An audit of the software procured by the Catanduanes State University for use in the enrolment and “learning management” starting in 2022 has raised questions about its integrity and the supplier’s failure to fully provide the items included in the contract.
The report stated that in 2022, the university entered into an P8 million contract with the Digital Software Technology Consultancy for the “Procurement of Learning Management System with Student Information System SY 2021-2022 & 2022-2023 for Unlimited Number of Enrolled Students.”
Upon the expiration of the contract’s validity that same year, the university again entered into contract witn the same company for a one-year subscription at a cost of P7 million.
According to the report, LMS is a software application for the administration, documentation, tracking, reporting, automation and delivery of educational courses, training programs, or learning and development programs, or learning and development programs.
The audit team found that the personal information of around 13,000 students and less than 1,000 instructors and staff was accessed by the system.
As such, the system as well as the private service provider is covered by Sec. 33 of Republic Act 10173 (the Data Privacy Act of 2012) which required government agencies entering into any contract that involves accessing or requiring sensitive personal information from 1,000 or more individuals to register their personal data processing system with the National Privacy Commission (NPC).
RA 10844, or the Department of Information and Communications Technology (DICT) Act of 2015, also requires the conduct of Security and Protection Assessment for all Critical Information Infrastructures to be conducted by any of the 70 Cybersecurity Assessment Providers recognized by DICT.
Verification of the CatSU documents covering the software purchase and subscription in 2022 and 2023 showed that it did not have an attached proof of the Digisoft software’s registration with NPC.
“Instead, there was an attached Data Privacy Policy Statement signed buy the owner/lead programmer of the company,” the audit team stated. “It appeared as a self-serving statement and cannot be considered as proof of registration with the NPC.”
Likewise, there was no attached report that showed there were no critical vulnerabilities in the system through a Vulnerability Assessment and Penetration Testing (VAPT) conducted by a DICT provider.
“Instead, there was an attached certificate showing that it was the same contractor, the Digital Software Technology Consultancy, which conducted the vulnerability and penetration testing of its own system,” the COA discovered.
These are not in accordance with Sec. 33 of RA 10173 and Sec. 2 (m) and (n) of RA 10844, thereby affecting the integrity of the SIAS-LMS, it emphasized.
In response, the CatSU management, through then President Patrick Alain Azanza, explained that the IS provider submitted equivalent documents in compliance with the requirements of the bidding documents.
The audit team, however, pointed out that the Terms of Reference of the contract was not properly prepared and did not allow the submission of any equivalent, thus, “the equivalent documents in lieu of what are required by existing law are not admissible.”
The lack of proper review of the TOR, the COA report stressed, resulted in incomplete supporting documents due to laxity in asserting strict compliance with law, rules and regulations.
Auditors also found that CatSU released P1.5 million in retention money to Digital Software Technology Consultancy and did not forfeit its performance security despite the company’s failure to provide all 110 items or specifications under the contract or correct deficient items.
A test of the supplier’s compliance with the contract TOR indicated that 14 items or specifications were not supplied by the contractor while 10 items were considered deficient.
The results showed that the CatSU accounting office tried using the Biometric Attendance and Payroll System of the SIAS-LMS but stopped because some functions were not available.
The software was likewise not user-friendly and the layout is not very responsive, the test done by the audit team in coordination with the CatSU ITS Department which administers the system.
The supplier did not properly schedule system updates while the 24/7 online technical and user support team was not responsive to queries, failing to address concerns until now.
It was learned that the ITS Director had already written the then president on April 24, 2023 expressing concern about the result of the satisfaction survey, with a recommendation to explore other options for the SIAS-LMS that are more user-friendly, efficient and effective and will provide the faculty and staff the tools needed in the job.
The same official also communicated to the president of Digital Software Technology Consultancy the “multiple issues that have significantly affected the daily operations and caused inconvenience to faculty, staff and students,” especially during enrolment period.
On March 14, 2024, the audit team received a letter from the ITS Director informing that about the contractor’s non-compliance with the TOR: failure to provide a backup, this posing a significant risk to the integrity and security of the institutional data; inadequately responsive help desk and technical support services; system limitation, including inability to upload videos directly for online meetings; lack of responsive design, limiting access to the system and hindering its usability and effectiveness; and indirect generation of reports required by CHED, with the ITS Department resorting to a labor-intensive process of exporting and importing data into an in-house system to provide the required format.
Despite the persistent concerns with the TOR, the management released the P1.5 million retention money in two batches in August and November 2023, with neither the performance bond or surety bond forfeited, thus depriving the university of the legal remedies on account of the contractor’s failure to perform its obligation under the contract.
To justify the matter, the CatSU management explained that the supply officer issued certifications stating that there were no claims filed against the supplier and that the end-users – the ITS Director and the Registrar – issued certifications that the SIAS had been tested with 100 percent system implementation and that the items mentioned have already been complied.
In response, the audit team noted that the certifications issued by the ITS Director and Registrar pertained only to five modules and not the other components of the system.
Another finding showed that 53 items or specifications in the TOR were supplied by the IS provider but not used by the faculty and students, partly because they feared their files would be accessed by the owner of SIAS since it is on a subscription basis. Seven (7) other items supplied by the provider were not utilized due to lack of device or equipment.
The ITS Director explained that most of the underutilized functionalities of the system pertained to the LMS and that there was a lack of confidence in the security of the data stored in the system, it being only subscribed and not agency-owned.
Worse, the COA learned, collections and remittances from collecting officers and subsequent deposits totaling P95 million were not recorded under the SIAS-LMS.
In previous years, CatSU used an in-house system created by its own programmers and developers to cater to the reportorial needs of both Accounting and Cashiering Services.
In July 2022, the university procured the SIAS-LMS with one of its purposes to help improve reportorial duties of the accounting and cashiering services.
However, the audit showed, the accountable officer still maintained her records using a logbook as she had a hard time navigating the SIAS-LMS.
Transactions for 40 accounts were recorded using the old system, as 38 of the transactions, including payments of tuition fees, were unavailable in the SIAS-LMS.
“This reliance on the old system indicates a failure to transition entirely to SIAS-LMS,” the COA bared. “Consequently, the full potential and benefits of the SIAS-LMS remain unrealized due to this partial adoption.”
In another adverse finding, the COA flagged six (6) Income Generating Projects (IGP) of the university’s Corporate Business Operation (CBO) for incurring a total of P2 million in net loss in 2023.
At the main campus where the focus was mainly on non-agriculture businesses, the CBO sustained a net loss of P845,166.71 in its poultry and egg venture.
At the Panganiban campus, all five ventures – crops and cereal production, fishpond and hatchery, horticulture, livestock and poultry production, and fruit trees – suffered a total net loss of P1,254,241.16.
The low production of eggs was blamed on delayed procurement of inputs like layer mash, vitamins and other supplies while the weather and higher expenses for labor and salaries contributed to the increase in operating costs for crop and cereal production.
Bad weather conditions and costs of security services also affected the margins of the other IGPs, the report stated.
On the other hand, while four non-agricultural IGPs at the main campus showed a net income of P2.1 million for the year, the photocopying services, rental services, ID production and merchandising services were mainly operating for profit and students who were involved in the operation of the IGPs may not have gained much learning experience or hands-on activity.
Under the guidelines, CBO projects are supposed to serve as venues for students, faculty members and others to enhance business acumen, skills and other values.
The review of the university transactions also uncovered the payment of overtime services amounting to P384,282.68, including payment for accomplishments which are considered regular or routing work activities.
At least six officials and employees received overtime pay ranging from P5,902.56 to P94,738.67 in certain months for such work, which the audit team said affected the propriety of the payments.
The university also paid a total of P19,000 in honoraria to a representative of the Commission on Higher Education (CHED) official who acted as resource person in the conduct of regular and special Board of Regents (BOR) meetings.
The CHED Regional Director received P5,000 monthly honorarium, the same given to BOR members, during three regular meetings and one special meeting.
“Pursuant to DBM Budget Circular No. 2007-1, the board meetings cannot be categorized as seminars, conferences, symposia, training programs, and/or similar activities to justify the grant of honorarium to him as a resource person in the meetings held,” the audit agency stated.
In like manner, the COA noted that the honoraria paid to the chairpersons and members of the Board of Finance Committee (BFC) and the Board Academic Research and Extension Committee (BAREC) amounting to P49,800.00 for their respective meetings was not in accordance with CHED Memorandum Order No. 7, series of 2022, and the Revised IRR of RA 8292.
Created through a memorandum by CHED Commissioner Aldrin Darilag in SUCs in Bicol, the two committees’ members are all from the BOR, except for the BFC chairperson.
Citing a Supreme Court decision, the audit team said the BOR’s authority to disburse money, especially from the Special Trust Fund, is qualified.
“Any income generated by the SUC from tuition fees and other charges must be allocated solely for instruction, research, extension, or other programs or projects, excluding the payment of additional compensation such as honoraria or per diems,” it pointed out.
Travel expenses amounting to P2.1 million were processed and paid without complete documentation such as travel order, official receipt of the plane ticket, certificate of appearance, and certification as to the absolute necessity of actual accommodation expenses exceeding the prescribed rate, the COA report also said.
A claim for travel expenses totaling P230,000.00 was paid through cash advance by the cashiering services despite the fact that the CA did not identify the names of the claimants.
The university also paid for the airfare and ferry tickets of officers/employees from CHED amounting to P80,000.00 but without attached certification that they did not claim the same from CHED.
Documentation was also lacking in the payment of over P850,000 to the Philippine Association of State Universities and Colleges (PASUC) as contribution/share for various activities.
Audit also indicated that CatSU’s biological assets composed of livestock and breeding stocks amounting to a total of P772,567.00 could not be accurately verified for lack of records.
It also showed that while two animals died during the year, 10 roosters, 70 Muscovy ducks, 10 native chickens and a carabull were slaughtered during the CatSU Family Day In October 2023.
During the Christmas Party on Dec. 18, 2023, a carabull and 50 ducks were slaughtered and given away as raffle prizes to officials and employees.