DoT Audit and Risk Committee on Audit Action Plan to respond to issues raised by AGSA

Tourism

08 March 2022
Chairperson: Ms L Makhubela-Mashele (ANC)

Meeting Summary

The Committee received a briefing in a virtual meeting from the Audit and Risk Committee of the Department of Tourism. The Audit Committee had noted findings from the Auditor-General of South Africa (AGSA) and advised management to develop an action plan that should focus on the root causes of the findings as soon as possible, and ensure that the planned actions address the root causes. The Audit Committee had also resolved to monitor the implementation of the action plan in planned quarterly meetings.

Management had presented the draft audit action plan to the Audit Committee in November last year. Each finding had been analysed to identify root causes and the committee had been assured that the actions developed were to address them. Management had also stated that the action plan was a standing agenda item at management meetings to facilitate the monitoring of progress of its implementation. Evidence of the actions implemented was shared with internal auditors, who verified the actions implemented. The action plan contained 117 actions intended to address 36 findings in procurement and contract management, immovable and movable tangible assets, relief funds for tourism guides, information technology and predetermined objectives. Officials responsible for the implementation of actions, deadlines for the implementation of actions and details of progress made, were also included in the action plan.

The Committee also received a briefing from the Risk Management Committee (RMC). Its role was to review the Department's system of enterprise risk management, formulate, promote and review the Department’s enterprise risk management objectives, strategy and policy, and monitor the process at strategic and operational levels at quarterly RMC meetings. In preparation for the 2022/23 risk assessments, the directorate of risk and integrity management had engaged the various branches to collect documents that would enable literature review in preparation for the envisaged sessions. The RMC used AGSA management reports to identify all emerging and materialised risks from the identified audit findings, to ensure that it looked into harnessing existing and developing controls, to ensure that the Department achieved its set goals. Quarterly risk progress reports were presented at the Audit Committee meetings.

The departmental risk management committee met quarterly to assess and analyse progress on the implementation of the decided mitigation plans, identify materialised and emerging risks, evaluate the impact of the risk action plans' implementation on the identified risks, and get a deeper understanding of non-implemented action plans per branch and the remedial action. In addition, the departmental risk management committee met quarterly to assess the status of implementation of the action plans to address the audit findings, engage management on partially and non-implemented action plans, and evaluate the risk associated with non-implemented action plans in trying to avoid repeat findings.

Members were concerned that the Audit and Risk Committee, as well as the Risk Management Committee, were reactive to AGSA findings rather than being proactive in identifying and preventing findings. Members were also concerned that these committees met quarterly, yet the Portfolio Committee was exposed to the same irregularities, fruitless and wasteful expenditure.

In response, the Audit Committee noted that the Risk Management and Audit and Risk committees played an advisory role and were not implementers. They did not do any investigations -- this was done by the internal audit committee. The management of the Department were the action owners and were monitored on a monthly basis. If management did not implement any actions, the chair of the audit committee wrote a report on a quarterly basis to the Minister indicating if any findings were not being addressed, for the Minister to take corrective action. The audit committee's role ended with advice, not enforcement. If an action plan was not being implemented, the audit committee engaged with management directly to ask it to account for why there was no progress in implementing mitigations. If the management was facing challenges, the audit committee then provided advice on alternative ways of mitigating risks.

Meeting report

Department briefing on audit action plan

Ms Hazel Masedi, Chairperson: Audit and Risk Committee, Department of Tourism, said the presentation responded to questions from the Portfolio Committee, which include:

  • How the Audit and Risk Committee arrived at the audit action plan;
  • How the recommendations of the Portfolio Committee were incorporated;
  • How the executive management and the Department responded to the work of the Audit and Risk Committee;
  • What was contained in the current audit action plan; and
  • The progress on the implementation of the plan.

The overall audit outcome of the National Department of Tourism by the Auditor-General of South Africa (AGSA) was unchanged -- financially unqualified, with findings on non-compliance with key legislation. The AGSA had noted that some of the bid documentation for the procurement of commodities designated for local content and production did not stipulate the minimum threshold for local production and content. Effective steps were not taken to prevent irregular expenditure amounting to R1 223 493.

The AGSA had presented the final management letter and audit report at the Audit Committee meeting on 28 July 2021 after it was discussed with the Accounting Officer on 26 July. The Audit Committee had noted the report of the auditors and advised management to develop an action plan that should focus on the root causes of the findings as soon as possible, and that management should ensure that the planned actions addressed the root causes. The Committee also resolved to monitor the implementation of the action plan in planned quarterly meetings.

Management had presented the draft audit action plan to the Audit Committee at a meeting on 17 November. It reported that each finding had been analysed to identify root causes and assured the committee that actions developed were to address the root causes identified. Additionally, it stated that the action plan was a standing agenda item in the management meetings to facilitate monitoring of progress on its implementation. Evidence of the actions implemented was shared with internal auditors who verified the actions implemented.

The action plan contained 117 actions intended to address the 36 findings in procurement and contract management, immovable and movable tangible assets, relief funds of tourism guides, information technology and predetermined objectives. Officials responsible for the implementation of actions, deadlines for the implementation of actions and details of progress made, were also included in the action plan. The audit action plan was a standing agenda item in the audit committee meetings.

The progress report was presented to the Special Audit Committee on 25 February 2022. The progress made up to January was verified by internal auditors, and management also shared the unverified actions implemented in February. Audited progress on the implementation of actions to address material findings reported in January was that no material findings were reported by the auditors, and material findings had subsequently been corrected by management.  Effective steps were not taken to prevent irregular expenditure amounting to R1 223 493.

Overall, 73 out of 117 actions were implemented by the end of January, which was 63% of the action plan list. Management reported that the progress made on the implementation of actions on 25 February was estimated at 70% (82 out of 117 actions).

Mr Mzikayise Dondolo, Chairperson: Risk Management Committee (RMC), Department of Tourism, briefed the Committee on the oversight that the RMC provides to the Department. The role of the committee was to review the Department's system of enterprise risk management, formulate, promote and review its enterprise risk management objectives, strategy and policy, and monitor the process at strategic and operational levels at quarterly RMC meetings.

In preparation for the 2022/23 risk assessments, the Directorate: Risk and Integrity Management, had engaged the various branches to collect documents that would enable a literature review in preparation for the envisaged sessions. The literature review collected included the following reports:

  • Audit management reports;
  • Standard operating procedures;
  • Institute of Risk Management of South Africa report; and
  • Corruption Watch report.

The collected literature was considered in terms of what it says about the tourism environment externally and internally for the committee to be able to identify emerging risks to develop the strategic, operational, fraud, supply chain and information technology risk registers. It should be noted that priority would be to use the AGSA management report to identify all emerging and materialised risks from the identified audit findings, to ensure that the committee looks into harnessing existing and developing controls, to ensure that the Department achieves its set goals. After all the risk registers are developed from assessment sessions held with branches, the RMC considers all the draft registers and recommends them for approval by the Director-General, whereafter they are handed over to the Directorate: Internal Audit for them to develop an audit plan which is considered at the Audit Committee.

Quarterly risk progress reports were presented at the Audit Committee meetings. The departmental risk management committee meets quarterly to assess and analyse the progress on the implementation of the decided mitigation plans, identify materialised and emerging risks, evaluate the impact of the risk action plans' implementation on the identified risks, and get a deeper understanding of non-implemented action plans per branch, and the remedial action. In addition, the departmental risk management committee meets quarterly to assess the status of implementation of the action plans to address the audit findings, engage management on partially and non-implemented action plans, and evaluate the risk associated with non-implemented action plans in trying to avoid repeat findings.

Discussion

The Chairperson said the Public Finance Management Act (PFMA) requires that departments have an audit and risk committee comprising three or four members. These committees must have a member from the private sector, and the majority of the members should be from outside the Department to have an external outlook.

Mr M De Freitas (DA) asked about the relationship between the audit and the risk management committees. It seemed that these committees were only reactive to findings by the AGSA, rather than being proactive to prevent findings.

Ms H Winkler (DA) asked what happened if there were repeat findings from the AGSA. She asked if the audit committee was satisfied with its work, and the number of issues not yet addressed by departmental management.

Ms A Gomba (ANC) also felt that the committees were reactive to AGSA findings rather than proactive. She asked how risks were monitored when identified by the AGSA. Were the committees the watchdogs of the Department? The audit and risk management committees sat only four times a year, yet the Department was having repeat findings.

Mr P Moteka (EFF) agreed with other Members that the committees were more reactionary than proactive. They did not find anything before the AGSA. Every year, the Portfolio Committee was exposed to the same irregularities, fruitless and wasteful expenditure.

Mr H April (ANC) said there was assistance to small entrepreneurs that had been stopped by the risk committee when the country was fighting unemployment.

The Chairperson appreciated Mr April's participation from a hospital bed and sent recovery wishes on behalf of the Committee.

Mr K Sithole (IFP) asked if the audit and risk management committees evaluated quarterly reports from the Portfolio Committee to avoid the same findings every year.

Ms P Mpushe (ANC) asked if there were any challenges identified that prevented the Department from implementing audit findings.

The Chairperson was not happy that risks were not identified before they occurred. The AGSA reports for the past two years had noted that the Department was failing to monitor, resulting in repeat findings. The reports had also noted inadequate synergy between action plans and the performance plan by management. The Government Technical Advisory Centre (GTAC) had noted that some projects were unsustainable, but the risk and management committees could not find this.

Responses

Ms Masedi responded that the audit and risk committee did not simply respond to AGSA findings. There was a risk committee whose duty was to identify risks, whether strategic or operational and even functional risks, such as management risk, information communication technology (ICT) risks and fraud risks. It ranked them in terms of likelihood to occur, impact to the organisation and where it wanted them to occur, and then added additional layers of controls. There was a risk register where risks were ranked. Progress in monitoring the risk was provided to the audit committee as part of providing oversight and guidance, and concerns were raised with management and, where applicable, suggestions to improve were given. It should also be observed that all risks may not be monitored because of a lack of resources.

The internal audit used the risk register in coming up with an annual performance plan and three-year strategic plans. The audit committee also analyses AGSA recommendations and recommends action plans to management. It was not as if they waited for AGSA, but there was an internal audit and risk management committee which provided assurances on its behalf. The risk register universe covers all areas of the Department. Repeat findings would always be there because some findings were strategic in nature and took years for the benefits of action plans to be realised. Some of the deadlines for implementing AGSA action plans were after 31 March, and even if they were implemented before AGSA came back to do the audit, the benefits would not have been realised.

Ms Mashamaite Ramutsheli, Member of the Audit Committee, Department of Tourism, said the risk management committee was a committee of the accounting officer. Its responsibility was to identify risks and come up with internal controls to address the risks identified. On a quarterly basis, management reported to the risk management chairperson, Mr Dondolo, on progress with the mitigation of risks. Mr Dondolo then presented a report to the audit committee on strategic, operational, fraud and project management risks facing the Department to provide oversight on mitigation. If an action plan was not implemented, the audit committee would then engage with management directly to ask it to account for why there had been no progress in implementing mitigations. If the management was facing challenges, the audit committee then provided advice on alternative ways of mitigating risks. Sometimes it was budgetary constraints or human resource constraints.

The risk management and audit committees played an advisory role -- they were not implementers. They did not do any investigations; rather, these were done by the internal audit committee, which was the eyes and ears of the audit committee. The management of the Department were the action owners and were monitored on a monthly basis. If management did not implement any actions, the chair of the audit committee wrote a report on a quarterly basis to the Minister indicating if any findings were not being addressed, for the Minister to take corrective action. The audit committee's role ended with advice, not enforcement. The audit committee was also concerned if certain findings had been identified by the internal audit of the Department and the implementation of action plans may have been unsatisfactory.

Further responses would be provided in writing.

Committee minutes

The Committee adopted the minutes of the previous meeting.

The meeting was adjourned.
