Audit: Mismanagement, fraud identified at Dunn's River

The audit report into the operations at the St Ann-based Dunn's River Falls and Park has found significant and long-term fraud-control failures, financial mismanagement, insufficient processes and gaps in information technology controls.

The Urban Development Corporation (UDC) released a redacted version of the report on Wednesday evening "in the spirit of transparency and accountability".

The report notes that the related exposure to the UDC can be estimated from US$500,000 to more than US$1 million in annual revenue loss if the recom-mendations are not materially implemented.

The UDC says the short-term plan to address issues at Dunn's River will be enacted within the next two weeks, and that the actions from the medium-term plan will span a period of at least three months.

Material findings

- Documentation and related controls are not sufficient to substantiate material transactions related to revenue/sales. Processes, controls, and documentation requirements are not structured to detect fraud and corruption; instead, the control environment enables theft, misappropriation, and abuse of assets. Specifically, a lack of documentation and controls governing resident tickets, free tickets, cruise tickets, tour operator contracts, and events was noted.

- Resident ticket sales have grown by 67 per cent year-over-year vs seven per cent for non-resident and prepaid ticket sales, without evidence to validate the accuracy of the resident classification. Further, resident ticket sales were higher than non-resident sales for the first time in August 2017, with nearly 55,000 sold.

- A tier structure exists to discount tour operator tickets based on ticket volumes. However, management indicated that the discounting structure and tiers have not been updated in 14-15 years; volume requirements appear to be artificially low, with 96 per cent of prepaid tickets sold at the most discounted tier. Additionally, actual purchases are not monitored to ensure volumes are achieved to earn the related tier.

- Event pricing is not documented and approvals are not required. Attendance for events and costs are not tracked against revenue to evaluate profitability. A log or tracking mechanism for events is not consistently maintained.

- The existing control structure is not sufficient to prevent or limit fraud and corruption in the distribution of free tickets and tickets; issued for ORBB. Approval controls are not consistently enforced or monitored for free tickets and documented authorisation, even when obtained, is not consistently retained. Cashiers do not rely on business operating system to account for wristbands-related revenue for Ocho Rios Bay Beach; per discussion with management, all tickets are printed as free and reconciled at the end of each day.

- UDC and St Ann Developmentr Company Ltd information technology (IT) systems are not configured in a manner to support transparency, accuracy, and completeness of financial data. Additionally, we noted instances of individuals with administrative IT access attempting to impede this investigation and the activities of internal audit. Significant systems-control gaps exist, including a lack of interface/integration, generic user IDs and shared passwords, and inadequate change processes.

- Governance and oversight structures are not sufficient to mitigate fraud risk. Internal audit does not follow up on findings, UDC management is not provided with detailed financial information from the point-of-sale system, and whistle-blower and incident reports are not maintained or consistently investigated.

Next steps

- Implement financial and operational processes and controls to mitigate the risk of fraud, corruption, and missed revenue potential.

- Implement IT recommendations including access and process controls, interfaces, monitoring, and workflows.

- Independent Project manager officer to drive change.

- Design a more robust governance structure and culture of oversight and transparency.

- Execute an ongoing monitoring programme.