The National Student Financial Aid Scheme (NSFAS) has come under scrutiny due to systemic weaknesses identified within its Information & Communication Technology (ICT) and Forensic Data Analytics departments. An investigation led by the SIU Cyber Forensics Laboratory ("CFL") has shed light on critical flaws in NSFAS's systems and processes.
The CFL conducted interviews with various stakeholders, including NSFAS employees and personnel from universities and TVET colleges. Their focused areas included assessing risks to ICT systems and processes.
Interviews were conducted Chief Information Officer (CIO) who started working at NSFAS in May 2021 and became permanent December 2021, the lone Cyber Security and Network Administrator, Software Development Administrator, Data Warehouse Custodian, Database Administrator Database Operator and Several other NSFAS administrator and employees.
The SIU said these interviews revealed discrepancies among NSFAS ICT staff indicating a lack of coherence in communication. Significant concerns were raised regarding system flaws, inadequate user and systems control and unclear segregation of duties.
It was also revealed that the Database Administrator's lack of knowledge about legitimate system users led to their suspension in 2023. A previous Penetration Test also exposed vulnerabilities within NSFAS's systems.
The SIU said the absence of mandatory submission of parental and guardian information has created an incomplete financial assessment system. This lack of information hinders NSFAS's ability to accurately determine household incomes which could lead to them funding undeserving students.
It is estimated that the total expenditure of NSFAS on ineligible students between 2018 and 2021 amounted to more than R5,1 Billion.
There is also an existence of user registration loopholes which allows for the registration of "ghost users" within the system. These users lack associated employee details, potentially providing a gateway for the manipulation of sensitive student funding data.
In addition, the SIU said NSFAS faces challenges in remittance record-keeping. Remittance record-keeping involves carefully recording and managing all financial transactions linked to transferring or assigning funds.
This means noting down payments sent to students, recording the amounts, dates, and reasons for each transaction, and keeping everything organised for checks and reports.
The SIU said the inadequate documentation of funds allocated to institutions or colleges between 2017 and 2022 poses a significant obstacle. They added that the lack of comprehensive data hinders NSFAS's ability to provide a clear account of financial transactions.
They believe the absence of an automated system exacerbates inefficiencies in the confirmation of student registrations by institutions. This manual process not only consumes more time but also lacks a real-time tracking mechanism, making it challenging to promptly identify and recover overpayments.
The SIU said a notable weakness lies in NSFAS's failure to engage directly with the Department of Social Development (DSD) to obtain parental/guardian information. This oversight results in a data gap in student profiles, undermining the completeness and accuracy of the aid distribution process.
They believe that addressing these identified weaknesses is imperative for NSFAS to uphold transparency and integrity in its financial aid operations.