts/quotations without following applicable laws and regulations pertaining to supply chain management. Evaluation of tender for points and functionality not performed. 3. The root cause for this non-compliance was that buyers were buying from historically disadvantaged suppliers on the approved supplier database, but they did not understand that they had to print out the document to prove that they considered those elements. The non-compliance with the applicable laws, rules, regulations and practices resulted in irregular expenditure. 7 A new matrix system has been implemented and approved by Management. The preferred service provider is selected due to highest score points. The matrix system includes name of the service provider, tender price, points for price, BEE scoring and ranking. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 4. Tax Clearance certificate not obtained. Immediate Resolved The supplier has submitted the tax clearance certificate. National Treasury Practice Note 8 of 2007/08 and Treasury Regulation 16A9 require the winning supplier to submit an original Tax Clearance Certificate from SARS certifying the tax affairs of that person to be in order or that suitable arrangements have been made with SARS. The following supplier did not submit a tax clearance certificate: Supplier Name: Surestream Property Investments Pty Ltd Supplier No. 2944 The owner of the building leased by NHBRC changed and the new owner did not submit a tax clearance certificate. This resulted in irregular expenditure of R3 641 147 and due to the fact that management did not identify and disclose this as irregular expenditure in the financial statements submitted for auditing purposes on 31 May 2012 this will contribute to the modification in the audit report on the completeness of irregular expenditure. 8 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 5. Internal Audit Function: Non Compliance with Treasury Regulations. Immediate Resolved Annual operational audit plan 2012/2013 which includes the evaluation of compliance weaknesses and regulations has been approved by Council and is being implemented. Immediate Resolved The finding has not occurred in the current financial year. Finance section has not received extensions to contract exceeding 15% of the original value in the current financial year. In terms of Treasury Regulations 27.2.6 Internal Audit must be conducted in accordance with the standards set by the Institute of Internal Auditors. Through testing performed on the Internal Audit Function it was found that the Internal Audit Function did not adhere to all standards set by the Institute of Internal Auditors. In terms of Treasury Regulations 27.10(e) internal audit should evaluate the compliance with laws and regulations. Through testing performed on the Internal Audit Function it was found that the Internal Audit Function did not evaluate the compliance with laws and regulations. 6. Extensions to contracts exceeding 15% of the original value not approved by National Treasury. In terms of the NHBRC procurement policy the extensions of contracts exceeding 15% of the original contract value should be approved by the CEO. The extensions were approved by the CEO in terms of the NHBRC policy but were not approved by National Treasury in terms of Treasury Regulations. This was as a result of management circumventing the requirements of treasury regulations. The non-compliance resulted in irregular expenditure and a modification under the compliance section will be included in the audit report. 9 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 7. Invitations to bid not advertised as per Treasury Regulations. Immediate Resolved The policy has been drafted to align with Treasury Regulations. New tenders published currently are Revision of Home Building Manual and Forensic Engineering Services. Immediate Resolved The finding occurred is no longer applicable. The process occurred only once in the previous financial year. Per management the urgency of transactions resulted in minimum advertising time not being followed. The non-compliance resulted in irregular expenditure and as a result this will contribute to the modification in the audit report pertaining to the completeness of irregular expenditure. 8. Non-compliance with Treasury Regulations. The scope of the work was increased and more quotations were sourced for completing other renovation tasks. Additional work was then performed by Bougart Building Construction CC. In terms of Treasury Regulation 16A3.2 the supply chain management system must be fair, equitable, transparent, competitive and cost effective. In terms of instruction note 32 expansions / variation orders should not exceed the following limits without prior approval by the national/ provincial treasury: For construction contracts: - The lesser of R20 million or 20% of the original contract amount. For other goods/ services: - The lesser of 15% or R15 million of the original contract price. In terms of the NHBRC procurement policy the extensions of contracts exceeding 15% of the original contract value should be approved by the CEO. 10 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 9. More than 20% of planned targets not achieved. Short Term Partially Resolved There are new targets to be attained by the organization for 2012/2013 financial year. The performance of sections is monitored by Strategy Section to ensure that targets are achieved as set out in the organizational Balanced Scorecards. Medium Term Resolved A list of all bank accounts was sent through e-mail to National Treasury by the Personal Assistant to the Chief Financial Officer on 24 April 2012. During the audit of the performance information, it was noted that 24% (13 out of 54) of the targets set by the NHBRC as per annual performance plan were not achieved as at 31 March 2012. This matter will be included in the audit report in the section relating to predetermined objectives. 10. A list of all bank accounts not submitted to National Treasury. As per the Treasury Regulations section 31.2.1 the Accounting Authority should submit a list of all bank accounts to National Treasury annually by 31 May. We obtained correspondence between NHBRC and National Treasury where the Main bank account details were sent to treasury on 19 April 2012. However no record could be found that banking details were submitted during the 2011/2012 financial year. 11 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 11. Bank reconciliations not prepared on a weekly basis. Long Term Unresolved 12. It was noted that bank reconciliations are performed on a monthly basis instead of a weekly basis as required in terms of Treasury Regulations. Treasury Regulations 31.1.2 (j) states that sound cash management includes preparing bank reconciliations on at least a weekly basis. However management does on a daily bases clear receipts and payments even though there is no formal reconciliation prepared. Upon enquiry as to the reason for this management indicated that the Oracle system does not allow for management to evidence that reconciliations are done on at least a weekly basis. Payment not made within 30 days of receipt of invoice. The Oracle platform is not configured to handle reconciliation and posting weekly; this can only be done monthly. The bank reconciliation is prepared on a monthly basis as transactions occur on a monthly basis. Short Term Partially Resolved The delay in payment is due to business not receipting goods and services timeously, business has the obligation to check all invoices to ensure that all goods and services were delivered, in certain instances the receipting of these invoices is delayed, however once the invoice is receipted they are paid within two weeks of receipt It was noted during the inspection of a sample of payments made during the period, where certain payments were not made within 30 days of receipt of invoice. In terms of Treasury Regulation 8.2.3. "all payments due to creditors must be settled within 30 days from receipt of an invoice". This amounts to noncompliance with the Treasury Regulations 12 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 13. Exception (Variance) Reports not reviewed by management. Immediate Resolved The current Human Capital Manager was appointed end of February 2012 and started reviewing the work in March 2012. HC Manager is reviewing the variance report on a monthly basis. Immediate Resolved The reconciliations are cleared timely by the Financial Accountant. Long Term Partially Resolved Human Capital is in a process of sourcing a Tax Consultant to assist and advice on matters of tax. The Payroll Specialist has prepared the Terms of Reference document for submission with regard to sourcing a Tax Consultant. It was noted that for the months of September 2011, November 2011 and March 2012, the spike/variance reports that were prepared were inspected for material & unusual movements by the Payroll Specialist, however the reports were not reviewed by senior management. Furthermore the September 2011 ACB Report was not reviewed by management. 14. Reconciling items not cleared timely. It was noted that reconciling items/differences between the Payroll Oracle system and the general ledger were not cleared on a month to month basis. This finding was caused due to human resources constraints. 15. Fringe benefits not subjected to PAYE. The PAYE deducted from employees may be understated due to the non-inclusion of a petrol card allowance received by 107 employees (specifically High Users) of R4400 that is used for both business and private purposes, as no travel log is maintained. Staff is required to be taxed on fringe benefits in term of schedule 7a of the Income Tax Act. This was caused by staff not fully understanding the implications of tax on fringe benefits. 13 Matter to be resolved by 31 March 2013 . A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 16. Findings on Predetermined Objectives. Immediate Resolved The reporting of performance information and targets are clearly indicated in the performance report of 1 April 2012 to 30 June 2012. The reporting of amounts collected from debtors is included in the quarterly report. KPI’s have also changed in the first quarter of 01 April 2012 to 30 June 2012 and it is no longer a performance indicator. Immediate Resolved Nine quality assessors have been appointed in all nine provinces. Inconsistencies in the reporting of amounts collected from debtors. It was noted that there were inconsistencies with regard to the amounts reported in the quarterly reports for the indicator “R 72 million to be collected from the NHBRC debtors” This indicator was only reported in the first quarter. An amount of R 11 million was reported as collected in the first quarter and nothing was reported from the second quarter up to the fourth quarter. In the annual report an amount of R348.3 million was reported for this indicator. Management did not define the objectives clearly in the prior year, which resulted in inconsistent reporting. 17. Inconsistencies in the reporting of assurance structures implemented in the provincial departments of Human Settlements. It was noted that there were inconsistencies with regard to the quarterly reporting of the indicator “Quality assurance support structures strengthened in the Provincial Departments of Human Settlements”. This indicator was only reported in the fourth quarter. A total number of 2 support structures were reported as achieved in the fourth quarter and nothing was reported from the first quarter to the third quarter. Through inspection of the number of structures reported as implemented in the annual report, we noted that 9 support structures were reported. 14 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 18. Management does not ensure the completeness of the indicators or targets reported in the annual report. Immediate Resolved The matter has been taken into consideration in the KPA’s and KPI’s 2012/2013. Immediate Resolved The matter has been addressed in the 2012/2013 NHBRC balance scorecard. The copy of the balance scorecard is accessible on the intranet. It was noted that management does not have any controls to ensure that indicators/targets reported in the annual report are complete. Completeness of targets is important since it ensures that all the activities relating to a particular indicator/target has been reported. Note that management did report on all the indicators included in the strategic plan for the entity. Management did not define the objectives clearly in the prior year, which resulted in matter above. Inconsistencies between the quarterly and annual reports for the indicator of “20% of all houses under construction inspected to be audited” 19. It was noted that that there were inconsistencies with regard to the quarterly reporting of this indicator “20 of all houses under construction inspected to be audited”. The following has been reported in the quarterly reports: Management did not define the objectives clearly in the prior year, which resulted in matter above. The final amount reported in annual report could be substantively audited. Thus this matter highlights the control weaknesses that exist during quarterly reviews of data that is reported. Through inspection of the annual report, we noted that management reported that a total of 20% of the houses that were inspected have been audited. This is not consistent with what has been reported in the quarterly performance reports. 15 Objectives are clearly defined in the performance report 01 April 2012 to 31 March 2013. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 20. Inaccurate reporting of technical services revenue. Immediate Resolved The matter is no longer a performance indicator in the current financial year. It was noted that the amount reported in the quarterly reports does not agree to the amount disclosed in the management accounts. Through inspection of the fourth quarter performance report, we noted that management disclosed that they have collected nothing from technical services revenue, but through inspection of the management accounts, we noted that a total of R 22 642 545 had been collected from technical services, resulting in a difference of R 22 642 545 between the management accounts and quarterly performance reports. Note that the amount that is reported in the annual report agrees to the annual financial statements and the above issue relates to a control deficiency on reviewing of data reported on quarterly bases. 16 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 21. The register for the “Reduction in the number of days taken to produce a legally enforceable contract from 3 weeks to 7 working days” does not have the date the request was received and the date the request/contract was completed. Immediate Resolved The matter is no longer included in the 2012/2013 financial year. Short Term Resolved IT section has programmed the Oracle system not to allow duplication of suppliers. The system does not permit the capturing of the same Co. registration number or Vat number. Test suppliers have been deactivated from Oracle system. The Contract register does not include dates on which the request for contract was received and the date on which drafting thereof was completed. Through inspection of the quarterly reports submitted to the National Department of Human Settlement, we noted that this target was indicated as achieved/met. It was not possible to assess if a legally enforceable contract was issued within 7 working days. Management did not define the objectives clearly in the prior year, which resulted in the matter above. Note that the misstatement of indicators that could not be tested is less than 20% and thus will not have an impact on the opinion on predetermined objectives. Duplicate suppliers 22. The NHBRC entered into business with suppliers duplicated on the supplier database. 17 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 23. The declaration of bidder’s past supply chain management practices (SDB8) form not completed for the winning supplier. Immediate Resolved This was an isolated incident where the NHBRC had a dispute with the supplier which was subsequently settled. Long Term Partially Resolved The new CEO has been appointed and will commence on 1 March 2013. Long term Unresolved HCREMCO resolve to put a moratorium on the appointment of all senior officials until the appointment of the CEO is finalised. The National Treasury Practice Note 4 of 2006 and Treasury Regulation 16A9 require the winning supplier to complete and sign the bidder’s past SCM practices on the SBD 8 form. This information furnished by the builder should be used to ensure that when goods and services are procured or disposed of, all reasonable steps are taken to combat the abuse of the supply chain management system. 24. Senior managers acted in positions for more than 6 months The CEO position was acted in for longer than 6 months by J Mahachi, due to pending investigations on S. Mashinini. Position was approved in minutes of meetings by the Council as well as on the approved acting allowance forms. 25. Senior management vacancy rate increased from prior year The senior management vacancy rate increased from 43% in the previous year to 60% in the current year. This was due to a decrease in total positions available from the prior year. 18 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 26. Payments made in excess of contract value. Medium Term Disagreed Management still disagrees with the finding. NHBRC entered various contracts with ICM. Balance score cards, strategic planning and training of consultants’ facilitation were part of the SLA’s entered into with ICM. The R 1, 615.461 was allocated for different services with ICM in addendum to the agreement entered into with NHBRC. The total payment of R 1, 065. 607 that was paid to ICM, instead of paying the total value of R749 696 that was agreed upon, it was for another contract that was entered into with the organization for R 315, 911. Medium Term Resolved Signing of the SBD9 form is implemented. Every supplier is required to complete and sign the SBD 9 form. In terms of treasury regulations 8.2, the total payments made under the contract/ quotation should not exceed the original contract / quoted amount. 27. The certificate of independent bid determination (SBD 9) was not completed and signed by the winning supplier. National Treasury Practice Note dated 21 July 2010 and Treasury Regulation 16A9 requires the winning supplier to complete and sign the certificate of independent bid determination on the SBD 9 form. This information furnished by the bidder should be used to ensure that when goods and services are being procured or disposed of, all reasonable steps are taken to combat the abuse of the supply chain management system. Management did not believe it to necessary to obtain certificate if they did go out on tender and contract was entered into before practice note came into effect. 19 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 28. Construction Projects not registered on the CIDB database. Immediate Resolved Management disagrees as this was a partitioning exercise. In terms of the Construction Industry Development Board (CIDB) regulation 24, an invitation to tender or calls of expression (in the case of a two stage building process) should be advertised in the CIDB website. Bogart Building and Construction CC was awarded a contract without the contract being registered on the CIDB database. 20 This was a once off project. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 29. Employees’ declaration of interest not in line with NHBRC policy. Immediate Resolved SCM practitioners have completed their declaration of interest forms. 30. No reference made to the list of restricted suppliers and tender defaulters when adding new suppliers to the supplier database. Immediate Resolved Tender defaulters are checked by Supply Chain through a list of tender defaulters as published by National Treasury. This is attached to each supplier’s application form. Through testing performed on additions to the supplier database it was noted that no reference is made to whether a prospective supplier are listed on the Restricted supplier database or List of tender defaulters as published by National Treasury. In terms of the Treasury Regulations Section 16A9.1(c) the evaluation criteria for prospective providers should include the disallowance of providers whose name appears on the National Treasury’s database as a person prohibited from doing business with the public sector and in terms of The Prevention and Combating of Corrupt Activities Act sec 29 the evaluation criteria should include the disallowance of providers whose name appears on the National Treasury’s register of tender defaulters. An additional audit procedure was performed to check on a sample bases that none of the suppliers were listed on the restricted supplier data base. This was an oversight by management. 21 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 31. Investment disclosure not in compliance with IFRS. Immediate Resolved The investments disclosures have been reassessed. The annual report 2012/2013 will be in compliance with the IFRS disclosure requirements. Short Term Resolved The control has been implemented as per management response. This control has been implemented to assist with management reporting. The NHBRC was behind with invoicing for the EC Department of Human Settlements, this has been resolved and the funds have been received. Per the inspection of the Annual Financial Statements we noted that the IAS 39 Investments were not in compliance with IFRS 7 disclosure requirements. 32. No reconciliation of technical services revenue accounts to technical services expenses. This is necessary as the revenue recognized in the financial statements should be directly proportional to the expenses recognized in the financial statements. This reconciliation was performed after year end prior to 31 May submission of financial statements. Note that the necessary adjustments were processed to correct the revenue recognized compared expenses that was recognized in the general ledger. Thus no material misstatement exists. This was not performed as management did not consider it necessary at that point in time. 22 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 33. Trade Receivables outstanding for longer than 30 days Long Term Unresolved Management is in process of clearing the long outstanding amounts. Trade debtors relating to government Departments included in the age analysis that are outstanding for longer than 30 days. This is contrary to the PFMA regulations as these departmental debtors had to pay the NHBRC within 30 days. The accounting authority did not take effective steps to collect all money due to the NHBRC as required in terms of section 51 (1) (c) (ii) of the PFMA. 34. Unidentified and unapplied receipts not cleared. Our testing of unidentified and unapplied receipts revealed long outstanding amounts in unidentified and unapplied receipts. Receipts in the bank account are not identified and captured in a form and time frame to support financial reporting. This issue was also reported in the prior year. The unidentified receipts’ balance at year end was R 3 306 994 (R 5 815 003: 2011) and the unapplied receipts’ balance at year end was R 23 481 286 (R 41 386 698: 2011). Note: comfort has been obtained that all receipts entered in the system are allocated to accounts or allocated to unapplied or unidentified cash, Furthermore additional procedures were performed over the allocation of the amounts moving out of these accounts. 23 Resolution of finding targeted for 31 March 2013. Long term Unresolved Finance in process of addressing unidentified and unallocated receipts. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 35. Unrecorded liabilities identified. Long term Resolved All liabilities are recorded in the period in which they are incurred. Accruals are raised at each month end to ensure that the NHBRC complies with IFRS. Long term Unresolved Busy Addressing the Financial policy and doing upgrades on the Oracle system. The total amount for invoices that were tested and not accrued for were R 4,067,627. These items were selected through target testing a no extrapolation was done, but the sample was extended to include more items from the misstatement identified. Proper systems to identify all accruals that should be made at year-end are not in place. 36. Assets with a zero book value held on the fixed asset register. In terms of GRAP 17, paragraph 61, the residual value and the useful life of an asset shall be reviewed at least at each reporting date and, if expectations differ from previous estimates, the change(s) shall be accounted for as a change in an accounting estimate in accordance with the Standard of GRAP on Accounting Policies, Changes in Accounting Estimates and Errors. This resulted because a rigorous exercise to evaluate the residual value and useful life of all assets was not performed at year-end. The current value of fixed assets does not represent the economic benefit of the assets as they are still in use. 24 Upgrades may be completed by 31 March 2013. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 37. Unexplained difference on bank reconciliation. Immediate Resolved Bank reconciliations differences are attached with supporting documentation by the Financial Accountant. Immediate Resolved Bank reconciliations are prepared by the Accounts Clerk and reviewed by the Financial Accountant on a monthly basis. Immediate Resolved The petty cash reconciliation is prepared by the Accounts Clerk and reviewed by the Financial Accountant on a monthly basis. A bank column was added to the petty cash reconciliation to agree to the amount as per bank statement to the petty cash control general ledger. As per inspection of the bank reconciliations for December 2011 for the Main bank account of the entity (account number 62081366520), there was an unexplained difference between the balance as per bank statement, and the balance as per general ledger amounting to R27, 235.76 (December 2011). The finding was a result of taken balance errors from JD Edwards. 38. Bank reconciliation not prepared on a timely basis. It was noted that the Trust bank account bank reconciliation as at 31 October was only prepared and reviewed on 8 December 2011. This was a result of management oversight. 39. Ineffective preparation and review of petty cash reconciliations. It was noted during inspection of bank confirmations that the amount as per the bank confirmation for the petty cash accounts, does not agree to the amount as per the general ledger. Upon further investigation, it was noted that no petty cash reconciliation is prepared to reconcile the physical petty cash bank account, and the general ledger account. 25 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 40. Authorized signatories includes employees no longer employed by the NHBRC Immediate Resolved With reference to the bank, the signing arrangements have been updated with the bank for change of signatories in Free State and Gauteng. All documents for the Petty Cash Account and Council-Trust Account are signed by two signatories, the Acting CEO, Chief Financial Officer and a list of authorised signing officers. Petty Cash Account has been updated. It was noted through inspection of the bank confirmations received that the signatories listed on the bank confirmation are no longer employed by the NHBRC. We inspected the change mandate form sent to the bank on the 11th of May 2012, and noted that change of signatories had been requested for the Main Account and Trust Account. However, no change of signatories had been requested for the Gauteng and Free State Petty Cash Accounts. Furthermore, the following signatories were identified in the prior year as signatories which were not valid and not belonging to current employees, but still appeared on the bank confirmation as authorized signatories: Management relied on the bank updating their request for signatory changes, with the exception of LD Less and S. Mashinini. 26 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS 41. Allowance for doubtful debts policy not in line with IFRS. Immediate Resolved In terms of IAS 39 paragraph 64 and entity should assess whether objective evidence of impairment exists individually for financial assets that are individually significant and for financial assets that are not individually significant. If an entity determines that no objective evidence of impairment exists for an individually assessed financial asset, whether significant or not, it includes the asset in a group of financial assets with similar credit risk characteristics and collectively assesses them for impairment. It was noted that management provided for all invoices older than 120 days at year end. This is not in line with the requirements of IAS 39 as debtors were not assessed for impairment on an individual basis. Furthermore there debtors’ policy does not make reference to what is required by the standard. Note that the provision has not been misstated as a result of the above. Management never considered the impact IAS 39, due to fact that they consider government of be one debtor with one risk profile. 27 COMMENT Resolved: The Allowance for doubtful debt procedure has been updated to be in line with IFRS and the requirements of IAS 39. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 42. Reconciliations of accounts receivable control account to age analysis were neither prepared nor reviewed on time. Immediate Resolved Reconciliations for accounts receivable account age analysis to General Ledger are prepared by Accounts Clerk and reviewed by the Financial Manager. 43. Bad debts written off, policy not followed We noted that management did not follow the procedures as per the Financial Policy and Procedures document; Procedure 9.4.2. which states that the “Executive Director: Finance must recommend to the Chief Executive Officer overdue accounts that cannot be collected and recommend writing off...” Bad debts written off of R1, 101,783 were with regards to the dispute between the Mpumalanga Department of Human Settlements and the NHBRC over a quantum that had to be used for a project enrolment. These invoices where incorrectly raised. As per our inspection of the correspondence (email) between Thobeka Khubisa (DoHS: Mpumalanga) and Tamlyn Bouwer and Mabel Afrika (both NHBRC) on 24 November 2011. Immediate Resolved This was a once off incident in the prior year, and this has not happened in the current financial year. However, this particular write off did not follow the policy per the Financial Policy and Procedures. 28 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 44. No Fraud prevention plan in place that includes specific measures for preventing and detecting fraud in the procurement process. Immediate Resolved Fraud prevention plan has been approved on 18 July 2012 at Executive Committee meeting. Immediate Resolved Gift register template was circulated to all staff in December 2012. Through enquiry a Fraud Prevention Plan could not be found The plan would include specific measures for preventing and detecting fraud in the procurement process. This was as a result of oversight by management. 45. No gift register could be located where employees can declare a gift or award received. In terms of the “Gifts to NHBRC Employees Policy” all gifts should be declared and registered in the Gift Register which can be found at the Human Resources department. Through enquiry from employees in Human Resources the gift register could not be located. 29 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 46. Names of successful bidders not published on NHBRC website or Tender Bulletin. Immediate Resolved The new tenders published currently are: Revision of Home Building Manual and Forensic Engineering Services. The tenders were published on the government bulletin and Sunday Times newspaper; however they were not advertised on the NHBRC website. In terms of Instruction Note 32 the details of the winning bidder, contract number and description, preference claimed and contract price should be published in the government tender bulletin or website of the auditee. The names of the successful bidders for the following awards were not published on the tender bulletin or the NHBRC website: • • Tenders to be published on the NHBRC website by next tender advert. Hydrotek - KZN Water Tanks Motswako Office Solutions This matter arose due to the NHBRC’s website being under construction. 47. Test suppliers included in the supplier listing. Test suppliers included in supplier’s listing. During our procurement testing of conflicts of interest, we noted a supplier by the name of "TEST" that was included in the listing. Controls should be established to mitigate the creation and maintenance of supplier details on the system. No test journal entries should be processed on a live system 30 Immediate Resolved Test suppliers are deactivated; therefore transactions cannot be conducted under their names. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 48. Rental expenses not appropriately classified Immediate Resolved Rental expenses are appropriately classified in consolidated management accounts such as water and electricity, sewage, cleaning services, insurance, etc. Immediate Resolved The Annual report has been amended in “other non-cash items” in the Cash Flow Statement. Non cash items are no longer reflected in the notes to the Cash Flow Statement. It was noted in our testing of leases that the amount posted to the Rental of premises (4624) account included other expenses such as water and electricity, sewage, cleaning services, insurance, etc., which should be posted to separate accounts. Note that none of the disclosable line items in the financial statements have been misstated thus matter is considered to be administrative of nature. 49. Other non-cash items on the cash flow statement are not supported by any documents. It was noted that the “Other non-cash items” amounting to R 3,324,183 disclosed in the notes to the Cash Flow Statement do not have any supporting documents. This balance was included in the notes to the cash flow statement as a balancing figure. 31 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 50. Incorrect capitalization of additional costs associated with assets. Immediate Resolved The finding will never occur in future. NHBRC is presently not charging VAT and not paying VAT. Capex and Opex expenses are acquired VAT inclusive. Total 163,483 Immediate Resolved The assets have depreciated on Oracle financials system by the Accounts Administrator. The Oracle financial system indicates the useful life of the asset, original cost, accumulated depreciation, net book value, depreciation amount and remaining useful life of the asset. It was noted that the cost of four air conditioners were incorrectly reflected in the fixed asset register due to the incorrect capitalization of costs to each asset. The total value of the invoice was agreed to the total value of the sum of all four air conditioners capitalised, however the costs to bring the asset into a condition ready for use to relative component were incorrectly split. Note that the overall value as per the fixed asset register is not misstated, only a misallocation per individual assets exist. This does not result in a material misstatement in the financial statements. 51. Assets that are ready for use not depreciated. It was noted that the following assets are ready for use but are not depreciated on the system. However this is not material. 32 Asset number Date purchased Amount ( R) Total Depreciation (R) 17714-CBT205 FLEX 14-Jan-10 205,974 34,329 17715-CHT4106 STA 14-Jan-10 460,108 76,685 17793-YAW4206 MTS 25-Mar-10 314,815 52,469 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 52. Non-compliance to EFT payment controls. Immediate Resolved The payment batch is signed by the preparer and has signatory A and Signatory B being the Financial Accountant and Management Accountant before a payment is released. Immediate Resolved FNB new access requisition form has been designed for new user access requests to the EFT application. There was non-compliance with controls designed by management to adequately mitigate key financial risks. As a result, the following were not implemented: At the time of the audit, the following EFT payment controls were not complied with: One payment batch had not been signed by the preparer; One payment document within a payment batch had not been signed by releaser 1, but was signed by releaser two; and Ten occurrences existed were supporting documentation had not been cancelled. The non-compliance to EFT payment controls could result in erroneous and unauthorized payments. 53. Inadequate controls exist to manage the process regarding new user access to the EFT application. Management had not formally designed user access controls (policies, procedures, guidelines) to mitigate the risk of unauthorized access to the network and information systems. Informal controls were in place, but were inadequate. As a result, the following key financial risks were noted: It was noted at the time of the audit, that no formal process had been implemented to control the new user access requests to the EFT application. The informal new user access process to the EFT application could result in unauthorized user gaining access to the EFT application. 33 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 54. Inadequate controls exist relating to the periodic review of activity logs on the EFT Application. Long Term Unresolved User Access policy and procedures are currently in draft. Management had not formally designed user access controls (policies, procedures, guidelines) to mitigate the risk of unauthorized access to the network and information systems. Informal controls were in place, but were inadequate. As a result, the following key financial risks were noted: It was noted that no formal periodic review of user activities on the EFT application is currently performed. 34 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 55. Inadequate controls exist relating to the password parameters on the EFT application. There was non-compliance with controls designed by management to adequately mitigate key financial risks. As a result, the following were not implemented: It was noted that no expiry is set for general users' accounts on the EFT application. The EFT application provides the functionality to enforce password expiration after 30 days, it was noted that this functionality is not enabled. Furthermore, it was noted that the log of unsuccessful login attempts is not periodically reviewed. No password expiration and no formal periodic review of unsuccessful login attempts on the EFT application may result in unauthorized users gaining access to the EFT application. Short Term Resolved There was a request to FNB bank on availability and functionality of password expiration. Management site profile has been sent to the Financial Accountant that can be changed on site profile of a password expiry. After 30 days, password expires; the user will be reminded to change the password and FNB will lock the user out of the system for failure to change password. 56. Inadequate design and non-compliance regarding user access controls for the Linux operating system environment. Short Term Partially Resolved A procedure manual has been developed to address this finding. IT management had inadequately designed user access controls (policies, procedures, guidelines) to mitigate the risk of authorized access to the network and information systems. Informal controls were in place, but were inadequate. There was also non-compliance with controls designed by IT management to adequately mitigate key user access risks. 35 The manual will be submitted to the policy task team in the beginning of 2013 for review. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 57. Inadequate design of user access controls defined for the Oracle database environment. Short Term Partially Resolved A procedure manual has been developed to address this finding. IT management had inadequately designed user access controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate. If the controls for the user access control processes are inadequate, users might obtain access to system functions without proper approval, which might lead to employees having rights not related to their job descriptions. 58. Inadequate design and non-compliance regarding user access controls for the Oracle E-Business Suite application environment. IT management had inadequately designed user access controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate. There was also noncompliance with controls designed by IT management to adequately mitigate key user access risks. If the controls for the user access control processes are inadequate, users might obtain access to system functions without proper approval, which might lead to employees having rights not related to their job descriptions. 36 The manual will be submitted to the policy task team in the beginning of 2013 for review.. Short Term Partially Resolved A procedure manual has been developed to address this finding. The manual will be submitted to the policy task team in the beginning of 2013 for review. A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 59. Lack of design regarding user access creation and removal controls on the Oracle E-Business Suite and Siebel applications. Short Term Partially Resolved The external users have been removed. User access forms are already in use. The long term solution will be to delete the user however the user is currently linked to a number of concurrents that would adversely affect functionality if the user were to be deleted. IT management had not formally designed user access controls (policies, procedures, guidelines) to mitigate the risk of unauthorized access to the network and information systems. Informal controls were in place, but were inadequate. On the Siebel and Oracle E-Business Suite application it was noted that the user account management processes such as new-user registrations, terminations of access, regular reviewing of access rights and changes to user profiles were not formalized. There is an increased risk is of unauthorized users gaining access to the Oracle E-Business Suite and the Siebel applications without going through the formal new users’ approval process. Furthermore, there is an increased risk of unauthorized access to the environment as user IDs belonging to users who left the organization or department can be targeted for malicious use by users with a reduced risk of discovery. 37 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 60. Inadequate IT security controls designed for the Linux operating system environment. Short Term Partially Resolved Root logs are now abled but have not been reviewed. Review frequencies and responsibilities still to be assigned. A procedure manual has been developed to address this finding. The manual is in draft and will be submitted to the Policy Task Team for review. FTP (File Transfer Protocol) has been disabled, only using SFTP (Secure File Transfer Protocol). Short Term Partially Resolved Review frequencies and responsibilities still to be assigned. A procedure manual has been developed to address this finding. IT management had not formally designed security management controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate. As a result the following key financial risks were not addressed: • The privilege account “root” usage has not been logged and therefore no auditing has been enabled. • No independent formal review of audit logs is being performed on a periodic basis. Data transfer is in clear text (unsecure protocol running is “FTP”). . 61. Inadequate IT security controls designed for the Oracle EBusiness Suite application environment. IT management had inadequately designed security management controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate. Therefore, no Independent formal review of audit logs, generated from the Oracle E-Business Suite application environment, is being performed on a periodic basis. Without adequate security controls, unauthorised access to the organisation’s network and possibly IT systems can be gained, which could result in data integrity being compromised. 38 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 62. Inadequate IT security controls designed for the Oracle database environment. Short Term Partially Resolved Encryption has been investigated and management has decided that it is not required in our environment. Release 11.1.0.7.0 is still supported by Oracle and patches are loaded based on Oracle recommendations, therefore an upgrade is not necessary. A procedure manual has been developed to address this finding. The manual is in draft and will be submitted to the Policy Task Team for review. IT management had not formally designed security management controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate. As a result the following key financial risks were not addressed: • Encryption has not been configured. • Connection strings, which provide privileged access to the Oracle database without the need of a password, were active. • The current Oracle security patch loaded (Release 11.1.0.7.0) on the database server is outdated. Parameters (listener) have been inappropriately configured. An unprotected listener could lead to the shutdown of the listener, denial-of-service and the database being compromised. 39 A-G ACTION PLAN…CONTINUED NO FINDING TIMEFRAME PROGRESS STATUS COMMENT 63. Non-compliance to change management controls designed. Short Term Unresolved Procedure will be enforced. There was non-compliance with controls designed by IT management to adequately mitigate key financial risks. As a result, the following were not implemented: Six out of the 30 change management request forms selected for testing, could not be provided. No version control is used to control the migration of source code from development to production. There is an increased risk of unauthorised or erroneous changes being made to the Oracle E-Business Suite and Siebel application. Furthermore, these unauthorised changes may have a negative impact on the transaction processing environments. 40 Irregular Expenditure WASTEFUL EXPENDITURE Condoned by Council Nature Interest paid to suppliers 2012 Responsible Amount Division Manager 575 Finance Action Taken Responsible Division Manager Action Taken 2013 Completion Effect on the Date Current financial year N/A IRREGULAR EXPENDITURE Condoned By Council Nature Rebahale Consulting (Pty) Ltd Amount 5 411 627 Audit Chief Audit Executicve Contract Terminated Council appointed a task team to review the appointment of Rebahale Consulting (Pty) Ltd, and a quality assurance review was performed by the Institute of Internal Auditors on the work done by Rebahale Consulting (Pty) Limited. The reports from the Institute of Internal Auditors and the Task team were presented to Council and the Service Level Agreement with Rebahale was terminated. The appointment of Rebahale was considered irregular due to a conflict of interest during tender evaluation. 41 Completion Effect on the Date Current financial year A Provision for R 1.8 million raised as well as a contigent liability of Arbitratration R 20 million Irregular Expenditure Condoned By Council Nature Non Subsidy Inspectorate appointments 2012 Amount 47 732 066 2013 Responsinle Division Manager CEO CEO Action Taken Council Resolution Completion Effect on the Date Current financial year Expenditure will be reported in the current 31 May 2013 financial year (Dec R 24 million) Inspectorate Tender was advertised for a period of one year, on award of the tender the contracts were extended to a period of three years. This was in contravention of the SCM policy. Hydrotek International Executive 17 273 848 Technical Manager Expenditure will be reported in the current None taken 31 March 2013 financial year The period for the advertising of this tender did not comply with the Treasury Regulations, which require a period of 21 days. Subsequent tenders have been advertised in line with the Treasury Regulations. 42 (Dec R 3.4 million) Irregular Expenditure Not Condoned by Council Nature Ms V Somiah 2012 Amount 1 300 000 Responsible Division Manager CEO CEO 2013 Action Completion Effect on the Taken Date Current financial year Empoyment contract terminated Complete None The appointment of Ms Somiah was irregular, the appointment was not within the Delegated Authority of the CEO. Rectification and Forensics appointments 129 586 693 Technical CEO CEO Dismissed The appointment of the Forensics companies contravened the procurement policy, the appointments were above the delegated Authority of the CEO. 43 Expenditure will be reported in the current 31 May 2012 financial year (Dec R 112 million) THANK YOU