Under-regulated internal auditing sector plays part in corporate fraud

Kariem Hoosain, partner at Mazars

Kariem Hoosain, partner at Mazars South Africa, says that external auditing firms have in recent years, may have justifiably garnered significant public criticism for missing acts of corporate fraud and accounting irregularities at both listed companies and state-owned entities for extended periods. “However, there has been little reflection or comment on the role of the internal auditors in these companies and entities. Internal auditors are meant to be an integral part of the “comprehensive assurance” on the financial and operational affairs, which must be provided to shareholders, boards and audit committees of these entities".

He adds that the most concerning similarity between all of the major corporate fraud cases that the country has seen in recent years, is the length of time that it remained undetected. “As an example, it is currently estimated that around R19.6bn in irregular expenditure took place at Eskom in the six-year time span between 2012 and the end of 2017.”

While external audit firms are often accused of negligence for failing to uncover these irregularities much sooner, Hoosain points out that an external auditor is not an adequate measure to combat fraud and corruption.

“External auditors conduct audits on a sample basis while applying a risk-based approach, which is highly effective at detecting unintentional errors and omissions in companies’ financial statements. On the other hand, when executives engage in fraud, they will commit collusion and forgery, and override internal controls in order to evade detection by random sampling. The fact is that external auditors cannot be expected to function as a first line of defence against fraud.”

He argues that internal auditors should be able to detect these types of practices more effectively than external auditors, because they function much more closely with the business and its management. “It is entirely possible that many internal auditors do become aware of these practices, but are not under the same regulatory requirements as external auditors to report these incidents. The absence of meaningful regulation in this regard also means that they do not have adequate regulatory protection when they need to report fraud.”

No real accountability

The lack of regulation also has a negative impact on the quality of skills in the internal audit sector, according to Charles Nel, acting CEO of the Institute of Internal Auditors South Africa (IIA SA). “There are currently no regulations or legal requirements that regulate the internal audit profession in South Africa, and internal auditors are not required to have any specific qualification. Quite literally, anyone can practice as an internal auditor in South Africa, and we cannot accurately estimate the number of individuals who are working in the industry at this time.”

He explains that this not only leads to the absence of any real accountability for internal auditors, but also a number of other challenges that prevent the internal audit profession from being an effective tool in the battle against corporate fraud. “To start, while there is no shortage of individuals in the profession, there is a scarcity of real competence. Part of the problem is that not enough organisations are willing to invest in the training of these professionals. Academic institutions only supply a theoretical base and it cannot be emphasised enough that the training component of an internal auditor’s career needs to happen in the workplace.

“In response to this, the IIA SA created occupational qualifications (what could be referred to as articles). However, the take-up has not been nearly as high as we would have liked, because once again, there are no regulations requiring internal auditors to complete them before entering the profession. At many large companies, it is also common to employ chartered accountants in the internal auditor’s role. While these professionals are trained, they still lack the specific experience required from an internal audit perspective,” Nel says.

n spite of this, Nel states that these measures are not enough to ensure quality in the country’s internal audit sector. “It is not a regulatory requirement to belong to our organisation, and indeed there are far too many individuals practising as internal auditors, who do not belong to the organisation. It is crucial for companies to ensure that their internal auditors are in fact recognised members of IIA SA, and that they confirm which membership class the individuals belong to. If they do not take these measures, companies may be exposing themselves to unnecessary risk from unqualified or unskilled professionals.”

Intimidation

Another major problem for internal auditors is the issue of intimidation, which is believed to be rife in the industry. An IIA SA survey of internal auditors showed that 18% of respondents who worked at privately held large companies, had been intimidated into burying their findings. This was even higher at state owned companies, where 22% of internal auditors reported incidents of coercion and intimidation, while at municipalities this number was as high as 43%. In addition, 11% of internal auditors in the private sector, and up to 47% in the public sector, have reported that they would not feel safe if they exposed questionable activities to law enforcement agencies such as the National Prosecuting Authority (NPA).

“We receive many verbal reports from internal auditors who state that they are victimised, intimidated and coerced into sweeping misconduct under the carpet. By no means is this a problem that is unique to internal auditors, but they do find themselves in a position where they are particularly vulnerable.

“As it stands, we do not have the subpoena powers that adequate regulation would provide, meaning we do not have access to evidence such as companies’ records if these organisations do not want to freely cooperate with us. As a result, we are often severely limited in our ability to take disciplinary action or assist professionals who find themselves in situations where they are being coerced and intimidated.”

He notes that IIA SA is uncertain regarding how many organisations’ internal audit activities include quality assurance reviews as required (which is in fact mandated by law). “The responsibility of ensuring that these reviews take place should lie with the head of internal audit, but they need to be supported by the internal audit committee.”

Nel says that as long as internal audit professionals have the choice whether they belong to the II SA or not, this industry remains unregulated, and will continue to be exceedingly difficult for organisations like IIA SA to manage any of the above challenges.

In closing, Hoosain says that both the private and public sector spends billions per year on internal auditors, which effectively goes to waste if they are not being regulated and utilised correctly. “One of the best tools that we have against fraud and corruption is not being used effectively, and the country is poorer for it. Increasing accountability and protection through appropriate and effective regulation for internal auditors will benefit everyone involved,” he concludes.