Portfolio Committee on the Department of Police

Auditor’s General perspective

2 March 2010

2

Reputation promise/mission

The Auditor-General of South Africa has a constitutional mandate and, as the Supreme Audit Institution (SAI) of South Africa, it exists to strengthen our country’s democracy by enabling oversight, accountability and governance in the public sector through auditing, thereby building public confidence.

33

RISKS IDENTIFIED & FOCUS AREAS

FOR 2010/11

44

SUPPLY CHAIN MANAGEMENT

55

SUPPLY CHAIN MANAGMENTOur approach:

– To determine whether legislative requirements for fair, equitable, cost-effective, transparent and competitive procurement have been adhered to.

– The subsequent management of contracts and whether payments are made only for goods and services received.

– To identify and report possible fraud indicators to those charged with governance. The approach addresses expenditure and the disclosure of irregular, fruitless and wasteful expenditure

66

The objectives of the approach:

– To ensure that significant risk due to fraud in procurement processes is appropriately and consistently responded to;

– To ensure correct and consistent compliance testing and identification of irregular expenditure;

– To ensure correct and consistent reporting of weaknesses;

SUPPLY CHAIN MANAGMENT

77

SUPPLY CHAIN MANAGMENT

Risk – Significant

– Such risk will translate into a significant risk that affects the:– completeness assertion for the

disclosures of irregular, fruitless and wasteful expenditure

– The occurrence and compliance assertions for the expenditure classes of transactions affected by the types of procurement and transactions that give rise to such risk

88

SUPPLY CHAIN MANAGMENTSelecting our sample (including but not limited) to:

– All awards from follow-ups / previous audits– All awards from employees having interest– All awards to possible fictitious suppliers– All awards to companies that are liquidated /

deregistered– All awards that were registered within the past 12

months– All transactions not procured through a competitive

bidding process (> R500k) or not through inviting 3 quotations (< R500k)

– At least 2 suppliers with the highest number of contracts

– At least 2 contracts awarded for construction projects that are significantly behind schedule

99

PRE-DETERMINED OBJECTIVES

1010

PRE-DETERMINED OBJECTIVESOur approach:

– 2010/11 – Opportunity to get ready for Predetermined objective opinions

– Understanding and testing of the internal policies, procedures and controls related to the management of performance information.

– Understanding and testing of systems and controls relevant to collecting, monitoring and reporting performance information.

1111

Audit criteria

Main criteria Sub-criteria

1. Compliance with reporting requirements

Existence

Timeliness

Presentation

2. Usefulness Measurability

Relevance

Consistency

3. Reliability Validity

Accuracy

Completeness

1212

RISKS FOR PRE-DETERMINED OBJECTIVES• Lack of effective, efficient and transparent systems and

internal controls regarding performance management (applicable at an overall performance management level)– Reliability of reported performance information– Not all supporting source information provided to validate

the completeness of the reported target– Completeness of reported targets could not be verified– Reported indicator not reliable, as no supporting source

information was provided– Inadequate performance management systems

• Management at station and unit levels responsible for visible policing and investigating organised crime, does not exercise oversight responsibility over reporting of predetermined objectives to ensure that entries have occurred, are authorised and all entries have been captured.

1313

• Audit and confirm:

- Existence of performance information - Consistency of performance information between:

• Strategic/annual performance plan, quarterly reports and annual performance report

- Presentation in annual report - Reliability of reported performance information - The performance management systems • Audit and compare reported performance information to

relevant source documentation and conduct procedures to ensure validity, accuracy and completeness of reported performance information.

FOCUS AREAS OF PREDETERMINED OBJECTIVES

1414

FOCUS AREAS OF PREDETERMINED OBJECTIVES• All indicators on programs:

- Program 2 - Visible Policing

- Program 3 - Detective Services

- Program 4 - Crime Intelligence

- Program 5 - Protection and Security Services

• National Intervention Unit (PTA)• Public Order Policing Service (Welkom)• Forensic Science Laboratory (PTA)• Criminal Record Centre (JHB)• Crime Intelligence (KZN)• Ports of entry (JHB, KZN and FS) • 24 Police station that’s been selected for the region audits

1515

PURPOSE OF IT AUDITING

To assist our financial auditors by reviewing the adequacy of

controls implemented by management over the financial and

performance information systems

1616

RISKS IN THE IT ENVIRONMENT

The following risks were identified:

• Lack of information technology (IT) governance framework and controls, which provides for the structures, policies and processes through which departments ensure that IT supports the organisation’s strategies

• Lack of department business continuity that will ensure that IT disaster recovery process is aligned to business requirements

• Lack of user access controls on the database and application systems, through which the department will ensure that only valid and authorised users are allowed access the systems and that user access is adequately separated when transactions are initiated, captured and approved (CAS and OPAM)

1717

RISKS IN THE IT ENVIRONMENT

• Lack of change management controls that will ensure that changes to the existing information system environment are coordinated, scheduled, authorised and tested prior to implementation (CAS and OPAM)

• Inadequate management information system that will assist in confirming that only authorised people are allowed access to Numerus data centre (where department critical systems are hosted)

1818

FOCUS AREAS FOR IT AUDITING

The following management processes will be audited:

• IT governance • Business continuity and disaster recovery • Security and user access management • Change management • Physical and environmental

1919

DISCUSSION AND QUESTIONS

2020

Auditing to build public confidence