“Certain fraud risks are at times identified when performing risk assessments as operational, business continuity or compliance risks.”
Prevention is cheaper than cure – get risk and mergers and acquisitions assessed by forensic practitioners
The tasks undertaken by a forensics practitioner have evolved tremendously in the past decade, from merely analysing evidence after an illegal act has occurred to becoming multidisciplinary in nature and contributing to various areas of the business.
In this article we examine how forensics is offering a range of new services.
Fraud risk management
The original King Report on Corporate Governance for South Africa issued in March 2002 (King I) emphasised that the total process of risk management, including systems of internal control, rests solely with the Board of Directors. This report echoed the trend started in the United States in 2001 of instituting remedial action in terms of both corporate governance and auditor independence. The King I report stated that the board was responsible for ensuring that an adequate risk assessment process is implemented to continuously monitor the adequacy of the existing internal controls as part of the risk management process. The consequent King III report of 2010 went a step further to emphasise the following:
- It is essential for every organisation to establish systems that identify risks early and continuously and then to establish internal controls to mitigate the risks
- The King III report urges organisations (both private and public) to adopt ethical codes, which should be supported by effective communication channels.
- A key corporate governance responsibility should be to facilitate confidential whistle-blowing mechanisms and ensure that justified whistle-blowers are not penalised.
- The King III report urges audit committees to direct and supervise investigations.
Certain fraud risks are at times identified when performing risk assessments as operational, business continuity or compliance risks. The extent of fraud exposure, however, is sometimes underestimated, if not overlooked, as specialists in business risk or internal audit perform the assessments with a focus on identifying high level business risks as opposed to the true fraud risk. Risks related to fraud are easy to miss and require highly specialised skills and experience to identify and mitigate.
It is here that the forensic practitioner can play a role in filling the possible expertise gaps. Today’s forensic practitioner can offer a myriad of services for assisting businesses to managing fraud risks, such as risk assessments aimed at identifying high risk areas, vulnerability assessments for identifying weaknesses in processes and maturity assessments to determine the level of risk maturity in management functions.
Role in business in mergers and acquisitions
Linked to the risk element, the unique expertise and experience of the forensic practitioner is often called upon these days to try to understand and limit risks associated with investing in new markets, such as Africa. With the strong recovery of global trade following the financial crisis of 2008, the focus is now on emerging markets in the Middle East and Africa.
According to the 2013 Ernst & Young (EY) Africa Attractiveness Survey, Africa has some of the fastest growing economies in the world, estimated to attract US$150 billion worth of new foreign direct investment projects by 2015, which will ensure a significant amount of acquisitions on the continent.
Many investors have learnt to conduct due diligence in matters of mergers and acquisitions to ascertain the true nature of the companies they are investing in. This process can save an investor significant costs in regulatory and legal fines, penalties and remediation. Of equal importance would be discovering that a newly acquired company is involved in, or is the victim of, some fraudulent scheme which will become the responsibility of the new owner.
Surprisingly, in a recent survey it was found that the frequency with which companies conducted due diligence into fraud and/or corruption-related risks before acquiring a new business was relatively low for both Africa and globally. Only 54% of African respondents indicated that pre-acquisition due diligence was performed (global: 54%), while just 34% conducted post-acquisition due diligences (global: 41%).
Compounding the risk associated with new acquisitions in Africa is the fact that many African countries already have robust anti-bribery and corruption legislation, a number of which include extra-territorial reach and ban facilitation payments. Additionally, in the last few years we have started to see African regulators commencing derivative actions against companies already under investigation by US prosecutors for alleged Foreign Corruption Practices Act (FCPA) violations. A significant amount of bribery and corruption enforcement activity continues to relate to acquired entities. In 2011 alone, there were three FCPA settlements linked to prior violations by recently acquired subsidiaries.
Furthermore, companies should be mindful of the risk associated with fraudulent interactions,. The fraudulent activities could result in either skewing the picture of the financial health of the acquired company, or seriously impacting on its profitability.
It is clear that with regard to fraud, bribery and corruption, it is not only a matter of whether due diligence has been performed, but also when. It is essential that due diligence starts early. The earlier the issues are identified, the sooner an acquirer can understand the fraud and corruption risks of a deal. Comprehending these risks will allow the acquirer to discuss any issues with the relevant regulators, or walk away should that prove necessary.
Anti-corruption compliance and the requirements of the Companies Act
As mentioned above, Africa has some of the fastest growing economies in the world, which will ensure a significant amount of acquisitions.
However, corruption continues to be globally pervasive. Increased enforcement by international agencies has left multinational organisations vulnerable to international corruption investigations, significant financial penalties and even jail sentences for its guilty employees.
South Africa has its own corruption legislation with extra-territorial reach, the Prevention and Combating of Corrupt Activities Act, 2004 (Act 12 of 2004), or PRECCA, which makes it a crime to offer or receive a bribe, both in the public and private sector.
Although the enforcement of PRECCA has not been as widespread as that of the FCPA in the United States or the UK Bribery Act in the United Kingdom, we expect the enforcement of PRECCA to rise. Our expectation is based on the active enforcement culture of international enforcement agencies and the fact that South Africa’s new Companies Act includes regulations requiring companies to comply with the recommendations of the Organisation for Economic Co-operation and Development’s (OECD) Anti Bribery Convention.
The OECD Convention, of which South Africa is a non-member signatory, was signed by most of the major economies in the world and establishes legally binding standards to criminalise bribery of foreign public officials and a host of other related measures to combat bribery in international business transactions.
Section 43 (5)(a) of the Companies Act regulations requires that a company’s social and ethics committee should ensure that a company complies with relevant legislation and codes of best practice. In terms of this section, the committee has a duty to reduce corruption in the company and to comply with the following relevant legislation and codes of best practice:
- The United Nations Global Compact’s ten principles for business activities
- The OECD recommendations regarding corruption.
Again, this is an area of business that requires the expertise of a forensic practitioner who is well versed in the various permutations of corruption and has experience in both the legislation and the crime itself.
Recently, with the immense increase in computer-related crime, the specific expertise of forensic practitioners has been called upon to supplement the skill set of the computer crime experts.
As digital information storage continues to transform our working environment, computer forensic analysis of digital evidence is becoming the norm in most forensic investigations. Although forensic practitioners may not be directly responsible or involved in the acquisition and analysis of digital evidence, their knowledge and experience in specific topics are required by the computer forensic investigator to effectively analyse digital evidence.
In matters such as these, it falls upon the computer forensic experts to ascertain where and how the breaches occurred, whilst the forensic practitioner assesses the impact of the breach on the company. Audit logs extracted from servers, routers and firewalls, and datasets extracted from accounting, payroll and inventory systems are analysed. Forensic practitioners are able to quantify the incurred loss value, as well as the number of users or clients affected by a breach.
From the above it is safe to conclude that today’s forensic practitioner is one of the most adaptable and multi-skilled players in the financial services industry. They not only keep up with inventive criminal schemes, but also deliver services over a broad spectrum of business areas.
Sharon van Rooyen, BCom, LLB, LLM, Dip (Insurance), CFE, is the Director: EY Fraud Investigation and Dispute Services