Billions wasted while SA’s internal audit profession is not regulated

Considering the high profile scandals that have dominated news headlines in the last few years, from VBS Mutual Bank to Eskom, it does not seem unreasonable to say that South Africa may have a corporate fraud problem.

What’s more, the accounting irregularities that led to shareholders being defrauded and losing significant shareholder value, may have been entirely preventable if the internal auditors had been more empowered, protected and held to the same level of accountability as external auditors, via appropriate regulation of the Internal Audit industry.

This is according to Kariem Hoosain, Partner at Mazars South Africa, who says that external auditing firms have in recent years, may have justifiably garnered significant public criticism for missing acts of corporate fraud and accounting irregularities at both listed companies and state-owned entities for extended periods. “However, there has been little reflection or comment on the role of the internal auditors in these companies and entities. Internal auditors are meant to be an integral part of the “comprehensive assurance” on the financial and operational affairs, which must be provided to shareholders, boards and audit committees of these entities.”

He adds that the most concerning similarity between all of the major corporate fraud cases that the country has seen in recent years, is the length of time that it remained undetected. “As an example, it is currently estimated that around R19.6 billion in irregular expenditure took place at Eskom in the six-year time span between 2012 and the end of 2017.”

While external audit firms are often accused of negligence for failing to uncover these irregularities much sooner, Hoosain points out that an external auditor is not an adequate measure to combat fraud and corruption.

“External auditors conduct audits on a sample basis while applying a risk-based approach, which is highly effective at detecting unintentional errors and omissions in companies’ financial statements. On the other hand, when executives engage in fraud, they will commit collusion and forgery, and override internal controls in order to evade detection by random sampling. The fact is that external auditors cannot be expected to function as the first line of defense against fraud.”

He argues that internal auditors should be able to detect these types of practices more effectively than external auditors because they function much more closely with the business and its management.

“It is entirely possible that many internal auditors do become aware of these practices, but are not under the same regulatory requirements as external auditors to report these incidents. The absence of meaningful regulation in this regard also means that they do not have adequate regulatory protection when they need to report fraud.”

The lack of regulation also has a negative impact on the quality of skills in the internal audit sector, according to Charles Nel, Acting CEO 

of the Institute of Internal Auditors South Africa (IIA SA). “There are currently no regulations or legal requirements that regulate the internal audit profession in South Africa, and internal auditors are not required to have any specific qualification. Quite literally, anyone can practice as an internal auditor in South Africa, and we cannot accurately estimate the number of individuals who are working in the industry at this time.”

He explains that this not only leads to the absence of any real accountability for internal auditors but also a number of other challenges that prevent the internal audit profession from being an effective tool in the battle against corporate fraud. “To start, while there is no shortage of individuals in the profession, there is a scarcity of real competence. Part of the problem is that not enough organisations are willing to invest in the training of these professionals. Academic institutions only supply a theoretical base and it cannot be emphasised enough that the training component of an internal auditor’s career needs to happen in the workplace.

“In response to this, the IIA SA created occupational qualifications (what could be referred to as articles). However, the take-up has not been nearly as high as we would have liked, because once again, there are no regulations requiring internal auditors to complete them before entering the profession. At many large companies, it is also common to employ chartered accountants in the internal auditor’s role. While these professionals are trained, they still lack the specific experience required from an internal audit perspective, Nel says”

He adds that the IIA SA made efforts to ensure that its own members are held to the adequate standards for the profession, with the introduction of membership groupings. “The highest class of membership is that of Fellow, which professionals can only receive if they already have the designation of Internal Audit Technician, Professional Internal Auditor, or Certified Internal Auditor (which is the international designation). Next, our Graduate Members class is required to have a qualification as well as experience in the profession. Lastly, our Associate Members class is for those individuals working towards achieving the graduate class.”

In spite of this, Nel states that these measures are not enough to ensure quality in the country’s internal audit sector. “It is not a regulatory requirement to belong to our organisation, and indeed there are far too many individuals practising as internal auditors, who do not belong to the organisation.

It is crucial for companies to ensure that their internal auditors are in fact recognised members of IIA SA, and that they confirm which membership class the individuals belong to. If they do not take these measures, companies may be exposing themselves to unnecessary risk from unqualified or unskilled professionals.”

Another major problem for internal auditors is the issue
of intimidation, which is believed to be rife in the industry. An IIA SA survey of internal auditors showed that 18%
of respondents who worked at privately held large companies, had been intimidated into burying their findings. This was even higher at state owned companies, where 22% of internal auditors reported incidents of coercion and intimidation, while at municipalities this number was as high as 43%. In addition, 11% of internal auditors in the private sector, and up to 47% in the public sector, have reported that they would not feel safe if they exposed questionable activities to law enforcement agencies such as the National Prosecuting Authority (NPA).

“We receive many verbal reports from internal auditors who state that they are victimised, intimidated and coerced into sweeping misconduct under the carpet. By no means is this a problem that is unique to internal auditors, but they do find themselves in a position where they are particularly vulnerable.

“As it stands, we do not have the subpoena powers that adequate regulation would provide, meaning we do not have access to evidence such as companies’ records if these organisations do not want to freely cooperate with us. As a result, we are often severely limited in our ability to take disciplinary action or assist professionals who find themselves in situations where they are being coerced and intimidated.”

He notes that IIA SA is uncertain regarding how many organisations’ internal audit activities include quality assurance reviews as required (which is in fact mandated by law). “The responsibility of ensuring that these reviews take place should lie with the head of internal audit, but they need to be supported by the internal audit committee.”

Nel says that as long as internal audit professionals have the choice whether they belong to the IISA or not, this industry remains unregulated, and will continue to be exceedingly difficult for organisations like IIA SA to manage any of the above challenges.

Bernard Agulhas, CEO of the Independent Regulatory Board for Auditors (IRBA), believes that there is still hope that this industry can be regulated to ensure better performance. “IRBA submitted a proposal to the Minister of Finance to institute comprehensive regulation that will apply to all stakeholders within the financial reporting chain, which will include internal auditors and audit committees.”

Among the recommendations that the organisation submitted, was that all the stakeholders in the financial reporting chain be regulated through their respective professional organisations, which must be accredited by a regulator. “According to the proposal, the responsibility of devising the regulations for the other stakeholders in the reporting chain would lie with Treasury. However, the IRBA has also conducted extensive research, and we will be submitting a number of proposals to the Minister on how this regulation for the various stakeholders can be structured. We also have the support of the IIA SA initiative, since the organisation has recognised the fact that increased regulation is necessary.”

Agulhas notes that this proposal must still be approved, after which the Minister of Finance may decide to set up a separate regulator, or to incorporate the proposed regulations into IRBA’s legislation. “Ideally, if the regulations can be included under IRBA’s mandate, we would have the ability to regard the entire financial reporting eco-system and identify where lapses occurred in cases of corporate fraud.”

While new regulations are usually met with some resistance by any industry, Agulhas says that there are benefits to higher regulations for all parties involved. “It not only assures higher levels of accountability, but also affords better protection to all the role players as well as the public. Once again, it will fall to Treasury to make it clear to every stakeholder how an increase in regulation can benefit them and protect the public.”

He says that IRBA is hopeful that the Minister of Finance will review its proposal within the next few months. “If the Minister approves the proposal, it will take a minimum of about a year for the Ministry to consult, and another year to draft the legislation. While it could take longer, it is currently widely understood how critical it is, so we have faith that Government will push to get the adequate legislation passed in the shortest possible time frame.”

In closing, Hoosain says that both the private and public sector spends billions per year on internal auditors, which effectively goes to waste if they are not being regulated and utilised correctly. “One of the best tools that we have against fraud and corruption is not being used effectively, and the country is poorer for it. Increasing accountability and protection through appropriate and effective regulation for internal auditors will benefit everyone involved,” he concludes.