In her address at the National Prosecuting Authority’s Stakeholder Conference held in March 2007, the then Minister for Justice and Constitutional Development reminded the audience that one of the targets of the department was to reduce crime by between 7% and 10% per annum. Recognising the need for all stakeholders to join forces in order to meet this objective, she emphasised their commitment to ‘find solutions that talk to each other in order to leverage efficiencies that otherwise would not be available but for co-ordination.’
Section 45 of the Auditing Profession Act, Act 26 of 2005 (APA), creates one such mechanism whereby government could rely on audit regulation to contribute towards the reduction in white collar crime. The promulgation of the APA, together with proposed amendments to South African Corporate Legislation and the King Report on Corporate Governance at the time, has sparked renewed interest in the role of auditors in the accountability chain and the quest for improved governance in business.
Section 45, which deals with the auditor’s responsibility to report reportable irregularities to the Independent Regulatory Board for Auditors (IRBA), has certainly been the subject of much controversy and misinterpretation, including a perception that auditor-client relationships have been jeopardised by the obligations imposed on the auditor in terms of the APA. In this article, I will attempt to address these perceptions and provide clarity regarding uncertainties that may have been created by this section.
What does section 45 require?
Section 45 of the Act defines a reportable irregularity as ‘any unlawful act or omission committed by any person responsible for the management of an entity, which,
a. has caused or is likely to cause material financial loss to the entity or to any partner, member, shareholder, creditor or investor of the entity in respect of his or her or its dealings with that entity; or
b. is fraudulent or amounts to theft; or
c. represents a material breach of any fiduciary duty owed by such person to the entity or any partner, member, shareholder, creditor or investor of the entity under any law applying to the entity or the conduct or management thereof.’
It should be appreciated that, while it is the auditor’s duty to report irregularities to the IRBA, management remains responsible for ensuring that the necessary systems and controls are in place to manage the risk that such irregularities could occur in the first instance.
The auditor’s responsibility
In terms of section 45 of the Act, the process that the auditor must follow when a potential reportable irregularity is discovered is, briefly, as follows:
a. A registered auditor that is satisfied or has reason to believe that a reportable irregularity has taken place or is taking place must, without delay, send a written report to the Regulatory Board.
b. The registered auditor must within three days after sending the report in (a) notify members of the management board that he or she had sent such report.
c. The registered auditor must, within 30 days after having sent the first report to the Regulatory Board, take reasonable measures to discuss the matters with the members of the management board, obtaining representations from them, and then send a second report to the Regulatory Board, which either confirms or dispels the auditor’s initial suspicion.
The definition and process are different from the provisions that were contained in section 20(5) of the previous audit legislation, and it is important for directors to be familiar with the impact that this section has on them.
What management should know
Who is defined as ‘management’?
The unlawful act or omission must be committed by a person responsible for the management of the entity. The Act does not define management but does provide a definition for ‘management board’ as follows:
‘Management Board, in relation to an entity which is a company, means the board of directors of the company and, in relation to any other entity, means the body or individual responsible for the management of the business of the entity.’
A person responsible for management of an entity would usually be responsible for:
• setting the strategic objectives and operational policies of the entity;
• allocating resources to meet such objectives and support such policies; and
• selecting accounting policies, and reviewing and authorising financial statements.
These activities would generally be carried out by persons who are responsible for the overall planning, organising, leading, co-ordinating or controlling of the business affairs of the entity. The following additional guiding principles are relevant:
• A branch manager may not be responsible for the management of the entity, only being responsible for part of the business of the entity.
• An executive committee would be responsible for the management of the entity.
• Third parties who are contracted to discharge the responsibility of the management of the entity, e.g., business managers, fund managers, pension fund administrators and investment managers, are parties that are responsible for the management of the entity.
• An unlawful act or omission of an employee of an entity with the knowledge of any person responsible for management is viewed as an unlawful act or omission by the person responsible for the management of the entity that has such knowledge.
When the duty to report arises
There is no requirement on the auditor to design procedures to discover reportable irregularities. However, the auditor must respond to any information that comes to his or her attention. That means that the auditor should consider all information, from any source, including third parties. The auditor, however, must consider the reliability of such information before conducting further investigations.
While the auditor would usually consider confidentiality requirements in terms of the Codes of Professional Conduct, this legal provision requires the auditor to consider knowledge that he or she gains, even when providing other services to the client, or even while providing services to another client. The report can only be lodged with the Regulator by the auditor of the entity.
Communication between the auditor and the client
Before the auditor reports to the IRBA, he/she may carry out any investigations considered necessary. These investigations are intended to provide the auditor with sufficient grounds to conclude whether a reportable irregularity has taken place. Although the investigations are not meant to provide management with an opportunity to rectify the situation and avoid reporting, the auditor may discuss the matter with management before sending a report to the IRBA. Such discussions can occur prior to the auditor sending the initial report to the IRBA.
The Act requires the auditor to send the initial report without delay, and the ‘reasonable auditor’ test is applied in interpreting the meaning of this phrase.
Once the initial report has been sent to the IRBA, the auditor has to apply reasonable measures to discuss the matter with members of management and allow them the opportunity to make representations to the auditor. Such reasonable measures could include written notice to the management, telephonic communication or using other electronic means to contact the client. The auditor, however, is not expected to assume the role of a tracing agent.
What happens to the reportable irregularity?
If the auditor, in the second report, reports that the reportable irregularity is continuing, the IRBA reports the matter to an appropriate regulator, which includes any national government department, regulator, agency, authority or oversight body. That body may, at its discretion, then decide whether to perform further investigations on the client involved.
What is the impact on the audit opinion?
In the event that a reportable irregularity has been reported to the IRBA, the Act does not allow the auditor to issue an audit opinion ‘without such qualifications as may be appropriate in the circumstances’. In layman’s terms, this means that under these circumstances the auditor cannot issue a ‘clean’ report, but has to include a modification to the audit report, which refers to the reportable irregularity. Such a modification would be required even when the reportable irregularity that existed is no longer taking place, and steps have been put in place for the recovery of any loss.
Since the date on which the Auditing Profession Act became effective, the IRBA has received 3023 reports compared to the relatively few reports received under the previous audit legislation, which amounted to approximately 50 reports per annum.
The types of reportable irregularities include contraventions of the Companies Act, tax irregularities, estate agencies contraventions, non-compliance with JSE rules, labour laws and fraud, among others.
So, while responsibilities of directors and auditors may have increased, these statistics provide substantive evidence that government may be well on its way to achieving its objective to reduce white collar crime, provided that those regulators to whom the irregularities are reported take the necessary steps when they are alerted to potential irregularities through the reports from the auditors. But this objective can really only be achieved in a culture of compliance, a desired state to which our democracy has long aspired and hopefully is close to reaching.
This is certainly a step in the right direction if government wishes to protect the financial interests of investors and the public at large, and ultimately the integrity of our financial markets.
Francois Opperman, BA LLB, is an Advocate of the High Court of South Africa, and the Professional Manager: Compliance at the Independent Regulatory Board for Auditors.