FINANCIAL & OPERATIONAL AUDIT SECTION

ANNEXURE B

In line with the approved Internal Audit Charter, Internal Audit performed both consulting and assurance activities during the period under review.

This section is therefore comprised of the lists audit projects that were conducted by the department during the period April 2002 to March 2003.

FINANCIAL & OPERATIONAL AUDIT SECTION

NO.	AUDIT PROJECT NAME	STATUS
	FINALISED AUDIT PROJECTS
	PROCUREMENT	ISSUED
	Overtime Management
	Recruitment
	Contract Employeees
	Fuel Levy
	Capital Expenditure Review
	Audit Project
	Cell Phones Administration	DRAFT REPORTS
	Training & Development
	Contract Management
	Policies and Procedures
	Current Audit Project (March and April 2003)
	Cash Management	CURRENT
	Status of Records
	Payroll Adiminstration
	Review of Staff Manual
	Pension Fund

COMPLIANCE (CLAIMS) AUDITS SECTION

AUDIT PROJECT NAME	AUDIT ENTITY
Audit Report Issued
1. Fast-tracking of Suppliers’ Claims Lump-sum Payments to AFCT]	Head Office - Finance
2. Yasebetsa Project	Johannesburg
3. Dummy Files	All Regional Offices
4. Pilot Project - Streamlining of the Claims Environment	Johannesburg
Draft Audit Report –
5. Special Branch	All Regional Offices
6. Transformation - Appointment of Assessors	Pretoria
	Durban
	Cape Town
7. Finalisation	Pretoria
8.	Durban

9. Branch Relocation to the CBD	Pretoria
10. Opening of the New Regional Office [East London]	Head Office
11. Arbitration - Payment of the Forum Fees	Cape Town
12. Re-opened Files	All Regional Offices
13. Duplicate Claims	All Regional Offices
Current Projects (March and April 2003)
14. Mediation & Arbitration – Roll out	All Regional Offices
15. Claims Lodgement & Registration	All Regional Offices
16. Litigations/Summons	All Regional Offices
17. Finalisation	Cape Town
18. Finalised Claims	Pretoria
19. Finalised Claims	Johannesburg
20. Legal Cost	Johannesburg

IT AUDIT PROJECTS STATUS

No.	PROJECT SENIOR	AUDIT PROJECT	PROJECT No.	STATUS	DATE	COMMENTS
1.	Anneline Claasens	Unix Database Security		Planning
2.		Unix CDAA Feasible Studies		Planning
3.		Data Change Management Workflow		Drafting Memo
4.		STORED Procedures		Drafting Memo
5.		Data Change Control Procedure		Issued to Manager for review
6.	Michiel Jonker	KPMG		Fieldwork		Responsibilities limited to coordination and monitoring the project Rest of the security reviews suspended awaiting National Intelligence Agency’s proposal
7.		Linking Cobit, BS7799 and Infosec Best Practices		Fieldwork
8.		Disposal of ICT Hardware		Memo Issued	31/10/2002	No official client response received
9.		Logical Access Control Policy		Memo Issued	06/11/2002	No official client response received
10.		Data Backup Retention Periods		Memo Issued	06/11/2002	No official client response received
11.		Incident Management		Memo Issued	22/10/2002	No official client response received
12.		Information Security Policy		Memo Issued	23/01/2003	No official client response received
13.		Unauthorised ICT Policies on the Intranet		Memo Issued	19/11/2002	No official client response received
14.	Themba Thusi	Project Luft		Planning
15.		Undertakings Analysis		Planning
16.		Finance System Implementation		Fieldwork
17.		PAYE Audit		Abandoned
18.		Review of MIT invoices and price reasonableness		Abandoned
19.	$$$$	Claims Payment Analysis	IOP /13/2002	Draft Report Issued	28/01/2003	No official client response received
20.		HR Systems	IOP/03/2002	Final report Issued	15/11/2002
21.		Offer System User Group		Abandoned
22.		Payments Cancellation	IOP/05/2002	Final report Issued	29/07/2002
23.	Sindi Mabizela	Hardware and Software Management	IOP/02/2003	Planning		Awaiting confirmation with Acting CIO to finalise Planning Document
24.		Third Party Services	IOP/09/2002	Planning		Put on hold to attend to urgent requests
25.	$$$$	Claims Payments Analysis	IOP /13/2002	Draft Report Issued	28/01/2003	No official client response received
26.		Programme and Project Management	IOP/11/2002	Draft Report Issued	03/02/2003	No official client response received
27.	*( see compliance audit section – report finalized)*	YA-SEBETSA	IOP/03/2003	Draft Report issued to IA HOD for review	04/02/2003	Awaiting confirmation with Acting CIO to discuss and obtain Management Comments
28.		Medsys Acquisition and Implementation		Abandoned		Executive Management decided to abandon the acquisition of the system until the appointment of a Medical Executive.
29.		Re a Soma User Problems	IOP/11/2002	Final Report Issued	11/11/2002
30.		Re a Soma Post Implementation	IOP/11/2002	Final Report Issued	11/11/2002
31.		IT Security Policy		Memo issued	11/11/2002
32.		East London Branch Visit	IOP12/2002/03	Memo issued	11/11/2002
33.		MSP Work-session Recommendations		Memo issued	11/11/2002
34.		Service Centre Tender Evaluation	IOP/12/2002	Final Report Issued	11/11/2002
35.		Post Implementation – Offer System		Final Report Issued		Audit performed and finalized by Refiloe Ramaphakela

This Internal Audit report seeks to appraise the Chief Executive Officer and the Board on the activities of the department during the quarter January to March 2003. The 1^st quarter has been more challenging in that the department was completing a year since it became properly staffed and fully functional. It remains even more of a challenge that the organization still needs to be educated on the value and benefits that this department could add.

The activities are divided per the three units / sections within the department.

The overall objective of all the audit projects are/were to express an opinion on whether key management controls are/were adequate and effective to provide reasonable assurance that the organizations’/ management objectives will be achieved.

1. COMPLIANCE AUDIT SECTION

This section conducts audits which focus on the RAF’s core business; compensation of road accident victims, the Claims Process.

The following are the activities for the first quarter:

1.1 COMPLETED PROJECTS (Draft reports are in the process of being finalized):

Dummy Files

Specific Audit Objectives were as follows:

Dummy files were created in accordance with the accepted organization’s practices;

The system in place over the creation of dummy files were adequate and effective;

The reasons for the creation of dummy files were valid and legitimate; and

Dummy files were properly managed and monitored.

Duplicate Claims

Specific Audit Objectives are:

The system of control in place relating to duplicate claims is adequate and effective;

No payments have been effected on any duplicate claims; and

The duplicate checking of claims is done throughout the claims handling process.

Re-Opened Files

Specific Objectives:

Finalized claim files are re-opened in accordance with the accepted organization’s practices;

The system in place over the re-opening of finalized claim files is adequate and effective; and

The reasons for the re-opening of finalized claim files are valid and legitimate.

ICT Pilot Project [Claims Life Cycle]

Specific audit Objectives:

That the Claims Life Cycle Pilot Project implemented at the Johannesburg regional office meets the management overall objectives;

That the risks inherent in the Claims Life Cycle and inherent in the Pilot Project have been identified; and

The associated internal controls are effective, efficient and adequate.

1.2 CURRENT PROJECTS

Finalized Claims [Jhb & Pretoria]

The specific Audit Objectives are:

All possible risks associated with the processing of claims are appropriately identified and properly managed;

Controls in place relating to the processing of claims are adequate and effective; and

Claims are processed in accordance with the Road Accident Fund Act and Claims Procedure Manual

Summons Administration / Management Pretoria

Specific Audit Objectives:

All possible risks associated with the administration/management of summonses have been identified and are properly controlled; and

The controls in place are adequate and effective.

Legal Costs Johannesburg

Specific Audit Objectives:

All possible risks associated with the administration/management of legal costs have been identified and are properly controlled;

Payments made are valid, accurate and properly authorized;

Legal costs department receives claim files timeously in order to avoid summonses; and

There are adequate and effective controls in place over outsourced work.

Claims Lodgement & Registration

Specific Objectives

Adequate controls in the claims lodgement and registration systems are effective to ensure timely processing of claims;

Associated inherent risks are appropriately identified and managed;

Access to the registration system is restricted to the authorized officials; and

Integrity of operational information after claims are registered is reliable.

Finalization Cape Town

Specific Objectives:

To establish whether claim files for which offers have been accepted are timeously forwarded to Finalization unit;

Payment of compensation to claimants or their legal representatives is done timeously; and

Consider other general business issues, which are relevant and/or have the potential of impacting negatively on the achievement of the Fund’s objectives.

2. FINANCIAL & OPERATIONAL AUDIT SECTION

This section conducts internal audits focusing on the support functions within the organization.

Activities for the first quarter are as follows:

2.1 COMPLETED PROJECTS – draft reports in the process of being finalized

Recruitment

The specific audit objectives were to ensure:

Compliance with policies, plans, procedures, laws and regulations governing recruitment and selection of staff;

Recruitment and Selection of staff is properly authorized;

The recruitment and selection process is fair and transparent;

The recruitment and selection process is based on accurate, complete and valid information;

Confidentiality of information within the recruitment and selection process; and

Adequate custody of documentation relating to recruitment and selection process.

Contract Workers

The Audit Objectives for this project are similar to those of The Recruitment Project. Focus in this respect was on the temporary / contract workers.

Recruitment policies and procedures have been complied with;
Recruitment of contract employees is properly authorized;
Recruitment & resignations of employees is in line with the Basic Conditions of Employment Act; and
Recruitment & resignation of employees is done on fairly and transparent basis.

Fuel Levy

The overall objective of the audit was to express an opinion on whether the system of internal control over the Fund’s management of fuel levy income is adequate and effective, specifically to establish whether Fuel Levy income is complete and accurate.

Cash Management

The specific audit objectives are to ensure that:

Cash and cheque receipts are properly recorded, classified, and reported;

Cash and cheque receipts are deposited timely as required Public Finance and Management Act and Treasury regulations;

Appropriate supporting documentation exists in respect of all payments;

Payments are made for purposes that are in the ordinary course of business;

Payments are properly approved and authorized;

Unused cheques and chequebooks are properly controlled and accounted for; and

Adequate controls exist to safeguard cash/receipts from loss, errors and irregularities.

2.2 Current Projects

Status of Records

The specific audit objective is to express an opinion regarding:

Compliance with applicable Legislative and other requirements;

The reliability and integrity of financial information;

Allocation of account balance to correct accounting periods; and

Identified management actions, which will attempt to mitigate identified inherent risks.

Payroll Administration

The specific audit objectives are to ensure that:

Payroll system is functioning effectively;

Salaries are paid to the genuine employees of the Fund (Occurrence);

All salary expenses incurred have been correctly accounted for (Completeness);

All salary expenses and any other salary related expenditures have been properly accounted for at the correct rand value (measurement), and allocated to correct accounts;

Compliance with relevant laws statutory deductions other necessary deductions have been correctly calculated deducted and paid over accordingly.

Undertakings Department – Organizational Structure Review

2.3 Planned Projects

Effectiveness of Professional Consultants

Audit objective is to obtain reasonable assurance that the internal control procedures are adequate and effective to ensure that the Professional Consultants present the Fund with reasonable fee structures; that there is effective monitoring and evaluation of services rendered to ensure adherence to deliverables.

3. COMPUTER AUDIT SECTION

Hardware and Software Controls

The Audit is focusing on Maintenance contracts, ICT related expenditure with the objective of determining reasonableness of prices in relation to industry norms. This is to ensure that possible abuse is curbed and added value is derived by the organization.

ICT: Data Warehouse

Evaluation of control procedures within the environment.

Review of Security Policy

Objective to ensure that it is adequate, effective and is in accordance with best practice.

Ongoing Systems Development Review

To ensure that the designed systems will be adequate, effective, value adding and will support the achievement of desired management objectives.

4. HIGHLIGHTS AND LOWLIGHTS OF DEPARTMENT

The following are the highlights and the lowlights within the internal audit department for the 1^st quarter

Highlights:

Approval of the Strategic Risk Workshop to be conducted during the first week of April 2003.

Recruitment of the Senior Computer Auditor, who had previously been with the employ of the Auditor General.

Demographic Profile of the department is in terms of the RAF’s EE Plan.

Lowlights:

Continued vacancy of Claims Executive has a direct impact in as far as claims related audit projects are concerned. We believe the Claims Executive is the best person to secure appropriate actions to be taken in this critical and core department of the organization;

Compliance Audit Manager’s (Mr Bongi Dlalisa) resignation with effect from 31^st March 2003;

Long outstanding consultation with Professor Shadrack Gutto on AFCT arrangement;

Inability to fill vacant positions within the department due to perceptions that the department is overstaffed;

Staff remuneration, which is currently below market levels. We await CEO’s decision on recommended adjustments per the PE Corporate’s salary survey.

As at date of this report, there are no specific mandates required from the board.

The following recommendations are for consideration by the Board. The same had been raised by Internal Audit during various meetings with the Fund Management as well as raised in various reports issued by the department.

1. CLAIMS LIFE CYCLE

Following the recommendations of the Lesedi Project, the Executive Management took a decision to implement a new claims section, which was based on the principle of "separation of powers". The implementation of the Lesedi recommendations has a significant impact of the Fund’s internal processes regarding the processing of claims. The estimated funding requirements for this project amounts to R 34 million which is a significant capital outlay. According to recent reports, it is planned that the newly developed system will go live in August 2003.

We therefore recommend that the Board should review progress of the Claims life Cycle project with the view of obtaining assurance that the project objectives will be met before going live.

2. DIRECT CLAIMANTS: RISK ANALYSIS

The fund is in a process of establishing a fully functional unit whose objective will be to assist claimants regarding the lodging of claims directly with the Fund, without the assistance of an attorney.

We recommend that a detailed risk analysis should be performed, the results of which should form a basis for a decision to fully implement this function.

3. AFCT ARRANGEMENT

As a result of the arrangement the Fund has/ had with AFCT, it is currently exposed to a possible financial loss of R 47 million.

We recommend that the Board should therefore obtain an opinion and review the legal implications of this arrangement.

4. POLICIES

We recommend that the Board should look at the following policies, which are at different stages of completion, and are required in terms of the Public Finance Management Act and Good Governance.

Delegation of Authority and Approval Framework

According to the provisions of the Public Finance Management Act, a formal "Special Delegation of Powers" Framework should be designed and documented. The framework set out in detail the powers and duties delegated to the office of the CEO and Executive Management. Thereafter, the CEO further sub-delegates accordingly. This policy was formulated but remains a draft and requires finalisation.

Risk Management Policy

The Road Accident Fund (RAF) as a public entity is required in terms of Chapter 6, Section 51, of the Public Finance Management Act, to implement and maintain, effective, efficient and transparent systems of financial and risk management and internal control …". The Risk Management Policy still remains a draft pending approval hereof.

Investment Policy

The Fund, as a Public Entity listed under Schedule 3a of the PFMA, is required in terms of the Treasury Regulations, to have an Investment Policy. Taking into account the value of the RAF’s investments, it is recommended that this policy be formulated as a matter of urgency.

Budgeting and Management Accounts

It is our observation that the budgeting process in the Fund requires improvement. Furthermore, no monthly management reports are produced to encourage Executive Management to take a profound interest in the financial matters of the organization.

5. ORGANIZATIONAL STRUCTURE

It is recommended that the Board reviews the organizational structure at top management level taking into account the current vacancies, some of which are as a result of extended suspensions; as well as that of the Claims Executive, which has remained vacant for more than two years.

The continued vacancies expose the Fund to an increased risk of a poor control environment and therefore the inability of the organization to implement good internal control systems and procedures.