News / National
Hackers snatch US$100 000 from NatPharm
03 May 2022 at 11:01hrs | Views
THE National Pharmaceutical Company of Zimbabwe (NatPharm) lost more than US$100 000 to hackers when its computer system was attacked, Auditor-General Mildred Chiri (pictured) has revealed.
In her report for the year ended 31 December 2020, Chiri reported that NatPharm's server was reportedly down during the period under review. An employee used their private email to communicate with a supplier, leaving the computer system vulnerable, hence the attack.
"The company lost funds amounting to US$104 760. Upon enquiry, management indicated that their information technology system was hacked and the hackers diverted funds which were meant to pay a certain supplier. Management further advised that the email server at National Pharmaceutical Company was down at the time and a clerk used his personal account to communicate with the supplier," read the report.
Chiri warned that the company risks unprecedented financial loss if crucial data is not protected and recommended that NatPharm ensure that official business is conducted via company email servers.
"Management should ensure all business communication is done via the company's email servers and minimise use of personal email accounts," she said.
The company also has an outstating arbitration award of US$2.7 million that it is refusing to honour, arguing that the burden should be carried by the ministry of Health and Child Care. This is despite evidence that the contract was violated by NatPharm.
"The company did not provide for an amount of US$2 733 480 arising from an arbitration award made in favour of a supplier. This unfavourable award arose after National Pharmaceutical Company had terminated a US$20 million contract with the supplier for illegality. The matter was subsequently sent for arbitration and the claimant abandoned the larger portion of its claim, but was awarded a sum of US$2 733 480 in respect of medicines and sundries already supplied. Management insists on not providing for the arbitration award on the basis that it was the ministry of Health and Child Care (MoHCC) that entered into contract with the supplier in question in the first place, as such, it is the MoHCC who should honour the arbitration award," reported Chiri.
NatPharm also acquired masks without supporting requisition forms, this was in breach of internal control mechanisms which could also lead to financial loss.
"The procurement of face masks at a cost of ZW$54 600 on May 19 2020 from Sacred Heart Pharmaceuticals was done without raising a purchase requisition. Thereafter the delivery notes and confirmation of receipt of goods was done by the same person. There was no segregation of duties and minimum procurement controls were not applied," reported Chiri.
The masks were not delivered to NatPharm, but were instead sold to the Zimbabwe Medical Association without an invoice or quotation, contrary to the set down control measures.
"In addition, these goods were not delivered at the warehouse as is the normal practice at Nat Pharm. These face masks were instead sold and delivered to Zimbabwe Medical Association for ZW$68 000 and no quotation or invoice was raised by the Strategic Business Unit which is responsible for the company's retail functions," reported Chiri.
She fears the likelihood of financial loss as management seems to be overriding set internal controls.
"Those charged with governance should discourage management from overriding internal controls. Compensatory controls will need to be put in place where management find it necessary to divert from normal procedures," she urged.
In her report for the year ended 31 December 2020, Chiri reported that NatPharm's server was reportedly down during the period under review. An employee used their private email to communicate with a supplier, leaving the computer system vulnerable, hence the attack.
"The company lost funds amounting to US$104 760. Upon enquiry, management indicated that their information technology system was hacked and the hackers diverted funds which were meant to pay a certain supplier. Management further advised that the email server at National Pharmaceutical Company was down at the time and a clerk used his personal account to communicate with the supplier," read the report.
Chiri warned that the company risks unprecedented financial loss if crucial data is not protected and recommended that NatPharm ensure that official business is conducted via company email servers.
"Management should ensure all business communication is done via the company's email servers and minimise use of personal email accounts," she said.
The company also has an outstating arbitration award of US$2.7 million that it is refusing to honour, arguing that the burden should be carried by the ministry of Health and Child Care. This is despite evidence that the contract was violated by NatPharm.
"The company did not provide for an amount of US$2 733 480 arising from an arbitration award made in favour of a supplier. This unfavourable award arose after National Pharmaceutical Company had terminated a US$20 million contract with the supplier for illegality. The matter was subsequently sent for arbitration and the claimant abandoned the larger portion of its claim, but was awarded a sum of US$2 733 480 in respect of medicines and sundries already supplied. Management insists on not providing for the arbitration award on the basis that it was the ministry of Health and Child Care (MoHCC) that entered into contract with the supplier in question in the first place, as such, it is the MoHCC who should honour the arbitration award," reported Chiri.
NatPharm also acquired masks without supporting requisition forms, this was in breach of internal control mechanisms which could also lead to financial loss.
"The procurement of face masks at a cost of ZW$54 600 on May 19 2020 from Sacred Heart Pharmaceuticals was done without raising a purchase requisition. Thereafter the delivery notes and confirmation of receipt of goods was done by the same person. There was no segregation of duties and minimum procurement controls were not applied," reported Chiri.
The masks were not delivered to NatPharm, but were instead sold to the Zimbabwe Medical Association without an invoice or quotation, contrary to the set down control measures.
"In addition, these goods were not delivered at the warehouse as is the normal practice at Nat Pharm. These face masks were instead sold and delivered to Zimbabwe Medical Association for ZW$68 000 and no quotation or invoice was raised by the Strategic Business Unit which is responsible for the company's retail functions," reported Chiri.
She fears the likelihood of financial loss as management seems to be overriding set internal controls.
"Those charged with governance should discourage management from overriding internal controls. Compensatory controls will need to be put in place where management find it necessary to divert from normal procedures," she urged.
Source - NewsHawks