Standing Committee On Public Accounts
19 March 2003
Introduction
This document has been prepared to facilitate discussion between SCOPA and SARS on the Auditor-General’s Audit Report for the financial year 2001/2002.
For ease of reference, the original text of the Auditor-General’s report is included. The SARS’ response is enclosed in a block.
Own Accounts
THE SOUTH AFRICAN REVENUE SERVICE RESPONSE TO THE 2001/2002 FINANCIAL YEAR AUDIT REPORT TO THE STANDING COMMITTEE ON PUBLIC ACCOUNTS (SCOPA)
We have detailed below SARS responses to the matters raised in the Audit Report for the 2001/2002 financial year.
REPORT OF THE AUDITOR-GENERAL TO PARLIAMENT ON THE FINANCIAL STATEMENTS OF THE SOUTH AFRICAN REVENUE SERVICE: OWN ACCOUNTS FOR THE YEAR ENDED 31 MARCH 2002
AUDIT ASSIGNMENT
The financial statements as set out on pages 60 to 72, for the year ended 31 March 2002, have been audited in terms of section 188 of the Constitution of the Republic of South Africa, 1996 (Act No. 108 of 1996), read with sections 3 and 5 of the Auditor-General Act, 1995 (Act No. 12 of 1995) and section 28 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997). These financial statements, the maintenance of effective control measures and compliance with relevant laws and regulations are the responsibility of the accounting officer. My responsibility is to express an opinion on these financial statements, based on the audit.
NATURE AND SCOPE
The audit was conducted in accordance with Statements of South African Auditing Standards. Those standards require that I plan and perform the audit to obtain reasonable assurance that the financial statements are free of material misstatement.
An audit includes:
examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements,
assessing the accounting principles used and significant estimates made by management, and
evaluating the overall financial statements presentation.
Furthermore, an audit includes an examination, on a test basis, of evidence supporting compliance in all material respects with the relevant laws and regulations which came to my attention and are applicable to financial matters.
I believe that the audit provides a reasonable basis for my opinion.
3. AUDIT OPINION
In my opinion, the financial statements fairly present, in all material respects, the financial position of SARS Own Accounts at 31 March 2002 and the results of its operations and cash flows for the year then ended in accordance with generally accepted accounting practice.
4. EMPHASIS OF MATTER
Without qualifying the audit opinion expressed above, attention is drawn to the following matters:
Matters not affecting the financial statements
Weaknesses in internal control
Human Resources
Service bonus back pay/Arrear payments
In the previous financial years audit report, it was reported that there were discrepancies relating to the payments made to SARS employees in respect of the Hay grading system. These payments incorporated both basic salary and service bonus back pay elements.
In line with the SARS Management decision to resolve these discrepancies in two stages, basic salary adjustments were successfully resolved in the year under review. Back pay relating to the service bonus will be attended to in the 2002-2003 financial year. An amount of R50 mil has been provided for this purpose.
|
Basic Salary Back pay
The basic salary back pay issues relating to employees who did not consider arbitration have been resolved (all staff except the arbitration cases were paid). SARS Internal Audit was an integral part of the process to ensure compliance with both internal policies and the provisions of the PFMA.
Service Bonus Back pay
Due to the extended time it took to resolve the basic salary back pay issue, the service bonus will be effected during the 2003/2004 financial year from the funds that have been provided for this purpose.
|
Assets
During the previous financial year, SARS implemented a system to register and control fixed assets. A third party is presently engaged to carry out audits to verify all assets. This exercise should be completed towards the end of September 2002.
At the time of this audit it was found that the asset register was not in all instances updated with the physical movement of assets. One of the main reasons for this is that the current asset policy does not cater for large scale movement of assets, for example those resulting from the transformation activities of SARS. The Commissioner has advised that SARS will put policies in place to address this matter.
|
The audit to verify all assets has been conducted with the assistance of a third party vendor. The results have been analysed and where necessary follow-up actions have been instituted. The SARS policies dealing with the control of assets have been revised. The revised policies have addressed the movement of assets and specifically where mass movement of assets occur as is the case with transformation activities. See below the section of the policy that was amended i.e.
Request for the permanent transfer mass/bulk movement of SARS Assets
|
|
Procedure
|
|
Responsibility |
|
Request for the permanent mass/ bulk transfer/ move of SARS assets. |
|
|
|
Timing – when required |
|
|
|
Whenever a SARS building is to be evacuated due to a decision taken by Exco to move to improved/ better suited premises or due to a strategy plan adopted by Exco, the request should be forwarded at the project initiation stage to Facilities and Service Management, Asset Management. |
|
Project manager |
|
Asset Management will request the project plan of the move and liaise with the project team in order to have the dates on which the mass movement of assets are planned. |
1 |
Asset Management: Head Office |
|
Asset Management will plan and finalise the dates and update the movement plan whenever necessary. |
|
Asset Management: Head Office |
|
Asset Management will consider outsourcing the scan of the assets, if sufficient funds on the budget of the project are available. |
|
Asset Management: Head Office |
|
Asset Management will arrange to have the assets scanned on the date of the move out of the evacuated building as well as upon arrival at the new premises. |
|
Asset Management: Head Office |
|
No forms need to be completed for the above as the information scanned will be downloaded on computer upon the completion of the above exercise. |
|
Asset Management: Head Office |
|
Asset Management will have the data transferred to the asset register upon completion of the scan of the assets at the new premises. |
|
Asset Management: Head Office |
|
Inventory lists will be issued to the project leader who will have to verify it for correctness. |
|
Asset Management: Head Office |
|
A sign-off form will have to be completed by the project manager and returned to Asset Management at Head Office. |
|
Project manager |
Computer Audit
Computer audits on the Human Resource and Salary (HR) and General Ledger (GL) systems were carried out during the year under review and recommendations were in each instance brought to the attention of the Commissioner. At the time of compiling this report the comments of the Commissioner were not due yet, but management indicated that various corrective steps had been taken to address the control weaknesses, of which the effectiveness will be evaluated in due course.
The key findings arising from the audit indicated that although controls were in place in the general control environment, control weaknesses existed in some areas. For example, change control standards and procedures with regard to the HR system and users account management procedures were not completely formally documented. Control over the activities of the database administrators was inadequate to prevent and detect unauthorised access to both systems. Furthermore, the Windows 2000 security parameter settings and the password and logical access controls were not optimally utilised to prevent unauthorised access.
HR System:
Change control standards and procedures with regard to the HR system were not completely formally documented.
|
User requests in respect of the HR System changes and new developments are now recorded using the Applix System Program Change Request Form. The allocated change request number is then utilised to keep track of changes and/or the status of new development, as well as to document those changes. Once the necessary changes and/or new development work has been done by the System Developers and tested by the users, a change request is logged for the Database Administrator to implement those changes. Applix System standards and procedures do exist but internal HR change control standards and procedures must be developed.
|
User account management procedures were not completely formally documented.
|
Human Resources creates and administers their own user accounts without involving the Database Administrators. There is an informal process in place for user account management, but documented standards and procedures need to be enhanced / implemented.
Security standards and procedures are currently being developed for user account management for Mainframe, Microsoft, and OpenVMS platforms.
|
Control over database activities, with specific reference to database administrators, were inadequate to prevent and detect unauthorised access.
|
The HR database is managed in accordance with overall database management standards and procedures.
Security standards and procedures have been developed for the following:
1) Securing of database files and tables
2) Securing of database utilities
The implementation of these standards and procedures will limit the possibility of unauthorised access.
|
Windows 2000 security parameter settings, password and logical access controls were not optimally utilised to prevent unauthorised access.
|
By upgrading the HR system to PeopleSoft version 8, enhanced password control features were implemented. The password is set to expire after 30 days (the number of days can be configured very easily) and the standards for password have been set to enforce password length of at least 6 characters of which at least 2 must be numeric digits. Special characters are allowed and the password is case sensitive. The password may also not be the same as the user ID.
The introduction of the above password complexity will take place once all the domains have been moved over to Windows 2000 due to interoperability problems in applying this across a mix of Windows NT and Windows 2000 domains.
Security parameters and password parameters have been activated. Security standards and procedures are also being documented to that effect. There is however a general lack of sufficient user awareness in implementing improved password standards, which is impeding the process.
|
General Ledger (GL) System:
Change control standards and procedures with regard to the General Ledger (GL) system were not completely formally documented.
|
User account creation and administration is managed via a change control process through Applix. Applix System standards and procedures do exist but internal Finance Business Unit change control standards and procedures must be developed.
|
User account management procedures were not completely formally documented.
|
User account creation and file permissions are created by the DBA’s at the request of the Finance Component via Applix and this provides documented change control. Standards and procedures for user account management by the Finance Component are to be enhanced.
Security standards and procedures are currently being developed for user account management for Mainframe, Microsoft, and OpenVMS platforms.
|
Control over database activities, with specific reference to database administrators, were inadequate to prevent and detect unauthorised access.
|
The Database Administrators' (DBA) involvement entails adding new users and running standard routines on request of the Dynamics administrator. These requests are only accepted via Applix calls and thus provide documented change control. The SQL DBA’s also have to administer the database and thus has System Administrator (SA) access. This is necessary to enable database restores and upgrades. These tasks could possibly be done with an SA equivalent account which would have the same rights but would enable further control in that each DBA's server level actions may be logged and thus limit the possibility of unauthorised access. This option is currently being investigated.
|
Windows 2000 security parameter settings, password and logical access controls were not optimally utilised to prevent unauthorised access.
|
The introduction of password complexity will take place once all the domains have been moved over to Windows 2000 due to interoperability problems in applying this across a mix of Windows NT and Windows 2000 domains.
Security parameters and password parameters have been activated. Security standards and procedures are also being documented to that effect. There is however a general lack of sufficient user awareness in implementing improved password standards, which is impeding the process.
|
Administered Revenue
THE SOUTH AFRICAN REVENUE SERVICE RESPONSE TO THE 2001/2002 FINANCIAL YEAR AUDIT REPORT TO THE STANDING COMMITTEE ON PUBLIC ACCOUNTS (SCOPA)
REPORT OF THE AUDITOR-GENERAL TO PARLIAMENT ON THE FINANCIAL STATEMENTS OF THE SOUTH AFRICAN REVENUE SERVICE: ADMINISTERED REVENUE FOR THE YEAR ENDED 31 MARCH 2002
AUDIT ASSIGNMENT
The financial statements as set out on pages 48 to 56, for the year ended 31 March 2002, have been audited in terms of section 188 of the Constitution of the Republic of South Africa, 1996 (Act No. 108 of 1996), read with sections 3 and 5 of the Auditor-General Act, 1995 (Act No. 12 of 1995) and section 28 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997). These financial statements, the maintenance of effective control measures and compliance with relevant laws and regulations are the responsibility of the accounting officer. My responsibility is to express an opinion on these financial statements, based on the audit.
NATURE AND SCOPE
The audit was conducted in accordance with Statements of South African Auditing Standards. Those standards require that I plan and perform the audit to obtain reasonable assurance that the financial statements are free of material misstatement.
An audit includes:
examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements,
assessing the accounting principles used and significant estimates made by management, and
evaluating the overall financial statement presentation.
Furthermore, an audit includes an examination, on a test basis, of evidence supporting compliance in all material respects with the relevant laws and regulations which came to my attention and are applicable to financial matters.
I believe that the audit provides a reasonable basis for my opinion.
While this report has been aggregated to a level I believe to be appropriate in the annual report of the accounting officer, various other reports that address other aspects of my mandate are made public from time to time. This will continue to be the practice.
3. QUALIFICATION
As a result of certain shortcomings in the internal control system in respect of revenue as set out below, it was not possible to fully satisfy myself with regard to the completeness, validity and accuracy of revenue.
3.1 Assurance process
Tax returns are processed via an automated process based on information supplied by the taxpayer. The accuracy and validity of this process are impacted by inaccuracies in the information supplied. Since many of the qualitative assurance measures aimed at ensuring higher compliance and accuracy within the assessment process were only introduced subsequent to year-end, these could not be evaluated during the year under review.
|
The South African income tax system is a "partial self-assessment system". The very structure and foundation of this system is based on the principle that the taxpayer will make full disclosure of income and expenditure (section 65 and 69 of the Income Tax Act) in the income tax return.
Internationally, there are two principle ways in which the amounts declared by the taxpayer are verified:
The taxpayer may request to provide documentary evidence of both income (eg IRP 5) or expenditure (eg medical aid accounts); and/ or,
The tax administration may, manually or electronically, attempt to verify the information provided by the taxpayer. Currently, electronic links exist with the Deeds office and certain credit bureaus. In addition, manual checks are also undertaken, for example, with the car registration system, NATIS.
In addition, SARS does use and will continue to expand the use of, a variety of other commercially available databases.
Because of the (partially) voluntary nature of the disclosure process, the tax administration is required to take a number of initiatives in both the external environment and internal environment to enhance compliance.
The following is an outline of what SARS has and will be doing in this regard:
Education of taxpayers:
Out-reach programmes are being conducted at a branch level where the basic educational needs of taxpayers are addressed.
Annually, prior to the mass issuing of Income tax returns the complexity and user friendliness of returns are revisited to ensure wider acceptance and ease of compliance.
Several media campaigns are conducted annually during specific times of the year to highlight submission dates, the availability of assistance in completion of returns, information and guidance regarding payment dates such as dictated by e.g. provisional tax policy.
Stakeholders are also engaged and consulted regarding issues such as extension dates, proposed legislative changes and the lowering of the cost of compliance e.g. revised VAT registration application for voluntary and compulsory registration.
Quality Assessment:
Tax returns are scrutinised with greater attention and claims made by taxpayers verified and confirmed. The following initiatives have been implemented:
Capacity and skills are ensured with more extensive training and broader assessment exposure.
The decisive break from Face value assessment to quality assessment in the assessment process.
Quality assurance samples have been increased with consistent feedback loops and exposure to root causes regarding the errors.
Manage poor or under achievement by means of Performance management system.
Creation of a compliance climate:
All corporate tax returns are risk profiled by an automated risk profiling and analysis system. Individuals, PAYE and VAT returns are subject to manual risk profiling, with automated systems being introduced over the next 18 months. However, random selection of cases and specific attention to cases in suspension ensure a wider coverage of more than just high risk cases.
Baseline level of voluntary compliance is being established and will be measured annually to determine whether SARS strategies and interventions have impacted on levels of compliance.
All refunds are also subjected to risk profiling and are audited accordingly.
Specific activities are also undertaken such as the auditing of specific high risk categories of taxpayers to ensure compliance as well as industry focussed campaigns and revenue activations programs.
In addition to this, the acquisition and application of the Geographic Interface System (GIS) to assist SARS with the identification of high value properties and high economic growth areas will broaden the tax base and increase compliance.
Lastly, cooperation between Enforcement and external services such as SAPS and National Prosecuting Authority is pursued.
Transformation:
The following is part of the transformation plans of SARS and will be implemented over the next few years:
Intelligent 3rd party interfaces between SARS and the following external systems:
Financial Institutions (Banks and Insurance industries)
Natis (Vehicle detail)
Registrar of Companies
Medical aids
Internally the SARS systems should become integrated between the various core tax systems such as between Income Tax, Employers register (PAYE) and VAT.
A single view of the client has become imperative irrespective the various tax products he may subscribe to.
The establishment of a dedicated, skilled and representative work force that accepts the challenges of becoming a world class revenue administration
The inherent risks attached to the transformation of the organisation from a manual and mechanical process to an automated system, are thus far more complex and comprehensive than initially anticipated.
In spite of this SARS has succeeded in establishing control mechanisms, albeit manual in many respects, to ensure that the risks are minimised.
|
The major control ensuring that pay-as-you-earn (PAYE) deducted by employers is fully disclosed to, and received by, SARS is a performance of reconciliations of the IRP501 forms. Not all reconciliations had been performed for the year under review, however, steps had been taken to correct this.
|
Checking of reconciliations
Considerable progress has been made in the reconciliation of the IRP 501s. There was a backlog due to staff shortages and inadequate processes.
However, there is significantly better control over this process now. Because of a special focus on reconciliation , the backlogs have been substantially reduced ( See table below)
The following table highlights the relevant information for 2000, 2001 and 2002:
Table of reconciliations finalised
|
|
|
|
|
|
|
|
|
|
|
|
Year |
Issued |
Received |
Outstanding |
Finalised |
% of issued |
% of received |
|
|
2000 |
221,843 |
185,313 |
36,530 |
168.511 |
76 |
91 |
|
|
2001 |
220,690 |
174,629 |
46,061 |
149,052 |
68 |
85 |
|
|
2002 |
221,325 |
161,519 |
59,806 |
120,010 |
54 |
74 |
|
|
The new processes introduced through the Siyakha program has also assured that this problem does not recur. In addition, facilitating electronic submission of reconciliations is also well advanced.
|
|
Account Maintenance is being segmented and specialist pipelines have been created in the newly restructured Centres, as well as the War Rooms. Taxpayer Service structures have been created whilst non-core work such as the capturing of provisional tax has been removed from the Account Maintenance function. This means that not only are the manual recons (backlogs) for the previous cycle being addressed with vigour by focused staff, but the present work is being addressed by additional staff segmented to solve the problem.
The automated system for the processing of reconciliations has also been finalised. Manuals have been compiled and training at a branch office has commenced as a pilot. The system is being tested by means of ‘real’ or live cases whilst most of the identified problems are being resolved. The intention is to implement the system in the Johannesburg and Pretoria branch offices where the impact will be the greatest in respect of volume and value.
In an effort to increase the value of reconciliations dealt with as opposed to the volume, a campaign has also been launched to deal with electronically submitted tax certificates. In this regard, the number of employers registered for this method of submission for 2002 amounts to only 24,477 or 11% of the total number of employers on register whereas they collect almost R60 billion or 71% of the R84 billion collected on employees tax.
At present, the employees’ tax reflected on the total IRP5 certificates issued by 13,564 employers, are being checked and balanced with the payments made during the year of assessment. This amounts to 55% of the 24,477 employers. The balance of the 10,913 reconciliations namely 1,736 not dealt with, are still outstanding. Whist queries have and are being raised on numerous cases, the campaign will remain of high priority.
|
Automated processing system
Furthermore, I experienced difficulty in verifying the SARS audit process due to the lack of appropriate working papers.
|
Quality Review and Audit Working Papers
In the past, it was regarded as impractical to keep working papers on all desk audits, particularly those that related to salaried employees. We regard the existence and safekeeping of records as essential, and have made substantial progress in ensuring that sufficient recordkeeping requirements are implemented and met. With new provisions contained in the Administrative Justice Act additional concerted efforts are underway to ensure that our recordkeeping obligation is met. New processes have been developed for implementation on 1 April 2003, which prescribe specific deliverables for each step in the audit process. A formal quality review process, supported by a newly created office inspection capacity in the Compliance Division, has been introduced to ensure that SARS audit policies and procedures are fully implemented and standardised throughout the country
A formal quality review process has been introduced to ensure that SARS audit policies and strategies are fully implemented and standardised throughout the country. One of the main added advantages of quality review standards is that it assists in identifying training needs. The full impact of the implementation of total quality is estimated to take about 3 years. SARS has already developed some tools to assist the quality review process, which currently accounts for about 25% of the total plan. One of these tools is the toolbox referred to below.
|
3.2 Tax administration
SARS is charged with the administration and collection of taxation and is directed by a considerable volume of complex legislation. Not only is SARS required to achieve its mandate within the ambit of this legislation, but it should also enforce those measures necessary to ensure that taxpayers comply with tax legislation, whether voluntarily or otherwise. Certain inconsistencies in complying with income tax legislation have been identified. It is not possible to quantify the financial effect of the non-compliance due to the diversity thereof as well as a lack of information.
|
We are confident that substantial progress is being made in delivering on our mandate of efficient, effective and the widest possible enforcement of the legislation administered by SARS. The development of the Comprehensive Compliance Model and the alignment of the organisation’s strategies and processes in line with this model has been undertaken specifically to ensure that this tax and customs administration fulfils its mandate optimally.
The Comprehensive Compliance Model is a result of intensive research internationally and in SA. It is premised on the principle that the taxpayer behaviour determines tax administration’s response. It is also premised on the principle of "proportionality" - that is, the type of action taken and the extent of the enforcement implemented must be in direct proportion to the level of honesty/ dishonesty or compliance / lack of compliance of taxpayers.
The Compliance Behavioural Model
In addition to the above, SARS is in the process of analysing the tax gap in SA. This will enable SARS to target or focus its compliance efforts better.
In this regard, the Enforcement strategy is premised on principles including optimal coverage of the entire SA geographical area and economic sectors, and that the SARS response to a particular taxpayer is informed by the behaviour displayed by that particular taxpayer.
In order to address potential inconsistencies, we have implemented a number of measures aimed at ensuring consistency and standardisation. These include concentration of numerous functions in the newly rolled out Enforcement Centres, where the appointment of audit specialists and the concept of teaming have contributed greatly to ensuring consistency in our approach. In addition, we have developed standardised processes with specific deliverables for each step in a process. A further advance has been the introduction of a Knowledge Manager for the Compliance Division, and extended use and application of the Toolbox and other knowledge management and optimisation tools. A divisional newsletter is now also communicated to all offices on a weekly basis, in which best practice and concerns from offices are shared. These measures are enhanced by the newly created office inspection capacity in the Compliance Division.
Training
SARS, in partnership with the Association of Certified Chartered Accountants (ACCA), has piloted the SARS/ACCA learnership. The overall developmental goal of this learnership is to ensure that SARS’ Taxation Auditors obtain a relevant auditing and finance related qualification. Learners registered to date include an initial number of 128 SARS taxation auditors from various offices countrywide. The remaining offices will be included as Siyakha rolls out. Tuition officially commenced on 02 April 2002.
Other training initiatives include road shows on topics such as Transfer Pricing and Estate Duty, courses on legislative amendments, external courses as presented by experts and staff attending seminars.
Audit Specialists and Teaming
Audit specialists are being appointed throughout the country in tandem with the Siyakha rollout. In KZN, where specialists have already been appointed, SARS has experienced an increase in the level of professionalism in audits conducted, a significant improvement in on-the-job training and skills transfer. The quality of correspondence and the review process has also improved significantly.
The teaming concept which has been adopted, has resulted in persons with special skills in specific areas being used to deal with their areas of expertise, while other team members are afforded the on-the-job opportunity to see them apply their skills and thereby either learn from them or become sensitised as to when to involve and engage them.
The Toolbox
The toolbox has been piloted in 2002/2003 in some test office sites. The toolbox is a standardised technical aid for auditors which covers audit, criminal investigations and collections across all tax types, and includes inter alia, certain legal information, extracts from manuals and case studies. It also serves as a valuable training aid.
|
3.3 Supporting documentation
The availability of tax records and source documentation was once again problematic at various branch offices, as selected documents or tax records included in the audit samples were not made available in time or at all. SARS has indicated that one of the reasons would be that many of these documents are used in various interactions with the relevant taxpayer and in functions that are performed.
|
SARS deals with a vast number of files, and has implemented numerous control measures to facilitate and control the movement of files. It is envisaged that the implementation of the Electronic Document Management System will greatly enhance our ability to manage the availability of documentation, and will enhance document availability as multiple sources could ultimately access a document simultaneously. In the interim, the new standardised processes that were developed for the Compliance Division will cater for specific deliverables for each step in a process, which will now include aspects of document management, and which are enhanced by the existence of the newly created office inspection capacity in the Compliance Division.
|
3.4 Penalties and interest on customs and excise duties
At various customs and excise offices, penalties and interest charged on certain outstanding duties have been calculated incorrectly or not at all.
|
Penalty guidelines has been distributed to the offices to ensure that there is uniformity in the manner in which penalties are calculated for similar offences and similar circumstances. Controllers are however, allowed a measure of discretion on this matter, and as no circumstances are likely to be exactly the same differences may be encountered in the manner that offices deal with this matter. Penalty review committees have been set up in the larger offices and where there is disagreement with the client the matter is heard by an Appeals Committee at head office level. The Commissioner and the controllers as his representatives also have a discretion to remit the interest charged in terms of the Act. However, a customs course has also been introduced in order to ensure that officers are sufficiently familiar with the provisions of the law in charging penalties and calculating interest on outstanding debt.
|
4. QUALIFIED AUDIT OPINION
In my opinion, except for the effect on the financial statements of the matters referred to in paragraph 3, the financial statements fairly present, in all material respects, the financial position of SARS Administered Revenue at 31 March 2002 and the results of its operations and cash flows for the year then ended in accordance with prescribed accounting practice.
5. EMPHASIS OF MATTER
Without further qualifying the audit opinion expressed above, attention is drawn to the following matters:
Matter affecting the financial statements
Operational receivables and payables
The financial statements were prepared on the cash basis of accounting. In terms of section 91(1)(b) of the PFMA, the Minister of Finance prescribed the standards of generally recognised accounting practice (GRAP), as set by the National Treasury, for the annual financial statements of SARS.
In terms of the requirements of GRAP as promulgated on 30 October 2001, the annual financial statements must, by means of figures and a descriptive report, explain any other matter and information material to the affairs of the public entity. While the operational receivables and payables of SARS are regarded as material, outstanding balances were not disclosed in the annual financial statements due to various structural limitations. The information on collection and debt management presented on pages 20 to 31 of the annual report is presented as additional information and was not audited and no opinion is expressed thereon.
|
The request for utilising the cash base of accounting is as a result of the legacy of separate core tax systems and various structural limitations experienced - as correctly indicated by the AG.
The difficulty in quantifying debtors and creditors was one of the primary reasons for applying for exemption form GAAP.
Omission of the operational receivables and payables from the financial statements is in accordance with the decision of the Minister of Finance to allow SARS to comply with GRAP.
The requirement for a descriptive report relates to the notes to the Annual Financial statements, not quantifying debtors and creditors.
SARS has prepared its 2002 Annual Financial Statements in respect of Administered Revenue in accordance with the GRAP principles as outlined in Government Gazette Number 22797, dated 30 October 2001.
SAP has been chosen as the product of choice for the implementation of the Financial Information Management System (FIMS). The planning and scoping of the project is expected to be finalised in mid-March 2003. Specific deliverables from the scoping exercise include:
Identification of work streams
Appointment of an implementation partner
The compilation of a formal agreement embodying specific milestones
Timelines and budgets
An integral part of the first phase of FIMS is the improvement of current banking and receipting systems within the area of direct collections (i.e. payments at banks). This is a payment facility whereby a taxpayer can pay any of the SARS administered taxes eg, Income Tax, Pay As You Earn (PAYE), Value Added Tax (VAT), etc. at any branch of First National Bank. Pivotal to this is the current strategy of moving towards a complete electronic payment mechanism, the replacement of SARS Payfin system, the elimination/reduction of cash handling at branch office level, and the resolution of State Miscellaneous Revenue (SMR) transactions. This will assist in reducing reporting lead times, the need for adjustments, and the achievement of accrual accounting. Where payments received could not be allocated to a taxpayer’s record on the core tax systems because of insufficient information accompanying the payment, it is allocated to SMR while the payment is followed up manually in order to obtain the relevant information from the taxpayer to facilitate the proper allocation of the payment to the correct tax type and period.
The next phase of the SAP implementation is the most important step in the migration to accrual accounting. Two specific work streams are planned for the 2003/4 financial year, viz:
The consolidation of the receipting platform and the streamlining of the current reconciliation process of collections.
A concurrent process of data clean-up and the programming or building of financial reporting (trial balance) functionality in the core tax legacy systems.
In terms of section 55(1)(b) of the Public Finance Management Act (PFMA), SARS is required to prepare the Annual Financial Statements on the accrual basis of accounting. Given the current limitation within the core tax systems and migration to FIMS, it is doubtful whether SARS will be able to immediately achieve monthly accrual accounting for management reporting to National Treasury from 1 April 2003.
A request is in the process of being submitted to National Treasury and the Accounting Standards Board for relief from the amended provisions of the PFMA. In terms of paragraph 26.1 of the Treasury Regulations, SARS is obliged to report on a quarterly basis to National Treasury on actual revenue and expenditure after taking into account accruals. Although this provision is effective from April 2002, SARS is permitted to account according to the cash basis until 31 March 2003. This means that SARS’ first submission is due within 30 days after 30 June 2003.
The preparation of the Annual Financial Statements on the accrual basis of accounting is still on course for 31 March 2004. Achievement of this deadline is obviously dependant on FIMS and the consolidation of the receipting platform.
|
Matters not affecting the financial statements
Tax evasion
Attention is drawn to note 1.4 of the accounting policy, where SARS acknowledges that incidences of tax evasion and other breaches of taxation laws affect their fiduciary responsibilities. This report does not include a review of measures put in place by SARS to address this matter.
|
Every country has a tax gap that is very difficult to quantify. SARS has developed various initiatives and revenue activation strategies to address the tax gap.
Specific industries are being identified for enforcement action and form an integral part of the business plan for enforcement for the 2003/2004 financial year.
An integral part of closing the gap is to focus on high risk areas and to perform risk profiling. The following progress has been made on risk profiling:
SARS has undertaken a comprehensive study to obtain a greater understanding of the tax gap. In this regard, particular attention was paid to the manner in which the gap manifests itself, the areas of risk posed in respect of the respective taxes administered by SARS and the prevalence of tax evasion in various industries. Based on the extensive research done, activation strategies have been developed in respect of each of the manner in which non-compliance manifests itself. In addition to the work already done, a new initiative is underway to establish a baseline for the current level of voluntary compliance, with the intention of measuring the impact of SARS strategies and interventions on levels of voluntary compliance on an annual basis. Specific industries and manifestations of non-compliance will again be targeted during 2003 / 04.
Manual risk profiling
Manual risk profiling for all tax types has been implemented in the main Compliance centres. Where smaller offices exist, Siyakha 2 provides that their risk profiling needs will be catered for by the larger offices. Some centres had established risk profiling teams more than a year before the introduction of Siyakha in their region.
The use of manual risk profiling still centres mainly on high volume work such as refunds. The percentage of cases audited with a positive result in terms of additional assessments raised increased from an average of 34% for 2001/2002 to 46% for the first nine months of 2002/2003.
Additional assessments of R11.3 billion for the first nine months of the 2002/2003 financial year already exceed the total result of R10.3 billion for the 2001/2002 year. This result is impacted upon positively by SARS risk based approach.
While there is currently a strong emphasis on the audit of VAT refunds, this will change when a special application of SARAP (SARS Automated Risk Analysis Program) has been developed as a "plug in" to be attached to the core VAT system. When this comes on stream in mid 2003/2004, it is anticipated that the load on the manual risk profilers and refund auditors will be significantly reduced, thus freeing them for compliance functions in areas other than VAT refunds. Risk profiling is now a strong and significant component of the Compliance centres.
Automated - SARAP (SARS Automated Risk Analysis Program)
Enhancements to the SARAP system for Corporate Income Tax have been effected during the 2002/2003 year. There are currently approximately 490,000 corporate risk profiles on record. These profiles provide more information than was in existence at the end of 2001/2002 as a result of program enhancements developed during the year. These profiles are being used, as required, by the Risk Profiling teams in the larger offices all over the country. In addition in order to facilitate the selection of taxpayers for audit, the system has highlighted shortcomings in the quality of data within the SARS core tax systems, and as a result, initiatives were put in place to address these.
The development of the system for use within the VAT environment has progressed. A decision has been made to generate two types of Risk profiles, viz. one for analyzing returns and the other for analyzing the Vendor entities. The return element (which is elapsed-time sensitive) is being dealt with as a separate project and will result in a ‘plug-in’ program being developed for inclusion in the VAT core system. The Vendor element will run separately and analyze all relevant vendor data available to SARS within SARS database. The VAT return plug-in should be in place and operational by the end of August 2003 and the Vendor element should be operational by the end of November 2003.
The development of the Individual Income Tax and PAYE applications will commence later in 2003. It is anticipated that these applications will be operational during the 2003/2004 financial year. The Customs modules are in development and certain elements will be in use before the end of the 2002/2003 financial year. The Compliance department is sharing learning experiences to facilitate such Customs projects.
In Kwazulu Natal research has been undertaken to understand the underlying activities within the region and to quantify the tax gap in monetary terms. The major economic centres of the province were identified and allocated to members of the risk profiling team in order to perform an initial assessment of the centres detailing their economic profiles, the leading sectors in the economy, demographic data and to identify suitable candidates for SARS’s further scrutiny and audit action.
An early evaluation of SARS’s efforts has indicated that the level of compliance is low and that the economy is fragile with unemployment levels as high as 40%. This will inform the application of an appropriate audit strategy.
|
Sureties
Guarantees and bonds are issued by financial institutions in favour of SARS for customs and excise duties payable. For some duties, the value of the bond to be held is prescribed. For other duties, the value of the bond has been determined based on operational needs and current or historic policies of SARS. For example, current SARS policy does not require surety in respect of the deferment of VAT. Sureties are not disclosed in the notes to the financial statements. Due to the material amounts involved, SARS should holistically address the need for sureties as part of an overall credit risk management strategy.
|
SARS supports the principle that sureties should be addressed holistically as part of an overall credit risk management strategy. In this regard, the responsibility for credit management for the entire organisation was recently allocated to the Compliance Division, and now incorporates Customs risks. In the coming year greater emphasis will be placed on implementing a standardised approach in respect of sureties, with specific focus on requesting surety from VAT vendors who pose risks to the organisation, and on deferments in respect of customs clients.
Since July 2002, all the required security bonds on new and increased deferments have been moved up to 100% of the monthly deferment amount.
|
Weaknesses in internal control – Bank reconciliation
SARS has made significant progress in implementing proper reconciliation processes. In order to ensure that full benefit is derived from the reconciliation process, reconciling items should be cleared in a more timely manner. Some of the reconciling amounts on the bank reconciliation have been outstanding since 1998. One of the risks associated with long outstanding items is that funds could be misappropriated and the misappropriation might not be detected or corrected in time, negating the purpose of the bank reconciliation.
|
The issue of bank reconciliation is predominantly due to timing differences and inadequate information supplied by the importers.
As the AG points out, very good progress has been made in resolving a substantial part of the outstanding reconciliations.
However, despite all the efforts of the SARS in resolving these issues, SARS has been hindered in their efforts as most of the payments are of a once-off nature and payers are mostly non-residents.
A clear plan has been formulated to credit these amounts to the income statement.
Clear procedures have also been put in place to ensure that bank reconciliations occur timeously and correctly.
Furthermore, in order to add in minimising the risk as identified by the AG, one-on-one training and workshops are initiated and conducted by the Revenue Accounting department of SARS. This is an ongoing process and also contributes to facilitate stability and succession within the relevant branch offices.
|
Computer audit
Computer audits were completed during the period September 2001 to February 2002 and recommendations were in each instance brought to the attention of the commissioner. In his comments, the commissioner referred to various corrective steps, the effectiveness of which will be evaluated in due course.
(i) General controls
The key findings arising from the follow-up audit of general controls within the Value Added Tax (VAT), Pay-As-You-Earn (PAYE) and Income Tax Systems (ITS) indicated that although some controls were in place, adequate general control measures had not been implemented in the computer environment as a whole.
|
In order to be specific and to address the above-mentioned concern, responses are provided on the following weaknesses, identified in the 2001 Report of the Office of the Auditor-General:
|
Program changes are not reflected in program documentation after every program change.
|
Program changes relating to major enhancements are documented and the program documentation also gets updated when maintenance is done on these enhancements. The Rational Unified Process (RUP) is currently the standard methodology for all new application development, therefore all future program changes to new applications will be done by making use of RUP, which will enforce program documentation.
|
No standards and procedures exist in respect of user documentation/instructions:
|
Documentation applicable to users and systems is available on the SARS Intranet under http://sarsintranet/processing. Information can be obtained in respect of forms, media (e.g. notices) and manuals are accessible to application users. A formal process needs, however, to be implemented to ensure that all documentation is available and properly maintained.
|
No formally approved, standardised change control standards and procedures existed for VAT, PAYE or ITS.
|
Program changes on the core tax systems (VAT, PAYE, ITS etc.) follow a formalised process. Requests for changes, fixes, and amendments are recorded on two System Development Life Cycle (SDLC) applications used in SARS (ITS uses the Program Trouble Report (PTR) Application and VAT/PAYE uses the System Change Control (SCC) Application). Within these SDLC applications, control mechanisms exist as the request progresses from initial inception through to migration and production. Steps within the cycle include prioritisation, requirements specification, quality assurance, user test etc. Proper version control is also applied throughout. Although different methods are applied within the two applications, the migration process is stringently controlled. SARS is in the process of implementing RUP (Rational Unified Process) which will eventually replace all the current SDLC applications.
|
On the NATURAL security server it was not possible to generate a report for VAT and PAYE to indicate when user ID’s had last been used. – Procedures should be implemented to ensure that the system management section is promptly notified of staff members leaving the employment of SARS, to enable this section to remove an employee’s logon ID and password timeously.
|
Since December 2001, NATURAL security has been replaced with the Resource Access Control Facility (RACF). Information relating to inactive user ID’s is now being tracked. The problem has therefore being addressed and is resolved.
The process for removing inactive user-ID’s and user-ID’s of persons not employed anymore have been documented in the newly developed standards and procedures, namely:
OS/390 User Identification
Normal Termination of Service
Abnormal Termination of Service
Registration of new users
The management (creation, modification and removal) and control of user security profiles, which includes access rights (i.e. read, write, delete and modification) of users, are clearly specified in the newly developed SARS Security Policies, Standards and Procedures. The SARS Security Policies, Standards and Procedures prescribes that voluntary and/or involuntary termination of service must immediately be registered at the SARS Call Centre, who will submit it to the applicable Information Security Administrator to ensure that electronic access to computer systems are terminated on the stipulated date. Those calls are handled as A-priority, which are also escalated to the Information Security Manager, if such calls are not signed-off within the applicable timeframe.
|
The logon recorded default was set to "Y". When a user logged on to a library, a logon record was therefore written by NATURAL Security to provide an audit trail for VAT, PAYE and ITS. However, these logs were not generated and reviewed to ensure that:
No unauthorized users could gain access to NATURAL libraries.
Users would not log onto a library to which they had not been allowed access.
Password and user identification were not misused.
|
NATURAL security has been replaced by RACF, which generate reports that are routinely scrutinised by Administrators.
|
On NATURAL security the VAT and PAYE programmers still had update access to various production libraries.
|
On NATURAL security the VAT and PAYE programmers never had "UPDATE" access, but the standby programmers are given "READ" access to production libraries.
|
Audit trails in respect of VAT, PAYE and ITS
|
The following audit trails were built into the following applications:
Audit trails for ITS:
On all auditable functions, before and after images are taken.
The following audit information are stored in respect of online transactions:
User ID
Program Name
Program ID
Date
Time.
Daily and monthly batch jobs do not carry separate audit trails. Transactions (certain functions) however, build up a history, which is recorded.
Audit trail for VAT and PAYE:
a. Histogram files are created for each transaction, whether it is online transactions or batch jobs. "Before"- and "after" images are created. The following audit information are stored for online transactions as an audit stamp:
- User ID.
- Program ID.
- Date.
- Time
b. The following audit information are stored for batch (daily and monthly) jobs as an audit stamp:
User ID
Program Name
Program ID
Date
Time.
|
(ii) Application controls
The key finding arising from the follow-up audits of application controls within the Customs Automated Processing of Entries, Deferment and Passenger Systems indicated that some progress had been made in addressing the weaknesses identified during the previous audits. However, some additional weaknesses were also identified during the follow-up computer audits.
|
The Electronic Release System (ERS) computerised system provides for codes to indicate the release status of containers. In the case of "Release of detained/stopped goods" status, the Releasing Office must on issuing the relevant DA74, update the ERS system to indicate that the hold status has been cancelled and that the specific container can therefore be released. If this action is not done by the Releasing Officer, there will be a discrepancy between the release status as recorded in the ERS and the actual containers in the depot, as the container would have been released on the strength of the issued DA74.
Business controls have been implemented to resolve this oversight.
|
