PCJ – No ICT Policy or Business Continuity/Disaster Recovery Plan; No Dedicated HR Function

Auditor General's Findings

The 2023/2024 Auditor General’s Annual Report covered the audit of the Pharmacy Council of Jamaica’s (PCJ) 2020/2021 financial statements, under the Ministry of Health and Wellness.

The audit reaveled shortcomings in the Council’s information technology (IT) controls. Even though the Council does not have much automation, it is important for organisations to have strong controls to protect their information from unauthorized access and manipulation. However, the review found that the Council was at risk because it did not have an ICT policy, procedures, or a formal business continuity or disaster recovery plan. Without these policies and plans there is a high risk that the Council’s data could be accessed or altered without permission, which could affect the accuracy and reliability of their financial information as well as the PCJ’s ability to continue its operation seamlessly in the event of a disaster (3.2.155).

On HR matters, the audit found PCJ had no dedicated HR function; personnel matters were instead handled by the Accountant, raising the risk of unauthorized access to service records, lost documentation, and staff overpayments. This risk materialized in practice: a retired officer was overpaid $108,267.82 after receiving a full month’s salary despite retiring mid-month, and $7.4 million was paid between May 2018 and March 2021 to three contract officers whose contracts had expired. At the time of reporting, PCJ had not confirmed recovery of the overpayment or regularization of the contracts.

The absence of payroll controls was found to breach the Section 9.6.1 (1) of Financial Instructions 2017 requiring accountable officers to have in place a proper system of internal control to prevent and detect overpayments.