The Weak OBRS
The New Zealand Ministry of Business Innovation and Employment (MBIE) is providing online business registry technical assistance to Africa under the Ministry of Foreign Affairs and Trade (MFAT) New Zealand Aid Programme. The overarching goal of this programme is to achieve faster, cheaper, and more accurate business registration in selected African countries through the introduction or upgrading of online business registration systems to international standards.
At the Companies and Intellectual Property Authority (CIPA) in Botswana, the OBRS project involved developing a new system to replace the old Companies and Business Names Registration System launched in August 2007. The exercise included amending the Companies Act, registering the Business Names Act, and re-registration Acts for companies and business names. The project also required business process re-engineering and the provision of e-commerce (online payment services).
The New Zealand government funded the project, including provisional out-of-scope items due to law reforms, at P7.3 million. CIPA contributed P8 million towards IT equipment, stakeholder engagement, temporary staff employment, training, and call center services.
During its investigation, the DIS scrutinised the CIPA Registrar General’s progress update (dated 3 December 2019) to the Board of Directors on CIPA operations, the Foster Moore CIPA Project status report of 1 November 2019, the OBRS Executive Status Report of November 2019, the Foster Moore order form signed by the Registrar General on 1 June 2019, and the Foster Moore (OBRS) software support agreement signed by the Registrar General on the same date.
In its findings, the DIS discovered that the CIPA Registrar General had stated that the Foster Moore contract “was signed under duress.” Foster Moore reportedly threatened not to proceed with the contract launch unless it was signed within one week of submitting the draft. Additionally, the CIPA Management Tender Committee had not ratified the system’s procurement when the contract with Foster Moore was signed and committed.
Botswana became the second country, following Lesotho in 2014, to implement the Foster Moore system as part of the New Zealand Aid Programme. However, the Lesotho implementation has faced numerous issues, including extended periods of system downtime, resulting in an inability by the Lesotho government to serve its customers for a protracted period.
The DIS investigation revealed that the system has weak user access controls, which led to an incident where a CIPA employee exploited the system’s weaknesses to steal P74,930.00. This problem was compounded by the OBRS lacking daily reporting functionality, which would have enabled the finance team to detect the fraud earlier.
There is a recommendation for an immediate independent technical review of the Foster Moore Catalyst System to identify the full extent of its deficiencies, weaknesses, and gaps to mitigate further risks to CIPA. The process of selecting Foster Moore as the preferred software vendor should also be probed to ensure that governance and compliance were not compromised to take advantage of the New Zealand Government’s Aid Programme. Furthermore, the technical assistance provided by the New Zealand Companies Office to CIPA should be governed by a documented Memorandum of Understanding as government-to-government assistance.
The CIPA Francistown Branch Fraud
On 22 August 2019, a CIPA Accounts Officer in charge of revenue, Kabo Molalawesi, reported an incident to his superiors. He discovered the issue during his daily reconciliation duties. An initial inquiry was conducted, and CIPA decided that the Finance Manager at the time and the Accounts Officer Revenue should travel to Francistown to gather more facts about the incident.
The preliminary investigation revealed that the incident occurred over three days, from 19 to 21 August 2019. Further fact-finding indicated that it happened between 17 and 21 August 2019. The incident took place in the Revenue Unit under Finance from the Corporate Services Department. According to Molalawesi, he realised that the individual reconciliation reports from Foster Moore included three individual collection reports from Lizzie Makosha (a CIPA employee) for 19, 20, and 21 August 2019. An inquiry was lodged with Foster Moore via email to clarify why Makosha’s account appeared on the finance reports, as she was not part of the CIPA finance team collecting revenue. A detailed revenue collection report for Makosha’s account was also requested from Foster Moore.
The DIS discovered that Makosha’s account was used to credit several customer deposit accounts between 19 and 21 August 2019. The money collected during those dates was never deposited into CIPA’s accounts, as it did not reflect in the organisation’s bank statements.
Further inquiries with CIPA Francistown Branch Manager Nlashiki Mpuchane revealed that he was unaware of any non-finance officer collecting revenue at his branch. Mpuchane promised to investigate the matter. He confronted the revenue officers, who denied knowledge of the incident. However, Cedrick Pako Kewamodimo later confessed. On 22 August 2019, Mpuchane informed the DIS that Kewamodimo, an Accounts Clerk, admitted to using Makosha’s account to collect revenue.
Makosha, an intern at the Francistown office at the time, stated that she was not initially given a username and password when the OBRS system was launched. Her credentials were later created as kiosk-05cipa.co.bw by Keletso Lenchwe, which she used for three weeks. Subsequently, she was issued new credentials under lmakosha@cipa.co.bw, which she immediately changed upon receipt. Makosha claimed in her statement that she did not share her password with anyone and suspected that Kewamodimo might have seen her password when she logged into the account in his presence. However, the DIS established from the system developers that Makosha’s account had rights to finance functions, contrary to her claims.
Another intern, Tshepo Gareitsanye, was found to have the rights to change passwords for other officers. Gareitsanye stated that he was trained with other officers on profile creation, company/business registration, and customer service. He claimed he was unaware of the misappropriated funds. Kewamodimo, in his statement, admitted to knowing Makosha’s login details as they were sent to him via email by Sumi Falesu. He later learned her updated password when training her on checking customer codes. He confessed to exploiting Makosha’s account for unauthorised transactions, which he used to build a house for his grandmother and a poultry house for himself.
The OBRS deficiencies
The DIS investigation revealed that OBRS user access rights were granted to individuals who were not finance officers. According to system developer Sumi Falesui, at least 12 officers were given finance functionalities. Among these, only Makosha was a non-finance officer. Falesui explained that scripted logins were created for new users as a temporary measure while the development of account creation functionality was still in progress.
The DIS found that the system lacked controls, such as authorization for transactions involving customer accounts. Many users, including administrators, had access to functions like recording and maintaining transactions, which should have been restricted to finance officers. The Francistown branch’s cash handling process also lacked proper documentation and reconciliation practices.
Disciplinary action has been recommended against Kewamodimo in line with CIPA’s Conditions of Service. Recommendations for CIPA include standardizing cash-up and reconciliation processes across all branches, revoking unauthorized finance functions, introducing preventive controls in the system, limiting administrators’ rights, and installing CCTV cameras in offices. Additionally, revenue officers should be adequately trained on the OBRS system and daily cash reconciliation processes.