Auditor-General asks Hawks to investigate R158m social grant theft at Post Office, Postbank

The Hawks are investigating three cases of theft amounting to R158 million at the SA Post Office (Sapo) and Postbank after Auditor-General Tsakani Maluleke became unhappy with how the matters were dealt with by the entities.

In her 2024/25 audit reports for both Sapo and Postbank, Maluleke said she has been assured by the Directorate for Priority Crime Investigation (DPCI), the Hawks' official name, that the investigation is in progress after the material irregularity was referred to the law enforcement agency.

The cases were opened with the Garsfontein, Tshwane police in August 2023 and two others at Pretoria Central and Park Road, Mangaung in June last year.

Maluleke said in October last year the Hawks informed her that the docket was still with the prosecutor for decision making and in April the crime fighting body submitted a status update indicating that the matter is still under investigation.

"I will follow up on the progress made on the next audit," she undertook.

The Hawks have revealed that the ongoing cases involve individuals identified as SS Massoa and BL Mbatha, a former manager and teller at the Stretford Post Office in Orange Farm.

Massoa, who was arrested in June last year, is accused of making misrepresentations on the SA Social Security Agency (Sassa) manual payment list that he had paid legitimate beneficiaries in the period between May 2020 and January 2021, which was not the case, and the investigation revealed that some of the transactions were done outside normal working hours and involved an amount of nearly R2.24m.

Mbatha also made misrepresentations on the Sassa manual payment list that she had paid legitimate beneficiaries between May 2020 and August 2020 when it was not the case and Sapo lost over R1.6m. She was arrested in July last year and is expected to return to court later this month.

The cases relate to the lack of implementation of effective controls on the Sassa grants beneficiary payment system.

Sapo, which is currently under business rescue, failed to maintain an effective system of internal control over safeguarding of customer bank cards issued.

Postbank failed to maintain an effective internal control system over the cards, an actual loss of R68.76m was written off for the 2018/19 financial year. It is believed the cards were stolen and fraudulent transactions were processed.

Also at Postbank, the DPCI is probing the failure to maintain an effective system of internal control on the card management and Sassa beneficiary payment process which resulted in the agency's cards to the value of R13.58m being written off due to a SA Reserve Bank directive.

Maluleke said Sapo failed to ensure that the integrated grants payment system (IGPS) had sufficient controls and risk management processes to prevent possible fraudulent activities and also implement effective controls on customer bank cards as required by the Public Finance Management Act (PFMA).

In November 2020, the Auditor-General notified the then acting Sapo accounting authority of the material irregularity and provided them with an opportunity to respond, which Maluleke received in February the following year.

In its response, Sapo indicated that they were not the appropriate accounting authority, and therefore cannot take any action as an agreement had been reached to transfer ownership of the IGPS system from the post office to Postbank from January 2021, which was around the same time the transfer of the financial institution to be a stand-alone entity took place.

Maluleke said Sapo's response was assessed in terms of the PFMA and was found to show that indicators of fraud were prevalent in the internal control deficiencies identified and the matter was reported to the Hawks in accordance with the Public Audit Act.

In addition, she stated that several IGPS control environment concerns had been reported which had a severe negative impact on the institution in the form of cyberattacks, which allowed fraudsters to perform fraudulent transactions resulting in significant material losses for Postbank.

"The IGPS report submitted for audit purposes estimated the financial loss to be R89m, but follow-up audit work suggested the actual amount could be even higher.

Due to significant weaknesses in the system and processes, the full extent of all losses could not be determined, and management was urged to quantify the complete losses suffered," reads the Auditor-General's Postbank audit report.

The cyberattacks on Postbank were reported to have been staged in October 2022.

loyiso.sidimba@inl.co.za