• A well-written report “tells a story”. A report must answer the following questions: who, what, when, where, why, how and how much.
• Facts is stated accurately
• Explain the regulations and apply it to the facts.
• Report must stand alone
• List the interviews and documentation you reviewed in the report.
• Provide responsible authority the information they need to get a fair decision.
• A report must be complete
• Address all allegations and emerging allegations during the investigation.
• Explain how you addressed these allegations.
• Discuss all evidence
• Thoroughly discuss and analyze the rule and regulations pertaining to the investigations.
• A report must be clear and logical. A person that has no knowledge of the case must be able to understand how you reached your conclusion.
• Use direct and clear language.
• Present all information in a logical manner (from facts to conclusion)
• You must convince the reader that you r conclusion are supported by the facts you gathered.
• Make a clear distinction between facts, assumptions, conclusions and
opinions.
• Avoid emotional, judgmental or value-laden words.
• Use a simple, direct approach.
Monday, October 25, 2010
Common Report Writing Mistakes
• Completeness: Failing to have all its parts an support as expected in the report format
• Independence: Not enough information to help the reader understand it by oneself.
• Timeliness: Reports that are given in later than expected.
• Accountability: Failing to deliver according to specific disciplinary actions for subjects. Facts that are incorrectly used or in the inappropriate format and sentences.
• Forwarding the report: Failing to use the Post-Investigation checklist to conduct a quality review of the report before forwarding it to the authority.
• Independence: Not enough information to help the reader understand it by oneself.
• Timeliness: Reports that are given in later than expected.
• Accountability: Failing to deliver according to specific disciplinary actions for subjects. Facts that are incorrectly used or in the inappropriate format and sentences.
• Forwarding the report: Failing to use the Post-Investigation checklist to conduct a quality review of the report before forwarding it to the authority.
Report Writing
• A report is a formal statement of the result of an investigation.
• In academic writing there are two main types of reports;
o Investigation report (e.g. case study)
o Evidence based report (e.g. evaluation report)
• You must know the purpose of the report.
• Is it a case study report for an ethnographic research report?
• Is it an investigation or an evaluation about something?
• Is it an assignment for your course?
• Must know who will be reading the report and why; because it will clarify the purpose of the report to you and to identify an appropriate form.
• Is it intended to shed light, and if so the findings from the data evidence is crucial.
• Is it reporting on something observed, and if so the findings will relate to conclusions and possibly recommendations.
• What is the report subject or focus, title or question?
• Describe your research in several sentences to define your focus.
• What are the main questions that define your research?
• Draft several working titles and choose the one which will help you keep to the point.
• In an observation report you have to make recommendations and check your focus with them.
• In an investigative report you need to know whether, your findings based on data analyses, what your aims or rationale are and whom your key authorities are.
• Make sure of what guidelines or information have been given for the report.
• Planning is crucial, experiment with the most logical order of presenting the information you have collected.
• There is 5 stages of a report:
o Introduction
o Methods
o Research
o Summary (abstract) and
o Discussion
• The 4 stages of writing a report:
o Outlining
o Drafting
o Revising and editing
o Presentation
• Make sure that your:
o Introduction still reflect on your findings
o Aims are rationale
o Literature review support your arguments
o Bibliography and references is up to date
o Methodology is used correctly
o Results in findings should be presented in a way that draws the readers attention
o Discussion includes conclusions and recommendations/ evaluations
• Structure of a report:
o Title – avoid overlong and snappy or newspaper style titles.
o Contents – useful for lengthy reports.
o Summary / abstract – usually written after initial draft on main report.
o Introduction – is the problem or issue that is the subject of the project.
o Main Body includes – Purpose, Literature review, Methodology / data collection, what you found out and discussion.
o Conclusions – what your conclusion is,
o Bibliographical references – List of material used in the report.
o Acknowledgements – mention people who helped you
o Appendixes – extra material which you referred to
o Glossary –
• Linguistic feature of report writing:
o Topic sentences
o Tense
o Cohesion
o Acronyms
• The main consideration for both style and language is clarity.
• In academic writing there are two main types of reports;
o Investigation report (e.g. case study)
o Evidence based report (e.g. evaluation report)
• You must know the purpose of the report.
• Is it a case study report for an ethnographic research report?
• Is it an investigation or an evaluation about something?
• Is it an assignment for your course?
• Must know who will be reading the report and why; because it will clarify the purpose of the report to you and to identify an appropriate form.
• Is it intended to shed light, and if so the findings from the data evidence is crucial.
• Is it reporting on something observed, and if so the findings will relate to conclusions and possibly recommendations.
• What is the report subject or focus, title or question?
• Describe your research in several sentences to define your focus.
• What are the main questions that define your research?
• Draft several working titles and choose the one which will help you keep to the point.
• In an observation report you have to make recommendations and check your focus with them.
• In an investigative report you need to know whether, your findings based on data analyses, what your aims or rationale are and whom your key authorities are.
• Make sure of what guidelines or information have been given for the report.
• Planning is crucial, experiment with the most logical order of presenting the information you have collected.
• There is 5 stages of a report:
o Introduction
o Methods
o Research
o Summary (abstract) and
o Discussion
• The 4 stages of writing a report:
o Outlining
o Drafting
o Revising and editing
o Presentation
• Make sure that your:
o Introduction still reflect on your findings
o Aims are rationale
o Literature review support your arguments
o Bibliography and references is up to date
o Methodology is used correctly
o Results in findings should be presented in a way that draws the readers attention
o Discussion includes conclusions and recommendations/ evaluations
• Structure of a report:
o Title – avoid overlong and snappy or newspaper style titles.
o Contents – useful for lengthy reports.
o Summary / abstract – usually written after initial draft on main report.
o Introduction – is the problem or issue that is the subject of the project.
o Main Body includes – Purpose, Literature review, Methodology / data collection, what you found out and discussion.
o Conclusions – what your conclusion is,
o Bibliographical references – List of material used in the report.
o Acknowledgements – mention people who helped you
o Appendixes – extra material which you referred to
o Glossary –
• Linguistic feature of report writing:
o Topic sentences
o Tense
o Cohesion
o Acronyms
• The main consideration for both style and language is clarity.
Visual Aids for Reports
Visual aids help to make a report more attractive and exciting to read. A visual aid helps to express the image that you want to create with the data. This can also enhance or clarify the explanation of the report. Different types of visual aids can be used for the type of you report image you want to create.
Visual aids help the reader understand the case. They are especially helpful when there are multiple witnesses, events or other complex relationships involved.
The visual aids that can be used to make a report more presentable are:
• Time flow diagrams: to show the chronological flow of events.
Interview memoranda constitute the bulk of the investigative report. Upon completion of the investigation, it is necessary for the examiner only to assemble the notes in order, prepare an index, list of exhibits and a synopsis in order to complete the paperwork. Clear and concise language is the hallmark of a good memorandum of interview. Avoid using the third person, that is, “the interviewer” instead of “I”. Also, don’t use stilted or pretentious wording.
• Matrix diagram: to illustrate the association of persons or things.
In addition to the facts of the case, fraud examiners should include several other items in the memorandum of interview that can help to make the visual aid more effective and complete.
Such as:
The witness’s name and contact information.
The investigator’s identity
Evidence provided, such as documents
A statement that the interview was voluntary
The date of the interview
The date the memorandum was prepared
How the interview was conducted (ie. In person or by phone)
If the interview was tape-recorded.
• Charts:
o Column chart: it is a good way to make data visual so that one can clearly see where values differ from one another.
o Line chart: In some cases you don’t just want a direct visual of data, but especially know where values have changed over a time period.
o Circle chart: can be used when you want to see which part each item makes out in total.
• Maps: can be used to illustrate the geographical position where certain events occurred. You can link a series of events and see what they all have in common or where a certain hot spot is.
• Building plans: can be used to illustrate place of events within a building. You can then have clarity of what is where or to see if the witnesses statement given is truthful and in accordance.
• Drawings/sketches: can be used to illustrate position of persons, items where crime took place. A simple drawing can be used to identify certain characteristics that can be useful for explaining the image you want people to understand.
• Video presentation: this can help the people to visualize the occurrences in the format that it happened. Videotape electronically carries both a picture and a sound track. Its features of sound, movement, vivid image, color, and variety hold an audience's attention the way film does. Videotape can be used to program an entire presentation, or to support a speaker's remarks by highlighting certain topics. By using this visual, it helps people to understand the situation with more ease.
• Photos: Actual pictures taken at the scene of the crime can help to put it all together. Photos will visualize what the data is saying and then it is easier to understand and to interpret for oneself.
• Posters: are prepared graphic devices that can be made of a variety of materials and media - photographs, diagrams, graphs, word messages, or a combination of these. Each poster should contain one message or theme. Words, charts, diagrams, and other symbols must be penned in a large enough size to be seen by everyone in the room.
• Organization chart: can be used to illustrate hierarchical relationships, such as department managers and employees within a company. You can organize all your data into headings, subheadings so that it can be easy understandable and neat. The audience will then be able to see the whole report clearly and understand how everything fits in where.
Visual aids help the reader understand the case. They are especially helpful when there are multiple witnesses, events or other complex relationships involved.
The visual aids that can be used to make a report more presentable are:
• Time flow diagrams: to show the chronological flow of events.
Interview memoranda constitute the bulk of the investigative report. Upon completion of the investigation, it is necessary for the examiner only to assemble the notes in order, prepare an index, list of exhibits and a synopsis in order to complete the paperwork. Clear and concise language is the hallmark of a good memorandum of interview. Avoid using the third person, that is, “the interviewer” instead of “I”. Also, don’t use stilted or pretentious wording.
• Matrix diagram: to illustrate the association of persons or things.
In addition to the facts of the case, fraud examiners should include several other items in the memorandum of interview that can help to make the visual aid more effective and complete.
Such as:
The witness’s name and contact information.
The investigator’s identity
Evidence provided, such as documents
A statement that the interview was voluntary
The date of the interview
The date the memorandum was prepared
How the interview was conducted (ie. In person or by phone)
If the interview was tape-recorded.
• Charts:
o Column chart: it is a good way to make data visual so that one can clearly see where values differ from one another.
o Line chart: In some cases you don’t just want a direct visual of data, but especially know where values have changed over a time period.
o Circle chart: can be used when you want to see which part each item makes out in total.
• Maps: can be used to illustrate the geographical position where certain events occurred. You can link a series of events and see what they all have in common or where a certain hot spot is.
• Building plans: can be used to illustrate place of events within a building. You can then have clarity of what is where or to see if the witnesses statement given is truthful and in accordance.
• Drawings/sketches: can be used to illustrate position of persons, items where crime took place. A simple drawing can be used to identify certain characteristics that can be useful for explaining the image you want people to understand.
• Video presentation: this can help the people to visualize the occurrences in the format that it happened. Videotape electronically carries both a picture and a sound track. Its features of sound, movement, vivid image, color, and variety hold an audience's attention the way film does. Videotape can be used to program an entire presentation, or to support a speaker's remarks by highlighting certain topics. By using this visual, it helps people to understand the situation with more ease.
• Photos: Actual pictures taken at the scene of the crime can help to put it all together. Photos will visualize what the data is saying and then it is easier to understand and to interpret for oneself.
• Posters: are prepared graphic devices that can be made of a variety of materials and media - photographs, diagrams, graphs, word messages, or a combination of these. Each poster should contain one message or theme. Words, charts, diagrams, and other symbols must be penned in a large enough size to be seen by everyone in the room.
• Organization chart: can be used to illustrate hierarchical relationships, such as department managers and employees within a company. You can organize all your data into headings, subheadings so that it can be easy understandable and neat. The audience will then be able to see the whole report clearly and understand how everything fits in where.
Difference Between an Audit Report and a Fraud Report
• Audit report is a typically read by company’s board of directors, its shareholders and / or lenders.
• A fraud report may be shared with company insiders, attorneys, defendants and witnesses, judges, juries and the media.
• A report concerning a fraud examination provides details of an alleged crime or tort.
• The primary purpose of a fraud report is to communicate the results of a fraud investigation and to document the work actually preformed.
• A fraud report may be shared with company insiders, attorneys, defendants and witnesses, judges, juries and the media.
• A report concerning a fraud examination provides details of an alleged crime or tort.
• The primary purpose of a fraud report is to communicate the results of a fraud investigation and to document the work actually preformed.
Important Considerations for the Well Written Report
• Do not clutter your presentation because this will make the audience lose focus on what is important. Cluttering confuses the audience and promotes them to miss the point of the presentation. Keep the presentation as tidy as possible and split up the presentation in more groups to avoid confusions and make it easy readable.
• Use 1.5 spacing to make the presentation easy readable and trim. Using the spacing will make the audience read the report faster and follow the text comfortably.
• Avoid technical jargon to assure that everyone will understand the report. Not everyone will understand your terminology or slang and this barbarous or debased language might give the wrong impression and cause a misunderstanding.
• Avoid too many “big” words for this makes the report difficult to read or to understand. This causes a loss of time because the reader will have to look the words up. This can also cause a misunderstanding because the word may have more than one meaning in different aspects than the reader is familiar with.
• Visual aids make a report more attractive and exciting to read. A visual aid helps to express the image that you want to create with the data. This can also enhance or clarify the explanation of the report.
• Use colours where possible to highlight certain facts that you wish to be noted as important. Colours make a report more interesting and helpful for browsing headings or specific data.
• Charts are more effective than a wordy description for it leads to an easy understandable visual representation of the data. Charts help to analyse and interpret data and to provide an effective dynamic way to show patterns which you can compare or come to certain conclusions.
• Cross reference facts to source to facilitate reading and checking. This professionalizes your report and the reader will see that you have done your homework. This also allows the reader to verify the facts for themselves. The cross referenced facts to source confirms that the information in the report are based on something that is not made up.
• The reviewer must be critical in order to judge the report fairly. The mistakes must be pointed out so that the writer will be educated and correct faults in the future.
• The reviewer must ensure that the mandate has been satisfied and that the order has been done correct. The command must be done in accordance to what was expected of you.
• Use 1.5 spacing to make the presentation easy readable and trim. Using the spacing will make the audience read the report faster and follow the text comfortably.
• Avoid technical jargon to assure that everyone will understand the report. Not everyone will understand your terminology or slang and this barbarous or debased language might give the wrong impression and cause a misunderstanding.
• Avoid too many “big” words for this makes the report difficult to read or to understand. This causes a loss of time because the reader will have to look the words up. This can also cause a misunderstanding because the word may have more than one meaning in different aspects than the reader is familiar with.
• Visual aids make a report more attractive and exciting to read. A visual aid helps to express the image that you want to create with the data. This can also enhance or clarify the explanation of the report.
• Use colours where possible to highlight certain facts that you wish to be noted as important. Colours make a report more interesting and helpful for browsing headings or specific data.
• Charts are more effective than a wordy description for it leads to an easy understandable visual representation of the data. Charts help to analyse and interpret data and to provide an effective dynamic way to show patterns which you can compare or come to certain conclusions.
• Cross reference facts to source to facilitate reading and checking. This professionalizes your report and the reader will see that you have done your homework. This also allows the reader to verify the facts for themselves. The cross referenced facts to source confirms that the information in the report are based on something that is not made up.
• The reviewer must be critical in order to judge the report fairly. The mistakes must be pointed out so that the writer will be educated and correct faults in the future.
• The reviewer must ensure that the mandate has been satisfied and that the order has been done correct. The command must be done in accordance to what was expected of you.
Staff Vetting
If an organization is to prevent fraud successfully it must have effective policies that minimize the chance of hiring or promoting individuals with low levels of honesty, especially for position of trust.
Pro active procedures should include the following, before appointing any employee:
• Conduct a background investigation on the individual who apply for employment or for promoting to a position of trust.
• Thoroughly checking a candidate’s education, employment history and personal references.
These above procedures are also known as staff vetting, which means that all applicants are screened thoroughly before employment is offered.
The following should be checked as part of the screening process:
• references,
• criminal records,
• civil records,
• disciplinary records,
• insolvency,
• other businesses,
• qualifications – CV audit,
• technical competence,
• psychometric testing.
These preventive measures, however time consuming and costly, would assist them in appointing the correct candidate.
Pro active procedures should include the following, before appointing any employee:
• Conduct a background investigation on the individual who apply for employment or for promoting to a position of trust.
• Thoroughly checking a candidate’s education, employment history and personal references.
These above procedures are also known as staff vetting, which means that all applicants are screened thoroughly before employment is offered.
The following should be checked as part of the screening process:
• references,
• criminal records,
• civil records,
• disciplinary records,
• insolvency,
• other businesses,
• qualifications – CV audit,
• technical competence,
• psychometric testing.
These preventive measures, however time consuming and costly, would assist them in appointing the correct candidate.
Who will Commit Fraud, and Why?
Most people will not commit fraud, because in society we assume that people we first meet are always honest and that there are more honest than dishonest people. Fraud does not differentiate between the rich or poor in any society.
There are many factors that contribute to people wanting to commit fraud, such as:
• Low self-esteem.
• Personal background and experiences while growing up.
• Pier pressure on individual.
• Substance abusers.
• People living with financial pressure.
Five common reasons for employee crimes:
• The employee feel some frustration about some aspect of his/her job or
• Personal life that is not job related.
• The employee wants to get even with his employer because he/she feels abused in the work place.
• The organisation’s internal controls are so poor that employee’s is tempted to steel.
• Employees today are morally, ethically and spiritually bankrupt.
There are many factors that contribute to people wanting to commit fraud, such as:
• Low self-esteem.
• Personal background and experiences while growing up.
• Pier pressure on individual.
• Substance abusers.
• People living with financial pressure.
Five common reasons for employee crimes:
• The employee feel some frustration about some aspect of his/her job or
• Personal life that is not job related.
• The employee wants to get even with his employer because he/she feels abused in the work place.
• The organisation’s internal controls are so poor that employee’s is tempted to steel.
• Employees today are morally, ethically and spiritually bankrupt.
How to Create and Maintain a Culture of Honesty and Sound Ethics
• Creating and maintaining a culture of honesty and sound ethics
- Setting the tone at the top: It is important for top management to lead by example
- Creating a positive work environment: To enhance employee well being, productivity and job satisfaction
- Hiring and promoting appropriate employees: Implement proactive and pre employment vetting procedures.
- Raining: All new appointees to under go organization’s induction course, and where applicable receive additional or refresher training.
- Confirmation: Managers must let the employee know their accountability and responsibilities.
- Discipline: Regular communication via different forms of media about consequences of committing wrong doings and fraud.
• Evaluating antifraud process and control
- Identifying and measuring fraud risk: It is the primary responsibility of management to establish and monitor all aspects of the organisation’s fraud risk assessment and prevention activities.
- Mitigating fraud risk: Streamline organisation’s activities and processes in order to reduce or eliminate certain fraud risks.
- Implementing and monitoring appropriate internal control: Identify the processes, controls and other procedures that are required to moderate the identified risks and implement appropriate monitoring controls.
• Developing and appropriate oversight process
- An organisation should have an appropriate external and internal oversight function in place to deter or prevent fraud effectively.
- Setting the tone at the top: It is important for top management to lead by example
- Creating a positive work environment: To enhance employee well being, productivity and job satisfaction
- Hiring and promoting appropriate employees: Implement proactive and pre employment vetting procedures.
- Raining: All new appointees to under go organization’s induction course, and where applicable receive additional or refresher training.
- Confirmation: Managers must let the employee know their accountability and responsibilities.
- Discipline: Regular communication via different forms of media about consequences of committing wrong doings and fraud.
• Evaluating antifraud process and control
- Identifying and measuring fraud risk: It is the primary responsibility of management to establish and monitor all aspects of the organisation’s fraud risk assessment and prevention activities.
- Mitigating fraud risk: Streamline organisation’s activities and processes in order to reduce or eliminate certain fraud risks.
- Implementing and monitoring appropriate internal control: Identify the processes, controls and other procedures that are required to moderate the identified risks and implement appropriate monitoring controls.
• Developing and appropriate oversight process
- An organisation should have an appropriate external and internal oversight function in place to deter or prevent fraud effectively.
The Responsibility of Management in the Prevention of Fraud
• Set moral environment in which the organization function.
• Make available resources for the organization to accomplish its plans and follows its policies.
• Establish and maintain internal controls.
• Determine appropriate cost versus control ratio (exposure – safeguard =risks).
• Keep everyone up to date within the organization as to the current and daily status of the organization.
• Make available resources for the organization to accomplish its plans and follows its policies.
• Establish and maintain internal controls.
• Determine appropriate cost versus control ratio (exposure – safeguard =risks).
• Keep everyone up to date within the organization as to the current and daily status of the organization.
Five Different Forms of Fraud
• Cash Fraud – Skimming: Cash is removed from organization before transaction is recorded in the accounting systems.
• Cheque Fraud – Stopped cheque: Bearer pays for goods by cheque, which is accepted in good faith or has been authorized/cleared by the bank and once the goods are in their possession, the bearer stop the cheque before the transfer can take place.
• Procurement Fraud – False invoices: False invoicing, nondelivery of purchased goods.
• Computer Fraud - Computer programmes and data are changed without authorisation to the benefit of the perpetrator or detriment of the company.
• Payroll Fraud - “Ghost” workers: Fictitious employees on the payroll
• Cheque Fraud – Stopped cheque: Bearer pays for goods by cheque, which is accepted in good faith or has been authorized/cleared by the bank and once the goods are in their possession, the bearer stop the cheque before the transfer can take place.
• Procurement Fraud – False invoices: False invoicing, nondelivery of purchased goods.
• Computer Fraud - Computer programmes and data are changed without authorisation to the benefit of the perpetrator or detriment of the company.
• Payroll Fraud - “Ghost” workers: Fictitious employees on the payroll
Five Forms of Commercial Crime:
• Kiting: This is the process whereby cash, which is either nonexistent or in transit, is moved between several bank accounts.
• Skimming: Cash is removed from organization before transaction is recorded in the accounting systems.
• Misappropriation of funds: If one employee is responsible for collecting and depositing cash and then removes funds from the organization for their own use then conceals the theft through the deposits by destroying the cash receipts.
• False endorsements: This is whereby cheques are not properly cross and this gives an opportunity for staff to steal the cheques and endorse it on the back, to either have the cheque cashed or deposited into another account.
• Forging a signature on stolen cheques: Blank cheques are stolen from an organization and then used fraudulently by others such that original owner of the cheque or bank suffers a lost.
• Skimming: Cash is removed from organization before transaction is recorded in the accounting systems.
• Misappropriation of funds: If one employee is responsible for collecting and depositing cash and then removes funds from the organization for their own use then conceals the theft through the deposits by destroying the cash receipts.
• False endorsements: This is whereby cheques are not properly cross and this gives an opportunity for staff to steal the cheques and endorse it on the back, to either have the cheque cashed or deposited into another account.
• Forging a signature on stolen cheques: Blank cheques are stolen from an organization and then used fraudulently by others such that original owner of the cheque or bank suffers a lost.
Reasons for Managers to Commit Fraud
1. Incompetent managers may deceive to survive. Good manager keep abreast of change. In Mr Knowsome case there is computerised inventory control system that is not yet been installed by him because he believes that this would only increase his workload.
2. Profit centre may distort facts to hold off divestment. Mr Knowsome is three months late with his monthly reports. It can be that he is trying to distort financial figures in order to retain his position.
3. Performance may be distorted to warrant lager bonuses. It is also known that Mr Knowsome is working a lot of overtime to keep the creditors system, the bank reconciliation and inventory system of the branch up to date, despite sufficient stuff.
4. The need to succeed can turn manager to deception. When ambition and self-advancement are more important than solid accomplishment, some mangers will betray the stewardship pf the resources entrusted to them.
5. Profits may be inflated to obtain advantages in the marketplace. The financial officers who want their organisation’s stock to make a splash in the market to cash in stock options, or seek to obtain unwarranted credit lines, may inflate profits unfairly.
6. Organisations publicise estimates of future sales level, marker share, income and stock performance to the financial market. When any of these performance measures cannot be reached, aggressive accounting is in use to achieve the required result.
2. Profit centre may distort facts to hold off divestment. Mr Knowsome is three months late with his monthly reports. It can be that he is trying to distort financial figures in order to retain his position.
3. Performance may be distorted to warrant lager bonuses. It is also known that Mr Knowsome is working a lot of overtime to keep the creditors system, the bank reconciliation and inventory system of the branch up to date, despite sufficient stuff.
4. The need to succeed can turn manager to deception. When ambition and self-advancement are more important than solid accomplishment, some mangers will betray the stewardship pf the resources entrusted to them.
5. Profits may be inflated to obtain advantages in the marketplace. The financial officers who want their organisation’s stock to make a splash in the market to cash in stock options, or seek to obtain unwarranted credit lines, may inflate profits unfairly.
6. Organisations publicise estimates of future sales level, marker share, income and stock performance to the financial market. When any of these performance measures cannot be reached, aggressive accounting is in use to achieve the required result.
Four Common Reactions to Fraud
Good: Some fraudsters may feel good because they think they have beaten the organisation’s system and got away with it.
Indifferent: Some fraudsters will have an indifferent feeling, those who have a indifferent feeling are not likely to talk about their feats or brag to anyone, they will also show no behaviour peculiarities.
Guilty: Some fraudsters will have feelings of guilt. Conscientious employees, particularly those with strong and stable family backgrounds, those who have strong religious convictions. These employees are more likely not to talk to anyone about their deed. This will increase their stress levels, which will manifest in changing behaviour patterns.
Fear: Those who fear discovery will not brag about their exploits. They will not display constant or regular behaviour peculiarities, but they will react strongly to specific circumstances, especially when they think that they are on the verge of being discovered.
Indifferent: Some fraudsters will have an indifferent feeling, those who have a indifferent feeling are not likely to talk about their feats or brag to anyone, they will also show no behaviour peculiarities.
Guilty: Some fraudsters will have feelings of guilt. Conscientious employees, particularly those with strong and stable family backgrounds, those who have strong religious convictions. These employees are more likely not to talk to anyone about their deed. This will increase their stress levels, which will manifest in changing behaviour patterns.
Fear: Those who fear discovery will not brag about their exploits. They will not display constant or regular behaviour peculiarities, but they will react strongly to specific circumstances, especially when they think that they are on the verge of being discovered.
Monday, August 30, 2010
Audi Alteram Partem
Audi alteram partem means that the employee has the right to defend himself/herself by stating his/her defense. The accused employee will also have the right to adequate notice of the proceedings, right to information, the right to call witnesses, the right to a translator, and above all: the right to a procedurally and substantively fair hearing. The employee also has the right to appeal a finding, or to take the matter to the CCMA or the Labor Court.
Audi alteram partem is a principle of natural justice which prohibits a judicial decision which impacts upon individual rights without giving all parties in the dispute a right to be heard.
Audi alteram partem is a principle of natural justice which prohibits a judicial decision which impacts upon individual rights without giving all parties in the dispute a right to be heard.
Onus of Proof
Onus of proof: A duty placed upon a civil or criminal defendant to prove or disprove a disputed fact.
Burden of proof can define the duty placed upon a party to prove or disprove a disputed fact, or it can define which party bears this burden. In criminal cases, the burden of proof is placed on the prosecution, who must demonstrate that the defendant is guilty before a jury may convict him or her. But in some jurisdiction, the defendant has the burden of establishing the existence of certain facts that give rise to a defense, such as the insanity plea. In civil cases, the plaintiff is normally charged with the burden of proof, but the defendant can be required to establish certain defenses.
The different onuses of proof for the Criminal and Civil Courts:
• Criminal Courts require proof beyond all reasonable doubt, meaning it has to be 99% factual evidence or proof.
• Civil Courts only require proof which has a balance of probability, meaning the evidence or proof has more than a 50% probability.
Burden of proof can define the duty placed upon a party to prove or disprove a disputed fact, or it can define which party bears this burden. In criminal cases, the burden of proof is placed on the prosecution, who must demonstrate that the defendant is guilty before a jury may convict him or her. But in some jurisdiction, the defendant has the burden of establishing the existence of certain facts that give rise to a defense, such as the insanity plea. In civil cases, the plaintiff is normally charged with the burden of proof, but the defendant can be required to establish certain defenses.
The different onuses of proof for the Criminal and Civil Courts:
• Criminal Courts require proof beyond all reasonable doubt, meaning it has to be 99% factual evidence or proof.
• Civil Courts only require proof which has a balance of probability, meaning the evidence or proof has more than a 50% probability.
Follow-up and Remedial Action
Analysis:
Analysis means that after every fraudulent loss, the victim should examine the entire situation of the fraud, carefully taking into account which internal controls failed to either prevent the fraud, or failed to identify the fraud earlier.
The purpose of this stage is to learn from prior mistakes, and to ensure that the same mistakes aren’t made in the future, to protect the organization from further losses. If this step isn’t taken into consideration, the aftermath would be that the organization exposes itself to similar, re-occurring fraud. It is recommended to maximize the analysis stage, that after every fraud, all the parties involved should brainstorm new fraud prevention methods, ensuring a greater success rate.
Publication:
It can be beneficial to publicize details of fraud, if the delicate details and names of offenders are left out, except if the entire disciplinary process has been completed up to the final appeal or CCMA resolution, to ensure that no person’s reputation is slandered.
The advantages of publication are:
• Managing the negative rumors that always arise.
• Visible signs that decisive action is taken.
• Sending a clear message about zero tolerance towards fraudulent activity.
• And lastly, the deterrent effect it has if a person has been “named and blamed”.
Implement controls:
As stated in the analysis stage, fraud occurs if internal controls aren’t effective enough, and the ideas that were brainstormed should now be implemented to ensure that internal controls are effective enough to identify and prevent fraud.
Implementing controls consists of better segregation of duties, greater supervisory controls, and better custodial controls.
Testing and training:
After implementing controls, the new internal controls have to be tested, and staff members need to be trained on their new and improved responsibilities regarding the new internal controls.
This stage is used to maximize the efficiency and effectiveness of the implemented controls, and to ensure that the whole process is a success.
Proactive fraud auditing:
The best way to protect an organization against fraud is by identifying it as soon as possible, making sure that the losses are minimal, and the perpetrator is caught, and in effect, not suffering devastating long term fraud. Actively seeking out fraud is better than accidental discovery, and should be performed by suitably qualified people who should carefully identify and consider all red flags. After every fraud in a department, all other departments should be tested for similar frauds, based on red flags identified during the analysis stage. Basically the proactive fraud auditing stage is to get all the bad apples out of the tree.
Analysis means that after every fraudulent loss, the victim should examine the entire situation of the fraud, carefully taking into account which internal controls failed to either prevent the fraud, or failed to identify the fraud earlier.
The purpose of this stage is to learn from prior mistakes, and to ensure that the same mistakes aren’t made in the future, to protect the organization from further losses. If this step isn’t taken into consideration, the aftermath would be that the organization exposes itself to similar, re-occurring fraud. It is recommended to maximize the analysis stage, that after every fraud, all the parties involved should brainstorm new fraud prevention methods, ensuring a greater success rate.
Publication:
It can be beneficial to publicize details of fraud, if the delicate details and names of offenders are left out, except if the entire disciplinary process has been completed up to the final appeal or CCMA resolution, to ensure that no person’s reputation is slandered.
The advantages of publication are:
• Managing the negative rumors that always arise.
• Visible signs that decisive action is taken.
• Sending a clear message about zero tolerance towards fraudulent activity.
• And lastly, the deterrent effect it has if a person has been “named and blamed”.
Implement controls:
As stated in the analysis stage, fraud occurs if internal controls aren’t effective enough, and the ideas that were brainstormed should now be implemented to ensure that internal controls are effective enough to identify and prevent fraud.
Implementing controls consists of better segregation of duties, greater supervisory controls, and better custodial controls.
Testing and training:
After implementing controls, the new internal controls have to be tested, and staff members need to be trained on their new and improved responsibilities regarding the new internal controls.
This stage is used to maximize the efficiency and effectiveness of the implemented controls, and to ensure that the whole process is a success.
Proactive fraud auditing:
The best way to protect an organization against fraud is by identifying it as soon as possible, making sure that the losses are minimal, and the perpetrator is caught, and in effect, not suffering devastating long term fraud. Actively seeking out fraud is better than accidental discovery, and should be performed by suitably qualified people who should carefully identify and consider all red flags. After every fraud in a department, all other departments should be tested for similar frauds, based on red flags identified during the analysis stage. Basically the proactive fraud auditing stage is to get all the bad apples out of the tree.
Thursday, August 19, 2010
Five Phases of an Investigation
1. First receipt of allegation and mandate to investigate:
Internal and external forensic auditors have to ensure that a mandate for an investigation is obtained. Internal auditors need a signed letter of instructions from their employers, to obtain clarity in an investigation and protect the forensic auditor, and it can be presented to a witness to prove the identification of the forensic auditor. External auditors obtain mandate to investigate through an engagement letter from a client. If a forensic auditor receives an allegation of possible economic crime, the auditor needs to evaluate the given information about the possible crime and if there is sufficient evidence, the auditor can proceed to the planning and execution phase, but if there is only a limited amount of evidence, the auditor has to start a preliminary investigation. A preliminary is also needed to determine if a crime was committed, the extent of the crime, and who the perpetrators are.
2. The preliminary investigation:
Purpose:
• To determine whether allegations that a crime has been committed can be proven or disproven.
• To determine the nature of the crime.
• To determine who the perpetrators are.
• To determine what resources will be needed to investigate the crime.
• To compare the expenditure of the investigation with the success of an investigation.
A preliminary investigation is a fact finding mission to asses whether or not a full scale investigation should be conducted, and might not necessarily lead to prima facie proof of a crime.
Preliminary investigation focuses on:
• The lifestyle of the accountant (person in question).
• Other possible sources of income.
• Further indications that the person in question is living beyond his/her means.
• The sources of money that the person is receiving.
• A cursory evaluation of the company’s books in order to determine if there are any obvious shortages or manipulations.
If large electronic transfers were made from the company’s bank account by a person in question, or VAT or tax statements seem to have been manipulated by the accountant, or the accountant has a sudden change in spending patterns that can’t be explained, a full scale investigation has to be conducted.
The preliminary investigation ends as soon as soon as it is confirmed that there are objective reasons that a crime has been committed and that the accountant’s income is questionable. The mandatory must then be informed of all the findings by the forensic auditor, and the mandatory is then responsible for requesting a full scale investigation.
The main objective of a preliminary investigation is thus to determine if a full scale investigation is necessary.
3. Assessment, preliminary reporting and planning:
As previously stated, the mandatory is responsible for requesting a full scale investigation. This decision is based on a preliminary report where the forensic auditor has to report all facts that where discovered during the preliminary investigation pointing to the commission of a crime, and/or facts that prove the innocence of suspects and indicators that may point to the suspension of the investigation. If the preliminary report shows that further investigation is needed, and the mandatory decides that further investigation is necessary, the execution phase of the investigation is continued.
4. The execution phase:
The forensic auditor must perform all procedures in accordance with the investigation plan, and gather all evidence necessary for a successful prosecution. Two of the procedures that will always be performed are taking of affidavits and the gathering and interpretation of documentary evidence. The compilation of a case docket and the maintenance of an investigation diary are also important elements of all investigations.
There are numerous procedures that may be performed during an investigation, but there are no definitive blueprints that will fit all investigations. Some procedures may apply in some cases, and some may not. It is crucial to also know the law relating to investigation as described in the Criminal Procedure Act and other legislation. If the forensic auditor has no knowledge of the law, he or she would not know that the Police may apply for a search warrant in terms of the Criminal Procedure Act for the searching of premises and the seizure of evidence, or that a subpoena in terms of section 205 of the Criminal Procedure Act can grant the Police access to important information held by private persons and entities such as the banks, that would otherwise not be accessible for investigation purposes.
It should be noted that it is often beneficial for the forensic auditor to work and co-operate with the Police. It should be borne in mind that all evidence collected by the Police in terms of powers extended to them in the Criminal Procedure Act or other legislation are for the use of the Police in a criminal trial only. There are certain exceptions and permission may be obtained from the Director of Public Prosecution to utilize information in a police case docket for the purposes such as disciplinary hearings, etc.
A forensic auditor’s mandate very often includes assisting the Police with the investigation in order to prepare the matter for submission to the prosecutor.
5. Reporting:
The reporting phase could be regarded as the most important phase of a forensic audit. Regardless of how well the work was done, if the report is not written properly, the perception of the reader will be that the audit was not a success. The report must reflect the quality of an investigation.
Internal and external forensic auditors have to ensure that a mandate for an investigation is obtained. Internal auditors need a signed letter of instructions from their employers, to obtain clarity in an investigation and protect the forensic auditor, and it can be presented to a witness to prove the identification of the forensic auditor. External auditors obtain mandate to investigate through an engagement letter from a client. If a forensic auditor receives an allegation of possible economic crime, the auditor needs to evaluate the given information about the possible crime and if there is sufficient evidence, the auditor can proceed to the planning and execution phase, but if there is only a limited amount of evidence, the auditor has to start a preliminary investigation. A preliminary is also needed to determine if a crime was committed, the extent of the crime, and who the perpetrators are.
2. The preliminary investigation:
Purpose:
• To determine whether allegations that a crime has been committed can be proven or disproven.
• To determine the nature of the crime.
• To determine who the perpetrators are.
• To determine what resources will be needed to investigate the crime.
• To compare the expenditure of the investigation with the success of an investigation.
A preliminary investigation is a fact finding mission to asses whether or not a full scale investigation should be conducted, and might not necessarily lead to prima facie proof of a crime.
Preliminary investigation focuses on:
• The lifestyle of the accountant (person in question).
• Other possible sources of income.
• Further indications that the person in question is living beyond his/her means.
• The sources of money that the person is receiving.
• A cursory evaluation of the company’s books in order to determine if there are any obvious shortages or manipulations.
If large electronic transfers were made from the company’s bank account by a person in question, or VAT or tax statements seem to have been manipulated by the accountant, or the accountant has a sudden change in spending patterns that can’t be explained, a full scale investigation has to be conducted.
The preliminary investigation ends as soon as soon as it is confirmed that there are objective reasons that a crime has been committed and that the accountant’s income is questionable. The mandatory must then be informed of all the findings by the forensic auditor, and the mandatory is then responsible for requesting a full scale investigation.
The main objective of a preliminary investigation is thus to determine if a full scale investigation is necessary.
3. Assessment, preliminary reporting and planning:
As previously stated, the mandatory is responsible for requesting a full scale investigation. This decision is based on a preliminary report where the forensic auditor has to report all facts that where discovered during the preliminary investigation pointing to the commission of a crime, and/or facts that prove the innocence of suspects and indicators that may point to the suspension of the investigation. If the preliminary report shows that further investigation is needed, and the mandatory decides that further investigation is necessary, the execution phase of the investigation is continued.
4. The execution phase:
The forensic auditor must perform all procedures in accordance with the investigation plan, and gather all evidence necessary for a successful prosecution. Two of the procedures that will always be performed are taking of affidavits and the gathering and interpretation of documentary evidence. The compilation of a case docket and the maintenance of an investigation diary are also important elements of all investigations.
There are numerous procedures that may be performed during an investigation, but there are no definitive blueprints that will fit all investigations. Some procedures may apply in some cases, and some may not. It is crucial to also know the law relating to investigation as described in the Criminal Procedure Act and other legislation. If the forensic auditor has no knowledge of the law, he or she would not know that the Police may apply for a search warrant in terms of the Criminal Procedure Act for the searching of premises and the seizure of evidence, or that a subpoena in terms of section 205 of the Criminal Procedure Act can grant the Police access to important information held by private persons and entities such as the banks, that would otherwise not be accessible for investigation purposes.
It should be noted that it is often beneficial for the forensic auditor to work and co-operate with the Police. It should be borne in mind that all evidence collected by the Police in terms of powers extended to them in the Criminal Procedure Act or other legislation are for the use of the Police in a criminal trial only. There are certain exceptions and permission may be obtained from the Director of Public Prosecution to utilize information in a police case docket for the purposes such as disciplinary hearings, etc.
A forensic auditor’s mandate very often includes assisting the Police with the investigation in order to prepare the matter for submission to the prosecutor.
5. Reporting:
The reporting phase could be regarded as the most important phase of a forensic audit. Regardless of how well the work was done, if the report is not written properly, the perception of the reader will be that the audit was not a success. The report must reflect the quality of an investigation.
Thursday, August 5, 2010
Motivation for Internal Control
• The effectiveness and efficiency of operations.
• Safeguarding of the company’s assets.
• Safeguarding of the company’s information.
• Compliance with applicable laws, regulations, and supervisory requirements.
• Supporting business sustainability under normal as well as adverse operating conditions.
• The reliability of reporting.
• Behaving responsibly to stakeholders.
• Safeguarding of the company’s assets.
• Safeguarding of the company’s information.
• Compliance with applicable laws, regulations, and supervisory requirements.
• Supporting business sustainability under normal as well as adverse operating conditions.
• The reliability of reporting.
• Behaving responsibly to stakeholders.
Five Components of Internal Control
• Control environment - The control environment provides the company with the discipline and structure required for all aspects of risk management and control. It includes integrity, ethical values, organizational culture, and competence of employees, management’s philosophy and operating style, assignment of authority.
• Risk assessment - The risk assessment process involves the identification, evaluation, and management of risks that are significant to the achievement of an organization’s objective. The forensic auditor should obtain an understanding of the significant fraud risks and identify the implications of any such risks for the organization.
• Information and communication - All organizations should have information systems that measure process results and compare them with objectives. They should also have communication practices to ensure that senior management promptly receives all such information, both positive and negative.
• Control activities - These are the policies and procedures established by management as a response to internal and external risks.
• Monitoring - Management’s monitoring procedures involve the assessment of actual performance and the comparison of actual and anticipated performance. The board must fully understand the business risk issues and key performance indicators that could affect the ability of the organization to achieve its purpose in the long term. Business risk and key performance indicators should be benchmarked against industry norms and best practice.
• Risk assessment - The risk assessment process involves the identification, evaluation, and management of risks that are significant to the achievement of an organization’s objective. The forensic auditor should obtain an understanding of the significant fraud risks and identify the implications of any such risks for the organization.
• Information and communication - All organizations should have information systems that measure process results and compare them with objectives. They should also have communication practices to ensure that senior management promptly receives all such information, both positive and negative.
• Control activities - These are the policies and procedures established by management as a response to internal and external risks.
• Monitoring - Management’s monitoring procedures involve the assessment of actual performance and the comparison of actual and anticipated performance. The board must fully understand the business risk issues and key performance indicators that could affect the ability of the organization to achieve its purpose in the long term. Business risk and key performance indicators should be benchmarked against industry norms and best practice.
Limitations of Internal Control
• Cost versus budget - The cost of an implemented control should not exceed its anticipated benefit. In circumstances where management has assessed the risk of loss and has decided to “accept” the risk as insignificant, this could lead to an absence of controls in areas where they could have prevented fraud.
• Routine versus non-routine transactions - Most controls are directed at routine rather than non-routine transaction processes, for example a business where thousands of sales transactions occur daily, such transactions are likely to be tightly controlled, with specific approval, processing, and monitoring controls in place. On the other hand, infrequent transactions such as the purchase of fixed assets for high values, usually formally approved by directors’ minutes may not have formalized procedures in place to identify, capture, and communicate the transactions. As a result, the completeness and measurement or accuracy of the recorded transactions may be in doubt.
• Human error - This relates to the potential for human error due to carelessness, distractions, poor judgment, and the misunderstanding of instructions. Temporary or permanent changes in personnel, systems, or procedures may contribute to human errors.
• Collusion - This refers to the possibility that a member of management or an employee colludes with parties inside or outside the organization to circumvent internal controls. An example of internal collusion is collusion between a staff member in human resources and a staff member dealing with funds transfers: The human resources staff member adds fictitious employees and/or additional employee back accounts onto the standing data files of the payroll, and the other staff member then authorizes the electronic fund transfers to these fictitious bank accounts.
• Management override - This revolves around the possibility that a person responsible for exercising a control could abuse that responsibility, for example, when a member of management overrides a control. Management override may be associated with aggressive earning policies, personal expenses processed through the business, the improper authorization of transactions, and deliberately misleading representations to secure financial benefits. These actions may be associated with deliberate attempts by management to mislead the auditors.
• Changes in conditions - This relates to the possibility that procedures may become inadequate owing to changes in conditions, and that compliance with control procedures may deteriorate. Examples are changes in the IT environment, and changes in the entity owing to large acquisitions, reorganizations, the development of new products or services operations in regions that are economically unstable, the application of new accounting standards, off-balance sheet finance, etc.
• Routine versus non-routine transactions - Most controls are directed at routine rather than non-routine transaction processes, for example a business where thousands of sales transactions occur daily, such transactions are likely to be tightly controlled, with specific approval, processing, and monitoring controls in place. On the other hand, infrequent transactions such as the purchase of fixed assets for high values, usually formally approved by directors’ minutes may not have formalized procedures in place to identify, capture, and communicate the transactions. As a result, the completeness and measurement or accuracy of the recorded transactions may be in doubt.
• Human error - This relates to the potential for human error due to carelessness, distractions, poor judgment, and the misunderstanding of instructions. Temporary or permanent changes in personnel, systems, or procedures may contribute to human errors.
• Collusion - This refers to the possibility that a member of management or an employee colludes with parties inside or outside the organization to circumvent internal controls. An example of internal collusion is collusion between a staff member in human resources and a staff member dealing with funds transfers: The human resources staff member adds fictitious employees and/or additional employee back accounts onto the standing data files of the payroll, and the other staff member then authorizes the electronic fund transfers to these fictitious bank accounts.
• Management override - This revolves around the possibility that a person responsible for exercising a control could abuse that responsibility, for example, when a member of management overrides a control. Management override may be associated with aggressive earning policies, personal expenses processed through the business, the improper authorization of transactions, and deliberately misleading representations to secure financial benefits. These actions may be associated with deliberate attempts by management to mislead the auditors.
• Changes in conditions - This relates to the possibility that procedures may become inadequate owing to changes in conditions, and that compliance with control procedures may deteriorate. Examples are changes in the IT environment, and changes in the entity owing to large acquisitions, reorganizations, the development of new products or services operations in regions that are economically unstable, the application of new accounting standards, off-balance sheet finance, etc.
The King Report II on Good Corporate Governance
Introduction
In 1994 the King Report on Corporate Governance (King I) was published by the King Committee on Corporate Governance, headed by former High Court judge, Mervyn King S.C. King I, incorporating a Code of Corporate Practices and Conduct, was the first of its kind in the country and was aimed at promoting the highest standards of corporate governance in South Africa.
Over and above the financial and regulatory aspects of corporate governance, King I advocated an integrated approach to good governance in the interests of a wide range of stakeholders. Although groundbreaking at the time, the evolving global economic environment together with recent legislative developments, have necessitated that King I be updated. To this end, the King Committee on Corporate Governance developed the King Report on Corporate Governance for South Africa, 2002 (King II).
King II acknowledges that there is a move away from the single bottom line (that is, profit for shareholders) to a triple bottom line, which embraces the economic, environmental and social aspects of a company’s activities. In the words of the King Committee:
Directors and their Responsibilities
1. Who should be on the Board?
It is recommended that South African companies have a unitary board structure. This should comprise executive and non-executive directors, preferably with a majority of non-executive directors, of whom a sufficient number should be independent of management in order to ensure the protection of minority shareholders’ interests.
2. Functions of the Board
2.1 The board must retain full and effective control over the company and be responsible for monitoring management in respect of implementation of board plans and strategies. The board, with the guidance of the company secretary, has the duty of ensuring that the company complies with all the relevant laws, regulations and codes of business practice.
2.2 The board is ultimately responsible for the affairs of the company. The delegation of authority to any committee does not discharge the responsibility
of the board in respect of the actions and decisions of a committee.
2.3 The board must give strategic direction to the company.
2.4 The board is responsible for the appointment of the chief executive officer and the succession process.
2.5 It is recommended that the board has an agreed procedure whereby directors are able to seek independent professional advice, should the need arise. The professional services procured should be at the company’s expense.
2.6 The board should develop a corporate code of conduct that addresses issues that relate, inter alia, to conflicts of interest, particularly relating to directors and management.
2.7 Insofar as it is practical, the board is responsible for assessing and rectifying issues in respect of the size, diversity and demographics of the company.
2.8 The board is responsible for identifying risk areas and performance indicators in respect of the company. The board must regularly monitor these issues.
2.9 The board is also responsible for the monitoring and assessment of the non-financial aspects pertaining to the company.
2.10 The board should aim to conform to the governance constraints while simultaneously performing in an innovative and entrepreneurial way.
3. Is there a distinction between the Chairperson and Chief Executive Officer?
3.1 The chairperson is responsible for the effective functioning of the board and the chief executive officer is responsible for the running of the company’s business. There should be a clear distinction between these roles.
3.2 The chairperson’s primary function is to preside over meetings of directors and ensure the smooth functioning of the board. The chairperson usually presides over the company shareholders’ meetings. The core functions performed by the chairperson include, inter alia:
• the overall leadership of the board;
• participating in the selection of board members;
• monitoring and evaluating board and director appraisals;
• formulating an annual work plan for the board;
• acting as the main informal link between the board and management;
• maintaining relations with the company’s shareholders.
3.3 The chief executive officer’s task is to run the business and to implement the policies and strategies adopted by the board.
3.4 Where the roles of the chairperson and the chief executive officer are combined, there should be an independent non-executive director serving as the deputy chairperson. Alternatively, there should be a strong independent non-executive director element on the board. Any decision to combine roles must be justified each year in the company’s annual report.
3.5 The chairperson or sub-committee appointed by the board should appraise the performance of the chief executive officer. Such appraisal should be performed on an annual basis.
4. Directors
4.1 In the company’s annual report, the capacity of the directors of the board should be categorised as follows:
• Executive Director: A director involved in the day to day management and/or in the full time employ of the company, and/or any of its subsidiaries;
• Non-Executive Director: A director not involved in the day to day management of the company and not a full time salaried employee of the company or any of its subsidiaries;
• Independent Director: A non-executive director who is not a representative of a shareholder, has not been employed by the company in any executive capacity for the preceding three financial years and has no significant contractual relationship or interest in the company or group.
4.2 Shadow directors are discouraged.
4.3 A formal orientation program is recommended to familiarise new directors with the company’s structure, operations and policies.
4.4 Directors should be regularly updated on any new or pending legislation, regulations and codes of best business practice.
4.5 New directors must receive developmental and educational training in respect of their duties and responsibilities to the company.
4.6 An executive director’s fixed term service contract should not exceed three years. Should it exceed such period, full disclosure of the reasons pertaining to such decision must be provided to the shareholders, and the shareholders’ consent must be obtained.
4.7 A formal and transparent remuneration policy must be developed by the company in respect of director remuneration. A Statement of Remuneration Philosophy published in the annual report must support this policy.
5. Remuneration Committee
5.1 The company should appoint a remuneration committee. This committee should consist mainly of independent non-executive directors.
5.2 The function of this committee should be to make recommendations to the board in respect of remuneration packages for executive directors.
5.3 Membership of the remuneration committee must be disclosed in the annual report.
5.4 Companies should also provide full disclosure of director remuneration on an individual basis in their annual reports.
5.5 Shareholders must approve any granting of share options to non-executive directors having regard to the provisions of the Companies Act. It must be noted that in some global markets the trend is to grant non-executive directors shares as opposed to share options.
6. Allocation of Share Options
6.1 A vesting period should be applied in respect of the allocation of share options to non-executive directors in order to dissuade short-term decision making.
6.2 Boards should have regard to the possibilities and the consequences of the removal or resignation of directors prior to the maturing of the vesting period. The impact on a director’s independence must be considered.
6.3 Any re-pricing of share options must be subject to shareholder approval. The shareholders must be provided with all necessary details in respect of the directors, executive or non-executive, that stand to benefit from such proposal.
6.4 In the event that share options are issued at a discount to the ruling share price, a separate vote must be cast by the shareholders in respect of this clause in the trust deed creating the share scheme. Any amendments proposed to the trust deed that would authorise allocations of share options at discounts must be approved by the shareholders.
6.5 Full disclosure by directors on an individual basis must be made in respect of all share schemes and incentive schemes.
7. Committees
7.1 Board committees should be established to aid the board and its directors in giving detailed attention to specific areas of the directors’ duties and responsibilities. The board of directors is solely responsible for the actions and decisions of these committees.
7.2 The board of directors should determine a policy for the frequency, purpose, conduct and duration of its meetings and those of the formally established committees, such as the audit committee and the remuneration committee.
7.3 There must be transparency and full disclosure from the committee to the board except where the committee has been mandated otherwise by the board.
7.4 It is recommended that all board committees be chaired by an independent non-executive director.
7.5 Board committees should be empowered to take independent professional advice where circumstances dictate, at the company’s expense. This policy must be agreed to at board level.
7.6 The composition of the committees (especially the remuneration, audit and nomination committees) should be detailed in the annual report, together with information containing a description of the committees’ responsibilities, the number of meetings held and any other information that may be of relevance to shareholders.
7.7 It is recommended that these committees be subject to regular evaluation and monitoring by the board in order to ensure that the committees’ duties and responsibilities are being effectively carried out.
8. Evaluation of the Directors
The nomination committee or a committee appointed for the fulfilment of a similar purpose should regularly review and assess the board, the committees and the individual directors in order to assess the effectiveness of the board and committees as a whole and to evaluate performance on a personal and individual level. It is recommended that these evaluations take place on an annual basis.
9. Dealing in Securities
9.1 A listed company must have a policy and practice restricting its directors, officers and other employees from dealing in the company’s securities prior to any formal announcement in respect of its financial results or during any other period where such dealings may be considered sensitive.
9.2 A listed company should also have a practice in place where the dealings of directors, as required by the listing requirements of the JSE Securities Exchange South Africa (JSE), are regulated and monitored.
9.3 The policy and practice referred to above, should be established by the board and implemented and monitored by the company secretary.
10. Annual Reports and General Meetings
10.1 Every board should have a charter that sets out the responsibilities and duties of the board. The charter should be disclosed in the company’s annual report.
10.2 The board must ensure that each item of special business included in the notice of the annual general meeting or any shareholders’ meeting is accompanied by a full explanation of the justification for and the effects of the proposed resolution.
10.3 Shareholders should be encouraged by the board to attend annual general meetings. All directors should be present at the annual general meeting, and particularly the chairpersons of the various committees.
11. Who is the Company Secretary?
11.1 In terms of section 268A of the Companies Act, the appointment of a company secretary in public companies with a share capital is mandatory.
11.2 The Companies Act makes provision for the appointment, removal and duties of the company secretary. The board is responsible for the appointment of the company secretary and should ensure that the company secretary is empowered to enable him or her to perform the duties effectively.
11.3 The company secretary must guide the board in respect of its duties and responsibilities and update the board on all new and pending legislation and regulations that may have an effect on the operation of the company.
11.4 The company secretary should play a role in the induction of new or inexperienced directors.
11.5 The company secretary assists the chairperson and the chief executive officer in determining the annual board plan.
11.6 The company secretary provides the main source of guidance in respect of matters of ethics and good governance.
11.7 It is recommended that the company secretary be subjected to a fit and proper test and evaluation.
Risk Management
1. What is Risk Management?
1.1 Risk management is the identification and evaluation of actual and potential areas of risk as they pertain to a company, followed by a procedure of termination, transfer, acceptance (tolerance) or mitigation of each risk.
1.2 Risk management is therefore a process that utilizes internal controls as a measure to mitigate and control risk.
2. Who is responsible for Risk Management?
2.1 The board is responsible for ensuring that the company has implemented an effective ongoing process to identify risk, measure its potential impact against a set of assumptions, and then activate what it believes is necessary to proactively manage these risks.
2.2 The board should therefore decide on what risk the company is prepared to take and what risks it will not take in pursuance of its goals and objectives.
2.3 The risk management process requires an inclusive team based approach which is effective across the company. A committee comprising of executive directors and members of senior management, who are accountable to the board, are best placed to evaluate risk in the company and report to the board.
3. What should Risk Assessment address?
Risk assessment should address the company’s exposure to the following:
• physical and operational risks;
• human resource risks;
• technical risks;
• business continuity and disaster recovery;
• credit and market risks;
• compliance risks.
4. What is the role of the Internal Audit Function in Risk Management?
The internal audit function should be used to provide independent assurance in relation to the board’s assertion surrounding the effectiveness of risk management and internal control.
5. Assimilating Risk to the Control Environment
5.1 The board should implement a comprehensive system of controls to ensure that risks are mitigated and that the company’s objectives are attained.
5.2 The control environment should set the tone of the company and cover ethical values, management’s philosophy and the competence of employees.
5.3 Five essential aspects of control are identified, namely:
• control environment;
• risk assessment;
• control activities;
• information and communications;
• monitoring.
5.4 Any vulnerability in the achievement of the company’s objectives, whether caused by internal or external risk factors, should be detected in good time, reported by the systems of control in place and met with appropriate intervention. Not only will this improve the company’s risk profile, thereby enhancing the company’s attraction as a worthwhile investment, but it will also enhance the positive influences of risk on the business.
5.5 The company should also consider the need for a confidential reporting process (whistle-blowing) covering fraud and other risks.
6. How is Risk Management applied?
6.1 The board is responsible for setting risk tolerance and related strategies and policies. It is also the board’s responsibility to review the effectiveness of these policies on a regular basis and in a manner in which its objectives are clearly defined for the benefit of management to guide them in carrying out their responsibilities.
6.2 In reviewing the reports on risk management and internal control in the course of a financial year, the board should:
• consider what the company’s risks are and how they have been identified, evaluated and controlled;
• assess the effectiveness of the related process of risk management and particularly reports of significant failings or weaknesses in the process;
• consider if the necessary action is being taken timely to rectify any significant failings or weaknesses;
• consider whether the results obtained from the review process indicate that more extensive monitoring is required.
7. Where should a Company’s Policy on Risk Management be reported?
7.1 The board should disclose how the company has dealt with risk and control in its annual report.
7.2 At a minimum, the board should disclose:
• that it is accountable for the process of risk management and the system of internal control, which is regularly reviewed for effectiveness and for establishing appropriate risk and control policies and communicating these throughout the company;
• that there is an ongoing process for identifying, evaluating and managing the significant risks faced by the company, which has been in place for the year under review and up to the date of approval of the annual report and financial statements;
• that there is an adequate and effective system of internal control in place to mitigate the significant risks faced by the company to an acceptable level;
• that there is a documented and tested process in place that will allow the company to continue its critical business processes in the event of a disastrous incident impacting on its activities;
• where material joint ventures and associates have not been dealt with as par t of the group for the purposes of applying these recommendations;
• any additional information in the annual report to assist in the understanding of the company’s risk management processes and system of internal control.
7.3 Where the board cannot make any of the disclosures set out above, it should state this fact and provide a suitable explanation.
8. Summary of Risk Management
8.1 The risk management review processes may identify areas of opportunity, such as where effective risk management can be turned into a competitive advantage for the company, and it should therefore not only be viewed from a negative perspective.
8.2 Risk management goes beyond the control of financial risks. Reputation and a company’s future survival are also at stake.
8.3 Companies must ensure that the governance surrounding risk management is transparent and disclosed to its stakeholders.
8.4 Risk management is a continuous process of identifying, evaluating and managing risk. Unless companies see risk management as more than just an act of compliance, they are unlikely to reap the benefits it can offer.
Internal Audit
1. What is Internal Audit?
According to the Institute of Internal Auditors: “Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
2. Is there a need for Internal Audit?
2.1 King II requires that companies have an effective internal audit function that has the respect and co-operation of both the board and management. Where the board decides not to establish an internal audit function, full reasons must be disclosed in the company’s annual report, with an explanation as to how assurance of effective internal controls, processes and systems will be obtained. Criteria to be considered in assessing the need for an internal audit function include:
• whether the existing management processes are adequate to identify and monitor the significant risks facing the company, and whether the established internal control system operates effectively;
• whether those who are responsible for managing risks and operating controls take a wholly objective and systematic view of their own performance;
• whether the board receives the right quality of assurance and information from management.
2.2 If the board decides that there is a need for an internal audit function, it must approve an “internal audit charter” which, inter alia, formally defines the purposes, authority and responsibility of the internal audit activity.
3. What is the status of Internal Audit?
3.1 The board must ensure that the internal audit team has a standing that commands respect in the company and that the internal audit operates at a level within the company that allows it fully to accomplish its responsibilities. In addition, the head of the internal audit should report administratively to the chief executive officer and should have ready access to the chairperson of the company and the chairperson of the audit committee.
3.2 If the external and internal audit functions are carried out by the same accounting firm, the audit committee and the board should satisfy themselves that there is adequate segregation between the two functions in order to ensure that their independence is not impaired.
4. Can Internal Auditors be Employees of the Company?
4.1 King II recognises that the fact that internal auditors may be employees of the company does not of itself impair their objectivity.
4.2 The internal audit activity should be independent of the activities audited and internal auditors should be objective in performing their work.
5. What is the role and function of Internal Audit?
5.1 The objective of internal audit is to assist members of executive and senior management in the effective discharge of their duties and responsibilities. To this end, internal audit furnishes them with analyses, appraisals, recommendations, counsel and information regarding the activities reviewed.
5.2 An effective internal audit function should provide:
• assurance that the management processes are adequate to identify and monitor significant risks;
• confirmation of the effective operation of the established internal control systems;
• credible processes for feedback on risk management and assurance;
• objective confirmation that the board receives the right quality of assurance and information from management and that this information is reliable.
5.3 Adherence to the standards proposed will ensure a common framework and understanding of the requirements for internal auditing.
6. What should the scope of Internal Audit be?
6.1 Internal audit should consider relevant strategic, business and operational risks and their significance, taking account of the board’s, senior management’s and its own professional judgment.
6.2 The internal audit plan, which should be approved by the audit committee, should be based on risk assessment as well as issues highlighted by the audit committee and senior management. The risk assessment process should be of a continuous nature so as to identify not only residual or existing risks but also emerging risks.
6.3 The internal audit function should co-ordinate with other internal and external providers of assurance to ensure proper coverage of financial, operational and compliance controls and to minimize duplication of effort.
7. How often should Internal Audits be conducted?
Internal audits should be conducted formally at least annually but more often in complex organizations.
Integrated Sustainability Reporting
1. What is Integrated Sustainability Reporting?
1.1 The concept of sustainability has recently been recognized and adopted in a business context to mean the achievement of balanced and integrated economic, social and environmental performance (“triple bottom line”).
1.2 King II seeks to provide indicative, inspirational guidelines to South African companies who are seeking to improve on their disclosure practices and recognize the importance of the relationship between an enterprise and the community in which it exists.
2. How is Integrated Sustainability Reporting achieved?
2.1 Every company should report at least annually on the nature and extent of its social, transformation, ethical, safety, health and environmental management policies and practices.
2.2 The board of directors should, in determining what is relevant for disclosure, take into account the environment in which the company operates.
2.3 A South African board should disclose:
• the HIV/Aids strategy plan and policies the company has in place to address and manage the potential impact of HIV/Aids on the company;
• the company’s formal procurement policies that take into account black economic empowerment;
• whether it has developed and implemented a definitive set of standards and practices in the company based on a clearly articulated code of ethics.
2.4 Principles of reliability, relevance, clarity, comparability, timeliness and verifiability should govern a company’s public disclosure of non-financial information.
3. What is meant by Organizational Integrity/Code of Ethics?
3.1 A company should demonstrate its commitment to organizational integrity by qualifying its standards in a code of ethics.
3.2 Each company should demonstrate its commitment to its code of ethics by:
• creating systems and procedures to introduce, monitor and enforce its ethical code;
• assigning high level individuals to oversee compliance with the ethical code;
• assessing the integrity of new appointees in selection and promotion procedures;
• exercising due care in delegating discretionary authority;
• communicating with and training all employees regarding enterprise values, standards and compliance procedures;
• providing, monitoring and auditing safe systems for reporting of unethical or risky behavior;
• consistently enforcing appropriate discipline;
• responding to offences and preventing reoccurrences.
3.3 The disclosure of the code of ethics should include a statement of the extent to which the directors believe the ethical standards and above criteria are being met.
4. What is “SHE”?
SHE stands for Safety, Health and Environment. King II has recognized that companies should have, as part of their objectives, the integration of SHE issues into their sustainability policies and procedures. This assists companies in achieving the triple bottom line goals.
5. Society and Transformation Requirements
5.1 Companies should value the diversity of approach, values and contribution which women and black people bring to the table and should develop mechanisms positively to reinforce the richness of diversity.
5.2 Companies should disclose the nature of policies and practices in place to promote equal opportunities for the previously disadvantaged in terms of realizing their full potential and reaching executive levels in the company.
6. Human Capital and what is required by King II?
6.1 Human capital indicates the latent or potential value that employees at all levels represent for a company. It has been recognized that the development of human capital serves not only the economic interests of the company itself, but also the requirements of the society within which the company operates.
6.2 Companies should disclose in their annual reports the criteria by which they propose to measure human capital developments and their performance in terms of such criteria.
6.3 Good corporate governance requires that business practice should reflect human capital development in areas such as the number of staff, with a particular focus on demographics (race, gender, people with disabilities), age, corporate training initiatives, employee development etc.
6.4 Reporting on the development of human capital is important because it provides both a public account of past performance and, more importantly, an indication of future prospects of the company.
External Audit
1. How important is an External Audit?
In addition to being a statutory requirement, an external audit provides an independent and objective check on the way in which the financial statements have been prepared and presented by the directors. An annual audit is an essential part of the checks and balances required and are one of the cornerstones of corporate governance.
2. What qualities should the External Auditors have?
The external auditors should:
• observe the highest level of business and professional ethics and, in particular, their independence should not be impaired in any way;
• be objective and consciously aware of their accountability to the shareholders.
3. Can the External Auditors also perform non-audit services for the Company?
3.1 The audit committee should set the principles for recommending use of the accounting firm of the external auditors for non-audit services, such as management consultancy and corporate finance services.
3.2 Audit committees should have the necessary business acumen to address external auditor independence on a case-by-case basis, thereby preserving the company’s ability to select its external auditor for non-audit services if that is in the best interests of the company and its investors.
3.3 In considering the external auditors’ independence, the board should consider, inter alia, the structure and ownership of the accounting firm. Management should encourage consultation between the internal and external auditors.
3.4 In addition to the Companies Act requirements, there should be separate disclosure of the amount paid for non-audit services with a detailed description in the notes to the annual financial statements of the nature thereof, together with the amounts paid for each of the services described.
4. Must Interim Reports be independently reviewed?
4.1 This is not mandatory, although the audit committee should consider whether an independent review of the interim reports is in the best interests of the company.
4.2 King II recommends that, at a minimum, the audit committee should request that an independent review of the interim report is performed if the auditors have qualified or disclaimed their opinion, or produced an adverse opinion, in the latest annual financial statements.
4.3 Where an independent review is conducted, the audit committee’s report commenting on the independent report, together with the auditor’s review report, should be tabled at the board meeting to adopt the interim report.
4.4 Where an independent review was not conducted, a comprehensive statement of the reasons why the audit committee concluded that a review was not required should be tabled at the board meeting.
4.5 Where an independent review was not conducted, any publication of the interim results should be labeled “unaudited”.
5. What is the Board’s responsibility regarding Going Concern Statements?
5.1 South African Statements of Generally Accepted Accounting Practice (GAAP) state that, when preparing financial statements, management should make an assessment of the company’s ability to continue as a going concern. In addition, these statements of GAAP require that, in assessing going concern, management should take into consideration all available information for the foreseeable future. This should be at least, but not limited to, 12 months from the balance sheet date.
5.2 Financial statements should be prepared on a going concern basis, unless management either intends to liquidate the company or to cease trading, or has no realistic alternative but to do so. When management is aware of material uncertainties relating to events or conditions that may cast doubt upon the company’s ability to continue as a going concern, those uncertainties should be disclosed.
5.3 When the financial statements are not prepared on a going concern basis, that fact should be disclosed, together with the basis on which the financial statements are prepared and the reason why the company is not considered to be a going concern.
5.4 Directors should consider the position at the previous year end, and determine whether any of the significant factors identified at that time have changed in a way that affects the going concern assumption at the interim reporting stage.
6. Who should be on the Audit Committee?
6.1 King II does not specify the size of the audit committee. The board should appoint an audit committee that has a majority of independent non-executive directors. The majority of the members of the audit committee should be financially literate.
6.2 The chairperson should be an independent non-executive director and not the chairperson of the board. The chairperson should have the requisite business, financial and leadership skills and should be a good communicator. King II recommends that the board chairperson should not be a member of the audit committee and that the board should consider if it is desirable for the chief executive officer to be a member or to attend only by invitation.
6.3 Membership of the audit committee should be disclosed in the annual report and the chairperson of the committee should be available to answer questions at the annual general meeting.
7. What is the role and function of the Audit Committee?
7.1 The appointment of the audit committee gives the board a means to monitor an effective internal control system. In addition, the audit committee reinforces both the internal control system and the internal audit function.
7.2 The audit committee should have written terms of reference dealing adequately with its membership, authority and duties. The terms of reference of the audit committee should be confirmed by the board and reviewed every year. Companies should disclose in their annual reports whether or not the audit committee has adopted formal terms of reference and, if so, whether or not the committee has satisfied its responsibilities for the year, in compliance with its terms of reference.
7.3 The audit committee should review:
• the functioning of the internal control system;
• the functioning of the internal audit department;
• the risk areas of the company’s operations to be covered in the scope of the external and internal audits;
• the reliability and accuracy of the financial information provided to management and other users of financial information, and whether the company should continue to use the services of the current internal and external auditors;
• any accounting or auditing concerns identified as a result of the internal or external audits;
• the company’s compliance with legal and regulatory provisions, its articles of association, code of conduct, by-laws and the rules established by the board.
7.4 The audit committee should, inter alia, also:
• encourage communication between members of the board, senior executive management, the internal audit department and the external auditors;
• confirm the internal audit department’s charter and internal audit plan;
• develop a direct, strong and candid relationship with the external auditors;
• review the scope and results of the external audit, its cost effectiveness and the independence and objectivity of the external auditors (and in so doing should review the nature and extent of any non-audit services provided to the company by the external auditors);
• place the minutes of its meetings before the board at the next board meeting;
• consider the rotation policy of the external auditors and whether there is a need to change the audit partner or senior staff engaged in the audit;
• draw up a recommendation to the board for the appointment and removal of the external auditors;
• investigate any matters within its terms of reference and safeguard all information supplied to it.
Compliance and Enforcement
1. How will King II be enforced?
1.1 The legal mechanisms to be relied on for enforcement of King II and the Code of Corporate Practices and Conduct (the Code) are:
• existing legal remedies, principally under the Companies Act (such as section 424, dealing with liability of directors and others for the fraudulent or reckless conduct of a company’s business) and the common law;
• the provisions of the amended listing requirements of the JSE.
1.2 In order to prevent the Code from becoming too burdensome and because King II is largely non-prescriptive in nature, compliance is for the most part treated as a matter between boards and the stakeholders of companies. King II encourages greater activism by shareholders, business and the financial press and relies heavily on disclosure as a regulatory mechanism.
1.3 In this regard it is important to note that King II recommends a number of changes and developments to existing legislation and enforcement processes so as to ensure that role-players do not merely pay lip service to the Code and the provisions of King II. Boards should implement effective measures to achieve compliance with the Code and the provisions of King II and should monitor corporate governance issues closely in order to ensure that they are not caught unawares by changes and developments.
2. To whom will King II apply?
2.1 King II, including the Code, applies to the following business enterprises:
• all companies with securities listed on the JSE;
• banks, financial and insurance entities;
• certain public sector enterprises and agencies.
2.2 King II recommends that all companies, in addition to those falling within the prescribed categories, give due consideration to the application of King II.
2.3 King II is effective in respect of the specified business enterprises whose financial years commence on or after 1 March 2002.
In 1994 the King Report on Corporate Governance (King I) was published by the King Committee on Corporate Governance, headed by former High Court judge, Mervyn King S.C. King I, incorporating a Code of Corporate Practices and Conduct, was the first of its kind in the country and was aimed at promoting the highest standards of corporate governance in South Africa.
Over and above the financial and regulatory aspects of corporate governance, King I advocated an integrated approach to good governance in the interests of a wide range of stakeholders. Although groundbreaking at the time, the evolving global economic environment together with recent legislative developments, have necessitated that King I be updated. To this end, the King Committee on Corporate Governance developed the King Report on Corporate Governance for South Africa, 2002 (King II).
King II acknowledges that there is a move away from the single bottom line (that is, profit for shareholders) to a triple bottom line, which embraces the economic, environmental and social aspects of a company’s activities. In the words of the King Committee:
"...successful governance in the world in the 21st century requires companies to adopt an inclusive and not exclusive approach. The company must be open to institutional activism and there must be greater emphasis on the sustainable or non-financial aspects of its performance. Boards must apply the test of fairness, accountability, responsibility and transparency to all acts or omissions and be accountable to the company but also responsive and responsible towards the company’s identified stakeholders. The correct balance between conformance with governance principles and performance in an entrepreneurial market economy must be found, but this will be specific to each company."
Directors and their Responsibilities
1. Who should be on the Board?
It is recommended that South African companies have a unitary board structure. This should comprise executive and non-executive directors, preferably with a majority of non-executive directors, of whom a sufficient number should be independent of management in order to ensure the protection of minority shareholders’ interests.
2. Functions of the Board
2.1 The board must retain full and effective control over the company and be responsible for monitoring management in respect of implementation of board plans and strategies. The board, with the guidance of the company secretary, has the duty of ensuring that the company complies with all the relevant laws, regulations and codes of business practice.
2.2 The board is ultimately responsible for the affairs of the company. The delegation of authority to any committee does not discharge the responsibility
of the board in respect of the actions and decisions of a committee.
2.3 The board must give strategic direction to the company.
2.4 The board is responsible for the appointment of the chief executive officer and the succession process.
2.5 It is recommended that the board has an agreed procedure whereby directors are able to seek independent professional advice, should the need arise. The professional services procured should be at the company’s expense.
2.6 The board should develop a corporate code of conduct that addresses issues that relate, inter alia, to conflicts of interest, particularly relating to directors and management.
2.7 Insofar as it is practical, the board is responsible for assessing and rectifying issues in respect of the size, diversity and demographics of the company.
2.8 The board is responsible for identifying risk areas and performance indicators in respect of the company. The board must regularly monitor these issues.
2.9 The board is also responsible for the monitoring and assessment of the non-financial aspects pertaining to the company.
2.10 The board should aim to conform to the governance constraints while simultaneously performing in an innovative and entrepreneurial way.
3. Is there a distinction between the Chairperson and Chief Executive Officer?
3.1 The chairperson is responsible for the effective functioning of the board and the chief executive officer is responsible for the running of the company’s business. There should be a clear distinction between these roles.
3.2 The chairperson’s primary function is to preside over meetings of directors and ensure the smooth functioning of the board. The chairperson usually presides over the company shareholders’ meetings. The core functions performed by the chairperson include, inter alia:
• the overall leadership of the board;
• participating in the selection of board members;
• monitoring and evaluating board and director appraisals;
• formulating an annual work plan for the board;
• acting as the main informal link between the board and management;
• maintaining relations with the company’s shareholders.
3.3 The chief executive officer’s task is to run the business and to implement the policies and strategies adopted by the board.
3.4 Where the roles of the chairperson and the chief executive officer are combined, there should be an independent non-executive director serving as the deputy chairperson. Alternatively, there should be a strong independent non-executive director element on the board. Any decision to combine roles must be justified each year in the company’s annual report.
3.5 The chairperson or sub-committee appointed by the board should appraise the performance of the chief executive officer. Such appraisal should be performed on an annual basis.
4. Directors
4.1 In the company’s annual report, the capacity of the directors of the board should be categorised as follows:
• Executive Director: A director involved in the day to day management and/or in the full time employ of the company, and/or any of its subsidiaries;
• Non-Executive Director: A director not involved in the day to day management of the company and not a full time salaried employee of the company or any of its subsidiaries;
• Independent Director: A non-executive director who is not a representative of a shareholder, has not been employed by the company in any executive capacity for the preceding three financial years and has no significant contractual relationship or interest in the company or group.
4.2 Shadow directors are discouraged.
4.3 A formal orientation program is recommended to familiarise new directors with the company’s structure, operations and policies.
4.4 Directors should be regularly updated on any new or pending legislation, regulations and codes of best business practice.
4.5 New directors must receive developmental and educational training in respect of their duties and responsibilities to the company.
4.6 An executive director’s fixed term service contract should not exceed three years. Should it exceed such period, full disclosure of the reasons pertaining to such decision must be provided to the shareholders, and the shareholders’ consent must be obtained.
4.7 A formal and transparent remuneration policy must be developed by the company in respect of director remuneration. A Statement of Remuneration Philosophy published in the annual report must support this policy.
5. Remuneration Committee
5.1 The company should appoint a remuneration committee. This committee should consist mainly of independent non-executive directors.
5.2 The function of this committee should be to make recommendations to the board in respect of remuneration packages for executive directors.
5.3 Membership of the remuneration committee must be disclosed in the annual report.
5.4 Companies should also provide full disclosure of director remuneration on an individual basis in their annual reports.
5.5 Shareholders must approve any granting of share options to non-executive directors having regard to the provisions of the Companies Act. It must be noted that in some global markets the trend is to grant non-executive directors shares as opposed to share options.
6. Allocation of Share Options
6.1 A vesting period should be applied in respect of the allocation of share options to non-executive directors in order to dissuade short-term decision making.
6.2 Boards should have regard to the possibilities and the consequences of the removal or resignation of directors prior to the maturing of the vesting period. The impact on a director’s independence must be considered.
6.3 Any re-pricing of share options must be subject to shareholder approval. The shareholders must be provided with all necessary details in respect of the directors, executive or non-executive, that stand to benefit from such proposal.
6.4 In the event that share options are issued at a discount to the ruling share price, a separate vote must be cast by the shareholders in respect of this clause in the trust deed creating the share scheme. Any amendments proposed to the trust deed that would authorise allocations of share options at discounts must be approved by the shareholders.
6.5 Full disclosure by directors on an individual basis must be made in respect of all share schemes and incentive schemes.
7. Committees
7.1 Board committees should be established to aid the board and its directors in giving detailed attention to specific areas of the directors’ duties and responsibilities. The board of directors is solely responsible for the actions and decisions of these committees.
7.2 The board of directors should determine a policy for the frequency, purpose, conduct and duration of its meetings and those of the formally established committees, such as the audit committee and the remuneration committee.
7.3 There must be transparency and full disclosure from the committee to the board except where the committee has been mandated otherwise by the board.
7.4 It is recommended that all board committees be chaired by an independent non-executive director.
7.5 Board committees should be empowered to take independent professional advice where circumstances dictate, at the company’s expense. This policy must be agreed to at board level.
7.6 The composition of the committees (especially the remuneration, audit and nomination committees) should be detailed in the annual report, together with information containing a description of the committees’ responsibilities, the number of meetings held and any other information that may be of relevance to shareholders.
7.7 It is recommended that these committees be subject to regular evaluation and monitoring by the board in order to ensure that the committees’ duties and responsibilities are being effectively carried out.
8. Evaluation of the Directors
The nomination committee or a committee appointed for the fulfilment of a similar purpose should regularly review and assess the board, the committees and the individual directors in order to assess the effectiveness of the board and committees as a whole and to evaluate performance on a personal and individual level. It is recommended that these evaluations take place on an annual basis.
9. Dealing in Securities
9.1 A listed company must have a policy and practice restricting its directors, officers and other employees from dealing in the company’s securities prior to any formal announcement in respect of its financial results or during any other period where such dealings may be considered sensitive.
9.2 A listed company should also have a practice in place where the dealings of directors, as required by the listing requirements of the JSE Securities Exchange South Africa (JSE), are regulated and monitored.
9.3 The policy and practice referred to above, should be established by the board and implemented and monitored by the company secretary.
10. Annual Reports and General Meetings
10.1 Every board should have a charter that sets out the responsibilities and duties of the board. The charter should be disclosed in the company’s annual report.
10.2 The board must ensure that each item of special business included in the notice of the annual general meeting or any shareholders’ meeting is accompanied by a full explanation of the justification for and the effects of the proposed resolution.
10.3 Shareholders should be encouraged by the board to attend annual general meetings. All directors should be present at the annual general meeting, and particularly the chairpersons of the various committees.
11. Who is the Company Secretary?
11.1 In terms of section 268A of the Companies Act, the appointment of a company secretary in public companies with a share capital is mandatory.
11.2 The Companies Act makes provision for the appointment, removal and duties of the company secretary. The board is responsible for the appointment of the company secretary and should ensure that the company secretary is empowered to enable him or her to perform the duties effectively.
11.3 The company secretary must guide the board in respect of its duties and responsibilities and update the board on all new and pending legislation and regulations that may have an effect on the operation of the company.
11.4 The company secretary should play a role in the induction of new or inexperienced directors.
11.5 The company secretary assists the chairperson and the chief executive officer in determining the annual board plan.
11.6 The company secretary provides the main source of guidance in respect of matters of ethics and good governance.
11.7 It is recommended that the company secretary be subjected to a fit and proper test and evaluation.
Risk Management
1. What is Risk Management?
1.1 Risk management is the identification and evaluation of actual and potential areas of risk as they pertain to a company, followed by a procedure of termination, transfer, acceptance (tolerance) or mitigation of each risk.
1.2 Risk management is therefore a process that utilizes internal controls as a measure to mitigate and control risk.
2. Who is responsible for Risk Management?
2.1 The board is responsible for ensuring that the company has implemented an effective ongoing process to identify risk, measure its potential impact against a set of assumptions, and then activate what it believes is necessary to proactively manage these risks.
2.2 The board should therefore decide on what risk the company is prepared to take and what risks it will not take in pursuance of its goals and objectives.
2.3 The risk management process requires an inclusive team based approach which is effective across the company. A committee comprising of executive directors and members of senior management, who are accountable to the board, are best placed to evaluate risk in the company and report to the board.
3. What should Risk Assessment address?
Risk assessment should address the company’s exposure to the following:
• physical and operational risks;
• human resource risks;
• technical risks;
• business continuity and disaster recovery;
• credit and market risks;
• compliance risks.
4. What is the role of the Internal Audit Function in Risk Management?
The internal audit function should be used to provide independent assurance in relation to the board’s assertion surrounding the effectiveness of risk management and internal control.
5. Assimilating Risk to the Control Environment
5.1 The board should implement a comprehensive system of controls to ensure that risks are mitigated and that the company’s objectives are attained.
5.2 The control environment should set the tone of the company and cover ethical values, management’s philosophy and the competence of employees.
5.3 Five essential aspects of control are identified, namely:
• control environment;
• risk assessment;
• control activities;
• information and communications;
• monitoring.
5.4 Any vulnerability in the achievement of the company’s objectives, whether caused by internal or external risk factors, should be detected in good time, reported by the systems of control in place and met with appropriate intervention. Not only will this improve the company’s risk profile, thereby enhancing the company’s attraction as a worthwhile investment, but it will also enhance the positive influences of risk on the business.
5.5 The company should also consider the need for a confidential reporting process (whistle-blowing) covering fraud and other risks.
6. How is Risk Management applied?
6.1 The board is responsible for setting risk tolerance and related strategies and policies. It is also the board’s responsibility to review the effectiveness of these policies on a regular basis and in a manner in which its objectives are clearly defined for the benefit of management to guide them in carrying out their responsibilities.
6.2 In reviewing the reports on risk management and internal control in the course of a financial year, the board should:
• consider what the company’s risks are and how they have been identified, evaluated and controlled;
• assess the effectiveness of the related process of risk management and particularly reports of significant failings or weaknesses in the process;
• consider if the necessary action is being taken timely to rectify any significant failings or weaknesses;
• consider whether the results obtained from the review process indicate that more extensive monitoring is required.
7. Where should a Company’s Policy on Risk Management be reported?
7.1 The board should disclose how the company has dealt with risk and control in its annual report.
7.2 At a minimum, the board should disclose:
• that it is accountable for the process of risk management and the system of internal control, which is regularly reviewed for effectiveness and for establishing appropriate risk and control policies and communicating these throughout the company;
• that there is an ongoing process for identifying, evaluating and managing the significant risks faced by the company, which has been in place for the year under review and up to the date of approval of the annual report and financial statements;
• that there is an adequate and effective system of internal control in place to mitigate the significant risks faced by the company to an acceptable level;
• that there is a documented and tested process in place that will allow the company to continue its critical business processes in the event of a disastrous incident impacting on its activities;
• where material joint ventures and associates have not been dealt with as par t of the group for the purposes of applying these recommendations;
• any additional information in the annual report to assist in the understanding of the company’s risk management processes and system of internal control.
7.3 Where the board cannot make any of the disclosures set out above, it should state this fact and provide a suitable explanation.
8. Summary of Risk Management
8.1 The risk management review processes may identify areas of opportunity, such as where effective risk management can be turned into a competitive advantage for the company, and it should therefore not only be viewed from a negative perspective.
8.2 Risk management goes beyond the control of financial risks. Reputation and a company’s future survival are also at stake.
8.3 Companies must ensure that the governance surrounding risk management is transparent and disclosed to its stakeholders.
8.4 Risk management is a continuous process of identifying, evaluating and managing risk. Unless companies see risk management as more than just an act of compliance, they are unlikely to reap the benefits it can offer.
Internal Audit
1. What is Internal Audit?
According to the Institute of Internal Auditors: “Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
2. Is there a need for Internal Audit?
2.1 King II requires that companies have an effective internal audit function that has the respect and co-operation of both the board and management. Where the board decides not to establish an internal audit function, full reasons must be disclosed in the company’s annual report, with an explanation as to how assurance of effective internal controls, processes and systems will be obtained. Criteria to be considered in assessing the need for an internal audit function include:
• whether the existing management processes are adequate to identify and monitor the significant risks facing the company, and whether the established internal control system operates effectively;
• whether those who are responsible for managing risks and operating controls take a wholly objective and systematic view of their own performance;
• whether the board receives the right quality of assurance and information from management.
2.2 If the board decides that there is a need for an internal audit function, it must approve an “internal audit charter” which, inter alia, formally defines the purposes, authority and responsibility of the internal audit activity.
3. What is the status of Internal Audit?
3.1 The board must ensure that the internal audit team has a standing that commands respect in the company and that the internal audit operates at a level within the company that allows it fully to accomplish its responsibilities. In addition, the head of the internal audit should report administratively to the chief executive officer and should have ready access to the chairperson of the company and the chairperson of the audit committee.
3.2 If the external and internal audit functions are carried out by the same accounting firm, the audit committee and the board should satisfy themselves that there is adequate segregation between the two functions in order to ensure that their independence is not impaired.
4. Can Internal Auditors be Employees of the Company?
4.1 King II recognises that the fact that internal auditors may be employees of the company does not of itself impair their objectivity.
4.2 The internal audit activity should be independent of the activities audited and internal auditors should be objective in performing their work.
5. What is the role and function of Internal Audit?
5.1 The objective of internal audit is to assist members of executive and senior management in the effective discharge of their duties and responsibilities. To this end, internal audit furnishes them with analyses, appraisals, recommendations, counsel and information regarding the activities reviewed.
5.2 An effective internal audit function should provide:
• assurance that the management processes are adequate to identify and monitor significant risks;
• confirmation of the effective operation of the established internal control systems;
• credible processes for feedback on risk management and assurance;
• objective confirmation that the board receives the right quality of assurance and information from management and that this information is reliable.
5.3 Adherence to the standards proposed will ensure a common framework and understanding of the requirements for internal auditing.
6. What should the scope of Internal Audit be?
6.1 Internal audit should consider relevant strategic, business and operational risks and their significance, taking account of the board’s, senior management’s and its own professional judgment.
6.2 The internal audit plan, which should be approved by the audit committee, should be based on risk assessment as well as issues highlighted by the audit committee and senior management. The risk assessment process should be of a continuous nature so as to identify not only residual or existing risks but also emerging risks.
6.3 The internal audit function should co-ordinate with other internal and external providers of assurance to ensure proper coverage of financial, operational and compliance controls and to minimize duplication of effort.
7. How often should Internal Audits be conducted?
Internal audits should be conducted formally at least annually but more often in complex organizations.
Integrated Sustainability Reporting
1. What is Integrated Sustainability Reporting?
1.1 The concept of sustainability has recently been recognized and adopted in a business context to mean the achievement of balanced and integrated economic, social and environmental performance (“triple bottom line”).
1.2 King II seeks to provide indicative, inspirational guidelines to South African companies who are seeking to improve on their disclosure practices and recognize the importance of the relationship between an enterprise and the community in which it exists.
2. How is Integrated Sustainability Reporting achieved?
2.1 Every company should report at least annually on the nature and extent of its social, transformation, ethical, safety, health and environmental management policies and practices.
2.2 The board of directors should, in determining what is relevant for disclosure, take into account the environment in which the company operates.
2.3 A South African board should disclose:
• the HIV/Aids strategy plan and policies the company has in place to address and manage the potential impact of HIV/Aids on the company;
• the company’s formal procurement policies that take into account black economic empowerment;
• whether it has developed and implemented a definitive set of standards and practices in the company based on a clearly articulated code of ethics.
2.4 Principles of reliability, relevance, clarity, comparability, timeliness and verifiability should govern a company’s public disclosure of non-financial information.
3. What is meant by Organizational Integrity/Code of Ethics?
3.1 A company should demonstrate its commitment to organizational integrity by qualifying its standards in a code of ethics.
3.2 Each company should demonstrate its commitment to its code of ethics by:
• creating systems and procedures to introduce, monitor and enforce its ethical code;
• assigning high level individuals to oversee compliance with the ethical code;
• assessing the integrity of new appointees in selection and promotion procedures;
• exercising due care in delegating discretionary authority;
• communicating with and training all employees regarding enterprise values, standards and compliance procedures;
• providing, monitoring and auditing safe systems for reporting of unethical or risky behavior;
• consistently enforcing appropriate discipline;
• responding to offences and preventing reoccurrences.
3.3 The disclosure of the code of ethics should include a statement of the extent to which the directors believe the ethical standards and above criteria are being met.
4. What is “SHE”?
SHE stands for Safety, Health and Environment. King II has recognized that companies should have, as part of their objectives, the integration of SHE issues into their sustainability policies and procedures. This assists companies in achieving the triple bottom line goals.
5. Society and Transformation Requirements
5.1 Companies should value the diversity of approach, values and contribution which women and black people bring to the table and should develop mechanisms positively to reinforce the richness of diversity.
5.2 Companies should disclose the nature of policies and practices in place to promote equal opportunities for the previously disadvantaged in terms of realizing their full potential and reaching executive levels in the company.
6. Human Capital and what is required by King II?
6.1 Human capital indicates the latent or potential value that employees at all levels represent for a company. It has been recognized that the development of human capital serves not only the economic interests of the company itself, but also the requirements of the society within which the company operates.
6.2 Companies should disclose in their annual reports the criteria by which they propose to measure human capital developments and their performance in terms of such criteria.
6.3 Good corporate governance requires that business practice should reflect human capital development in areas such as the number of staff, with a particular focus on demographics (race, gender, people with disabilities), age, corporate training initiatives, employee development etc.
6.4 Reporting on the development of human capital is important because it provides both a public account of past performance and, more importantly, an indication of future prospects of the company.
External Audit
1. How important is an External Audit?
In addition to being a statutory requirement, an external audit provides an independent and objective check on the way in which the financial statements have been prepared and presented by the directors. An annual audit is an essential part of the checks and balances required and are one of the cornerstones of corporate governance.
2. What qualities should the External Auditors have?
The external auditors should:
• observe the highest level of business and professional ethics and, in particular, their independence should not be impaired in any way;
• be objective and consciously aware of their accountability to the shareholders.
3. Can the External Auditors also perform non-audit services for the Company?
3.1 The audit committee should set the principles for recommending use of the accounting firm of the external auditors for non-audit services, such as management consultancy and corporate finance services.
3.2 Audit committees should have the necessary business acumen to address external auditor independence on a case-by-case basis, thereby preserving the company’s ability to select its external auditor for non-audit services if that is in the best interests of the company and its investors.
3.3 In considering the external auditors’ independence, the board should consider, inter alia, the structure and ownership of the accounting firm. Management should encourage consultation between the internal and external auditors.
3.4 In addition to the Companies Act requirements, there should be separate disclosure of the amount paid for non-audit services with a detailed description in the notes to the annual financial statements of the nature thereof, together with the amounts paid for each of the services described.
4. Must Interim Reports be independently reviewed?
4.1 This is not mandatory, although the audit committee should consider whether an independent review of the interim reports is in the best interests of the company.
4.2 King II recommends that, at a minimum, the audit committee should request that an independent review of the interim report is performed if the auditors have qualified or disclaimed their opinion, or produced an adverse opinion, in the latest annual financial statements.
4.3 Where an independent review is conducted, the audit committee’s report commenting on the independent report, together with the auditor’s review report, should be tabled at the board meeting to adopt the interim report.
4.4 Where an independent review was not conducted, a comprehensive statement of the reasons why the audit committee concluded that a review was not required should be tabled at the board meeting.
4.5 Where an independent review was not conducted, any publication of the interim results should be labeled “unaudited”.
5. What is the Board’s responsibility regarding Going Concern Statements?
5.1 South African Statements of Generally Accepted Accounting Practice (GAAP) state that, when preparing financial statements, management should make an assessment of the company’s ability to continue as a going concern. In addition, these statements of GAAP require that, in assessing going concern, management should take into consideration all available information for the foreseeable future. This should be at least, but not limited to, 12 months from the balance sheet date.
5.2 Financial statements should be prepared on a going concern basis, unless management either intends to liquidate the company or to cease trading, or has no realistic alternative but to do so. When management is aware of material uncertainties relating to events or conditions that may cast doubt upon the company’s ability to continue as a going concern, those uncertainties should be disclosed.
5.3 When the financial statements are not prepared on a going concern basis, that fact should be disclosed, together with the basis on which the financial statements are prepared and the reason why the company is not considered to be a going concern.
5.4 Directors should consider the position at the previous year end, and determine whether any of the significant factors identified at that time have changed in a way that affects the going concern assumption at the interim reporting stage.
6. Who should be on the Audit Committee?
6.1 King II does not specify the size of the audit committee. The board should appoint an audit committee that has a majority of independent non-executive directors. The majority of the members of the audit committee should be financially literate.
6.2 The chairperson should be an independent non-executive director and not the chairperson of the board. The chairperson should have the requisite business, financial and leadership skills and should be a good communicator. King II recommends that the board chairperson should not be a member of the audit committee and that the board should consider if it is desirable for the chief executive officer to be a member or to attend only by invitation.
6.3 Membership of the audit committee should be disclosed in the annual report and the chairperson of the committee should be available to answer questions at the annual general meeting.
7. What is the role and function of the Audit Committee?
7.1 The appointment of the audit committee gives the board a means to monitor an effective internal control system. In addition, the audit committee reinforces both the internal control system and the internal audit function.
7.2 The audit committee should have written terms of reference dealing adequately with its membership, authority and duties. The terms of reference of the audit committee should be confirmed by the board and reviewed every year. Companies should disclose in their annual reports whether or not the audit committee has adopted formal terms of reference and, if so, whether or not the committee has satisfied its responsibilities for the year, in compliance with its terms of reference.
7.3 The audit committee should review:
• the functioning of the internal control system;
• the functioning of the internal audit department;
• the risk areas of the company’s operations to be covered in the scope of the external and internal audits;
• the reliability and accuracy of the financial information provided to management and other users of financial information, and whether the company should continue to use the services of the current internal and external auditors;
• any accounting or auditing concerns identified as a result of the internal or external audits;
• the company’s compliance with legal and regulatory provisions, its articles of association, code of conduct, by-laws and the rules established by the board.
7.4 The audit committee should, inter alia, also:
• encourage communication between members of the board, senior executive management, the internal audit department and the external auditors;
• confirm the internal audit department’s charter and internal audit plan;
• develop a direct, strong and candid relationship with the external auditors;
• review the scope and results of the external audit, its cost effectiveness and the independence and objectivity of the external auditors (and in so doing should review the nature and extent of any non-audit services provided to the company by the external auditors);
• place the minutes of its meetings before the board at the next board meeting;
• consider the rotation policy of the external auditors and whether there is a need to change the audit partner or senior staff engaged in the audit;
• draw up a recommendation to the board for the appointment and removal of the external auditors;
• investigate any matters within its terms of reference and safeguard all information supplied to it.
Compliance and Enforcement
1. How will King II be enforced?
1.1 The legal mechanisms to be relied on for enforcement of King II and the Code of Corporate Practices and Conduct (the Code) are:
• existing legal remedies, principally under the Companies Act (such as section 424, dealing with liability of directors and others for the fraudulent or reckless conduct of a company’s business) and the common law;
• the provisions of the amended listing requirements of the JSE.
1.2 In order to prevent the Code from becoming too burdensome and because King II is largely non-prescriptive in nature, compliance is for the most part treated as a matter between boards and the stakeholders of companies. King II encourages greater activism by shareholders, business and the financial press and relies heavily on disclosure as a regulatory mechanism.
1.3 In this regard it is important to note that King II recommends a number of changes and developments to existing legislation and enforcement processes so as to ensure that role-players do not merely pay lip service to the Code and the provisions of King II. Boards should implement effective measures to achieve compliance with the Code and the provisions of King II and should monitor corporate governance issues closely in order to ensure that they are not caught unawares by changes and developments.
2. To whom will King II apply?
2.1 King II, including the Code, applies to the following business enterprises:
• all companies with securities listed on the JSE;
• banks, financial and insurance entities;
• certain public sector enterprises and agencies.
2.2 King II recommends that all companies, in addition to those falling within the prescribed categories, give due consideration to the application of King II.
2.3 King II is effective in respect of the specified business enterprises whose financial years commence on or after 1 March 2002.
Wednesday, August 4, 2010
Fraud Risk Assessment
Risk assessment and fraud susceptibility assessments are the largest contributors of active fraud prevention. Fraud can be prevented by assessing which departments in an organization are exposed to fraud, and using limited resources to restrict exposures in an organization. Fraud risk assessments are non-stop processes; therefore the intelligence keeps on increasing in an organization to prevent future frauds.
Four components of a fraud risk assessment:
1. Identify areas of exposures:
This is a process where the audit team identifies areas where fraud has been committed based on current trends within the industry, rumors, allegations, or it may be triggered by discoveries in other locations. The audit team needs to identify the types of fraud committed, such as cheque fraud, procurement fraud, and computer fraud. The frauds need to be evaluated to facilitate a process of prioritizing fraud risk. Managers of each department are responsible for evaluating their own departments in terms of their department’s fraud risk. The evaluation can consist of either atop-down or pyramid fashion, making all departments aware of fraud risk and recognize proactive steps taken by the board of directors to restrict the organization’s exposure to fraud as set out in the fraud policy. With this step everyone is made aware of fraud and has to contribute to the fight against fraud. After all the evaluations from each department is received, the fraud team has to assess the priorities of each department and start a planning process.
2. Grade positions in the exposed areas:
Further assessments are necessary to determine if there has been any fraud committed or if there is any fraud in progress in the exposed areas. This is a very subjective test and should be used as a guideline for prioritization purposes only. If the assessment has revealed exposure to a particular fraud, the positions which are the most exposed, and where the heaviest reliance is placed must be determined. Internal controls must then be assessed, as well as the segregated duties in this section. To be able to assess the problems, internal and external auditors should rethink previous problems in terms of controls, which may give good indications of where the problem areas are.
Risk Priorities:
• Low Risk
Internal controls = very good.
Segregation of duties = more than adequate.
Supervisory and custodial controls = effective.
There should be no known or rumored losses in that section.
• Medium Risk
Internal controls = good.
Segregation of duties = adequate.
There should be no audit queries relating to control issues.
There should be an assessment that there is heavy reliance on trust, but that it is not an issue.
• High Risk
Internal controls = deficient.
Supervisory and custodial controls = inadequate.
There will be heavy reliance on trust.
There will be historical audit queries.
There may be previous losses.
• Critical Risk
Includes all of the factors considered under High Risk (above).
There will be known shortages.
The incumbent can do a considerable amount of damage to the organization.
3. Grade employees:
Employees that fall under the High Risk and Critical Risk profiles must be graded as low, medium, high, or red, based on the reviews. Low and Medium Risk employees do not match the description of fraudsters, but still, fraudsters often appear to be above suspicion.
High risk employees are the ones who fit a fraudster’s profile.
Red risk employees are the ones who fit a fraudster’s profile, and have been named in actual fraud alerts such as anonymous tip-offs, a track record of indiscretions, or repeated warnings. Red risk employees are those who previously got off on a technicality, have prior criminal records, or have been dismissed for dishonesty from previous jobs. They are usually the ones talked about like: “we know he is stealing, but we haven’t caught him yet”.
To grade employees and test whether the allegations are true, test will have to be performed to profile the alleged fraudster.
Profiling consists of:
• All personal details.
• Previous employment.
• Personal habits.
• Background checks.
• Qualifications.
• Financial profile.
• Behavioral profile.
• Access in the different departments of the organization.
• Asset tracing.
• Links with suppliers.
4. Proactive tests for fraud:
Proactive fraud auditing is justified for all sectors which are exposed to any type of fraud. The testing for fraud is very open-ended and requires a number of complementary skills. When elements of fraud are discovered, a fraud response plan should be followed.
Four components of a fraud risk assessment:
1. Identify areas of exposures:
This is a process where the audit team identifies areas where fraud has been committed based on current trends within the industry, rumors, allegations, or it may be triggered by discoveries in other locations. The audit team needs to identify the types of fraud committed, such as cheque fraud, procurement fraud, and computer fraud. The frauds need to be evaluated to facilitate a process of prioritizing fraud risk. Managers of each department are responsible for evaluating their own departments in terms of their department’s fraud risk. The evaluation can consist of either atop-down or pyramid fashion, making all departments aware of fraud risk and recognize proactive steps taken by the board of directors to restrict the organization’s exposure to fraud as set out in the fraud policy. With this step everyone is made aware of fraud and has to contribute to the fight against fraud. After all the evaluations from each department is received, the fraud team has to assess the priorities of each department and start a planning process.
2. Grade positions in the exposed areas:
Further assessments are necessary to determine if there has been any fraud committed or if there is any fraud in progress in the exposed areas. This is a very subjective test and should be used as a guideline for prioritization purposes only. If the assessment has revealed exposure to a particular fraud, the positions which are the most exposed, and where the heaviest reliance is placed must be determined. Internal controls must then be assessed, as well as the segregated duties in this section. To be able to assess the problems, internal and external auditors should rethink previous problems in terms of controls, which may give good indications of where the problem areas are.
Risk Priorities:
• Low Risk
Internal controls = very good.
Segregation of duties = more than adequate.
Supervisory and custodial controls = effective.
There should be no known or rumored losses in that section.
• Medium Risk
Internal controls = good.
Segregation of duties = adequate.
There should be no audit queries relating to control issues.
There should be an assessment that there is heavy reliance on trust, but that it is not an issue.
• High Risk
Internal controls = deficient.
Supervisory and custodial controls = inadequate.
There will be heavy reliance on trust.
There will be historical audit queries.
There may be previous losses.
• Critical Risk
Includes all of the factors considered under High Risk (above).
There will be known shortages.
The incumbent can do a considerable amount of damage to the organization.
3. Grade employees:
Employees that fall under the High Risk and Critical Risk profiles must be graded as low, medium, high, or red, based on the reviews. Low and Medium Risk employees do not match the description of fraudsters, but still, fraudsters often appear to be above suspicion.
High risk employees are the ones who fit a fraudster’s profile.
Red risk employees are the ones who fit a fraudster’s profile, and have been named in actual fraud alerts such as anonymous tip-offs, a track record of indiscretions, or repeated warnings. Red risk employees are those who previously got off on a technicality, have prior criminal records, or have been dismissed for dishonesty from previous jobs. They are usually the ones talked about like: “we know he is stealing, but we haven’t caught him yet”.
To grade employees and test whether the allegations are true, test will have to be performed to profile the alleged fraudster.
Profiling consists of:
• All personal details.
• Previous employment.
• Personal habits.
• Background checks.
• Qualifications.
• Financial profile.
• Behavioral profile.
• Access in the different departments of the organization.
• Asset tracing.
• Links with suppliers.
4. Proactive tests for fraud:
Proactive fraud auditing is justified for all sectors which are exposed to any type of fraud. The testing for fraud is very open-ended and requires a number of complementary skills. When elements of fraud are discovered, a fraud response plan should be followed.
Subscribe to:
Posts (Atom)