Auditor-General (A-G) Tsakani Maluleke has found that Passenger Rail Services of SA (Prasa) lost more than R30 million through a cybersecurity attack and theft by an employee in the 2022/23 financial year.
“A R14.8 million loss was incurred as a result of a cybersecurity attack.
R21.2 million was embezzled by an employee of the organisation who was subsequently dismissed,” Maluleke said.
Prasa had procured the services of an independent digital forensic service provider to assist with an investigation into alleged fraudulent activity following the alleged cyber breach during the financial year under review, she said.
“This investigation was concluded on May 31, 2023 and pointed to critical weaknesses in the Prasa cybersecurity environment.
“Management is in the process of addressing the findings of the report as part of its ITC project plan, to be fully implemented by March 31, 2024.”
In her qualified audit report, Maluleke said Prasa has inadequate and insufficient controls over information security management and information technology systems. Such controls were necessary to ensure the reliability of the systems and the availability, accuracy and protection of information relating to user access management, programme change control and IT service continuity.
Maluleke also found that Prasa did not take effective and appropriate steps to prevent irregular expenditure totalling more than R4m.
“The majority of the irregular expenditure was caused by non-compliance with laws and regulations pertaining to procurement and contract management.”
Effective steps were not taken to prevent fruitless and wasteful expenditure, she said.
Maluleke added that particulars of irregular, fruitless and wasteful expenditure balances included in the annual report were materially inconsistent with audit evidence obtained during the audit.
“This is due to Prasa not having revisited the irregular and fruitless and wasteful expenditure incurred in financial years prior to March 31, 2021, to ensure the completeness thereof, in light of previous audit qualifications stretching as far back as the financial year ended March 31, 2017.”
Maluleke said she was unable to obtain sufficient appropriate audit evidence that disciplinary steps were taken against officials who had incurred irregular expenditure or fruitless and wasteful expenditure.
However, in its annual report, Prasa revealed that it had identified that one of its employees embezzled R34.5m, of which R9.5m was returned by the employee last October.
“The remaining total loss to be recovered is R24.9 million of which R21.2 million (included in note 42 for the current year) and R3.7 million relates to the 2022/23 and 2023/24 financial years respectively.
“A criminal case and criminal proceedings are instituted against the employee to recover the proceeds of crime,” reads the annual report.
Prasa said the employee was dismissed after a disciplinary hearing and an urgent application to freeze the assets of the dismissed employee was also lodged.
Maluleke noted with concern that Prasa’s financial statements were not submitted for auditing within the prescribed period after the end of the financial year, as required by the Public Finance Management Act.