PwC stated that, to map out Steinhoff’s IT landscape, it had to mostly conduct interviews. File photo.
Nicola Mawson
Steinhoff, which had listings both in South Africa and in Germany, had such a lack of ICT governance systems in place that data, especially financial information, could easily be manipulated or fall into the wrong hands.
An exhaustive investigation into what has become South Africa’s largest corporate scandal by PwC showed that there was a lack of written documentation on the systems and processes, critical process knowledge resided with a limited number of employees, and a “high degree of manual intervention in processes” increased “the risk and actual execution of manual errors and manipulation”.
Steinhoff, which folded following Deloitte confirming there were accounting irregularities in 2017, used several software systems in the accounting process, including Excel, PwC’s investigation showed. Steinhoff also made use of enterprise resources planning software, including SAP and SYSPRO.
By not making full use of the solutions provided in the software, there were inadequate controls in the business process, which “limited traceability and transparency,” PwC stated.
The 7 000-page report into accounting irregularities, which Business Report obtained through a Promotion of Access to Information Act application, included the review of “a large number of transactions” with the advisory firm finding “a substantial number of manipulations and transactions with no economic substance”.
PwC found that, for each fiscal year, there were multiple draft versions of consolidated reporting packs, which were MS Excel-based.
In some cases, account balances were entered manually into the Steinhoff finance consolidated reporting pack Excel document, “which allows for manual errors and adjustments,” it noted.
Other issues the advisory firm identified included that payments flagged as urgent only required one signature, databases entries were manually edited, and all data for the 2015 financial year and for those preceding it was moved back by a year. PwC said it was told “this was done to account for the 15-month period in fiscal year 2016 since SYSPRO could not handle this change otherwise”.
Some database tables containing the descriptions for the account and journal types were incomplete, while it was possible for a single manual journal document within financial consolidation system IDL to be edited by multiple users at different times, the investigation found.
PwC stated that, to map out Steinhoff’s IT landscape, it had to mostly conduct interviews.
“This was due to the lack of documentation describing the environment. Overall, it was noted that there was a limited IT governance,” it said.
In several instances, transactions were executed or deleted based on telephonic or email instructions.
Among other details that emerged was that former CEO Markus Jooste had seven different email addresses. One of these (mjj@steinhoff.co.za) and one used by another former executive (mm@steinhoff.co.za) regularly had their archives folders purged.
Deleting an archives folder results in it being permanently being removed from the system unless it is rescued from trash before being destroyed after 30 days. As a result, there will be no backup of these emails.
Jooste, seen by many as the kingpin behind the fraud that resulted in the company’s collapse, killed himself almost a year ago just before he was set to be arrested in connection with the scandal.
In addition, PwC pointed out that “there was no controlling of decommissioned devices and that company-owned devices could be used for private purposes despite contrary IT policies in place”.
The result of this is that sensitive data could be anywhere, in anyone’s hands, and not necessarily subject to the proper controls.
“In general, the financial systems were in most part disparate with a low level of integration. This creates process and control weaknesses for risk management and internal audit procedures,” PwC stated.
BUSINESS REPORT