JECT: AUDIT REPORT FOR THE PERIOD APRIL 2002 TO 31 MARCH 2003
Reference: 0203AUDC04
The role of the RAF Internal Audit department is to provide employees, management and the board with an objective assurance that the risk management, control and governance processes are adequate and operate effectively to ensure the achievement of the objectives and goals of the Fund.
Scope
Internal audit is required in terms of the Public Finance Management Act, 1999, and its Treasury Regulations, to report to the Audit Committee of the Board. In accordance with the Internal Audit Charter as well as IIA standards the department reports functionally to the Audit Committee and administratively to the Chief Executive Officer. This report is intended to communicate the following:
Internal audit should report to the Audit Committee on a quarterly basis. The Internal Audit report for the quarter periods ended June 2002 and September 2002, was only tabled at the Audit Committee meeting held during October 2002. This report therefore, relates to the third and fourth quarters in the 2002/2003 financial periods, while it also serves as the annual internal audit report to the Audit Committee.
Audit Committee Terms Of Reference And The Internal Audit Charter
The Audit Committee adopted the draft Terms of Reference as well as the Internal Audit Charter at the Audit Committee meeting held on 29 July 2002. The documents were submitted to the Board for ratification, at the full Board meeting, held during September 2002.
According to the minutes of the meeting of the Board, the Board has approved both the Audit Committee’s Terms of Reference, as well as the Internal Audit Charter.
Corporate Governance is one of the Strategic Objectives of the organization. Corporate Governance can be defined, in the context of the RAF environment, as an approach to governance of the Fund that seeks to ensure safeguarding of public monies entrusted to its administration, the alignment of the interests of its various stakeholders, viz., the road accident victims, claimants, RAF Board, RAF Management, RAF staff, government, service providers to RAF as well as to the accident victims.
The RAF Board exists in terms of the Road Accident Fund Act, 1996. The Board has, in addition to the Audit Committee, several other Sub-Committees, namely:
It is strongly recommended that Terms of Reference for each of the Board Committees should be documented and formalized. The terms of reference should, at least, cover the following:
The membership of the Audit Committee has, in compliance with both King II and the PFMA Treasury Regulations, been beefed-up with three members who have financial skills including two qualified Chartered Accountants (CA’s).
RAF Management has adopted a draft Code of Conduct in July 2002. The code has been communicated to all the levels of employment.
Fraud Policy
The Fraud policy remains outdated, in that this policy assigns the responsibility for fraud investigations to the Internal Audit Department while Forensics Investigations became as stand alone department during 2001/2002 financial period. The policy therefore needs to be updated with these changes.
Newly recruited employees are now issued a copy of the policy and they are required to sign it.
Fraud Prevention Plan
In addition, the fund has not finalized a fraud prevention plan to date, as requested in terms of PFMA and Treasury Regulations.
THE PUBLIC FINANCE MANAGEMENT ACT, 1999
RAF ACT
Not all formalised
RAF BOARD
RAF BOARD
COMMITTEES
CHIEF EXECUTIVE OFFICER
EXECUTIVE MANAGEMENT
outstanding
OPERATIONAL MANAGEMENT
(SENIOR & MIDDLE MANAGEMENT)
SUPERVISORY LEVEL / SENIOR OFFICERS / OFFICERS / ADMINISTRATIVE STAFF
Compliance with the King II Code of Corporate Governance requires continuous assessment and testing for compliance therewith. Internal Audit’s strategy is to build this into the detailed audit steps of the various audit projects.
In addition, internal audit has prepared a questionnaire as a self-assessment tool on compliance with the code.
A key area of non-compliance with the code, which is also a requirement in terms of the PFMA Treasury Regulations, has been in the delay during the current financial period in conducting a strategic risk management / assessment workshop that would serve to kick-start the full implementation of the risk management process at department level and therefore throughout the organization.
The Minister of Finance has amended the Treasury Regulations issued in terms of the PFMA, as per Government Gazette No. 23463 dated 25 May 2002.
Internal Audit has used a questionnaire (originally prepared by SCOPA), and incorporating the changes to the Treasury Regulations, to assess the RAF’s progress in complying with the PFMA and the amended Treasury Regulations. The questionnaire is attached as Annexure B.
In addition, internal audit covers compliance with the PFMA in its various audit projects, and reports accordingly.
"Risk management can be defined as the identification and evaluation of actual and potential risk areas as they pertain to the (organization) as a total entity, followed by a process of either termination, transfer, acceptance, … or mitigation of each risk." King II Report, 2002
Legislative Requirements (PFMA and Treasury Regulations)
King II Report on Corporate Governance - Recommendations
Definitions of Risk and Risk Management
Defining the Risk Governance Structure and the Responsibility for Risk Management
The Risk Management Framework and Methodology
The Risk Management Process
Risk Management Strategies
Internal Control Framework
Control Self Assessments
Risk Threshold Levels / Acceptable Risk
Common Risk Language
The Executive Management of the Fund, together with the RAF Board, are required to make a decision on the Risk Threshold Levels / Acceptable Risk.
This is the level of risk exposure that in the opinion of Executive Management and the Board is considered acceptable. Any residual risk exposure in excess of these predetermined material levels should be reported to the Board, as well as the Management thereof.
Management at all levels, was requested to identify five (5) key risk areas that the organization is exposed to, and five (5) key risk areas that are inherent in their respective departments, and the measures that in their opinion have been or should be implemented to mitigate these risks.
The various responses have been summarized into one document and a "gap analysis" of associated internal controls was conducted.
Internal Audit recommended that the Board identify a minimum of five (5) and a maximum of ten (10) major risk areas which in their opinion, the RAF is exposed, as well as its opinion as to what extent these risks are being managed or controlled.
The then Acting CIO (June 2002 to December 2002), Mr Malefane Molibeli obtained the approval of the CEO for the appointment of the KPMG IT Risk Management Consultants. The scope of this project was to assist with the IT Risk Assessment. This project commenced during October 2002, and the expected completion date was February 2003. There have been numerous delays in this project due to a number of events that impacted on the progress of the project.
Also, during the execution of this project, the National Intelligence Agency (NIA) advised Management, that IT Security Assessments should ideally have been conducted by the Agency. This was duly reported to the consultants and it was agreed that they would only continue with the IT Risk Assessment and would not cover the IT Security component. Draft reports on the work done to date have been issued to the current Acting CIO, Mr Theo Molamu.
An ICT Risk Assessment is currently being conducted with the assistance of KPMG IT Risk Assurance Consultants.
A strategic risks workshop to conduct a formal risk assessment as required in the PFMA Treasury Regulations initially planned for 3rd December 2002, and subsequently re-scheduled for the 2nd April 2003, did not take place.
Internal Audit had negotiated with the KPMG Risk Consultants to facilitate this workshop, and this was approved by the CEO.
Risk Management workshops / training sessions will be held with the various departments of the organization upon the Board’s approval of the risk management policy and procedures.
It had been envisaged that these would take place in the last quarter of the current financial period 2002/2003. The Risk Management policy however, has not been approved.
The Audit Committee is required to review the effectiveness of the systems of internal controls as implemented by Management, and report thereon to the RAF Board. Internal controls provide reasonable, not absolute assurance, that risk areas are properly managed.
All weaknesses in internal control systems that are identified during the performance of audits are reported in the individual audit reports issued to responsible management. It is only audit findings considered significant and material in nature that are reported to the Audit Committee and these have been summarized in the "Summary of Significant Audit Findings".
Further, the planned implementation of the Risk Management process should reveal and confirm areas of weaknesses requiring management’s urgent attention.
Internal Audit is planning as part of the implementation strategy of the Risk Management process, the introduction of "Control Self Assessments". Management should use Control Self Assessments as tools to enable continuous risk assessment and measurement, in their respective areas of responsibility.
The Summary of audit findings that are considered to be significant ongoing concerns is attached as Annexure A. These are audit findings:
Ideally, these should also have been discussed with the Chief Executive Officer, before the meeting of the Audit Committee in order to ensure that findings reported upon have been brought to his attention. However, the CEO has not been available for an extended period of time.
An Executive Summary of these findings follows in 3.2 (a) below.
3.2 (a) Executive Summary of Significant Audit findings
The significant weaknesses mentioned below, remain to be of audit concern. In some instances, as will be reflected in the detailed audit findings as per Annexure A, Management will have given comments as to how they intend addressing this issues. There are various instances where there is little or no evidence that agreed upon action plans have actually been implemented in full.
Finding 1: Raf Strategic Plan
The RAF’s Corporate/Strategic Plan for the new financial year 2003/2004, either has not been reviewed and updated, or the updated plan has not been communicated to Management. As a result, departmental business plans and the 2003/2004 budget may not be aligned to the overall business plan. Lack of strategic plan and therefore direction for the organization, has exposed the Fund to the risk of continuing with operations which have little or no impact on the sustainability of the organization.
Finding 2: Organizational Structure
The CEO may not be able to focus on the direct responsibilities of his office as he occupies two other Executive positions as Claims Executive and Chief Financial Officer. This may result in inappropriate or incorrect decisions, and/or failure to design and implement adequate, effective and efficient systems of internal controls, due to time constraints.
Finding 3: Departmental Areas of Responsibility
There are instances where areas of responsibilities have not been properly defined and documented. Human and Financial Resources may not be utilized economically and efficiently due to overlap of functions or duplication of work.
Finding 4: ICT Management – Inadequate Segregation of duties
There is inadequate segregation of duties between the Procurement function and ICT Management in that the two departments are headed by one official. The manager is able to initiate, authorize, and process ICT expenditure and also evaluate tenders. The Information Communications Technology Department is one of the departments that has high budgeted procurement expenditure compared to other support departments
Finding 5: Delegation of Authority / Powers
Authority levels have not been delegated to levels below Executive Management. There is no transparent and efficient system in operation over the process to award mandates in the Claims environment. Senior Management in the Claims Departments have unlimited mandates to settle claims. There is no evidence of monitoring controls in place.
Finding 6: Conflict of Interest
The Executive Forensics Committee appointed as Senior Manager Forensics, Mr D Beea, who is founding member of, and at that time of his appointment the CEO of one of the companies that forensics investigation have been outsourced to (Ikanyeng). Mr Beea was suspended during this financial period for alleged irregularities. He was found not guilty at a disciplinary hearing.
Finding 7: ICT Management – New Salaries Application System
The implementation of a new Salaries’ application system was abandoned due to disputes between the software vendors and RAF’s technology partner African Legend Technologies, as well as poor systems development and implementation procedures. When the system was abandoned the RAF had incurred costs in excess in R1m. There is no evidence of any legal recourse taken to address this matter.
Finding 8: ICT / Financial Management
An employee of the RAF’s technology partner, African Legend Technologies, who had access to the claims system live environment manipulated the payment process and misappropriated RAF’s funds, amounting to R38 8000.00. This risk was realized due to inadequate systems of internal control over the claims payments process as well as inadequate application controls.
Finding 9: Citrix Server Implementation
A post implementation review of the new Citrix Server, installed at all RAF’s regional offices and head office, revealed the following user problems:
These problems have a direct negative impact on the ability on daily operations and therefore the Fund’s service delivery.
Finding 10: ICT Security
The RAF does not have a formal approved ICT Security Policy. In addition, logical access controls are generally poor since programmers have access to the live environment, the claims system allows multiple access by a single user, employees share passwords, "special branch" functions are not properly restricted and monitored.
Finding 11: Disaster Recover Planning
The Fund does not have a documented and tested disaster recovery plan in place. In addition, there is no remote / off-site back-up storage facilities. The back-up servers currently reside in the ICT building, Odion Forum.
Finding 12: Recruitment
RAF’s recruitment procedures were not complied with in the appointment of some ICT personnel. There were no Job Descriptions for these positions, no evidence of interviews records, all employees appointed were from SITA (previous employer of Chief Information Officer).
A Manager (also from SITA – Human Resources) without ICT qualifications or experience was appointed to the position of ICT Security Manager and given comparatively higher remuneration package. The high premium does not appear to have been linked to any expertise that this official would be bringing to the Fund’s ICT environment. This Manager was subsequently suspended for alleged irregularities.
Finding 13: Fuel Levy Income – Recognition
The RAF has continued to recognize fuel levies on a cash basis while there is no evidence that prior approval was obtained from Accounting Standards Board.
The financial statements 2002 "reinstatement of responsibility by board of directors" states that the financial statements are prepared according to GAAP (accrual accounting), but the accounting policy in the financial statements says that fuel levies are recognized upon receipt of levies from the oil companies.
Finding 14: Financial Management – Income and Investments
The RAF has continued to disinvest its surplus funds, due to actual spending exceeding cash inflows. While an amount in excess of R500 million was disinvested during this financial 2002/2003 the Fund does not have an approved investment policy and procedure in place, as required in terms of the PFMA Treasury Regulations, paragraphs 31.3.1 and 31.3.2.
In addition, there is no evidence that exemption has not been received from National Treasury from investing the RAF’s surplus funds with the Corporation for Public Deposits.
Finding 15: Financial Management – Budgeting
An analysis of the 2002/2003 budget revealed that the systems in place and over the budgeting process are not adequate. Also, there were no monthly management accounts to assist management with monitoring actual expenditures against their departmental budgets.
Finding 16 Financial Management – Procurement
There was lack of proper monitoring controls or systems over the procurement process and awarding of tenders. For example, no written agreement with Forensics Corporation’s to which the RAF had outsourced Forensic Investigations -NCIB and Ikanyeng.
Finding 17: Procurement Processes
There is no written delegation of authority to employees that are responsible for the procurement process in the Administration and ICT departments. In addition, the internal control systems appear inadequate to ensure that all major capital projects are properly evaluated.
Finding 18: Management of Fuel Levy
There is no evidence that the RAF’s contract with the Central Endergy Fund regarding the fuel levy income assessment and collections has been reviewed in the 9.5 years since it became effective. The RAF has not raised interest accrued on late fuel levy payments by the oil corporations. In addition, audit certificates are not regular.
Finding 19: Expenditure Management / Capital Projects
Detailed policies and procedures relating to purchases are not documented and authorized. Processes are not standardized with various practices existing and different documentation being used to support different expenditure items.
No formal documentary evidence of pre-authorization of expenditure items of significant amounts, for example in excess of R100 000. The certificate of signing authorities is incomplete and thus may be invalid.
Finding 20: Overtime Management
There are instances noted where an employee worked more than 40 hours per month but the indemnity form was not completed, as required in terms of RAF policy. In addition, the organization may be exposed to an increased risk of inappropriately unauthorized overtime activity, due to poor verification procedures in place.
The overtime expenditure could not be traced to the RAF’s budget. However, a total amount of R7, 773,469.35 was incurred during the 2001/2002 financial year.
Finding 21: HR Recruitment
There is lack of adequate documentation evidencing authorization/approval of recruitment of contract as well as permanent employees. There are instances where interview records to support certain appointments made during the year under review could not be made available for audit purposes.
Finding 22: CHRIMS / Health Management System Project
There is no evidence that a proper cost vs. Benefit Analysis was conducted, before the agreement with consultants, Creative Health Risk Management Systems (CHRIMS) was formalized at R20.52 million. The ‘medical cost savings’ claimed by CHRIMS were in fact, adjustments of costs claimed to BHF rates. Since the claimants would still have recourse to claim the full cost of the treatment they would have incurred, there is arguably no real financial benefit accruing to the Fund. While the contract with CHRIMS has since been terminated at the insistence of the Medical Committee of the Board, there is now a legal dispute.
Finding 23: Fast Tracking of Claims Projects
It is not clear, subject to a legal opinion whether the arrangement / scheme entered into with AFCT is a valid agreement in terms of either the RAF Act, 1996, or the Public Finance Management Act, 1999. In terms of the arrangement, the RAF would fast-track the processing of suppliers’ claims lodged by AFCT on behalf of service providers (mainly private hospitals). In addition to the claims being processed and paid by the fast tracking unit in the claims department, the Finance Department would pay lump sums / bridging finance / interim payments to AFCT to administer these claims.
The total amount of lump sums /bridging finance/interim payments made during the five month period April 2002 to August 2002 was R56 million while approximately R9 million was refunded to the RAF. RAF’s net exposure is therefore approximately R47 million.
Finding 24 and 25: New Claims Life Circle Project
While the budget for Claims Life Cycle Pilot Project (YASEBETSA) is R32m, Project Management controls have not been adequate. There is no evidence that
In addition, the system of budget controls and management may not be effective. The project has been ICT driven, with the minimal input from the business or user departments. The medical assessment of claims as one of the functions or phases in the claims process has been excluded in the pilot process.
Finding 26: Claims Management – Re-Opened files
The system in operation over the re-opening of finalized and claims appear to be inadequate. There are no measures put in place to ensure that the requests to retrieve finalized claims files from archives are authorized. Finalized files are re-opened without reasons being provided and/or management having approved such reasons.
Failure to build in measures/controls in places within the current claims systems to ensure that the re-opening of a finalized claim file is at least restricted to the respective Manager in whose section/department the finalized claim file was processed/handled.
Finding 27: Claims Management – Dummy Files
In instances where the claim files cannot be found, either these are lost or simply misplaced, a copy or duplicate of the original claim file is created-termed "dummy file". However, the procedures and guidelines over the creation of dummy files is not standardized within and between the claims regional offices. For example, the authority to create a dummy file rests with a senior claim handler or at some branches only a claims manager can authorize the creation of dummy files. There is no evidence to indicate that once a dummy file has been created, these are properly monitored. As a result, fraudulent or fictitious payments may not be detected timeously.
Finding 28 Claims Management -Fraudulent Claims
Weaknesses have been identified in the claims computer system, the claims handling process, as well as in the payment process:
Finding 29: Claims Management
There are inadequate monitoring controls over the movement of files between departments and within departments. In addition, the security over claim files is inadequate in that they can be found lying all over in the claims department. Claims handlers use individual file tracking registers and this does not allow for continuity.
Finding 30: Claims Computer System – Application Controls
The current claims system application does not take into account basic controls, which should have been programmed into the system. For example, there is no facility to detect incorrect ID numbers that are incorrectly captured either due to human error or intentionally, and therefore, the system is unable to detect/duplicate claims. Also, there is no capacity to detect prescribed claims at time of registration, nor are there automated controls to monitor that become prescribed before they are settled.
Finding 31: Claims Computer System – Utilisation
The claim system is underutilized by the claims department mainly due to lack of adequate training with respect to capabilities of the system. There are various modules in the system that are either not used or are not use consistently.
Finding 32: Claims Offer System
The offer system implemented during 2001/2002 was not properly planned and designed to meet the needs of the business:
Finding 33: East London Branch – Opening
It appears that planning for the establishment of the East London Branch did not address certain critical areas:
Finding 34: Mediation and Arbitration Project
The following weaknesses have been identified in the mediation and arbitration project which was designed as an alternative dispute resolution mechanism in the settlement of claims:
Finding 35: Policies and Procedures
Policies and procedures provide guidelines and are training tools for the employees in their day- to day activities. However, there are key policies and procedures that have not been formalized
3.2(b) Possible ‘fruitless expenditure’ during the financial period
In the attached annexure, there are material / significant audit findings where the RAF is exposed to the risk of or has incurred financial loss which, in terms of the PFMA, could constitute fruitless expenditure:
|
|
Costs / possible financial loss |
|
CHRIMS / MEDICAL PROJECT (After allegations that the consultants were not meeting their legal obligations, the project was abandoned in October 2002. The costs quoted herein are only direct costs – i.e. paid to the Consultants. Other direct overheads are the costs of the RAF’s human resources that were assigned to the project. Excluded are costs like office furniture and stationery, the legal costs incurred on the appointment of a legal firm. |
R 8, 55 million
R 3, 07 million |
|
|
|
|
MEDICAL APPLICATION SYSTEM |
|
|
(The software was leased allegedly on the recommendations of the CHRIMS consultants. Thereafter, it was established that this software could not customized. This resulted in the abandoning thereof. However, the RAF was tied to an agreement with the software vendors and therefore had to honour the obligations arising from this lease.) |
R 1, 44 million |
|
|
|
|
HR SALARIES SYSTEM (Implementation of system was abandoned after direct overhead costs had been incurred, due to a dispute between the software vendors as well as inadequate implementation controls. ) |
R 1, 041 million |
|
|
|
|
EXTENDED SUSPENSIONS OF MANAGEMENT |
|
|
(Two Executive Managers, two Senior Managers, a Middle Manager have been on suspension for extended periods, while they remain entitled to full employee benefits. The total overhead costs (salary) paid to these employees while lawful in terms of the LRA and therefore are not irregular, nor wasteful, are arguably fruitless expenditure.) |
R 2 million (+/-) |
|
|
|
|
FAST-TRACKING SUPPLIERS’ CLAIMS [AFCT]*** (This matter remains unresolved as at year-end March 2003. Lumpsum payments were made to AFCT (on behalf of suppliers), which is neither a supplier of services to road accident victims nor claimant attorneys. This type of partnership between the RAF and AFCT, as well as the nature of the payments made is to be subjected to scrutiny by legal experts as to whether it is allowed in terms of the RAF Act. ) |
R47 million (net) |
|
|
R 61, 1 million (approximately) |
3.2(c) Alleged Wasteful Expenditure requiring a further investigation
A proper feasibility study and cost benefit analysis was not conducted before the decision to implement the new financial/accounting system – AXS One. The cost of the new system is approximately R16 million while an upgrade of the then existing system (ACCPAC) to perform the same functions was quoted at R 800 000,00.
3.2(d) YASEBETSA PROJECT
In addition, failure to properly manage the "YaSebetsa Project" – i.e. the Claims Life Cycle, could result in additional fruitless expenditure with the budgeted capital outlay estimated at R 32 million. There is the increased risk of:
3.2(d)
Leaked Audit Report - Alexander Forbes / Fast Tracking of Suppliers Claims Report ***At the previous meeting of the Audit Committee in November 2002, the members of the Committee resolved that this issue should remain in the agenda until such time that it had been resolved.
Internal Audit had performed an adhoc audit into the project of fast- tracking of suppliers’ claims after a Manager in the Claims Department, Pretoria Regional Office, had raised some concerns. A high level review revealed a scheme / arrangement that the RAF had entered into with a firm Alexander Forbes Compensation Technologies (AFCT). After a draft report was issued to some members of management, and it had been agreed that Internal Audit would discuss the draft audit report with Executive Management, the report was leaked to City Press, a weekly newspaper.
The report was finally discussed and management comments obtained. A summary version of this report has been included in the detailed audit findings, as Audit Finding #
The Board and Management have initiated several strategies aimed at addressing the major risk areas, and reducing RAF’s susceptibility to fraud and corruption. The following are some of the initiatives to date:
|
AREA OF RESPONSIBILITY |
CONTROL IMPROVEMENTS / INITIATIVES |
|
Organisational structure (@ Strategic Level) |
Claims Executive: The RAF Board had embarked on a process to appoint a Claims Executive, one of the key strategic positions in the organizational structure of the Fund.Medical Executive: The Medical Committee of the RAF Board was tasked with the filling of this position, and a specialist – Dr Lekalakala was appointed in with effect from January 2003. The Departmental structures are continuously under review. Procurement Manager: A Procurement Manager was appointed during the financial period, and will be responsible for the design and implementation of procurement procedures. Security Manager: A Procurement Manager has been appointed to head the security function of the organization in compliance with a Cabinet directive. |
|
AREA OF RESPONSIBILITY |
CONTROL IMPROVEMENTS / INITIATIVES |
|
Service Delivery |
The Claims Life Cycle Pilot Project – Johannesburg Regional Office: To streamline the claims handling process, ensure adequate segregation of duties, to improve the quality and speed of service deliveryRedesign of the Claims Computer System: To automate the claims handling process and ensure speed of service delivery. To ensure availability and reliability of management information. Litigation Department and Mediation / Arbitration Department: The Litigation Department set up during the previous financial period, under the control and direction of Corporate Legal Services, has been rolled out to all the branches. The two departments are responsible for handling litigation and mediation mainly on claims related matters. This speeds up the legal process, while improving the speed of service delivery. Medical Department: Medically qualified personnel, were also appointed at the end of the previous financial period. They are now to assist with medical assessments of claims lodged, under the direction of the new Medical Executive (refer above). |
|
Visibility and Accessibility to the Public / Claimants |
Patient Outreach Programme: This is a function staffed with case managers who reach out to claimants with serious / severe injuries and may not understand / utilize the undertakings issued by the RAF for the treatment of future medical expenses related to the road accident. East London Branch: A new branch was set up during the current financial period to service claimants from the Eastern Cape Region. Previously, these claimants could lodge claims either in Durban or Cape Town. Assistance to direct claimants / Corporate Communications: This is a plan to assist claimants who lodge directly with the Fund without using attorneys. Recommended – A proper risk analysis of this function / project should be conducted before the department is set up and staffed. |
|
AREA OF RESPONSIBILITY |
CONTROL ENVIRONMENT |
|
Policies and procedures & Corporate Governance
|
The Manager Budgets and Policies is responsible for both the preparation of the budget, and custody of the policies and procedures of the organization. The key policies that are in place currently, are the RAF Staff manual; Claims Procedure Manual; Fraud Policy / Policy on Deviance. The following key policies are in the process of being or have been formalised:
Internal Audit had prepared a list of recommended policies and procedures that should be documented and be approved. This list was forwarded to the Manager: Budgets and Policies as well as the Executive Assistant- CEO. |
|
Information and Communication Technology |
Computer Systems The existing claims computer system is both unable to meet the business requirements of the organizations and is underutilized due to inadequacy of computer skills. This situation will continue to prevail until the development of the new system is completed, and it is implemented. New Systems Development Several projects to improve the RAF’s computer environment were initiated by the ICT department. A systems development methodology is currently under development under the guidance of the Acting Chief Information Officer. This will assist in mitigating the inherent risk of new computer systems that do not meet the needs of the users. Follow-up: There has been a change in the management of the ICT department. There is no evidence that this process did continue. |
|
AREA OF RESPONSIBILITY |
CONTROL ENVIRONMENT |
|
Information and Communication Technology (cont’d)
|
Offer System The offer system was not properly planned and designed to meet the needs of the business. The Acting CIO has embarked on a project to address the identified weaknesses in the system. The offer system is not fully implemented or used in the Cape Town Regional office. |
|
Human Resources Management
|
Industrial Relations: An Industrial Relations Manager has been appointed to improve employee relations with Management. A recognition agreement with a labour union is being negotiated. As an interim measure a staff representative body has been selected. A Performance Management System for all levels of employment was implemented during this financial period, with the introduction of performance management contracts. However, not all performance contracts have been finalized. Training: Monitoring controls over training are inadequate as a result of the training function being fragmented:
Follow-Up: The two functions have now been integrated. |
|
Sound Financial Management
|
Financial / Accounting System A new finance system, AXS One, has been acquired and implemented in the Finance Department. The first phase has been completed, and other modules will be implemented in the second phase. Budgets and Special Projects Ranking of special projects according to the criticality thereof and therefore the associated benefits; and availability of resources is to be addressed. |
It is important to note that while these initiatives have been highlighted as improvements, there may be significant audit findings relating hereto that have also detailed in this report, Annexure A.
The internal audit department uses a risk based audit approach, and currently uses a combination of the various audit methodologies. As such, the annual audit plans were based on continuous risk assessments.
The department is comprised of three divisions, each headed by a Manager reporting to the Head of the Department / Internal Audit Manager:
The Audit Coverage Plan for the financial period 2003/2004 for each of the three divisions in the department, will be submitted in a separate report.
The audit projects and the timing thereof, will be continuously reviewed / revisited. The purpose hereof is to ensure coverage of risks emerging from new activities and operations, as well as risk areas that had not been identified in existing operations.
Action Plan: Due to the unfavourable capacity variance, priorising audit projects will be in accordance with the risk ratings assigned either by the department or at the risk assessment workshops once these have been conducted.
The annual audit coverage for the period 2003/2004 has been prepared on a three-year rolling plan, as required in terms of the PFMA regulations paragraph 27.2.7 (a).
The planning of the audit activities and the scope of the audits, required a review of the RAF’s Corporate / Strategic Plan as well as the Business Plans of all the departments for the new financial period. However, the overall RAF strategic plan has not been updated nor have the various departmental business plans been updated with the planned activities for the new financial period.
A departmental Business Plan for the current financial period (2002/2003) was prepared as part of an organization-wide exercise that was initiated by the CEO. Internal Audit has subsequently prepared its departmental business plan for the new financial period 2003/2004.
An analysis of available capacity in the department, at the beginning of the current financial period, had revealed an unfavourable capacity variance, i.e. that required hours exceeded the available man hours and therefore the department was under resourced.
Internal Audit Management had scheduled projects from the annual audit plans, for the first six months as well as the six months to end of the current financial period. Staff resources were assigned to each audit project.
It should be highlighted that some of the projects originally scheduled for this financial period, have either not be conducted, or these were started but not completed. There are various factors that can be attributed to this problem, and these include:
In line with the approved Internal Audit Charter, the department performed both consulting and assurance activities during the period. The activities of each of the three internal audit divisions are summarized in the attached annexure:
These are audit projects performed to give assurance to Management and the Board on the adequacy and effectiveness of the risk management, financial management and internal control systems. The list of audit projects conducted reflecting the general status of the projects is attached as Annexure C. Annexure C also details the activities of the department, specifically in the Fourth Quarter Period Ended 31 March 2003.
The department has performed the following consulting activities during the period October 2002 to December 2002
Study Assistance Programmes:
Bursaries in respect of post-graduate studies, continuing education are not allowed in terms of RAF policy / practice. As a result, Internal Audit staff required to qualify as Certified Internal Auditors, have to carry the financial responsibility for these studies.
Performance Management System:
The following Performance Management Contracts have not been finalized:
While the RAF’s Going Concern assertion remains a major concern to the government and the Management of the Fund, management should be seen to be making every effort in addressing the actuarial deficit, and ensuring the proper management of its finances.
The implementation of action plans, internal audit recommendations or management’s alternative action plans, should assist in addressing the identified weak areas thereby ensuring effective management of the operations of the organisation.
We would like to thank members of management for their co-operation during the execution of our duties.
Sinaye Nxumalo
Head: Internal Audit Department