2. Audit Opinion History4

2012-13

CONTENTS

1. Introduction2

2. Audit opinion history4

3.Key focus areas7

4.Drivers of internal control20

5.Other matters of interest21

6.Other reports 23

7.Combined Assurance on Risk Management in the Public Sector23

8.Commitments 24

9.Feedback on previous resolutions 24

Introduction

1.1Reputation promise of the Auditor-General of South Africa

The Auditor-General of South Africa has a constitutional mandate and, as the Supreme Audit Institution (SAI) of South Africa, exists to strengthen our country’s democracy by enabling oversight, accountability and governance in the public sector through auditing, thereby building public confidence.

1.2Purpose of document

This document contains a brief summary of the audit outcomes for the Department of Mineral Resources and its entities.

1.3Overview

The mandate of the department is to ensure that there is equitable access to, and sustainable development of, the nation’s mineral resources and to provide regulatory framework for the regulation of the mining sector. The department is organised into four branches as follows:Administration (Corporate Services and Financial Administration), Promotion of Mine Health and Safety, Mineral Regulation and Mineral Policy and Promotion.

The mineral resources portfolio consists of the Department of Mineral Resources (DMR) and the following entities which reports to the minister of mineral resources i.e. Council for Geoscience (CGS), the South African Diamond and Precious Metals Regulator (SADPMR), the State Diamond Trader (SDT), Mine Health and Safety Council (MHSC) and The Council for Mineral Technology Research (MINTEK). These entities play a supporting role to the mandate of the department as follows:

Name of entity / Legislative mandate / Financial relationship / Nature of operations
The Mine Health and Safety Council (MHSC) / Established in terms of section 42(1) of the Mine Health and Safety Act, 1996 (Act No. 29 of 1996). / Co-funding in terms of establishing act / Research and advisory function to the minister in terms of mine health and safety, as well as promoting a culture of health and safety in the mining industry.
The Council for Mineral Technology Research (MINTEK) / Established in terms of the Mineral Technology Act, 1989(Act No. 30 of 1989). / Co-funding in terms of establishing act / Provides research, development and technology that foster the development of businesses in the mineral and mineral products industries.
The Council for Geoscience (CGS) / Established in terms of the Geoscience Act, 1993 (Act No. 100 of 1993). / Co-funding in terms of establishing act / Development and maintenance of the national geosciences knowledge infrastructure for both the onshore (land) and offshore (oceans) environment of South Africa.
The South African Diamond and Precious Metals Regulator (SADPMR) / Established in terms of the Diamonds Act 1986 as amended and the Precious Metals Act, 2005 (Act No.37 of 2005). / Co-funding in terms of establishing act / Regulation of the diamond, platinum and gold sectors.
The State Diamond Trader(SDT) / Established in terms of the Diamond Act, 1986 (Act No. 56 of 1986). / Co-funding in terms of establishing act / Promote equitable access to, and beneficiation of, diamond resources, address distortions in the diamond industry and correct historical market failures to develop and grow South Africa’s diamond cutting and polishing industry.

1.4Organisational structure

1.5Funding

The Department of Mineral Resources had a budget allocation of R1175533000
(2012: R1 038 965000) during the 2012-2013 financial year. Included in the R1175533 is an amount of R525110 000 which was transferred to entities that fall under the department. The transfers to the entities were made as follows:

2012-13 financial year
Recipient / Actual transfer / Purpose of transfer payment
R'000
Mine Health and Safety Council / 4 531 / Core funding in terms of establishing act.
South African Diamond and Precious Metals Regulator / 41 601 / Core funding in terms of establishing act.
Council for Geosciences / 223 006 / R184,625 million –core funding in terms of establishing act. R18,381 million – research to prevent ingress of water into underground holdings. R20,000 million –mine rehabilitation projects.
Council for Mineral Technology Research / 253 531 / R223,531 million –core funding in terms of establishing act. R30,000 million –mine rehabilitation projects.

Audit opinion history

Description / 2009 / 2010 / 2011 / 2012 / 2013
Audit opinions
DMR / N/A / N/A
CGS
MINTEK
MHSC
SDT
SADPMR
DMR – Findings on compliance with laws and regulations
Revenue management – The accounting officer did not take effective and appropriate steps to collect all money due to the department timeously, as per the requirements of Treasury Regulations 11.2.1 / X / X / X
Material adjustments to financial statements – The financial statements submitted for auditing were not prepared, in all material respects, in accordance with the requirements of section 40(1)(a) of the Public Finance Management Act, 1999 (Act No.1 of 1999) (PFMA). Material misstatements of contingent liabilities and key management personnel identified by the auditors in the submitted financial statements were subsequently corrected, but the uncorrected material misstatements resulted in the financial statements receiving a qualified audit opinion. / X / X / X
Human resource management – Employees received overtime compensation in excess of 30% of their monthly salaries, in contravention of Public Service Regulation I/V/D.2(d). / X / X
Non-compliance with the enabling act – Mining rights holders did not submit progress reports to the director-general, as required by section 28(2)(a) of the Mineral and Petroleum Development Act (MPRDA). Mining rights holders did not submit audited financial statements and annual reports to the director-general, as required by section 28(2)(b)(c) of the MPRDA. Compliance with the above sections of the act was not enforced, as required by section 93 of the MPRDA. / X
AUDIT OPINION
CLEAN AUDIT OPINION: No findings on predetermined objectives (PDOs) and compliance
UNQUALIFIED with findings on PDOs and compliance
QUALIFIED AUDIT OPINION (with/without findings)
DISCLAIMER/ADVERSE AUDIT OPINION

2.1Significant emphasis of matters

DMR

The corresponding figures for 31 March 2012 were restated as a result of an error discovered during 31 March 2013 in the financial statements of the Department of Mineral Resources at, and for the year ended, 31 March 2012.
The financial reporting framework prescribed by the National Treasury and applied by the department is a compliance framework. The wording of my opinion on a compliance framework should reflect that the financial statements have been prepared in accordance with this framework and not that they “present fairly”. Section 20(2)(a) of the PAA, however, requires me to express an opinion on the fair presentation of the financial statements. The wording of my opinion therefore reflects this requirement.

MHSC

Material losses to the amount of R1,7 million were incurred as a result of a write-off of irrecoverable trade debts.

SADPMR

The corresponding figures for 31 March 2012 were restated as a result of an error discovered during 31 March 2013 in the financial statements of the South African Diamond and Precious Metals Regulator at, and for the year ended, 31 march 2012.
Significant additional matters

DMR

Of the total number of 160 targets planned for the year, 33 targets were not achieved during the year under review. This represents 21% of total planned targets that were not achieved during the year under review.

CGS

We identified a material misstatement in the corporate scorecard during the audit, which was subsequently corrected by management.

SDT

Of the total number of 36 targets planned for the year, 11 of the targets were not achieved during the year under review. This represents 31% of total planned targets that were not achieved during the year under review.
Qualification paragraph

DMR

Basis for qualification

The Department of Mineral Resources doesnot have adequate system to manage and value receivable for departmental revenue. The outstanding balance relating to prospecting fees and royalties as generated by the system in place isincorrect. Consequently, the balance for receivable for departmental revenue and provisions, as disclosed in notes 23 and 27 to the financial statements,ismisstated by R151,194 million (2012: R110,629 million).

Key focus areas
Predetermined objectives

Entity / Finding / Root cause / Recommendation
DMR,SADPMR,SDT,CGS and MINTEK / No issues identified.
MHSC / The information presented with respect to the objectives mentioned below was not reliable when compared to the source information and/or evidence provided.

Promote the improvement of the health and safety culture in the mining industry.

Provision of advice reports that influence mining health and safety performance.

Strengthen tripartite partnerships through communication and promotion of the MHSC programmes.

Implement summit agreement.

Misunderstanding of the framework for reporting performance information.

Confusion over the roles and responsibilities of the council and other stakeholders.

Lack of review of validity of reported achievements against source documentation.
The policies and procedures did not cover/explain how to develop performance indicators and targets.

The leadership should be trained on reporting on performance objectives.
Information included in the strategic plan should be clear and should relate to the planned objectives and indicators.

3.2Supply chain management

Entity / Finding / Root cause / Recommendation
DMR, SDT, SADPMR,MINTEK / No issues identified.
CGS / Awards were made to bidders who did not submit a declaration on whether they are employed by the state or connected to any person employed by the state, which is prescribed in order to comply with Treasury Regulation 16A8.3. / Management did not review and monitore compliance with applicable laws and regulation relating to the submission of SBD 4 declarations. /

All prospective suppliers must sign an SBD 4 to ensure that CGS complies with Practice Note 7 of 2009-10.

A checklist should be implemented to ensure that all the relevant documents have been obtained prior to awarding services to suppliers.

MHSC / MHSC incurred fruitless and wasteful expenditure ofR59169,96 and irregular expenditure of R3 442 656,80 which was identified through the audit process. / Compliance with laws and regulations was not reviewed as the MHSC did not prevent the fruitless and wasteful expenditure. Ineffective controls over supply chain management. / Management should put measures in place to preventthe irregular and fruitless and wasteful expenditure, as required by section 51(1)(b)(ii) ofthe PFMA.
Irregular and fruitless and wasteful expenditure must be disclosed in the annual financial statements, as required by Treasury Regulation 28.2.1.
Quotations were awarded to suppliers whose tax matters had not been declared by the South African Revenue Services to be in order, as required by Treasury Regulation 16A9.1 (d) and the Preferential Procurement Regulations / Financial and performance management – Lack of review and monitoring of compliance with applicable laws and regulations. / Original tax clearance to be submitted with bidding documentation.
Invitations for competitive bidding were not always advertised for a minimum of 21 days, as required by Treasury Regulation 16A6.3(c). / Lack of oversight responsibility for ensuring compliance regarding the SCM function. Lack of adequate supervision and monitoring of policies and procedures. /

Management should maintain a register that records all approved tenders.
The register should record all the tenders approved to be advertised, date approved, date advertised and closing date of tender, date cancelled if there were any cancellations, re-advertisement dates and a column for comments. This register will allow management to detect any deviations from the required number of days.
The register should be signed by both the preparer and the reviewer as evidence of review.
Management should also set time frames of how often the register will need to be reviewed to ensure compliance with policies and procedures.
The memo for approval of advertisement should state the dates, especially the number of days to closure of tender so that any days less than 21 days can be approved by the person with the designated authority.

3.3Human resources

Entity / Finding / Root cause / Recommendation
DMR / Employees received overtime compensation in excess of 30% of their monthly salaries, in contravention of Public Service Regulation I/V/D.2(d). / The accounting officer did not review and monitor compliance with applicable laws and regulations.
Internal controlsand overtime policywere designed and developed but officials at management level did not implement them as overtime compensation was more than 30% of monthly salary, asstipulated in paragraph D(c) of the Public Regulation and paragraph 4.8 of the policy on compensation for overtime. / Management should monitor compliance with applicable laws and regulations and if there are capacity constraints, management should address them timeously so as to avoid non-compliance.
SADPMR, SDT, CGS, MINTEK and MHSC / No issues identified.

3.4Information technology controls

Entity / Finding / Root cause / Recommendation
DMR / IT management did not implement some of designed security management controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. As a result the department did not update the IT usage policy. / The internal control deficiencies identified were categorised as design and implementation of formal controls over IT systems to ensure the reliability of the systems and the availability, accuracy and protection of information and could be ascribed to the following:

Management overlooking the importance of reviewing the information and communication technology (ICT)usage policy.

/ Management should ensure that the ICT usage policy is reviewed regularly (annually) to ensure that they remain current and relevant. A policy change record should be completed as evidence of review and change in the policy.
Management did not design formal controls over IT systems to ensure the reliability of the systems and the availability, accuracy and protection of information. The IT continuity plan for the department was not in place. / The internal control deficiencies identified were categorised as design and implementation of formal controls over IT systems to ensure the reliability of the systems and the availability, accuracy and protection of information and could be ascribed to the department not complying with the IT continuity strategy due to the department’s moving from its old offices to its new location. / Management should develop and implement an IT continuity plan according to the IT continuity strategy. The relevant employees should be trained to execute the plan. The plan should also be subject to regular testing to ensure its effectiveness.
IT management did not formally design user access controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate / Lack of capacity has resulted in developers providing first-line support to users of the system as there were no resources to assist users with this.
The development of the security module on the system is still in progress. / It is recommended that users only be granted system access rights that are in line with their job responsibilities, i.e. access should be granted on a need to have basis in order to enforce segregation of duties on the system. Developer’s access to the production environment should be revoked after resolving the incident that has been reported.
The revenue system should be enhanced to enforce strong passwords, as required by the ICT usage policy.
SADPMR / IT management had not formally designed security management controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate. / Management did not implement segregation of duties for the role of the system administrator due to the current capacity within the IT department.
The policy committee did not approve the IT security policy.
Reviews of administrators were not conducted as management did not allocate responsibility for the reviews. / The ICT manager should re-allocate responsibilities within the IT department to ensure effective segregation of duties. Those who perform the activities should not be responsible for reviewing and monitoring the activity.
Where the functions cannot be separated due to small size and lack of skills in the department, the ICT manager should implement additional monitoring and review controls over the activities of the system administrator.
Where it is commercially viable to employ additional resources, the IT department should employ sufficiently skilled resources to enable the effective segregation of duties.
The functions of the security officer should not be carried out by an IT administrator. The responsibility should be assumed by a member of management who is not involved in an administrative role.
The policy committee must prioritise the finalisation of the IT security policy. The policy must be formally approved, adopted and thereafter circulated to all users of the applications, including those of the service providers and IT management. The IT management must ensure that the required implications in terms of the new policy are implemented on the systems.
The activities of all privileged users must be reviewed on a regular basis by the ICT manager. An increased emphasis should be placed on monitoring controls in smaller IT environments where incompatible functions cannot always be segregated. The security policy should make reference to this review and the related procedures.
Review of user access lists by the IT department and business was not conducted on a regular basis. While a physical and electronic list was provided, there was no evidence of review to suggest that the control exists and is being performed.
There is also a risk that possible inappropriate or unauthorised access might not be identified timely and inappropriate or unauthorised changes to transactions could be made. / The internal control deficiencies identified were categorised as design and implementation of formal controls over IT systems to ensure the reliability of the systems and the availability, accuracy and protection of information and could be ascribed to the following:
Evidence of user access reviews was not available. / The access rights of all users must be reviewed on a regular basis by IT and business. The security policy must make reference to this review and the related procedures for both the applications and the network. The review must be carried out by business and must also be reviewed by management. The timing of the review should be based on the frequency of changes to user access rights in the organisation.
SDT / IT management did not formally design security management controls (policies, procedures, guidelines) to mitigate the risk of unauthorised access to the network and information systems. Informal controls were in place, but were inadequate / Management was dependent on third parties for the system administrative functions and there was a lack of internal skills to extract password configuration settings from the application.