
AUE4864 Learning Unit 2 2024

The document discusses fraud prevention responsibilities and a fraud prevention program. It covers topics like fraud risk management, a fraud risk management framework, the objectives of a fraud risk management program, and integrating fraud risk management with enterprise risk management. The fraud risk management program aims to prevent, detect, and respond to fraud before, during and after it occurs.


[Figure: Module overview diagram, "FRAUD PREVENTION", with four branches:
• Criminal behaviour: behaviour analysis; fraud triangle; current trends
• Fraud responsibilities: fraud risk management; management; external auditors; internal auditors; forensic practitioners
• Fraud prevention programme: ethics & fraud policy; recruitment & training; fraud risk and anti-fraud controls; fraud risk assessment; whistle-blowing
• Data analytics: data analysis]

LEARNING UNIT 2
FRAUD RESPONSIBILITIES

Topic 2.1

Fraud risk management


Learning outcomes

At the end of this topic you should be able to


• understand the concept of risk management, including the
various risk management frameworks
• differentiate between fraud risk management and fraud
prevention and detection
• understand and demonstrate knowledge of the objectives,
principles, components, and steps of a fraud risk management
programme
• demonstrate knowledge of the role players in a fraud risk
management programme
• design a fraud risk management programme in a practical
scenario

The content within this learning unit is subject to ongoing (and rapid)
amendments in practice. You are encouraged to remain alert and be
vigilant to further developments within the industry within this
academic year. You should especially focus on changes in
standards and legislation, which are applicable to the content you
are required to study.

Risk management
According to the ACFE Manual 2023, the risk of fraud is just one of many risks that
organisations must manage.

Before we dive into the details of fraud risk management, you first need to understand the
concept of risk management.

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) was
originally formed in 1985. COSO is a joint initiative of five private-sector organisations and is
dedicated to providing thought leadership through the development of frameworks and
guidance on enterprise risk management, internal control, and fraud deterrence.

Definition

Risk can be defined as the effect, whether positive or negative, of
uncertainty on an organisation’s objectives (ISO 31000:2018).

COSO defines enterprise risk management as “the culture,
capabilities, and practices, integrated with strategy-setting and its
performance, that organisations rely on to manage risk in creating,
preserving and realising value.”

In other words, risk management balances risk appetite – how much
risk management is willing to accept – with the ability to meet the
organisation’s strategic, operational, reporting and compliance
objectives.

Risk management frameworks


There are various risk management frameworks in practice.

The widely used COSO framework, Internal control – Integrated framework, was
released in 1992. This framework provides principle-based guidance for developing and
implementing effective internal controls. COSO revised this original framework in 2004,
resulting in the Enterprise risk management – Integrated framework (COSO ERM 2004).
COSO further revised the Internal control – Integrated framework (COSO IC 2013) in 2013
to include 17 additional principles to assist in creating an effective internal control system.
One of these principles, Principle 8, specifically addresses the importance of organisations
considering “the potential for fraud in assessing risks to the achievement of objectives”.

In 2017, COSO issued a framework for risk management called Enterprise risk
management – integrating with strategy and performance (COSO ERM 2017).

To provide best-practices guidance for organisations to follow when implementing this
principle, COSO partnered with the Association of Certified Fraud Examiners (ACFE) in 2016
to create the Fraud risk management guide (FRM 2016). The joint report is designed to aid
organisations in effectively establishing an overall fraud risk management programme.

Two other frameworks of interest are the ISO 31000:2018 (adopted in South Africa as
SANS 31000:2019), Risk management – Guidelines, published by the International
Organization for Standardization (ISO) and Managing the business risk of fraud: A
practical guide, jointly published by the IIA, AICPA and ACFE in 2008. ISO 31000:2018
provides a common approach to managing any type of risk and is not industry or sector
specific.

More recently, the ERM Initiative released The state of risk oversight: An overview of
enterprise risk management practices in 2021, which reported on the current state of
enterprise risk oversight initiatives at that time.

You do not have to study the details of all these risk management
frameworks. You just need to be aware of them and how they fit into
the risk management and fraud risk management processes.

Read

Read Pages 4.801 to 4.807 of the Fraud examiners manual 2023.

Fraud risk management framework


We mentioned the 2016 Fraud risk management guide (FRM 2016) as part of the risk
management frameworks above. So how does this guide integrate into all the other risk
management frameworks?

FRM 2016 describes five broad principles, one for each of the five interrelated components of
internal control listed in COSO’s 2013 version of Internal control – Integrated framework
(COSO IC 2013). These five principles are also connected with the components of enterprise
risk management (ERM) described in COSO ERM 2017.

The relationship between the 2013 COSO framework’s five components, the Fraud
risk management guide’s five principles and the components of COSO ERM 2017

| # | COSO IC 2013 | FRM 2016 | ERM 2017 |
|---|---|---|---|
| 1 | Control environment | The organisation establishes and communicates a fraud risk management programme that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. | Governance and culture |
| 2 | Risk assessment | The organisation performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks. | Strategy and objective setting |
| 3 | Control activities | The organisation selects, develops and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. | Performance |
| 4 | Information and communication | The organisation establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner. | Information, communication, and reporting |
| 5 | Monitoring activities | The organisation selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management programme deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors. | Review and revision |

The objectives of a fraud risk management programme


The fraud risk management programme should address fraud before, while and after it
happens.

This means that a fraud risk management programme must incorporate policies and
procedures designed to
• prevent,
• detect, and
• respond to identified fraud.

Fraud risk management vs fraud prevention and detection


At this point, you may very well ask, so what is the difference between
fraud risk management and fraud prevention?

In short, fraud prevention is a strategy or component within a fraud
risk management programme which helps to achieve the objectives
of the fraud risk management programme.

Therefore, fraud risk management is “the big picture”, while
fraud prevention consists of activities which help to manage the
risk of fraud in an organisation.

When learning of the components of a fraud risk management
programme and the steps to follow to develop an effective fraud risk
management programme, you will be able to identify some of these
activities, which will be introduced in the following topics of this
module, such as fraud risk assessment, anti-fraud controls, data
analytics, fraud awareness, etc.

The responsibility for managing fraud risk

Fraud risk management is a coordinated effort made by the governing body or board of
directors and the audit committee. Internally, it involves areas such as management, forensic
practitioners, internal auditing, risk management, the legal department, and the ethics and
compliance functions. It is also suggested that a cross-departmental team, or fraud risk
management team, should be formed to plan and execute the fraud risk management
programme.

Remember this and compare it to the information that you will study in the following topics
regarding management, external auditing, internal auditing, and fraud practitioners’
responsibilities to prevent and detect fraud.

The fraud prevention checklist

Go to https://legacy.acfe.com/report-to-the-nations/2024/
and download the ACFE’s Report to the Nations 2024.

Pages 102 and 103 of the report provide a sample fraud prevention
checklist that can be used as a guideline when trying to establish how
effective your current fraud prevention measures are.

Study
• The 2016 Fraud risk management guide Executive Summary,
available at
https://www.acfe.com/fraudrisktools/COSO-Fraud-Risk-Management-Guide-Executive-Summary.pdf
• Pages 4.808 to 4.833 of the Fraud examiners manual 2023
• The ACFE’s Report to the Nations 2024


Topic 2.2

Management’s responsibilities
Learning outcomes

At the end of this topic, you should be able to


• demonstrate knowledge of management’s responsibility for
internal controls as per the COSO control framework
• understand the responsibilities of management and those
charged with the governance of the entity in terms of the
Companies Act, ISA 240 and the JSE Ltd listing requirements
• give advice on compliance or non-compliance with the
Companies Act, ISA 240 and the JSE Ltd listing requirements
using a practical scenario
• give advice on compliance or non-compliance with King IV,
using a practical scenario
• give advice on the changes an entity should implement to be
in compliance with King IV, using a practical scenario
• comment on management and those charged with governance
responsibility in terms of fraud prevention and detection, using
a practical scenario
• comment on the accountability of management and those
charged with governance when occupational fraud is detected
in an entity, using a practical scenario

We will discuss the responsibilities of management regarding fraud under the following
headings:
• General
• Responsibilities in terms of the Companies Act
• Civil liability
• Prospectus liability
• Liability under the Insolvency Act
• The King Report
• ISA 240
• JSE requirements

1. Management’s general responsibilities relating to fraud

Many parties involved in an entity play an important role in fighting fraud. However,
management is ultimately responsible for fraud prevention and detection in any entity. This
includes ensuring that proper internal controls are designed and that they operate effectively
to prevent and detect fraud.

As you learned in the previous topic, the widely used Internal control – Integrated
framework of the Committee of Sponsoring Organisations of the Treadway Commission
(COSO) provides principle-based guidance for developing and implementing effective
internal controls.

Definition

The COSO framework defines internal control as “a process, effected by
an entity’s board of directors, management and other personnel, designed
to provide reasonable assurance regarding the achievement of objectives”
in three categories:
• Effectiveness and efficiency of operations
• Reliability of financial and non-financial reporting
• Compliance with applicable laws and regulations

You will learn more about internal controls in topic 3.3 of learning unit 3. For now, you just
need to understand management’s responsibility for internal controls as per the COSO control
framework.

Source: COSO. Internal control: Integrated framework executive summary
https://www.coso.org/Shared%20Documents/Framework-Executive-Summary.pdf

2. Management’s responsibility and liability in terms of the Companies Act 2008 (ss 66-78)

Directors’ personal financial interests are discussed in section 75 of the Companies Act
(71/2008). The term “director” includes an alternate director, a prescribed officer and a person
who is a member of a committee of a board of a company, irrespective of whether the person
is also a member of the company’s board.

2.1 The standards of directors’ conduct are set out in section 76:
(2) A director of a company must –
    (a) not use the position of director, or any information obtained while acting in
        the capacity of a director—
        (i) to gain an advantage for the director, or for another person other than
            the company or a wholly owned subsidiary of the company; or
        (ii) to knowingly cause harm to the company or a subsidiary of the company;
        and
    (b) communicate to the board at the earliest practicable opportunity any
        information that comes to the director’s attention, unless the director—
        (i) reasonably believes that the information is—
            (aa) immaterial to the company; or
            (bb) generally available to the public, or known to the other directors;
            or
        (ii) is bound not to disclose that information by a legal or ethical obligation
             of confidentiality.
(3) Subject to subsections (4) and (5), a director of a company, when acting in that capacity,
must exercise the powers and perform the functions of a director—
    (a) in good faith and for a proper purpose;
    (b) in the best interests of the company; and
    (c) with the degree of care, skill and diligence that may reasonably be expected
        of a person—
        (i) carrying out those functions in relation to the company as those carried
            out by that director; and
        (ii) having the general knowledge, skill and experience of that director.

Section 77 of the Companies Act (71/2008) deals with the liability of directors and prescribed
officers. It is important to note that the term “director” also includes an alternate director, as
well as a prescribed officer, and board committee and audit committee member. This inclusion
is irrespective of whether or not a person is also a member of the board of the company.

Section 77(2) elaborates on the liability of a director and states that a director of a company
may be held liable:
• in accordance with the principles of the common law relating to breach of a fiduciary
duty, for any loss, damages or costs sustained by the company as a consequence of any
breach by the director of a duty contemplated in section 75, 76(2) or 76(3)(a) or (b); or
• in accordance with the principles of the common law relating to delict for any loss,
damages or costs sustained by the company as a consequence of any breach by the
director of—
o a duty contemplated in section 76(3)(c);
o any provision of this Act not otherwise mentioned in this section; or
o any provision of the company’s Memorandum of Incorporation.

REMEMBER

• section 75 = duty to disclose a personal financial interest
• section 76(2) = duty to avoid a conflict of interest
• section 76(3)(a)–(b) = duty to act in good faith and for a proper
purpose or in the best interests of the company
• section 76(3)(c) = duty to act with the required degree of care, skill,
and diligence

Also, take note of the provisions of section 77(3) and (4), which describe the liability of a
director in the event of loss, damages or costs sustained by the company because of certain
acts by a director or failure to act against certain unauthorised or unlawful actions and
situations.

Section 77(6) provides for the joint and several liability of a person with any other person.
Section 77(7) to 77(10) provide for proceedings to recover any loss, damages, or costs for
which a person is or may be held liable.

2.2 False statements
The Companies Act (71/2008) also makes provision for a person to be held accountable if
that person deliberately provided false statements, engaged in reckless conduct, or did not
comply with certain provisions of the Act as set out in section 214. The section reads as
follows:

Section 214 – False statements, reckless conduct and non-compliance


(1) A person is guilty of an offence if the person;
a. is a party to the falsification of any accounting records of a company;
b. with a fraudulent purpose, knowingly provided false or misleading
information in any circumstances in which this Act requires the person to
provide information or give notice to another person;
c. was knowingly a party to an act or omission by a company calculated to
defraud a creditor or employee of the company, or a holder of the company’s
securities, or with another fraudulent purpose; or
d. is a party to the preparation, approval, dissemination or publication of a
prospectus or a written statement contemplated in section 101, that contains
an ‘untrue statement’ as defined and described in section 95.
(2) For the purposes of subsection (1)(d) and section 29(6) a person is a party to the
preparation of a document contemplated in that subsection if:
a. the document includes or is otherwise based on a scheme, structure or form
of words or numbers devised, prepared or recommended by that person;
and
b. the scheme, structure or form of words is of such a nature that the person
knew, or ought reasonably to have known, that its inclusion or other use in
connection with the preparation of the document would cause it to be false
or misleading.
(3) It is an offence to fail to satisfy a compliance notice issued in terms of this Act, but no
person may be prosecuted for such an offence in respect of a particular compliance notice
if the Commission or Panel, as the case may be, has applied to a court in terms of section
171(7)(a) for the imposition of an administrative fine in respect of that person’s failure to
comply with that notice.

The provisions of the Companies Act (71/2008) would not have the same effect if they were
not enforceable by means of penalties. The penalties that are provided for in section 216
could take the form of either a fine and/or imprisonment. The section reads as follows:

2.3 Section 216 – Penalties


Any person convicted of an offence in terms of this Act, is liable:
a. in the case of a contravention of section 213(1) or 214(1), to a fine or to
imprisonment for a period not exceeding 10 years, or to both a fine and
imprisonment; or
b. in any other case, to a fine or to imprisonment for a period not exceeding 12
months, or to both a fine and imprisonment.

2.4 Section 218 – Civil actions


The Act also provides for civil liability towards a third party and reads as follows:
1. Subject to any provision in this Act specifically declaring void an agreement, resolution or
provision of an agreement, Memorandum of Incorporation, or rules of a company, nothing
in this Act renders void any other agreement, resolution or provision of an agreement,
resolution, Memorandum of Incorporation or rule of a company that is prohibited, voidable
or that may be declared unlawful in terms of this Act, unless a court has made a
declaration to that effect regarding that agreement, resolution or provision.
2. Any person who contravenes any provision of this Act is liable to any other person for any
loss or damage suffered by that person as a result of that contravention.
The provisions of this section do not affect the right to any remedy that a person may otherwise
have.

2.5 Section 20 – Validity of company actions


Section 20(6) provides for shareholders of a company to claim damages against any person
who “fraudulently or due to gross negligence causes the company to do anything inconsistent
with this Act or a limitation, restriction or qualification contemplated in this section, unless that
action has been ratified by the shareholders in terms of subsection (2)”.

2.6 Section 22 – Reckless trading prohibited


Section 22 prohibits a company from carrying on its business recklessly, or with gross
negligence, with the intent to defraud any person or for any fraudulent purpose.

2.7 Section 104 – Prospectus liability


Prospectus liability (for untrue statements) is discussed in section 104(1) of the Companies
Act (71/2008). The liability is attached to a director, a promoter, a person who authorised the
issue of the prospectus or a person who made the offer to the public. Any of these individuals
could be liable to compensate any person for loss or damage sustained if that person, on the
basis of the untrue statements in the prospectus, acquired securities of the company.

Section 104(2) also provides that the liability provided for in subsection (1) is in addition to
the liability of a director of the company as contemplated in section 77(3)(d)(ii) (delictual
liability).

2.8 Liability under the Insolvency Act


Schedule 5 of the Companies Act (71/2008) deals with transitional arrangements – more
specifically, section 9 of schedule 5 provides for the continued application of the previous
Companies Act (61/1973) to the winding up and liquidation of companies. Therefore, sections
424, 425 and 426 of the previous Companies Act still apply and should be read in conjunction
with the Insolvency Act (24/1936).

2.9 Section 424(1) – Liability of directors and others for fraudulent conduct of
business
“When it appears, whether it be in a winding-up, judicial management or otherwise, that any
business of the company was or is being carried on recklessly or with intent to defraud
creditors of the company or creditors of any other person or for any fraudulent purpose, the
court may, on the application of the Master, the liquidator, the judicial manager, any creditor
or member or contributory of the company, declare that any person who was knowingly a
party to the carrying on of the business in the manner aforesaid, shall be personally
responsible, without any limitation of liability, for all or any of the debts or other
liabilities of the company as the Court may direct.”

Read

FOLLOW THE LINK to the article published by Moore South Africa. The
aim of the article is to make people aware of the term “prescribed officer”
and who is considered to fall into this category. Many individuals who
were previously not affected by the Companies Act will now find
themselves with a number of responsibilities under the provisions of the
2008 Act.

If you are a key individual in a company and you do not familiarise
yourself with these responsibilities, you may be unprotected against
liability.

https://www.moore-southafrica.com/services/business-outsourcing/company-formation-secretarial/the-prescribed-officer

Remember that there is a difference between the nature of the remedies
that are available for the acts and omissions of directors in the
Companies Act. Section 77 sets out civil remedies, which in the majority
of cases have a financial effect, being penalties and costs or damages
that need to be paid as restitution. Sections 213 and 214 explain the
statutory offences and penalties for which a person can go to jail and/or
pay penalties if found guilty of an offence.

Two Acts, namely the General Laws (Anti-Money Laundering and
Combating Terrorism Financing) Amendment Act, 2022 (“General Laws
Amendment Act”) and the Protection of Constitutional Democracy
Against Terrorism and Related Activities Amendment Act, 2022
(“POCDATARA Amendment Act”) were signed into law in 2022. These
Acts were designed to strengthen the fight against corruption, fraud and
terrorism and to address the deficiencies in South Africa’s AML/CFT
measures that were identified in the 2021 Mutual Evaluation Report.

The General Laws Amendment Act amends five different Acts, namely:
• Trust Property Control Act, 1988,
• Nonprofit Organisations Act, 1997,
• Financial Intelligence Centre Act, 2001,
• Companies Act, 2008 and
• Financial Sector Regulation Act, 2017.

“Amendments to the Companies Act (Sections 55 and 59 of the
Amendment Act)

Section 55 of the Amendment Act inserts the definitions of "affected
company" and "beneficial owner" into the Companies Act.

• An "affected company" is defined to mean a regulated company as
set out in section 117(1)(i) and a private company that is controlled
by, or is a subsidiary of, a regulated company as a result of any
circumstances contemplated in section 2(2)(a) or 3(1)(a).
• A "beneficial owner" is defined to mean an individual who, directly
or indirectly, ultimately owns a company or exercises effective
control of the company. This ownership or control includes the ways
set out in the definition (such as holding beneficial interests in
securities; exercising voting rights associated with securities; or
exercising a right to appoint or remove members of the board of
directors).

Section 59 of the Amendment Act amends section 69(8) of the
Companies Act to include additional grounds to disqualify an individual
from being a director or prescribed officer in a company. In particular, a
person who has been convicted and imprisoned without the option of a
fine or fined more than the prescribed amount for an offence involving
money laundering, terrorist financing or proliferation financing activities
(as those terms are defined in FICA) is disqualified from serving as a
director or prescribed officer.”

You must know the amendments related to the sections of the
Companies Act, 2008 you are required to study.

The Companies Amendment Bill 2023 (most recently amended on 1
March 2024) and Companies Second Amendment Bill 2023 were
adopted by the National Assembly on 30 November 2023. These Bills
aim to amend the Companies Act 71 of 2008 (Companies Act). The Bills
are not Acts of Parliament yet, as the President must still sign them into
law.

Visit https://www.thedtic.gov.za/wp-content/uploads/SC-Presentation-on-Companies-Bill.pdf
and read about the history and objectives of these two Bills.

You do not need to study all the proposed amendments in these Bills,
but you must know the proposed amendments related to the sections of
the Companies Act, 2008 you are required to study.

3. The King Report on Corporate Governance


The Institute of Directors (IoDSA) provides a summary of the history of the King Committee
on Corporate Governance at: Publications-King IV - The Institute of Directors in South Africa
NPC (iodsa.co.za).

King IV
The directors, or governing body, of an organisation have a key role to play in reducing fraud
and corruption, as indicated in King IV, principles 1 and 2. The Board is responsible for
establishing an ethical culture within the organisation. The responsibility to implement and
execute ethics policies, codes of conduct and whistleblowing mechanisms is usually
delegated to management.

The governing body, or Board, should also ensure that an effective combined assurance
model is designed and implemented in the organisation, as per King IV, principle 15.
Assurance providers specifically include internal forensic fraud examiners and external
forensic fraud examiners and auditors.

The audit committee, according to King IV, paragraph 59e, is required to present its views
to the Board on the effectiveness of the design and implementation of internal financial
controls and on the control weaknesses that may lead to material financial loss, fraud, or
corruption.

4. Responsibility of Management for the Prevention and Detection of Fraud in terms
of ISA 240

The International Standard on Auditing (ISA) 240 states the following in paragraph 4 of the
Standard:

“The primary responsibility for the prevention and detection of fraud rests with both those
charged with governance of the entity and management. It is important that management,
with the oversight of those charged with governance, place strong emphasis on fraud
prevention, which may reduce opportunities for fraud to take place, and fraud deterrence,
which could persuade individuals not to commit fraud because of the likelihood of detection
and punishment. This involves a commitment to creating a culture of honesty and ethical
behaviour which can be reinforced by an active oversight by those charged with governance.
Oversight by those charged with governance includes considering the potential for override
of controls or other inappropriate influence over the financial reporting process, such as efforts
by management to manage earnings in order to influence the perceptions of analysts as to
the entity’s performance and profitability.”

Read

FOLLOW THE LINK TO https://youtu.be/RaSlVxADoKc and watch the
video on ISA 240 – Auditors and fraud.

The standard is available at:
https://www.ifac.org/system/files/publications/files/A012%202013%20IAASB%20Handbook%20ISA%20240.pdf

Also download and read the non-authoritative guidance published by the IAASB on 5 May
2022: The fraud lens-interactions between ISA240 and other ISAs, available at:

https://www.iaasb.org/publications/non-authoritative-guidance-fraud-lens-interactions-between-isa-240-and-other-isas?utm_source=Main%20List%20New&utm_campaign=f692fa7182-IAASB-alert-fraud-guidance&utm_medium=email&utm_term=0_c325307f2b-f692fa7182-80693352

The International Auditing and Assurance Standards Board (IAASB)
approved the exposure draft (ED) of the proposed ISA 240 (Revised)
in December 2023.

You should be aware of this ED and the proposed revisions to ISA 240
(Revised).

Visit https://accountingacademy.co.za/news/read/proposed-isa-240-
auditor-s-responsibilities-relating-to-fraud and familiarise yourself with
the key changes proposed to this standard.

5. JSE Ltd (Johannesburg Stock Exchange) requirements


All companies listed on the stock exchange must comply with the corporate governance
requirements of the King Report.

Section 8.62 of the JSE listing requirements requires that the annual financial statements
include information on adherence to the King Code. According to section 1.21 of the JSE
listing requirements, non-compliance with these requirements can result in suspension and/or
termination of a company’s listing on the JSE, as well as a fine to the maximum of R5 million
payable by the company and/or directors individually or jointly.

The GAAP (Generally Accepted Accounting Principles) monitoring panel was co-established
by SAICA and the JSE Ltd in 2002 to ensure compliance with South African accounting
standards. It has since been replaced with the Financial Reporting Investigation Panel (FRIP).
The role of the FRIP is to investigate complaints and advise the JSE Ltd on non-compliance
by issuers in terms of International Financial Reporting Standards (IFRS), the JSE Ltd’s listing
requirements and the Companies Act.

The scope of the FRIP is limited to investigating entities listed on the stock exchange and their
subsidiaries, joint ventures, and associated investments.

Read

Read the following sections of the JSE Ltd listing requirements, which
refer to the King Code:
• Objectives
• Censure and penalties (section 1.21)
• Minimum contents of annual financial statements (section 8.60)
• Corporate governance (section 3.84)
• King Code (sections 7.F.5 and 7.F.6)

The extracts above can be obtained from the JSE. Note, however, that the JSE continuously
reviews the listing requirements.

FOLLOW THE LINK and download the latest version of the listing requirements from
Limited Listing.pdf (jse.co.za)

You are not required to study the entire JSE Ltd listing requirements –
only the sections that have been listed in your study guide.

When doing the assessment activities, remember that the aim of the JSE
Ltd listing requirements is to encourage companies to practise good
corporate governance. These listing requirements also include the
penalties that may be imposed for improper conduct.

Study
• Pages 4.401 to 4.406 of the ACFE Manual 2023
• The Report on Corporate Governance for South Africa 2016 – King
IV is available on the Institute of Directors’ website
• The Companies Act (71/2008) Chapter 2 (ss 57–78)
• The Companies Act (71/2008) Chapter 4 (ss 95–106)
• All the sections of the Companies Act (71/2008) (as amended) that
are specifically discussed in this topic
• The booklet published by Werksmans Attorneys titled “Claims
against directors in terms of the Companies Act, 2008”, which can
be found at the following link:
https://www.werksmans.com/wp-content/uploads/2013/04/Werksmans-Directors-Liability-Booklet.pdf.
• ISA 240 The auditor’s responsibility relating to fraud in an audit of
financial statements, which is available at
https://www.ifac.org/system/files/publications/files/A012%202013%20IAASB%20Handbook%20ISA%20240.pdf
(pp 4.502-4.516 of the ACFE Manual 2023 provides guidance on
the standard)
• The JSE Ltd listing requirements referred to in this study guide

Assessment activity

Big Construction Limited (BCL) experienced two occurrences of procurement fraud during the
current financial year. The CEO of Big Construction Limited, Linda Nkosi, and the executive
team requested an urgent meeting with both the internal and external auditors to discuss the
fraud. According to the CFO, Peter Moketsi, it is the responsibility of the auditors to detect
and prevent fraud.

REQUIRED 25 MARKS

Ms Nkosi does not fully agree with the CFO and asks you, as the head of the internal audit
department, to prepare a memorandum to the executive management that briefly explains
management’s fraud-prevention responsibilities.

Guidelines for acceptable answers

(compiled from the ACFE Manual and
https://kpm-us.com/2019/08/06/managements-role-in-preventing-fraud/)

MEMORANDUM

To: Executive Management


From: Head of Internal Audit
Date: 14 March 2024

Subject: Management’s fraud-prevention responsibilities

Management’s fraud-prevention-related responsibilities are focused on five key areas:


• The tone at the top
• Fraud risk assessment
• Training
• Monitoring
• Corrective action

Primary responsibility for the prevention and detection of fraud (ISA 240)
The primary responsibility for the prevention and detection of fraud rests with both those
charged with the governance of the entity and management.

It is important that management, with the oversight of those charged with governance, place
a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take
place, and fraud deterrence, which could persuade individuals not to commit fraud because
of the likelihood of detection and punishment.

This involves a commitment to creating a culture of honesty and ethical behaviour, which can
be reinforced by active oversight by those charged with governance.

In exercising their oversight responsibility, those charged with governance must consider the
potential for the override of controls or other inappropriate influence over the financial
reporting process, such as efforts by management to manage earnings to influence the
perceptions of analysts as to the entity’s performance and profitability.

Tone at the top
King IV states that ethical leadership and a strong ethical culture are essential elements of
good corporate governance.

It is critical that managers understand their responsibility as leaders of an organisation.


Remember, if you do not lead by example, your employees will not follow suit.

A key part of the fraud prevention programme is the express commitment of the board and
senior management (ACFE 4.613-4.614).

The first thing any manager can and should do is foster a culture of integrity and honesty
within the workplace. Organisational culture plays a key role in influencing the organisation’s
vulnerability to fraud (ACFE 4.702-4.703). Establishing a formal code of conduct is one way
to accomplish this; it can be brief, as long as it is earnest.

Fraud risk assessment


The fraud risk assessment is useful in identifying areas that should be proactively investigated
for evidence of fraud. It provides management with the opportunity to review the company’s
internal control system for effectiveness. The fraud risk assessment is most effective when
management and auditors share ownership of the process and accountability for its success.

The sponsor for a fraud risk assessment must be senior enough in the organisation to
command the employees’ respect and full cooperation in the process (ACFE 4.707).

Educate employees and openly promote the fraud risk assessment processes. Employees
will be more inclined to participate in the process if they understand its purpose and the
expected outcomes (ACFE 4.714).

Fraud awareness training


The company should have a policy for educating managers, executives and employees on
fraud (ACFE 4.604-4.606). Training must be provided on how to respond in difficult situations
and it must be emphasised that integrity is a core value of the organisation, which is expected
of all, no matter the position the employee holds.

If employees suspect fraudulent or suspicious activity, they should know exactly how and to
whom to report it. Periodic training refreshers should be given to all employees, regardless of
their tenure at the organisation.

Monitoring
Management review is the third most common way in which occupational fraud is discovered
(13%), as per the ACFE Report to the Nations 2024.

Having systems in place and effectively monitoring them is one of your best protections
against fraud. Employees are much less likely to commit fraud if they know their actions are
being monitored.

Making sure that supervisors approve expense reimbursements or ensuring that the proper
segregation of duties is taking place can not only detect ongoing fraud in the workplace, but
also prevent it from happening in the first place.

Corrective action
Actions to correct and remediate internal control deficiencies must be identified and
implemented by management.

If fraud is discovered, managers must take disciplinary action and enforce the policies and
guidelines of the organisation. Disciplinary action can vary, depending on the severity of the
offense, from additional training to termination and civil or criminal proceedings.

The worst thing management can do is take no action at all – this sends a terrible message
to others in the organisation and destroys the integrity of management.

Please do not hesitate to contact me if you need additional information.

Kind regards,

W Masilo
Head: Internal Audit

LEARNING UNIT 2
FRAUD RESPONSIBILITIES

TOPIC 2.3

External auditors’ responsibilities


Learning outcomes

At the end of this topic, you should be able to


• explain the external auditors’ fraud-related responsibilities
• dissect the responsibilities of the external auditor in terms of ISA
240, and explain how the responsibilities should be carried out
• determine the liability of the external auditor in terms of South
African legislation (including the Companies Act)
• analyse circumstances that indicate the possibility that fraud
has occurred
• identify fraud risk factors in a practical scenario
• design possible audit procedures in a practical scenario

External auditors have specific responsibilities with respect to the prevention and detection of
fraud. The ACFE Manual 2023 briefly discusses the regulations, professional standards, and
best practices guidance that govern external auditors in carrying out their anti-fraud
responsibilities.

Read

FOLLOW THE LINK to the article by Paul Hatfield at
http://phinvv.wordpress.com/2010/11/14/do-the-auditors-share-blame-in-bells-mess-is-la-ok/

This article touches on the public perception that it is the responsibility
of external auditors to identify fraud. This is still a widely held
perception, which is clear from comments such as “Why didn’t the
auditors pick this up?” It is therefore important to understand the
external auditors’ responsibilities and to realise that the allocation of
blame is not always clear-cut. The nature of fraud is such that it wants
to stay hidden, and it is usually very difficult to determine who should
have picked it up, unless gross negligence was involved.

More recently and closer to home, follow the link to the article by Sindy
Pretorius on the website of Moore South Africa, published on 13
October 2020 at

https://www.moore-southafrica.com/news-views/october-2020/prevention-and-detection-of-fraud-auditor%e2%80%99s-respon

Pay special attention to the part of the article where the term
“expectation gap” is defined.

The article also serves as an introduction to the next area you will learn
about, namely, “external audit standards related to fraud”.

External audit standards related to fraud [xviii]


The International Standard on Auditing (ISA) 240 is one of the most important external audit
standards prescribing the external auditor’s responsibilities relating to fraudulent financial
statements.

Other important external audit standards include ISA 200, ISA 315 (Revised), and ISA 330.

International Standard on Auditing 240 (ISA 240) [xix]


FOLLOW THE LINK
https://www.ifac.org/system/files/publications/files/A012%202013%20IAASB%20Handbook%20ISA%20240.pdf
to the following sections of ISA 240:

• Scope of this ISA


• Characteristics of fraud
• Responsibility for the prevention and detection of fraud
• Responsibilities of the auditor

The guidelines in ISA 240 relating to fraud risk reviews and journal entry testing are discussed
in more detail in learning units 3 and 4.

Remember

The IAASB approved the exposure draft (ED) of the proposed ISA 240
(Revised) in December 2023.

You should be aware of this ED and the proposed revisions to ISA 240
(Revised).

Revisit https://accountingacademy.co.za/news/read/proposed-isa-240-auditor-s-responsibilities-relating-to-fraud
and familiarise yourself with the key changes proposed to this standard.

Read

Read the article published on the website of the Independent
Regulatory Board for Auditors (IRBA) titled: “Fraud and the role of
auditors - what more can be done to detect fraud risk?” at
https://www.irba.co.za/news-headlines/press-releases/fraud-and-the-role-of-auditors-what-more-can-be-done-to-detect-fraud-risk

The CEO of the IRBA, Imre Nagy, addressed the Association of
Certified Fraud Examiners’ (ACFE) 14th annual conference in 2021
and explored the terms “fraud expectation gap” and “audit expectation”.

Visit https://www.youtube.com/watch?v=f1Q1YNFU19E to watch the
video of the presentation.

External auditors’ responsibilities in terms of legislation


A contract exists between the auditor and the company that is being audited. If the auditor is
not performing a proper audit in accordance with the International Standards on Auditing,
he/she may be sued for breach of contract. In an action for damages, the following will have
to be proved:
• contractual relationship
• breach of contract
• loss suffered as a result of the breach

A court of law will then test the auditor’s work to determine its adequacy. In this process, the
court would probably seek confirmation that the auditor has complied with the International
Standards on Auditing in all material respects. If this cannot be confirmed, the court might
require proof that the deviation did not result from non-compliance with the International
Standards on Auditing.

In terms of common law delict, the auditor may also be liable to other third parties who are
users of the financial statements. However, before third parties can bring a successful claim
against an auditor, the following five requirements must be met. It must be shown
• that the incorrectly stated financial position of the company was an intentional or
negligent misrepresentation by the auditor
• that the auditor knew that the financial statements would be relied upon
• that the loss suffered by the third parties was caused by relying on the misstated financial
statements
• that the loss suffered was a financial loss, and
• that the auditor failed to observe the necessary degree of care and skill while performing
the audit

The auditor must be aware of and comply with the Auditing Profession Act 26 of 2005 and
the Auditing Profession Amendment Act 5 of 2021. Section 46 of this Act states that if an
auditor acted maliciously, fraudulently or negligently during the performance of his/her work,
he/she can be held liable for damages. The same five requirements discussed above in terms
of common law delict must be present before a third party can bring a claim against the
auditor.

Section 46(7) of the Auditing Profession Act states that a registered auditor may incur liability
to any partner, member, shareholder, creditor or investor of an entity if the auditor fails to
report a reportable irregularity as defined in section 45 of the Auditing Profession Act.

Section 95 of the Companies Act defines an “expert” as:


• A geologist, engineer, architect, quantity surveyor, valuer, accountant or auditor; or
• any person who professes to be a person referred to above, or to have extensive
knowledge or experience, or to exercise special skill which gives or implies
authority to a statement made by that person.

Sections 214, 216 and 218 were discussed in topic 2.1 and deal with offences and penalties
for contraventions of the Companies Act. These sections state that “any person … is liable
…”

Therefore, it would follow that any auditor who contravenes the Companies Act, or is a party
to a contravention, is also subject to the provisions of sections 214, 216 and 218.

Changes to the APA [xx]

The Auditing Profession Amendment Act 5 of 2021 became effective on
26 April 2021.

The amendment aims to achieve multiple objectives, namely:

• strengthening the independence of the Independent Regulatory
Board for Auditors (IRBA);
• strengthening the investigating powers of the IRBA;
• ensuring the efficiency and effectiveness of the disciplinary
processes;
• increasing monetary sanctions that can be imposed for improper
conduct; and
• ensuring the protection and sharing of information under the control
of the IRBA.

Take special note of an addition to section 45, in the form of sections 45(7) and 45(8):

‘‘(7) If an individual registered auditor has reported an irregularity to the Regulatory Board in
terms of subsection (1)—
(a) the individual registered auditor may not be removed; and
(b) the entity may not remove the registered auditor, until subsection (3) is complied with (the
submission of the 2nd report to the IRBA).

(8) Where an individual registered auditor has reported an irregularity in terms
of subsection (1) and resigns from the firm before subsection (3) is complied with, that auditor
must do the necessary handover to the incoming auditor regardless of when the resignation
takes effect.’’

FOLLOW THE LINK to
https://www.irba.co.za/upload/30_%20Overview%20of%20the%20amendments%20made%20to%20the%20Auditing%20Profession%20Act.pdf
for an overview of the amendments to the Auditing Profession Act 26 of
2005, published by the IRBA.

Hint: Remember that there are four circumstances in which an auditor
can be sued:
1. breach of contract
2. common law delict
3. criminal liability in terms of the Companies Act
4. liability in terms of the Auditing Profession Amendment Act

FOLLOW THE LINK to
https://www.irba.co.za/upload/APAAmendedAct5of2021.pdf
for the Auditing Profession Amendment Act (5/2021).

Study
• Pages 4.501 to 4.518 of the ACFE Manual 2023
• ISA 240 – the auditor’s responsibilities relating to fraud in an audit
of financial statements, and its appendices
• All the sections of the Companies Act 71 of 2008 (as amended),
Chapter 3 (ss 90–94) that are specifically discussed in this topic
• The Auditing Profession Act 26 of 2005 (as amended), Chapters
4 to 6 (ss 41–54) (The rest of the Act should be read only as
background information.)

Assessment activity

You are the auditor of Stylewear (Pty) Ltd, a company engaged in the fashion industry.
Stylewear is a subsidiary of Hifashion Ltd and all the companies in the group must have their
annual financial statements externally audited. Shortly before you commence the audit for the
current year, you are approached by a former employee of Stylewear, who alleges that a
separate cash sales journal is kept in which the sales of reject garments are recorded.

The former employee also tells you that the money received from these reject garment sales
is handed to one of the directors. As you had no knowledge of this prior to your discussion
with this former employee, you raise the issue at the monthly board meeting which you have
asked to be allowed to attend. The financial director admits that he and the other directors
shared any money made from the sale of reject garments, without accounting for it in the
Stylewear records, but as there is no evidence, they will simply deny any allegations that you,
as the auditor, make. Despite further investigation, you are unable to locate the cash sales
journal, which the former employee alleged was used.

In addition, you ascertain that no inventory records of reject garments have been kept and
that, in fact, there is no evidence to prove the allegation. The director involved also tells you
that the employee who came to you originally with the story had been dismissed for stealing
inventory, so he would not be a credible witness.1

1. Source: Gowar and Jackson (2011)

REQUIRED 16 MARKS
Explain why, despite the lack of evidence, the situation above would give rise to a duty for
you, as the auditor, to report the matter to the IRBA in terms of section 45 of the Auditing
Profession Act. Comment on whether you should have reported the matter to the IRBA before
raising it with the board.

Guidelines for acceptable answers

A duty to report the matter to the IRBA would arise because:


• You have reason to believe (although you do not have conclusive evidence) that the
directors are perpetrating an unlawful act:
o a former employee told you of the unlawful act, and
o the financial director has admitted to it.
• The unlawful acts involved in this matter are
o theft from the company
o a breach of fiduciary duty on the part of the directors (to the company
members and others)
o fraudulent financial reporting in terms of the completeness of sales and cash
at bank
o tax evasion

• Because of the above, financial loss is being suffered by various parties (the company
itself, SARS and the shareholders, as well as the holding company).
• It would appear to be material financial loss, as a separate cashbook was needed to
keep track of the money.
• As the unlawful act is being perpetrated by the directors, it involves the management of
the company, and therefore meets one of the requirements of section 45 of the Auditing
Profession Act (any unlawful act or omission committed by any person responsible for
the management of an entity).
• Stylewear (Pty) Ltd is an audit client, bringing the audit engagement within the ambit of
the Auditing Profession Act.
• Where the auditor suspects a reportable irregularity, evidence from any source may be
used, thus the evidence of the former employee can be considered.

Should you have reported the matter to the IRBA before raising it with the board?
This question entails the interpretation of the Act:
• In terms of section 45, the auditor must report “without delay” to the IRBA once he/she
is satisfied or has reason to believe a reportable irregularity has occurred.
• In addition, within three days of submitting the report he/she must notify the company’s
management board of the report’s submission.
• While the intention of the Act may be to report an unlawful act and then notify the
directors (as opposed to notifying the directors and letting them rectify the situation
without reporting to the IRBA), it would have been impossible to submit a report before
raising the matter with the directors.
• The only way that you could have been in the position of being “satisfied or have
reason to believe” that the reportable irregularity took place was by discussing it
with the directors, because the allegation by the staff member could not “satisfy” you
to the extent that you should have reported it to the IRBA without delay, and there was
no other evidence for you to consider.

LEARNING UNIT 2
FRAUD RESPONSIBILITIES

TOPIC 2.4

Internal auditors’ responsibilities


Learning outcomes

At the end of this topic, you should be able to


• advise an internal auditor on his/her responsibilities
• apply the guidelines in the IIA Practice Guide on Internal
Auditing and Fraud to practical scenarios

Internal auditors play a key role in assisting organisations to prevent and detect fraud
activities. The internal audit team is involved in the organisation daily and therefore in a unique
position to uncover potentially fraudulent activities.

The IIA Standards clearly explain the internal auditors’ responsibilities with regard to fraud
prevention and detection. [xxi]

Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the way it is
managed by the organisation, but are not expected to have the expertise of a person
whose primary responsibility is the detection and investigation of fraud. [xxii]

Therefore, it is quite clear that the internal auditors are not expected to be forensic
practitioners. This is a limitation of scope for the internal audit function and should be
clearly stated in the internal audit charter.

Operational knowledge of fraud required of internal auditors [xxiii]


Operationally, the internal auditor should have sufficient knowledge of fraud to
• identify red flags indicating that fraud may have been committed
• understand the characteristics of fraud, the techniques used to commit fraud, and the
various fraud schemes and scenarios
• evaluate the indicators of fraud and decide whether further action is necessary or whether
an investigation should be recommended
• evaluate the effectiveness of controls to prevent or detect fraud

Where fraud has occurred, internal audit should understand how the controls failed and
identify opportunities for improvement. It should consider the probability of further errors, fraud
or noncompliance across the organisation and reassess the cost of insurance in relation to
potential benefits.

Internal auditors’ role in fighting fraud


The role of the internal auditor in fighting fraud is discussed in the Practice Guide: Internal
Audit and Fraud, 2009. An effective internal audit activity can be extremely helpful in
addressing fraud. Although management and the board are ultimately responsible for fraud
deterrence, internal auditors can assist management by determining whether the organisation
has adequate internal controls and whether it fosters an adequate control environment.

The head of internal audit may follow one or more of the following strategies with regard to
fraud when conducting internal audit activities: [xxiv]
• Auditing management controls over fraud, especially the fraud risk assessment policies,
procedures and results
• Auditing areas where fraud may be likely, such as testing payroll for phantom employees
• Considering fraud as part of every audit by brainstorming fraud risks inherent in the
specific assignment
• Consulting assignments, facilitating management’s self-assessment of identifying and
evaluating fraud risks and the adequacy of mitigating controls

Internal auditors need to be alert to the signs and possibilities of fraud within the organisation.
Specifically, internal auditors can assist in the deterrence of fraud by examining and
evaluating the adequacy and the effectiveness of internal controls. Internal audit may also
assist management in establishing effective fraud prevention measures. [xxv]

If internal audit is required to investigate fraud, the internal auditor should have the necessary
skills and experience to undertake the investigation and discharge their professional
responsibility without jeopardising the investigation and associated evidence. [xxvi]

The internal auditors should communicate to the audit committee and executive management
any fraud detected and special investigations in progress or completed.

The IIA Practice Guide on Internal Auditing and Fraud discusses fraud and provides
general guidance to help internal auditors comply with professional standards. Because fraud
negatively affects organisations in many ways, financially and reputationally, and because it
has psychological and social implications, it is important for organisations to have a strong
fraud programme in place that includes awareness, prevention and detection programmes,
and a fraud risk assessment process to identify risks in the organisation.

To help organisations and internal auditors combat fraud, the guide discusses the following:
• fraud awareness (e.g. reasons for, and examples of fraud and potential fraud indicators)
• fraud roles and responsibilities
• internal audit responsibilities during audit engagements (e.g. execution responsibilities
and communicating with the board)
• fraud risk assessment (e.g. identifying relevant fraud risk factors, mapping existing
controls to potential fraud schemes, and identifying gaps)
• fraud prevention and detection
• fraud investigation
• forming an opinion on internal controls as they relate to fraud

Internal audit’s role in auditing anti-bribery and anti-corruption programmes
The ACFE Manual refers to the internal auditor’s role in anti-bribery and anti-corruption
programmes. This involvement is based on the internal audit practice guidance: Auditing Anti-
Bribery and Anti-Corruption Programs (issued June 2014).

This practice guide complements Internal Auditing and Fraud by providing specific guidance
for assessing the effectiveness of an organisation’s system of internal control against bribery
and corruption.

Auditing anti-bribery and anti-corruption programmes requires a team of auditors with
collective skills, knowledge and expertise in compliance, fraud, investigations, regulatory
affairs, IT, finance, culture and ethics. Internal audit should assess the effectiveness of anti-
bribery and anti-corruption programmes to help anticipate the risk and identify the existence
of potential and actual incidents. [xxvii]

King IV and internal audit


King IV, Principle 15, paragraph 50, requires that the internal audit function should have the
necessary skills and resources to address the complexity and volume of risk faced by the
organisation, and that internal audit is supplemented, as required, by specialist services such
as those provided by forensic fraud examiners and auditors.

FOLLOW THE LINK to
https://financialcrimeacademy.org/role-and-responsibility-of-the-internal-audit-function/
and download the article
“Role and responsibility of the internal audit function: Accurate under the
‘strategic level’”, posted on the website of Financial Crime Academy on
22 March 2024.

Then, FOLLOW THE LINK to
https://www2.deloitte.com/content/dam/Deloitte/in/Documents/audit/in-audit-internal-audit-brochure-noexp.pdf
and download the article “The
inside story: the changing role of internal audit in dealing with financial
fraud”, published by Deloitte.

This article highlights the position of the internal audit function in
preventing, detecting and investigating fraud.

Study
• Pages 4.525 to 4.539 of the ACFE Manual 2023
• Practice Guide: Auditing Anti-Bribery and Anti-Corruption
Programs (issued June 2014), available at
https://www.iia.nl/SiteFiles/Nieuws/PG-Auditing-Anti-bribery-and-Anti-corruption-Programs.pdf

Assessment activity

It is often said that internal audit, when working in partnership with management, can
contribute positive, productive ideas about the way in which opportunities and risks can be
balanced and can make valuable recommendations for assessing and strengthening
corporate governance.

REQUIRED 10 MARKS

Briefly discuss the way in which internal audit can play a role in strengthening corporate
governance.

Guidelines for acceptable answers

Corporate governance, or the oversight of risk management, is nothing new to the internal
auditing profession. It has long been tied into the missions of successful internal auditing
activities and qualified auditing professionals, and has been brought to the fore by modern
control frameworks such as the Committee of Sponsoring Organizations (COSO), the Criteria
of Control Board Guidance on Control (CoCo) and Cadbury.

Since 1978, the Institute of Internal Auditors’ (IIA) Standards for the Professional Practice of
Internal Auditing has recommended that the internal audit activity’s scope of work should
include the examination and evaluation of the adequacy and effectiveness of the
organisation’s system of internal control and the quality of performance in carrying out
assigned responsibilities.

This system of internal control, which aligns closely with current definitions of corporate
governance, encompasses the reliability and integrity of information; compliance with policies,
plans, procedures, laws and regulations; the safeguarding of assets; the economical and
efficient use of resources; and the accomplishment of established objectives and goals for
operations or programmes.

Internal auditors also play a vital role in ensuring that an organisation is efficiently run, morally
sound, technologically advanced, cognisant of the environment and other areas of concern,
and safe from unnecessary risk.

Internal auditing is an innovative profession which has recently welcomed emerging control
and audit specialities, including control self-assessment, which enlists the support of the
employees in diagnosing inefficiencies and implementing improvements; forensic auditing;
quality auditing; and environmental auditing.

Working in partnership with management, internal auditors can provide a wide assessment of
the risks and implications of audit findings and, ultimately, make a tremendous difference to
the success of an organisation.

There are some who argue that internal controls and the improvement of governance are not
the responsibility of the internal auditor, but the parallel between the IIA’s own definition of
corporate governance and the internal audit activity, “to help management and the board
achieve their objectives”, is very clear.

Effective corporate governance ensures that long-term strategic objectives and plans are
established, and that both the proper management and management structure are in place to
achieve these objectives, while at the same time making sure that the structure functions in
such a way that it maintains the organisation’s integrity, reputation, and accountability to its
relevant constituencies.

LEARNING UNIT 2
FRAUD RESPONSIBILITIES

TOPIC 2.5
Forensic practitioners’ responsibilities
Learning outcomes

At the end of this topic, you should be able to:


• explain the fraud-related responsibilities of the forensic
practitioner
• advise companies on steps to follow in case of suspected
fraud and specify what conduct is allowed or not allowed for a
forensic practitioner

A forensic investigation is a very specialised type of engagement, which requires highly skilled
team members who have experience not only of accounting and auditing techniques, but also
of the relevant legal framework.

What is a forensic practitioner?


It is common for a forensic practitioner to be known by another designation, such as certified
fraud examiner (CFE), commercial forensic practitioner (FP)SA, certified public accountant
(CPA), chartered accountant CA(SA), or certified internal auditor (CIA). A forensic practitioner
is not usually responsible for the initial detection of fraud. Rather, the forensic practitioner
usually becomes involved after sufficient indicators have been found that fraud has been
committed. Forensic practitioners therefore commonly supervise or direct the fraud
examination or investigation.

According to the ACFE Manual 2023, the forensic examiner’s responsibilities are to
• help resolve allegations of fraud, from inception to disposition
• obtain evidence
• take affidavits
• write reports of fraud examinations
• testify to findings
• assist in fraud detection and prevention

We will discuss these responsibilities in more detail below [xxviii]:

Help resolve allegations of fraud


Allegations of fraud are often based on insufficient evidence and must be resolved through
lawful evidence-gathering methods. The forensic examiner’s professional code of ethics
requires the forensic examiner to assist in that resolution. The disposition of a case might
involve a settlement or some other form of agreement, rather than a trial and conviction or
acquittal.

When conducting fraud examinations, fraud examiners should adhere to the fraud theory
approach.

Obtain evidence
The forensic examiner is responsible for gathering evidence and maintaining the custody of
evidence that will either confirm or refute a fraud allegation. The available evidence might
demonstrate that the fraud allegation is without merit. However, it can equally serve as
evidence that might prove the commission of fraud.

Take affidavits
Forensic examiners use interviewing skills. These skills are invaluable for obtaining affidavits
from witnesses, as well as securing admissions of guilt from perpetrators.

Write reports
Report writing is an important step in fraud investigations. A report includes the narration of
the series of events that has occurred, the witnesses who will testify to the facts and, if
appropriate, a signed admission by the perpetrator.

Testify to findings
The forensic examiner may have to testify to the findings of the investigation. Although this
step is not always necessary (e.g., in cases that do not proceed to trial), it is important that all
investigations be conducted under the premise that the case will go to trial and testimony will
be required. Keeping this premise in mind helps the fraud examiner to remember to take the
time to perform the investigation scrupulously.

When dealing with accounting and auditing matters, these professionals are often required to
give opinions. However, even if the forensic examiner holds another designation, he is still
bound by the CFE code of professional ethics, which specifically states: “A Certified Fraud
Examiner, when conducting examinations, will obtain evidence or other documentation to
establish a reasonable basis for any opinion rendered. No opinion shall be expressed
regarding the guilt or innocence of any person or party.” (This section implies that the forensic
examiner will NOT express an opinion, even if personally convinced of an individual’s guilt.)
Determining the guilt or innocence of an individual is reserved for a court of law; the forensic
examiner is merely a gatherer of facts, not the ultimate judge thereof.

Assist in the detection and prevention of fraud


Because of their education, experience and training, forensic examiners are uniquely qualified
to assist companies with proactive fraud prevention and detection programmes. Forensic
examiners can assist in the investigation of fraud allegations and help management to design
and implement internal control systems so that fraud will be less common and not go
undetected.

Selling fraud prevention to management [xxix]
The forensic examiner should actively sell fraud prevention to management, specifically in
view of negative publicity and the impact of fraud on the bottom line.

Compliance with professional code of ethics and standards


The code of professional ethics for CFEs is discussed in the ACFE Manual 2023, on pages
4.1001 to 4.1024. The ACFE also issued a CFE Code of Professional Standards (ACFE
Manual 2023, pages 4.1101 to 4.1105).

Ethics for forensic examiners


Refer to the discussion in the ACFE Manual 2023, on pages 4.901 to 4.908.

The guidelines above are enforced for CFEs who are registered and
regulated by the ACFE (Association of Certified Fraud Examiners).

Although these guidelines are not enforced for forensic investigators (or
forensic accountants/practitioners) who are not CFEs, they are good
principles to follow and should be observed by all those working in the
forensic fraternity, regardless of whether or not they are CFEs.

Also refer to the Code of Ethics and Rules of Conduct for commercial
forensic practitioners (FP)SA on the website of the Institute of Commercial
Forensic Practitioners, at

https://www.icfp.co.za/2022/03/28/code-of-ethics-rules-of-conduct/

and download the attribute standards from

https://www.icfp.co.za/wp-content/uploads/2022/08/ICFP-Attribute-Standards.pdf.

Study
• The content provided in this study guide (including links to
external sources)
• Pages 3.101 to 3.111 of the ACFE Manual 2023
• Pages 4.901 to 4.908 of the ACFE Manual 2023
• Pages 4.1001 to 4.1024 of the ACFE Manual 2023
• Pages 4.1101 to 4.1105 of the ACFE Manual 2023

Assessment activity

You are a CFE. A friend of yours, Thabo, who suspects that fraud has been committed at his
business, contacts you. He wants to know what you as a CFE can do for his company about
the suspected fraud.

He also requests that you investigate the matter and that, if you find that fraud has been
committed, you should state this in your report so that he can hand it over to the South African
Police Service. He is concerned that if he does not have a report from a CFE stating that fraud
was committed, the police will not attend to the matter.

REQUIRED 16 MARKS
Write a letter to Thabo telling him about the services that you can render to his company.

Guideline for acceptable answers

Stanley Business Park
45 Flower Drive
Port Elizabeth
0138
20 January 2024

123 Garden Crescent
Bedfordview
0437

Dear Thabo
FRAUD INVESTIGATION

With reference to our earlier conversation regarding the fraud that is suspected at your
company, I can provide the following services to the company:
• Help resolve the allegation of fraud from inception to disposition. (1)
• Gather and maintain custody of all the necessary evidence that will either confirm or
refute the allegation of fraud. (2)
• Interview all the necessary parties (including witnesses to obtain evidence, and the
accused to obtain an admission, if appropriate). (2)
• Take statements and affidavits where needed. (1)

• Write a forensic report containing an account of the series of events that have
occurred, the witnesses who will testify and, if appropriate, a signed admission from
the perpetrator. (4)
• I will testify in any proceedings that result from the investigation, if appropriate. (1)

I will also be able to assist you in designing appropriate internal controls to prevent the
occurrence of fraud in the future, and to prevent fraud from going undetected. (1)

I cannot, however, express an opinion on the guilt of an individual, even if I am personally
convinced thereof. Determining the guilt or innocence of an individual is reserved for a court
of law. (2)

You are welcome to contact me should you need any further information.

Yours sincerely

Alice Makwe
CFE

Two (2) marks will be allocated for providing the answer in letter format. (2)

Total: 16

You have reached the end of learning unit 2!

In learning unit 3, we will look at developing an appropriate fraud
prevention programme.

i https://www.acfe.com/fraud-resources/fraud-risk-tools
ii Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. pp. 4.801 - 4.802.
iii Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. pp. 4.803 - 4.807.
iv Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. pp. 4.808 - 4.810.
v Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. pp. 4.808 - 4.809.
vi https://www.acfe.com/fraud-resources/fraud-risk-tools---coso/-/media/6BAB1D6D9067447CB2071960B5BABB63.ashx
vii Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. p. 4.819.
viii Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. pp. 4.815 - 4.819.
ix Association of Certified Fraud Examiners. 2024. Report to the nations on occupational fraud and abuse. https://legacy.acfe.com/report-to-the-nations/2024/ Date of access: 19 April 2023
x Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. pp. 4.401 - 4.402.
xi Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. p. 4.403.
xii South Africa. 2008. Companies Act 71 of 2008.
xiii South Africa. 2008. Companies Act 71 of 2008.
xiv 2023010601 MEDIA STATEMENT-ENACTMENT OF KEY ANTI-MONEY LAUNDERING AND COMBATING OF TERROR FINANCING LAWS .pdf (treasury.gov.za). Date of access: 25 April 2024
xv Commencement of the General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act | Webber Wentzel. Date of access: 25 April 2024.
xvi Publications-King IV - The Institute of Directors in South Africa NPC (iodsa.co.za) Date of access: 7 March 2022
xvii SAICA Student Handbook Volume 2A International Audit Standards. 2023/2024. ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements. South Africa: LexisNexis.
xviii Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. p. 4.501.
xix SAICA Student Handbook Volume 2A International Audit Standards. 2023/2024. ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements. South Africa: LexisNexis.
xx https://accountingacademy.co.za/news/read/irba-overview-of-the-amendments-to-the-apa/

xxi Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. pp. 4.525 - 4.528.
xxii IIA Standards, par. 1210.A2.
xxiii Internal Audit Position Paper: 2019. Fraud and Internal Audit: Assurance Over Fraud Controls Fundamental to Success (theiia.org).
xxiv The IIA Practice Guide on Internal Auditing and Fraud, Practice Guide: Internal Audit and Fraud: 2009.
xxv The IIA Practice Guide on Internal Auditing and Fraud, Practice Guide: Internal Audit and Fraud: 2009.
xxvi Internal Audit Position Paper: 2019. https://www.theiia.org/en/content/position-papers/2019/fraud-and-internal-audit-assurance-over-fraud-controls-fundamental-to-success/ Date of access: 21 April 2024.
xxvii Practice Guide: Auditing Anti-Bribery and Anti-Corruption Programs (issued June 2014).
xxviii Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on investigation. International edition. Texas. Association of Certified Fraud Examiners. pp. 3.102 - 3.103.
xxix Association of Certified Fraud Examiners. 2023. ACFE Fraud examiner’s manual on fraud prevention and deterrence. International edition. Texas. Association of Certified Fraud Examiners. pp. 4.601 - 4.602.
