The Special Investigating Unit (SIU) has identified flaws and weaknesses in the IT systems of the National Student Financial Aid Scheme (NSFAS), resulting in overpayments, underpayments and payments to ‘ghost students’ over the years.
This is based on preliminary findings of an investigation of corruption and maladministration at NSFAS. The SIU has so far uncovered that the scheme incorrectly funded some 40 000 non-qualifying students to the tune of more than R5.1 billion.
President Cyril Ramaphosa authorised the investigation last August, with the SIU saying it will be in two parts, and will examine the management of NSFAS finances and the allocation of loans, bursaries and any other funding payable to students in terms of the NSFAS Act.
The investigation covers the period from 2017, to date.
Presenting before Parliament’s Standing Committee on Public Accounts (Scopa) yesterday, Leonard Lekgetho, SIU chief national investigations officer, said the organisation’s investigation commenced on 2 September 2022, estimating it will take 18 months to complete.
He explained the focus of the ongoing investigation is on incorrectly funded students, NSFAS financial management systems and close out reports per institution – overpayments to institutions.
Looking at the various IT systems used by NSFAS in its mandate to fund students, including the Celbux system and use of vouchers and voucher services, the lead investigator said the SIU has so far identified flaws and weaknesses, including the susceptibility to hacking and other abuse and risks related to these systems.
In this regard, the SIU is considering the extent of the investigation ahead, which is still at a very early stage, he stated. “Over and above identification of flaws in the system, the investigation will entail identification and quantification of damage potentially suffered; that is, thousands of vouchers issued and voucher services rendered to thousands of students over an extensive period of several years.”
In terms of overpayments to institutions, he revealed NSFAS failed to design and implement controls to ensure there is an annual reconciliation between the funds disbursed to the institutions and the allocation of those funds to the students.
“This control weakness led to overpayments and underpayments of funds to the different institutions for the period 2017 to date; however, they have recently appointed a service provider to assist them to perform this reconciliation in a process called close out reporting.”
Based on observations so far, Lekgetho told Scopa that inherent weaknesses and flaws in IT systems have prevailed.
“Systems are vulnerable and can be hacked with relative ease, resulting in (inter alia) the creation of fictitious students, payments being made to such fictitious students and/or to unauthorised persons.”
In addition, he stated that in the past, it was difficult for NSFAS to identify fraudulent applications for student loans and/or bursaries, as it did not have access to systems such as SARS, home affairs and credit bureau check ITC.
“At this stage, it seems there is an improvement in their access to such information, which puts them in a better position to verify the accuracy of the representations made in the application; for example, representation pertaining to income, family relationships, etc.”
To address some of these challenges, the SIU made several recommendations, including the development of a comprehensive security policy.
“Once the areas of weaknesses are identified, it is important to develop a comprehensive security policy that outlines the security controls that need to be implemented. This policy should cover everything from user access control, to password management, segregation of duties, user activity logs (server logs) and data backup. If such a policy exists at present, it should be reviewed as part of effective ICT governance.
“[It must] implement role-based access control (RBAC) as a security model to restrict access to resources based on the roles and responsibilities of individual users within an organisation. Implementing RBAC can assist in controlling access to sensitive data and limit the damage caused by unauthorised access.”
Furthermore, the SIU urges educating NSFAS employees about security best practices, in order to maintain a secure environment that can assist with the risks associated with poor user-control and help them identify potential security threats.
Share