SUMMARY OF SIGNIFICANT AUDIT FINDINGS / OBSERVATIONS
|
WEAKNESS IDENTIFIED |
IMPLICATION |
RECOMMENDATIONS |
ACTION PLAN(S) |
|
|
||||
|
The Management of the Fund documented a strategic/corporate plan during April/May 2002. However, the corporate plan remained a draft since there is no evidence that it was formally adopted. The business plan has not been reviewed and updated for the new financial period which commenced 1st April 2003. Alternatively, the updated strategic / business plan had not been communicated to RAF Management at the beginning of the financial period ending March 2004.
|
|
The existing departmental and organisation’s overall business plans should be reviewed and updated for the new financial period ending March 2004, as required i.t.o. paragraph 30.1.3 of the PFMA Treasury Regulations. The RAF’s strategic plan should be formally adopted and communicated to the organisation. The plan should be constantly reviewed for its relevance, and updated accordingly where there are major shifts in the RAF’s goals. |
Responsible Person: Heads of Departments Executive Management CEO Target Date:
|
|
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
Inefficient, ineffective and uneconomical utilization of the Fund’s resources:
Lack of separation of duties.
|
The CEO and the Board should consider either temporary or fixed term contract appointments, for the position of Claims Executive. The person appointed should have the appropriate skills, knowledge and qualifications for the positions. While this position remains vacant, it is recommended that:
|
Responsible P|erson RAF Board Chief Executive Officer
FOLLOW-UP AUDIT: The positon of Medical Executive has been filled with effect from January 2003. The position of Claims Executive remains vacant, and the CEO is acting in this positon. |
|
ORGANISATIONAL STRUCTURE (CONT’D) |
PREVIOUS AUDIT COMMITTEE REPORT |
||
The training function within the organization is fragmented and is not properly structured in that while the Fund has a centralised Training and Development unit within the HR department, the ICT department also has senior and training officers. These officers do not report to the Training and Development Manager, but report to the ICT Security Manager.
|
Difficulties may be experienced in co-ordinating training for employees, for example:
|
It is recommended that Executive Management should consider the option of centralizing the training function to the HR department to ensure proper management and implementation of employees’ development and empowerment strategies. Line Management or Head of Departments should be given the authority to utilize their training budgets subject to the availability of the financial resources. However, this expenditure should be monitored by the HR Training Department to ensure that it is:
|
Reasons for ICT training being part of the ICT division are mainly to ensure that ICT takes full responsibility for training related to core business (claims systems). However, we agree that ICT should consider relocating training to HR. We will investigate the feasibility of relocating ICT Training to Human Resources so we could make an informed decision. Responsible Person: HR Executive (Acting)Chief Info.Officer Target Date: September2002 FOLLOW-UP AUDIT: The training function has now been centralized and presently resides with the Manager: Human Development |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
The general areas of responsibilities for some departments have not been properly defined and documented. There may be inadequate segregation of duties at Executive Management, as well as other management levels. (Also, refer 1.2 above)
|
Uncertainties resulting from undefined roles could result in:
|
Executive Management should review and document the general areas of responsibilities for all departments, which must also be informed by the RAF’s strategic objectives and its strategies to achieve these objectives. The assignment of responsibilities to the various departments should ensure segregation of duties and functions. Care should be taken to minimise areas of overlap or to ensure synergies in the functioning of such departments. Management should consider the introduction of service level agreements which will regulate and provide guidelines with regard to service capabilities / delivery of the respective departments within the Fund.
|
Responsible Persons Executive Management Chief Executive Officer
Target Date:
|
|
|
YASEBETSA PROJECT REVIEW, REF. IOP/03/2003 |
||
|
With effect from December 2002, the Procurement Manager was appointed Acting Chief Information Officer (Acting CIO). As the Acting CIO, the incumbent automatically became the co-sponsor of the new Claims Life Cycle Pilot Project and is also the Chairperson of the Project Steering Committee. As he still performs the duties and responsibilities of his substantive position (Procurement Manager), he is able to initiate, authorise and process any or all Pilot Project related expenditure. Such an arrangement has resulted in lack of segregation of duties in that one individual is simultaneously responsible for incompatible duties. In addition, Executive Management’s decision to continue with the arrangement constitute a direct non-compliance with one of the RAF’s Strategic Objectives relating to Corporate Governance, which states its outcome to be "clear separation of responsibilities allowing for accountability and responsibility".
|
|
Segregation of incompatible duties is one of the key characteristics of good internal control and risk management procedures [as prescribed by the PFMA and Treasury Regulations]. Therefore, Executive Management should ensure the implementation of sound control procedures, by separating the functions of CIO / Pilot Project Co-sponsorship and Procurement Management . |
CoSponsor / Acting CIO’s Comment Executive Management should respond
Responsible Person(s): CEO |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
The Fund could suffer financial loss as it would be responsible and bound by the actions of its employees and be unable to take any disciplinary actions against them should employees, either intentionally or unintentionally, exceed their authority in:
Abuse of authority in the allocation of mandates. Favouritism and inconsistency in allocation mandates.
|
The draft Policy on Delegations of Authority, previously adopted by the Board should be finalized. Cognisance should be taken of the provisions of the Public Finance Management Act, 1999, and the Road Accident Fund Act, 1996. The delegation of mandates to claims officials should be included in the organization-wide delegation of authority/ approval framework.
|
The Audit Committee has reviewed and adopted the draft policy as well as the Approval Framework subject to ratification by the Board. Responsible persons: Chief Executive Officer Finance Executive
FOLLOW-UP: The policy on delegation is to be implemented. A sub-policy to address the awarding of mandates / mandates levels, in the claims department is under development.
|
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
The Executive Forensics Committee appointed as Senior Manager Forensics, Mr D. Beea, who is the founding member of, and at the time of his appointment was the CEO of one of the companies that forensics investigations have been outsourced to.
A claim that was repudiated by claims handler, senior and manager was subsequently re-opened by the then Regional Manager. There is no supporting evidence for the reversal of the initial repudiation. An investigation into this claim revealed that there was a conflit of interest in that the Regional Manager had worked as an associate in the claimant attorney’s office. In addition the claimant alleged that they were paid only R250 000,00 and an additional R200 000 invested while the RAF had settled the claim at R1,2 million. |
Non-compliance with the principles of corporate governance. Collusion between RAF officials and third parties (including claimants, service providers) may result in financial losses to the Fund.
|
The referrals of investigations to the forensic companies should be closely monitored. Written agreements between the RAF and its forensic investigators should be formalized, and be submitted to the Board or Audit Committee for ratification. A Register detailing RAF officials’ interests should be maintained. A code of Conduct / Ethics governing the general conduct of employees, inclusive of the measures to manage conflict of interest situations should be formalized.
Management should consider referring the Cape Town matter to a law enforcement agency for further investigations. |
According to the Finance Executive, Mr Anderson, the CIO – Mr Sello Mokale had introduced and motivated for the appointment of Mr Beea to the Executive Forensics Committee.
Responsible Person Mr H. Kgomongwe, CEO Executive Forensics Committee FOLLOW-UP: The Senior Manager Forensics was suspended in May 2002. |
|
IT AUDIT REPORT: REF. |
||
|
During the current financial period, the RAF embarked on a project to develop and implement a new HR – Salaries application (EMSOFT) that would be able to interface with the new Finance and a new claims system. Disputes between the software vendor (supplier) and the RAF’s technology partner (African Legend Technologies – ALT) regarding the manner in which the deal was structured, resulted in the abandoning of the new EMSOFT system. The direct costs/ expenditure on the project amounted to R 1, 041 200. The system was implemented without following systems development and implementation procedures properly.
In addition, the licence fees for the Unique system previously used by the Fund (and which the Fund subsequently reversed to) were not discontinued although the RAF had gone live with the new system. |
Inefficient utilization of the Fund’s financial resources, resulting in possible fruitless expenditure of R 1 m. Incorrect salaries paid out resulting in employees becoming dissatisfied and disgruntled. |
Adoption and implementation of a methodology for the systems development life cycle, which will be in accordance best practice. Invitations for the design and development of new systems should only be conducted once management have fully conceptualized and agreed on management strategic objectives and the expected functioning and therefore use of the system. In instances where a strategic partner has sub-contracted with a third party, the RAF should ensure that the formal agreement enables recourse against non-performance to ensure that the Fund is not exposed to financial losses.
|
Responsible Person(s): Acting CIO HR Executive CEO
Follow-Up: The Fund is continuing with the use of the old system, Unique. Presentations for a new system have been invited, although the user specifications have not been re-visited, and formally documented. |
|
IT AUDIT REPORT |
||
|
An employee of the RAF's technology partner African Legend Technologies, who had access to the claims system live environment manipulated the payment process and misappropriated RAF's Funds, amounting to R38 800,00. This risk was realised due to inadequate systems of internal control over the claims payments process as well as inadequate application controls: Development personnel (programmers and system administrators) have access to the production / live environment including full rights to sensitive applications.
|
Risk of financial loss to the Fund, due to unauthorized changes, manipulation or override of automated procedures. Fraud and theft may be perpetrated. |
Application Development Personnel should not be granted access to the live environment. In the case of system maintenance, change control procedures should be adhered to. |
A task team will be set up to address all the issues and problems raised in the audit report.
Responsible Person; Acting CIO
Target Date: |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
A post implementation review of the new Citrix server, revealed the following user problems:
system response times;
|
Inavailability of computer systems impacts negatively on the speed of service delivery. |
An independent evaluation of the current Citrix environment by a Citrix expert is strongly recommended. |
Technical evaluation planned Responsible Person Keitihetse Teisho Target Date: August 2002 Follow-up(October 2002) Technical Evaluation report issued to ICT management. A process of corrective action as per recommendations of the evaluation report was started. |
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
There is no formal and approved ICT Security Policy in place. In addition, logical Access Controls are generally poor in that
|
Unrestricted access to the live environment by programmers allows manipulation of information or live data, and therefore increases the risk of irregular and unauthorized transactions.
|
An overall IT Security Policy should be drafted, reviewed for adequacy and effectiveness, and approved by the CEO. Programmers’ access to the live environment should be restricted. The allocation of Special Branch Functions should also be restricted to authorized personnel. The Data Owners / Management should formalize user profiles with the assistance of the ICT department and access be granted in accordance therewith.
|
ICT is in the process of drafting an IT Security Policies and procedures. These policies will be benchmarked against best practices (BS7799 and COBIT) before the approval thereof. RESPONSIBLE PERSON: Acting CIO TARGET DATE December 2002 FOLLOW-UP: ICT Security policy is not finalized. There is no evidence of any real improvements in this environment. According to the Security Manager, he will also be responsible for ICT security. |
|
PREVIOUS AUDIT COMMITTEE REPORT: REF. |
||
|
The Fund does not have a documented and tested disaster recovery plan in place. In addition, there is no remote / off-site back-up storage facilities. The back-up servers currently reside in the ICT building, Odion Forum.
|
The organization is exposed to the risk of inavailability of systems due to inability to recover with minimum delays from incidents of disaster, e.g. system crashes, fire. |
The ICT Department, in particular the ICT Security and the Data Base Management functions, should document a Disaster Recovery Plan (DRP). The DRP should be tested for efficiency and effectiveness, and approved accordingly. Immediate arrangements should be made for an off-site back-up storage facility.
|
(i) The Disaster Recovery Plan is currently under development. (ii) The current ICT Risk Assessment Project, with KPMG, includes the investigation and identification of an offsite back-up facility. RESPONSIBLE PERSON Acting CIO Target Date (i) September 2002 (ii) November 2002 Follow-Up: The Disaster Recovery Plan is not finalized. KPMG Risk Assessment project is not completed. KPMG has submitted an interim report. |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
Management Abuse of authority:
Negative effect on productivity and service delivery. |
Management should ensure that the principles of transparency and responsibility are consistently adhered to. The recruitment process should be, and be seen to be fair and equitable on any objective test. This will require consistent compliance with laid down policies and procedures. The Human Resources Department should obtain signed job descriptions of all the newly created positions in the ICT department. External consultants who specialise in IT recruitment should grade these job descriptions. A review of all appointments in the ICT department should be considered, and appropriate action taken where employees do not meet the minimum requirements of the job. |
We are currently reviewing the structure of the ICT department. The aim of the review is to determine the resource requirements (skills). Our next goal will be to ensure that we recruit suitable skills for the positions. This process, we agree, will be conducted through the service of an IT recruitment consultant who will advise us regarding the respective job profiles and grades. Responsible Person HR Executive Acting Chief Information Officer Follow Up: The then Acting CIO has vacated this office. The new Acting CIO is now reviewing the structure. The CIO Mr Mokale, and ICT Security Manager Mr Mokgwetsi remain on suspension. |
|
|||
|
The RAF has continued to recognize fuel levies on a cash basis while there is no evidence that prior approval was obtained from the Accounting Standards Board, The Financial Statements 2002, "statement of responsibility by board of directors" states that the financial statements are prepared according to GAAP (accrual accounting), but the accounting policy in the financial statements says that fuel levies are recognized upon receipt of levies from the oil companies.
|
Non-compliance with Generally Accepted Accounting Practice (GAAP) and the PFMA |
The RAF’s Finance Department should either adopt accrual accounting or seek the appropriate authority to recognize its fuel levies on a cash basis. |
Responsible Person: Manager Finance Chief Financial Officer Chief Executive Officer
|
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
|||
|
The monthly fuel levy income that the Fund receives from the oil companies via the Central Energy Fund appears to be insufficient. The RAF may be overspending in that cash outflows have been exceeding the cash inflows. As a result, the Fund has been disinvesting its reserves with the result that the reserves may be depleted while there is no evidence of a back-up plan to mitigate this risk. In addition,
|
Inavailability of funds may result in the RAF’s inability to meet its day to day financial obligations. The increase in the deficit will render the Fund’s Going Concern assumption inappropriate. |
Executive Management should ensure strict financial control, by ensuring that only budgeted expenditures are incurred and this expenditure is monitored. High expenditure that was not budgeted for should be authorized by the CEO, and communicated to the Board . Mechanisms to closely monitor the Fund’s Asset Managers, and therefore the performance of the RAF’s investments should be put in place. High value procurement contracts, at a level to be determined by the Board’s Procurement committee, should be subject to ratification by the Board. |
Responsible Person Chief Executive Officer Finance Executive
FOLLOW-UP AUDIT: The increase of 3 cents per litre per the 2003/2004 National Budget, should assist in containing the cashflow problems. The amount of funds that have been disinvested to date is about R 500 m, while there is no formal policy and procedures. |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
|||
SPECIAL PROJECTS
|
Lack of prudence in the preparation of the annual budgets. Failure to ensure the effective and economical utilization of the RAF’s available financial resources, will move the RAF financial position from an actuarial deficit to an actual deficit. . |
The Finance Executive should revise the budget figures for the period under review. Each head of department and/or Executive Manager should be required to provide detailed justification for their budget items, rated according to their priority. Ratings can be the minimum requirements to carry out the duties and functions of the department; the standard requirements; and the maximum requirements to operate at full and maximum capacity. Proper cost vs benefit, and impact analyses should be conducted; and these should be submitted to the Finance Department-Executive and Manager: Budgets and Policies for a comprehensive budget. |
Responsible Persons: CEO Finance Executive |
|
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
Other than the Affirmative Procurement Policy to address black economic empowerment initiatives, the Fund does not have an approved procurement policy,. This policy has been in draft format for over two years, however, management has not taken a decision to approve it. There is lack of proper monitoring controls / systems over the procurement process and the awarding of tenders:
|
Failure to formalize effective procurement policy guidelines may result in:
|
Appointment of a Procurement Manager. The draft procurement policy should be reviewed, approved and implemented as a matter of urgency. A permanent procurement committee should be formed, members of which should be rotated regularly. Special powers should be delegated to the procurement committee in terms of a delegation of powers policy. A Procurement Committee of the Board should be involved in the decision making in cases of major capital expenditure. Terms of Reference for this Committee should be formulated. |
A Procurement Manager was appointed with effect from 1st October 2002. A Procurement Committee at management level has been established. The draft Procurement policy has been presented to the RAF Board. Responsible Person Chief Executive Officer Finance Executive Follow-Up Audit: The Procurement Policy was approved by the Board, subject to some amendments being effected. Procurement Committee (Management) has drafted a Terms of Reference / Charter which should still be approved. Procurement procedures are currently under development. |
|
|
FIN & OP AUDIT REPORT: REF. IAFOP 02/2003 |
||
To date the Fund has not adopted and implemented the draft procurement policy.
Procurement in the Fund is currently mainly conducted by the Administration Department and the ICT Department. There is no written delegation of authority in respect of certain employees at these departments.
Internal control systems appear to be inadequate to ensure that all major capital projects are properly evaluated.
Procurement process, as per the system description at ICT, was not adhered to. |
|
|
Refer draft Procurement Policy and draft Delegation of Authority Policy, however, I take note and will ensure that controls are in place. Will also address this with all the managers. M. Molibeli, Acting CIO On behalf of Administration – We will comply once the policy is available. We await Executives’ mandates after which we will implement. B. Furniss, Admin Manager |
|
|
FIN & OP AUDIT REPORT: REF. IAFOP 03/2003 |
|||
The fund has an agreement with Central Energy Fund regarding the fuel levy income assessment and collection. Reviewing the agreement, no evidence was noted that this agreement was reviewed during the 9.5 years since it became effective.
The RAF has not raised an accrual (in the accounting books) in respect of interest income arising due to late payments of fuel levies by the oil companies. Furthermore, recoverability of this amount had not been established.
It was noted that RAF does not regularly receive audited documents as per agreement. |
Contractual Terms and Conditions might no longer be favourable to the Fund.
Irrecoverable Interest income / financial loss to the Fund. Furthermore, Fuel Levy Income is understated.
Non-compliance with agreement Lack of supporting documents to verify fuel levy income received. Possible wasteful expenditure as RAF pays for this service from CEF. |
There should be regular reviews of contracts, to ensure identification and monitoring of deliverables from all role-players. This is when the need to amend, extend or terminate contract could be established.
A provision for the above interest must be raised in the accounting records and proper measures to recover same should be implemented.
It is crucial that the entire process of managing fuel levy income be revisited. As a starting point, the agreement should be reviewed for possible addition or deletion of relevant clauses. We further recommend that the clause of submission of audited statements by CEF be upheld as it is imperative that fuel levy as stated is verifiable. |
The signing of an agreement between the relevant parties CEF as well as the RAF is something that has to be taken up on a high level.
This is followed up with CEF in order to recover the lost interest. The provision will be raised in 2002/2003 financial year
Will follow up with CEF and Department of Mineral Energy to get a new agreement in place and to force them to comply with relevant clause in the contract agreement. |
|
|
FIN & OP AUDIT REPORT: REF. IAFSP 02/2003 |
|||
|
PROCUREMENT POLICIES AND PROCEDURES Detailed policies and procedures relating to purchases are not documented and authorised. Various practises exist and different documentation is used to support different expenditure items. PRE-AUTHORISATION OF CAPITAL EXPENDITURE: No formal documentary evidence of pre-authorisation of expenditure items of significant amounts (eg >R100 000).
CERTIFICATE OF SIGNING AUTHORITIES (MISSING CLAUSES): The certificate of signing authorities is incomplete and thus may be invalid or considered not in existence as certain crucial clauses are missing
INCORRECT EXPENDITURE CLASSIFICATION An expense of R 250 204.42 on Security Equipment was incurred and paid on 21 December 2001. This amount was however incorrectly allocated to a maintenance account. |
Lack of accountability and standardisation. Unnecessary expenditure may be incurred.
Invalid expenses may be incurred on behalf of the Road Accident Fund due to inadequate authorisation and possible lack of value-for-money analysis being conducted. This may result in financial loss to the Fund.
Unauthorised individuals may incur/authorise expenditures on behalf of the Road Accident Fund. Expenses may be authorised by individuals with the inappropriate level of authority. The fund is exposed to increased financial risk.
Fixed Assets may be understated. The result is incorrect and unreliable financial reporting. |
Policies and procedures relating to purchases/expenditure should be formulated, documented and communicated to the appropriate employees.
It is recommended that the Certificate of Signing Authorities should be updated / completed in line with delegated authority mandates.
Each expense should be carefully considered before account allocations are made. |
Mr J Rabie: "I agree to the recommendations made by Internal Audit. Will supply updated list of signatures on both EFT and cheques accounts."
Mr J Rabie: "This is a disputable point. The decision on the capitalization of the particular asset or not was that of the Fixed Assets department that is reporting to the Admin. Manager. |
|
|
|
FIN & OP AUDIT REPORT: REF. IAFOP 05/2003 |
||
|
INDEMNITY FORM: EXCESSIVE OVERTIME It is RAF policy that, where an employee works more than 40 hours per month an indemnity form must be completed. Instances were noted where overtime exceeded the maximum but the indemnity forms were not completed by the respective individuals. OVERTIME AUTHORISATION (SPECIMEN SIGNATURES) It was noted that the organisation may be exposed to an increased risk of inappropriately authorized overtime activity. The salaries department does not keep a list of signature specimen to verify managers signatures for authorization on overtime application forms. Instances of processed unauthorised overtime were noted. OVERTIME EXPENDITURE BUGDET
|
Non compliance to the applicable legislation.
Unauthorised overtime expenditure
Non-payment of overtime expense, which can bring about industrial relation Unauthorised expenditure |
No overtime in excess of 40 hours per month should be paid where the appropriate documentation is missing.
Human Resource Department should ensure that only duly authorised overtime claims are processed
Management should ensure that overtime budget forms the basis of all authorisation for such activity. Appropriate analysis should be performed which will inform adequate overtime expenditure budget |
This is a policy matter, which needs to be discussed with Manager Human Resource who will addressed it accordingly
Directive will be send to all the branches stating that there must be a pre-approval for every overtime worked especially where overtime will last for a longer period.
There wasn’t a budget office prior to November 2001 budget was done by taking 1% of total remuneration expenditure. Since the establishment of the budget office all activities are budget for and detail budget is prepared |
|
|
FIN & OP AUDIT REPORT: REF. IAFOP 07 & 08 / 2003 |
|||
|
Authorisation/Approval Of Recruitment Lack of adequate documentation evidencing authorisation/approval of recruitment. Interview Records No interview records interviews to support certain appointments made during the year under review could be made available for audit purposes.
Also, refer finding # 12. |
Unauthorised commencement of recruitment and selection activities with regard to vacant positions.
Disputes arising due to lack of common understanding regarding the terms and conditions of employment; and lack of documented evidence to support appointments should an investigation into those appointments be incited. |
All documentation in support of the authorisation /approval of vacancies should be filed in an orderly manner, which will enable future easy reference, to clear any queries and/or disputes.
The HR dept should follow-up with the responsible officials and obtain the interview records for all new appointments/transfers/promotions before their approval. |
All memoranda and pre-approved documentation are available in the separate files where such information is kept.
The CEO used his prerogative in terms of the chosen recruitment process as regards the Senior Manager Forensics as well as ICT Managers.
|
|
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
Consultants (CHRIMS) were appointed to assist the RAF with the implementation of health management systems. This contract became effective in December 2001. There is no evidence that a proper cost vs. benefit analysis was conducted. The ‘medical cost savings’ per CHRIMS are in fact, cost adjustments. There is no real financial benefit accruing to the Fund as these adjustments are not necessarily realizable. The original operational mode of the CHRIMS PROJECT has now been changed, as they were not adding value according to the Finance Executive. Therefore, it appears that:
may be ‘fruitless expenditure’. PFMA section 51.
|
Inefficient and uneconomical utilization of the RAF’s financial resources due to uncertainty that the Fund will derive economic benefits. In terms of the PFMA this may constitute fruitless expenditure amounting to a minimum of R3, 42 million as at April 2002, (R 7, 695 million: September 2002). |
The CHRIMS contract, the deliverables, expected outcomes, the management thereof and the costs of these services should be revisited. A proper cost vs. benefit analyses should be conducted and the results hereof should be submitted to the Board’s Medical Committee for their review and appropriate action plan. Wasteful and fruitless expenditure should be reported as prescribed in the PFMA. |
Responsible Person: Chief Executive Officer Finance Executive Follow-Up Audit: The CHRIMS project was abandoned in November 2002. Total direct costs incurred on the project are R8,55 million. As at April 2003, the Medical department under the direction of the Medical Executive appointed wef January 2003, has embarked on a project to document policies and procedures. Internal Audit has also been requested to review the organizational structure and functions of the Medical Department |
|
COMPLIANCE AUDIT REPORT: REF. NO. IACSP 07/2003 |
||
|
It is not clear, subject to a legal opinion, whether the arrangement/scheme entered into with AFCT is a valid agreement in terms of either the RAF Act, 1996, or the Public Finance Management Act, 1999. In terms of the arrangement, the RAF would fast-track the processing of suppliers’ claims lodged by AFCT on behalf of service providers (mainly private hospitals). In addition to the claims being processed and paid by the fast tracking unit in the claims department, the finance department would pay lump sums/bridging finance / interim payments to AFCT to administer these claims. While the intention of this arrangement was the avoidance of summons against the RAF and therefore management of litigation costs, the RAF ‘s Finance department originated and made lump sum payments/ bridging finance / interim payments to AFCT, totaling R56 m in addition to payments made by the claims department responsible for the fast –tracking of the said suppliers’ claims.
|
|
This opinion should influence/form the basis for Executive Management’s appropriate action plan the principles of fairness are consistently applied, and the associated risks are mitigated (e.g. attorney firms requesting similar treatment or arrangement) |
Finance Executive /CFO The fast-tracking is ID13 under Roushal Moodliar. The conclusions and the recommendations do not tie to the objectives Where is the constructive approach? Is audit here to assist or what? Exec: Corporate Legal Services
|
|
FAST-TRACKING OF CLAIMS (AFCT) - CONTINUED |
|||
|
CEO - Comments The relationship between the Fund and AFCT was supposed to be a working arrangement based on practicalities on the ground with no contract envisaged. However, a directive as been issued to the effect that all payments to AFCT should be stopped. Executive Management has decide to engage an external person of repute, Prof Gutto, to analyse aspects of the matte, including issues raised in the internal audit report as well as in the newspaper report. After the external consultant has finalized his work, Executive Management will consider setting up a committee to undertake a proper risk analysis with regard to this issue. Follow-Up: March 2003 Internal Audit not yet consulted with the legal expert, Prof. Gutto, appointed to analyse the scheme. |
|||
|
|
COMPLIANCE AUDIT REPORT: REF. IOP/03/2003 |
||
|
The RAF has embarked on a key "Yasebetsa Project" to pilot the new / re-engineered claims process with the objective being to improve the quality and speed of service delivery while ensuring effective controls to mitigate against risks inherent in the claims handling process. The budgeted costs of the project is approximately R32 million. A review of the management of the project has revealed the following:
|
Also refer finding # 4.. |
The co-sponsors should ensure that Executive Management formally approves the YA-SEBETSA project charter, levels of authority delegated to the Project Sponsors, provided these are in line with Executive’s expected outcomes. Executive Management should implement measures to stabilize the position of the ICT co-sponsor, in order to ensure the success of the project. The Project Steering Committee should ensure that the project budget is centrally managed, closely monitored and any changes motivated and authorised accordingly. The Steering Committee should consider assigning the responsibility of project accounting to a single individual; and the status of the budget should form part of the Agenda at the monthly Steering Committee meetings. |
Comments by the project co-sponsors: A project plan and charter has been submitted to EXCO for approval. Regarding continuity in the management of the project, Executive Management should respond The Corporate Communications department will deal with internal and external communications regarding the project.
Responsible Person(s) Project Co-Sponsors Acting Claims Executive /CEO |
|
|
COMPLIANCE AUDIT REPORT: REF IOP/03/2003 |
||
|
There is no evidence of approval of the new business processes. The new business processes implemented and tested out in the pilot project differ from the recommendations of Project Lesedi. There is no evidence that was presented to validate that either Executive Management or the Management of the Johannesburg Branch have accepted the changes and accordingly the new business processes. The medical assessments of claims as one of the functions or phases in the new claims handling process has been excluded. The factors mentioned below suggest that the pilot project is owned, driven and managed by ICT Management instead of the business:
|
As at January 2003, the pilot project had resulted in a backlog of +/- 5000 claims thereby increasing the risk of summons against the Fund and therefore an increase in litigation and costs of delivery. |
Executive Management should ensure that the new business processes currently tested at the Johannesburg branch are formally accepted and approved by all stakeholders. The new business processes should be updated with the results of the pilot project. The approval should be a formal documentation sign-off by all stakeholders. Executive Management should ensure that this project is owned, driven and managed by the business with the full co-operation, assistance and support from ICT. |
Regional Manager: JHB Lesedi recommendations were never furnished to Johannesburg management. The Regional Manager is representing the business as delegated by the CEO / Claims Executive. However, problems were caused by the fact that the project is IT driven. Acting CIO This has been changed, Ms Messiah is driving the project team and all matters that could not be resolved are forwarded to the Steering Committee to make a ruling or escalate to the Executive
Responsible Person(s) Project Co-Sponsors Acting Claims Executive /CEO
|
|
|
COMPLIANCE AUDIT REPORT: REF. IA COP 07/2003 |
||
Inadequate system controls
No evidence of monitoring of re-opened claim files
Password Security In some instance we noted that certain Personal Assistants to the Claims Managers are able to re-open finalized files on behalf of their Managers. However, the audit trail would reflect as if it was the Claims Manager concerned who re-opened the particular claim file because he/she had in fact furnished the PA with his/her username and password. |
Finalised claim files could be re-opened for invalid reasons. Thereby exposing the Fund to financial loss. Claims personnel and management could intentionally and illegally re-open finalized claim files and effect fraudulent/fictitious payments. In addition, the integrity and accuracy of information could be compromised as unauthorized changes could be effected Problems and/or trends may not be identified and resolved timeously. In addition, fraudulent and/or fictitious payments could be effected, exposing the Fund to financial loss. |
Management should consider upgrading the system with a view of at least restricting the re-opening of finalized claim files to the Manager in whose section the file was processed and finalized. Management need to ensure compliance with whatever measures that they have put in place. Furnishing or revealing of ones password to another person posses some security risks for any organization and the Fund is no different. The general accepted business practice demands that passwords be confidential and should not be revealed to any other person. Monitoring controls/measures should be incorporated in the policies and procedures / guidelines to be compiled. |
East London Branch: Agreed with Findings.
Responsible Person(s) Regional Managers (5) Acting Claims executive |
|
COMPLIANCE AUDIT REPORT: REF. IACOP 10/2003 |
||
|
There are instances where claim files can not be found, either these are lost or simply misplaced. On such occasions a copy or duplicate of the original claim file is created – termed "dummy file".
|
|
The Executive responsible for the Claims Environment should formulate, document and communicate throughout the claims environment the policies and guidelines on the creation of dummy files. Monitoring controls / measures to ensure compliance with the laid down guidelines should be incorporated in the policy and procedure document. |
The Cape Town Regional office, a Manager at the Durban branch; the East London regional office; and two Managers at the Johannesburg R/Office agreed with the findings and recommendations. The Cape Town Regional office will however, continue to adhere to their local directive until it is replaced with a uniform national directive. No response from the Pretoria Regional office. Responsible Person(s): Regional Managers Acting Claims Executive |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
Weaknesses have been identified in the claims computer system; the claims handling process, as well as in the payments process:
In addition, there has been reluctance by the employees to report irregularities by fellow colleagues for fear of victimisation. |
High exposure to fraudulent activities. Payments on fraudulent claims have resulted in substantial cash outflows and therefore financial losses to the Fund. The high incidents of fraud create negative perceptions about the Fund; its management and staff
|
The Fund should devise more preventative measures or controls to mitigate the risks of fraudulent payments. Incompatible functions should be identified and segregated. Executive Management should seriously consider the possibilities of increasing the staff complement in the claims handling departments. All the Regional Offices should be equipped with the following, in order to assist with the earlier detection of fraudulent claims:
|
A project to streamline the claims process is running at the Johannesburg branch. A finalisation department has been introduced to conduct quality checks. A new offer system has been implemented in the Regional Offices. An increase in the staff complement will be included in the 2002/2003 budget. Links with NATIS and Home Affairs population register are being arranged. Responsible Persons: CEO Executive Management Follow-Up Audit: Refer Audit Findings # 24 &25 |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
There are inadequate monitoring controls over the movement of files between departments and within departments. In addition, the security over claim files is inadequate in that they can be found lying all over in the claims departments. Claims handlers use individual manual file tracking registers and this does not allow for continuity. The RAF has a ‘file tracking system’ which has not been in use due to its alleged inefficieny and ineffectiveness. Refer Audit Finding on « Dummy Claim Files » above. |
This exposes the Fund to the risk of files being deliberately destroyed or lost inorder to conceal fraud or irregularities. The Fund could subsequently suffer huge financial losses as well as lose critical information. |
Management should look at all possible safety measures including:
A policy and procedures should be formulated to control and monitor the movement of files outside the RAF premises. Management should consider incorporating a file tracking system into the new claims system that is currently under development. |
One feature in the system that is to be developed is the imaging / scanning of claims documentation and other correspondence. Therefore, claims will be processed using the imaged documents. All original documentation will be held in storage. Responsible Person: Chief Information Officer
Follow-Up: The new claims system is still under development. Manager Security has been appointed and will be responsible for overall security including document security. |
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
The current claims system application does not take into account basic controls which should have been programmed into the system. For example
|
Irregular and/or fraudulent transactions can not be detected timeously. Inadequate audit trails, and therefore, inability to follow-up fictitious data that is captured into the system. This could result in failure to provide substantive evidence for criminal / civil cases. Unreliable information from the database is used to prepare the Fund’s statistical information on which high reliance is placed for decision making. Failure by the claims system to detect duplicate false claims has resulted in financial losses to the Fund. Falsified offers and discharge forms can not be detected resulting in financial loss to the Fund. |
The claims handling process and therefore the claims system should be revisited so as to identify problem areas at each step of the claims handling process from the time that the claim is lodged and registered to the stage where the claim file is archived.
|
The following issues were already addressed during the design phase of the new claims life cycle.
Responsible Persons: Claims Executive (Acting) Chief Information Officer Follow-Up audit: A new claims system is currently under development. The design hereof is based on the new claims life cycle that is being piloted at the Johannesburg branch.
|
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
The claims system is underutilised by the claims department mainly due to a lack of adequate training with respect to the capabilities of the system. There are various modules in the claims system that are either not used or are not used consistently.
|
Information which may be considered vital for decision making purposes may not be available from the system. This was evidenced by the inability of the Fund to furnish the RAF Commission with information that the commission has requested. The incapability of the claims managers to use the system as a management tool results in their failure to detect fraudulent claims or payments timeously, if ever.
|
MIS software should be made available to Claims Management, and they should be trained on the use thereof. The ICT department should adopt and introduce a Systems Development methodology that will ensure the involvement of the Claims Management and other end-users in the redesign and development of the new claims system. This will assist in ensuring that basic and necessary controls are built into they system.
|
Responsible Person Claims Management Chief Information Officer Follow-Up audit: A new claims system is currently under development. The design hereof is based on the new claims life cycle that is being piloted at the Johannesburg branch. |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
The offer system was not properly planned and designed to meet the needs of the business:
|
The system appears to be failing to drive processes. The weaknesess and errors in the system can result in the manipulation thereof, and therefore inability to detect irregular activities timeously. Delays in processing claims as a result of system inavailability. |
Management should institute a corrective action where user departments (i.e. business process owners) and Application Services should work together to get the systems working properly.
redefine the business rules and functionalities to suit the business requirements.
applications that are relevant to their areas of responsibility. |
We acknowledge failure to adhere to the system development life cycle methodology. However, the task team, which was made up of users and development staff, has completed an investigation. Specific changes and enhancement to the system are already in progress. The following policies are being drafted, and we will be presenting the initial draft during the beginning of September 2002. ● Disaster Recovery plan ● IT Security Policy Responsible Person (Acting) Chief Information Officer Claims Management Follow-up audit: The documentation of the policies has not been finalized. |
|
|
|||
|
One of the Strategic objectives of the Fund is to be accessible and visible to the public by providing extra delivery channels. Executive Management therefore opened a new branch in the Eastern Cape Province as the Fund was not represented in this region. However, planning for the establishment of the East London branch did not address certain critical areas:
|
Delays in processing of claims, will result in a backlog, and therefore expose the Fund to the risk of increased summons and legal costs. Inefficient and ineffective utilization of human resources. |
Project Plans should be developed and communicated to all the role-players, whenever major operations or activities are undertaken. Critical paths should be identified and a project manager be appointed and assigned to co-ordinate these activities. It is recommended that the issue of mandates in the branch be attended to as a matter of urgency.
|
Mr Donald Diale an experienced Claims Manager has been appointed to head the Branch.
RESPONSIBLE PERSON: Acting Claims Executive
Follow-Up: A Claims Manager was appointed to provide support to the Branch Manager in December 2002. The Branch Manager is addressing the issue of the archives function. |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
The following weaknesses in the Arbitration Project have been identified:
|
The objective of settling claims without unwarranted delays is being achieved. However, the cost of settling the claims may far exceed the associated benefit. The increase in settlement amounts without any apparent justification thereof may have adverse financial implications for the Fund. Incorrect Arbitration fees may be paid out. It is difficult to monitor the fees that are recoverable from the Arbitration Forum. Inability to determine amounts due and payable to, as well as refundable by, the Arbitration Forum, may result in overpayments and therefore financial loss to the Fund.
|
Management should ensure that the weaknesses identified during the pilot project are either eliminated, resolved or appropriate measures are in place for the management thereof; before the mediation and arbitration project is rolled out. The purpose, policies and procedures of the Arbitration Unit should be documented and communicated. There should be proper documentation of the workflow between the responsible departments, claims, arbitration, legal costs. A computer system should be designed to support the mediation and arbitration process.
|
The responsibility to oversee the roll-out of the mediation and arbitration section has been assigned to the Senior Litigation Manager, and the Executive Corporate Legal Services. Responsible Person Executive Corporate Legal Services
FOLLOW-UP AUDIT: The Mediation and Arbitration function has not been rolled out to all the branches. This function remains in the Cape Town Regional Office where it was originally piloted. |
|
|
PREVIOUS AUDIT COMMITTEE REPORT |
||
|
Policies and procedures provide guidelines and are training tools for the employees in their day to day activities. However, there are key policies and procedures that have not been formalized.
|
Employees are either ignorant of the procedures that should be followed, or they may deliberately ignore to follow the correct procedures. As a result of the lack of documented policies and procedures, the Fund has not been able in some instances to hold employees accountable for their ignorance, gross negligence or non-conformance. |
The documentation of the policies and procedures should be considered as high priority and Senior and Executive Management should drive this process. The list of recommended policies and procedures that was compiled by internal audit should be updated and used as a checklist of all outstanding policies.
|
The Manager Budgets and Policies has been assigned the responsibility over policies and procedures of the Fund. A code of Conduct was adopted at an Executive and Senior Management meeting – July 2002. Responsible Persons Finance Executive Manager Budgets and Policies FOLLOW-UP: Other Several key policies remain either undocumented or in draft (not formalized), e.g.:
|