Corporate fraud & corruption Quarter 2 2022

By SHIRLEY IVASON-WAGENER, Published in Fraud/corruption

Q. To what extent are boards and senior executives in South Africa taking proactive steps to reduce incidences of fraud and corruption from surfacing within their company?


A. A holistic approach to managing fraud risk is required to effectively mitigate its effects. This includes implementing a robust fraud risk management framework incorporating prevention, detection and response strategies. In line with the South African Companies Act and King IV Code on Corporate Governance, the board is responsible for risk management, including fraud risk management. Organisations are expected to adopt an anti-fraud policy at board level. The accountability and oversight of fraud risk management is extended to board subcommittees, such as the audit and risk committee and the social and ethics committee. Senior management is required to report to the audit and risk committee and the board on the effectiveness of its fraud control activities. This fraud risk governance protocol helps to keep relevant players in check and keeps fraud risk duly on the radar. Most companies have adopted a more reactive approach to fraud risk management with limited proactive initiatives being implemented. However, there is a steady shift toward having a more holistic approach and this is evidenced by companies requesting forensic professionals assess and benchmark their fraud risk strategies to identify gaps and make recommendations for improvement.

Q. Have there been any significant legal and regulatory developments relevant to corporate fraud and corruption in South Africa over the past 12-18 months?

A. South Africa has a robust existing legal framework for combatting fraud and corruption. However, enforcement remains a challenge. In terms of recent developments, the Cybercrimes Act 19 of 2020 sets out offences for cyber fraud, cyber forgery and uttering and cyber extortion, among others. The Act imposes a reporting obligation on electronic communications service providers and financial institutions to report cyber offences within 72 hours of identification. Contravention of this reporting obligation will result in a fine. Another interesting development is the implementation of lifestyle audits for public servants in the national and provincial spheres of government.

Q. When suspicions of fraud or corruption arise within a firm, what steps should be taken to evaluate and resolve the potential problem?

A. Companies should already have a fraud response strategy in place, articulating the steps to be taken when fraud occurs. This should include the roles and responsibilities of the relevant stakeholders. A structured and clearly understood approach is vital to ensuring that each stakeholder understands what their role is in responding to fraud. Employees should understand and be clear about what they should do when they identify or witness fraud and what whistleblowing reporting mechanisms are in place to report fraud. Line management should understand when to get the forensic investigation function involved. The forensic investigation function should have appropriate capabilities and methodologies, backed by a legislative framework, to investigate fraud. Feedback to whistleblowers is also important from an enforcement and accountability perspective, providing assurance that matters reported get the necessary attention and action. This encourages whistleblowers to report wrongdoing and builds positively on the ethical and antifraud culture of the company.

Q. Do you believe companies are paying enough attention to employee awareness, such as training staff to identify and report potential fraud and misconduct?

A. Fraud and ethics awareness training are key foundational elements of a fraud risk management framework. Employees are an organisation's foot soldiers in the fight against fraud and the 'eyes and ears' of management on the ground. Thus, employees play a pivotal role in fraud detection. Employees know the definition of fraud and other forms of misconduct to identify it and report it. This should be defined clearly in the company's antifraud policy and form part of the fraud awareness training. Proper awareness and education of employees on how to spot fraud, what to do when fraud is identified and what information should be provided to have sufficient information to initiate an investigation is usually lacking. This can be evidenced by whistleblowing reports that are received with insufficient information to act on the report.

Q. How has the renewed focus on encouraging and protecting whistleblowers changed the way companies manage and respond to reports of potential wrongdoing?

A. There has been a spotlight on the protection of whistleblowers in recent years in South Africa, given their vital role in exposing fraud and corruption. Unfortunately, whistleblowing is generally viewed in a negative light. Obviously, whistleblowers pose a threat to those on the wrong side of the law and thus face huge safety and employment security risks. It is critical that companies put proper whistleblowing mechanisms in place and response protocols to safeguard the identity of whistleblowers and to respond to acts of retaliation or victimisation. South Africa's whistleblowing legislation, the Protected Disclosures Act, prohibits any retaliation against whistleblowers who come forward and report fraud and corruption in a bona fide manner. Regrettably, there have been limited strides in the successful application of the Act. Anonymous reporting is still the most sought-after method of whistleblowing. To this end, anonymous hotlines play a vital role in whistleblowing and protecting the identity of whistleblowers.

Q. Could you outline the main fraud and corruption risks that can emerge from third-party relationships? In your opinion, do firms pay sufficient attention to due diligence at the outset of a new business relationship?

A. Bribery, corruption and fraud are among the key risks linked to third-party relationships. These risks are common in high-risk environments within companies, such as supply chains and finance. These risks may be prevalent at various stages of the bid process, such as pre-bid, sourcing of bids, during the bid evaluation and post award of the bid. Often in high value tenders, the end user and senior management may influence the awarding of work to favoured or corrupt third parties. The first step toward mitigating third-party risks is conducting focused fraud and corruption risk assessments, to gain a full appreciation of the fraud and corruption risks in the company. This will also help identify the high-risk business units within the company and allow for a targeted approach to mitigate these risks. These risk assessments should be carried out regularly to align with the ever-changing fraud landscape. New business relationships may require a more in-depth due diligence exercise at the outset.

Q. What advice can you offer to companies on implementing and maintaining a robust fraud and corruption risk management process, with appropriate internal controls?

A. A foundational element of managing fraud and corruption risk is to establish and maintain a strong ethical culture. An important starting point would be to have a fraud and corruption risk management framework in place, with the overarching stance of the organisation embedded in its anti-fraud and corruption policy. Related policies and codes, such as those addressing ethical conduct, conflicts of interest, third-party relationships, political contributions, gifts and entertainment, among others, supplement and give effect to the overall anti-fraud and corruption policy. In developing the fraud and corruption risk management framework, it is vital to understand your fraud risk landscape and regulatory compliance framework, as well as identify the roles and responsibilities of relevant custodians across the business. The key elements of a fraud and corruption risk management framework include fraud risk strategy and policy, a governance framework, and the operating model. This framework should be communicated to all employees and management, and actively promoted by senior management and the board. A regular assessment of the fraud and corruption risk framework is required to ensure that the organisation's strategy remains relevant and aligned to the changing business and fraud landscape to effectively identify, mitigate and manage fraud across the organisation.

Ivason-Wagener is a Partner of KPMG (South Africa).

This article was first published in Financier Worldwide, In-depth Feature Reprint March 2022.