The Democratic Alliance (DA) has obtained a copy of a document detailing a forensic investigation carried out by Deloitte and Touche into two incidents of fraud committed at the Tshwane and Durban offices of Metrorail respectively. The fraud involved the illegal electronic transfer of approximately R8-million in total from Metrorail's bank account into a number of privately held accounts. The report revealed that the fraud occurred within an inadequately protected IT environment at Metrorail. According to the report, no-one has been brought to book for the crime.

The report can be downloaded in two separate parts from the DA Media Centre's Documents Vault. (Download File 1; Download File 2)

The incidents of fraud occurred during June and July 2008. It involved the transfer of electronic funds from the Metrorail bank accounts within a private bank. Approximately R4-million was transferred on each occasion. The parent company of Metrorail, the Passenger Rail Agency of South Africa (PRASA), assigned the bank to conduct an investigation into the frauds. However, due to dissatisfaction with the results of the investigation undertaken by the bank, PRASA appointed Deloitte to conduct a full forensic investigation. Following this, and prior to the forensic investigation being fully completed, the CFO of PRASA requested that Deloitte finalise their forensic investigation and highlight all outstanding matters as "...PRASA intended to pursue those via internal processes."

Because the forensic audit was not completed, a number of questions remain unanswered and therefore require further, independent investigation. The Democratic Alliance (DA) will be issuing parliamentary questions on the matter and will also be writing to the Public Protector requesting such an investigation.

Further investigation is particularly necessitated by the fact while PRASA has been able to recover most of the money from insurance, no one has seemingly been brought to book for this theft. This is particularly disturbing in light of the nature of the fraud that was committed -- according to the report, the nature of the incident in question was of a "sophisticated and complex level, indicating the involvement of more than one crime syndicate and collusion between PRASA staff and external parties."

Deloitte further noted that the greatest challenge during the investigation was an alleged lack of co-operation from the Manager at the private bank responsible for the investigation. The logs to the firewall breach that occurred when the fraud was committed were allegedly overwritten and subsequently lost by the bank. An investigation on determining why it did not properly secure these logs in anticipation of an investigation needs to be carried out. PRASA also needs to be subjected to a similar investigation in that the report noted that they too failed to preserve firewall logs for the investigation.

This incident indicates a lack of financial prudence, specifically within Metrorail, but also in its parent company PRASA more generally. This general lack of financial prudence within state-owned entities has had the result of compromising the service delivered to all South Africans. Train commuters particularly have been subjected to having to travel in aging and unsafe coaches and the constant threat of crime on trains due to an insufficient number of security guards on trains. PRASA, should like its counterpart in freight rail, Transnet, consider forming partnerships within the private sector in order to remedy these problems.