Report: Gov’t risks ‘unauthorised purchases’

A previous lack of proper controls over the Cayman Islands government’s computerised financial records system has left the public sector open to the risk of unauthorised transactions and potential “inappropriate actions” by its employees, according to an internal audit seen by the Caymanian Compass.

The review was completed in February 2011 by the government’s Internal Audit Unit, which looked at how the Integrated Resource Information System or IRIS was being used by government workers who are responsible for handling inventory and purchase orders. All government entities are required to use the IRIS system to record their financial activities unless specifically exempted by the financial secretary.

The audit found that a total of 125 people in government had the ability to create and approve purchase orders for government inventories; while a total of 161 people could validate invoices for payment.

In some cases, auditors found that the same people creating the orders were approving them. In most cases, the purchases were limited to between $500 and $25,000. Some of the people who had approval ability in the IRIS system were not management-level government employees.

“Review of the relevant configuration settings reveal that self-approval [of purchase orders] is allowed,” the review noted. “The ability to self-approve [purchase orders] and invoices increases the risk of unauthorised purchases through the abuse of authorisation privileges.”

The auditors’ report did not point to any specific examples of unauthorised activities occurring or give views on whether this had occurred at all. However, they did make recommendations to correct the issue, which government managers accepted and acted upon in 2011.

The Treasury Department ordered government chief officers to route approval for access to the IRIS system to senior financial managers.

“Ministries and portfolios will need to make arrangements for [purchase orders] and invoices to be approved by an officer other than the person initiating the transaction,” the government’s response read.

Auditors noted that the number of people in government who had computerised access that allowed them to change, add to or maintain records for government vendors “appeared excessive to us”. Some of those 31 employees across various government agencies did not require access to those vendor record functions, the report found.

There were also reported problems with the quality of the data kept on government vendors. “There is … no validation of legitimacy of vendors,” auditors wrote.

“The collective issues of inappropriate user access, duplications, agency-requesting authority and vendor non-validation make overall vendor set up controls and the current integrity of the vendor master file unreliable,” the report stated. “This may compromise the validity of payments made.”

Also increasing the potential risk of government making unauthorised purchases and in some cases overpayments, were certain computer settings in the IRIS system which essentially limited how much of an item could be ordered on an invoice. These ‘invoice tolerances’ – as they were described by auditors – were set at ‘zero’, which means invoice details had to exactly match government purchase orders.

“However, a final override can occur when entering the purchase order if the employee has access,” the auditors’ report noted.

The government Treasury Department stated it would review all user limits in the IRIS system “which should be determined and set based on the roles and services provided by the department and the officer’s position and responsibilities”.

“This exercise is expected to be intensive and time-consuming,” department management stated in its response to the audit, adding that the Treasury Department could not give a specific timeline for the completion of its review.