Background

The Internal Audit (IA) department is a centralised, independent assurance function. Its purpose, authority and responsibilities are set out and formally defined in a charter approved by the Board Audit Committee.

IA forms part of the Enterprise Risk Management Framework as a third line of defence. Enterprise Risk Management (ERM) facilitates management’s desire to effectively govern and manage the Corporation’s approach to risk management and to create sustainable value to its stakeholders through business objectives such as achievement of developmental objectives, financial sustainability and satisfactory customer service.

Implementation of ERM does not create a risk-free environment. Rather, the Corporation operates in environments filled with uncertainty such as adverse economic conditions, electricity challenges, and socio and political dynamics which require proactive action to address risks in order to achieve its developmental mandate. Effective ERM involves the strategic implementation of three lines of defence as the first principle of the risk management framework. Risk governance guidance has to be provided at each line of defence to support the ERM framework.

Role of Internal Audit

The purpose of IA is to provide independent, objective assurance to the Board that the governance processes, management of risk and systems of internal control are adequate and effective to mitigate the most significant risks, both current and emerging, that threaten the achievement of the Group’s objectives, and in so doing help improve the control culture of the Corporation.

Internal Audit is responsible for developing a 3-year rolling Audit Plan using a risk-based methodology. Specific regulatory requirements pertaining to Internal Audit are taken into account, as are any risks or control concerns identified by management and the board. The Audit Plan is approved by the Board Audit Committee.

In addition to the normal audit activities, IA also provides Forensic Auditing and Consultative Services, including:

  • Performance of fraud, corruption and related irregular behaviour investigations, the reporting thereof to management and provision of recommendations regarding the outcomes of the investigations by the Forensic Audit team
  • Facilitation of the development and revision of systems and procedures throughout the Corporation

Internal Control Framework

The IDC internal control framework mirrors that as set out by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Under the COSO Enterprise Risk Management Framework, risks are categorised into strategic, operational, financial reporting, and legal/regulatory risk categories.

COSO-based auditing also enables effective evaluation of soft controls whilst avoiding the faulty, negative findings that can sometimes result from traditional audit methods. It is customer focused and outcome-oriented, addressing systemic root causes, avoiding placement of blame in order to find a workable solution.

Authority and competence

The Internal Audit Charter provides the mandate for IA activities within the Corporation, including the functional reporting to the Board Audit Committee. The Charter furthermore authorises access to records, personnel and physical properties relevant to the performance of engagements, and defines the scope of Internal Audit activities.

IA collectively possesses the knowledge, skills, experience, tenure and other competencies needed to fulfil its mandate in an effective and competent manner. IA has access to the integration of best practice through affiliation with various professional bodies, both locally and internationally, and shares best practice with various entities.

IA work is continuously assessed by management and at least annually by the Board Audit Committee. The Institute of Internal Auditors (IIA) standards require that an external quality assessment be conducted on the Internal Audit function of an entity at least once every five years. Such a review must be performed by a qualified, independent reviewer or review team from outside the IDC. Such an assessment was conducted as per the required IIA standard within the past three years, with the external assessor finding that IDC Internal Audit conforms to set standards and principles outlined by IIA, with no significant areas of improvements required.

IA is in the process of building its own quality assurance team that will review internal audit files to ensure consistency and the maintenance of quality standards; this will also ensure the department’s readiness for the next independent quality review.

Management’s responsibility for risk management and fraud

Management is responsible for the development, revision and implementation of IDC’s systems and procedures with IA facilitating the process thereof. IA further support and advise Management on the adequacy and effectiveness of developed or revised systems and procedures.

Key focus areas during past year: both audit and forensics

Internal Audit has performed at least 83 assignments during the year under review, comprising of both Internal Audit Reviews and Forensic Investigations as compared to 64 during the previous financial year. Analysis of the results of the aforementioned assignments guided Internal Audit to the conclusion that the control environment is adequate and operating effectively; with the exception of controls related to the IDC external fraud risk and in particular the misapplication and misappropriation of funds advanced by the IDC to clients. An example of such a case is provided in the case study which appears on page 73, Section 2 (committed to good governance) of this report.

Other initiatives over and above the provision of assurance services and forensic investigations during the year included:

  • Data analytics of the vendor master file to establish duplicate records. 2 audits already conducted on Vendors and Business Partners records and various areas of accountability have commenced with a clean-up exercise and Internal Audit is expected to conduct a follow-up review in the upcoming financial year
  • On-going anti-fraud and anti-corruption training and awareness programme. This awareness programme has greater reach this year, with regional offices receiving onsite training for the first time
  • Automation of online forensic requests for approval. This has been completed and requests are now approved by the CEO and noted by the General Counsel through a SAP workflow process
  • Extension of fraud and corruption awareness, training and education to major subsidiaries. Fraud awareness has been extended to main subsidiary, sefa, with various training and awareness programmes having been hosted at sefa
  • Roll-out of automated audit working paper. This has been piloted and it is at final implementation process
  • Networking with other DFI‘s with an objective to benchmark best practices. Various networking and benchmarking sessions were conducted with institutions such as Ithala Bank and Botswana Development Bank, to share best practices

Management has over the past financial year taken bold and significant steps to strengthen the control environment, chiefly through enhanced diligence in both the due diligence investigation and post investment management and review activities in order to address external fraud risk.

Stakeholder Engagement

Internal Audit main interfaces
Internal External
  • Board Audit Committee
  • Divisional Executives
  • Business unit/Departmental heads
  • External auditors
  • IDC subsidiaries
  • Auditor-General
  • Appointed law firms
  • Law enforcement
  • Financial institutions
  • Relevant government departments
  • General public (Whistle-blowers/tip-offs)

 

IA has a direct link to all the previously-mentioned stakeholders and has built up a professional relationship with all stakeholders. This has ensured Internal Audit is able to conduct its function effectively.

Risks: Internal Audit response:

Challenges in access to information (mainly from clients and other stakeholders, eg. banks) during forensic investigations

Negotiating a seat on industry bodies, eg. SABRIC. Engaging with legal department to establish where IDC could enforce or improve on its rights to access information of the clients during investigations

Long lead time to finalise investigations

Management, communication and education of stakeholder with regards to challenges and expectations

Fear to report: miss incidences of fraud and corruption, increase in legal costs

Manage stakeholder expectations and stakeholder education and awareness

Cash-based corruption

Work with the organisation to develop policy, systems and procedures to facilitate criminal reporting in the absence of internal evidence

World and local adverse economic climate which may result in increased incidents of fraud and corruption

Mitigate through training and awareness

 

Focus points for the year ahead

  • Implement a tool to facilitate electronic conversion of hardcopy records obtained during audits and investigations to enable quicker turnaround times especially on the application of funds reviews and investigations. The tool will assist to analyse and manipulate data for better interrogation especially when dealing with large volume of documents.
  • The implementation of Project Evolve has brought about some key operational changes to assist the Corporation in having a sharper focus on industrial capacity development objectives and improving IDC proactivity as well as activities that create new industries with future potential. As a result, the Corporation has to realign its processes, systems, procedures and policies to meet these needs. IA will therefore spend more focus on facilitation in the development of revised systems and procedures, and policies and processes. The department will also assess the adequacy of new processes in line with new focus areas and the operational model.
  • Better coordination between External and Internal Audit has been achieved. However, an area of improvement is being considered for the next reporting year with other assurance providers such as the Compliance and Risk Management departments.

Fraud prevention

Background

In its basic form, corporate fraud and corruption prevention entails never condoning fraud or corruption in any shape or form, providing fraud and corruption awareness and prevention training for employees, ensuring strong internal controls and limiting exposure to fraud and corruption through a robust detection, investigation and prevention programme. This also forms the pillars upon which the IDC corporate fraud and corruption prevention strategy is built.

The IDC takes a holistic view to fraud and corruption prevention, realising that fraud and corruption permeates the very soul of a corporation and that an empowered employee is the key to a successful fraud and corruption prevention programme. To this end the IDC has:

  • A robust fraud prevention policy, plan and response plan
  • Anonymous reporting hotline through independently managed tip-offs
  • A well-developed and properly communicated Code of Ethics and Business Conduct which includes a Conflict of Interest Policy and accompanying declaration of interest procedure
  • Regular fraud and anti-corruption education and awareness roadshows throughout the Corporation, including the regional offices, focusing on recent cases, legislative developments and red flag awareness
  • Distribution of Financial Crime Awareness pamphlets to clients and other stakeholders, with a distinct anti-corruption message
  • Fraud and anti-corruption awareness training during the training of new employees
  • Targeted additional training to specific Business Unit and Departmental heads with a high exposure to fraudulent activities
  • Naming and shaming of employees found guilty at disciplinary hearings and subsequently dismissed for having been involved in instances of irregular behaviour relating to cases fraud or corruption
  • Placing those who have been involved in acts of fraud and corruption, from both an internal and external perspective, on the IDC Delinquency register

In terms of the IDC Fraud and Corruption Prevention Policy, all requests for forensic investigations, from whatever reporting channel, have to be approved for investigation by the CEO and noted by the General Counsel. The policy, however, gives the Board the final authority to sanction and approve investigation if they believe that the CEO or senior management might be implicated. The outcomes of forensic investigations are presented to EXCO and the Board Audit Committee, being the committee responsible for the approval of recommendations contained therein.

Challenges, activities during the year and initiatives

During the year under review, the IDC has increased the effort, reach and focus of its fraud and corruption prevention training to employees who have become increasingly vigilant and diligent in reporting instances of fraud and corruption. New training methodologies and awareness materials have been introduced, with an increased focus on awareness for clients, resulting in enhanced stakeholder awareness of the impact of fraud and corruption. We believe the decrease in number of matters reported during the year under review bears testimony to the basket of initiatives in the fraud and corruption awareness environment.

Although progress has been made in dealing with fraud, the Corporation remains concerned about fraud and corruption related matters being reported. Despite communicating a zero-tolerance approach to fraud and related untoward behaviour, some clients continue to test preventative controls in the hope that a lack of diligence within the system will result in them accruing ill-gotten gains. Poor ethical decision making by clients remains a constant trend, as does the use of pseudo IDC documentation in order to induce a third party to advance funds in order to access funding in instances of fraudulent IDC funding applications.

Although incidents of untoward activity by clients remain persistent, they are identified earlier and the number of matters reported for investigation, both internal and external, has dropped from the previous financial year. Increased impetus in respect of both employee and client fraud education and awareness training during the year has also contributed to this decrease in the number of matters reported for investigation.

cases reported1The graph depicts the number of cases reported in 2015 compared to 2014.

IA firmly believes that employees, from their experiences on the ground combined with the anti-fraud and anti-corruption training they receive, form a key component in a fraud and corruption prevention programme. Therefore, during both training and investigation activities, IA assesses key operational areas for corruption risks. This has resulted in 11 out of 16 (69%) of such high risk areas being assessed during 2015. High risks areas include all operational units (12 business units), and the Financial Management, Procurement, Human Capital and Post-Investment Monitoring departments.

Our anti-corruption and anti-fraud training and communication activities saw 55% of IDC employees receiving communication on the subject matter and being trained therein. 100% of governing bodies (executive members) received communication regarding anti-corruption policies and procedures. No formal training on anti-corruption policies and procedures was provided to governing bodies.

The IDC’s anti-corruption policies and procedures were communicated to 11 out of 1 203 clients (1%). Total investigations were 19 of which 12 were client related. During 2015, the following fraud trends have been noted during instances of fraud committed against the IDC:

  • Misapplication of funds advanced by the IDC – from a poor decision-making perspective as well as through criminal misrepresentation
  • Blatant misappropriation of IDC funding through submission of irregular or falsified documentation
  • Presentation of false audit certificates, irregular audit certificates, misrepresented Annual Financial Statements and false bankers letters or other correspondence in order to obtain funding from the IDC
  • Over-invoicing of goods and services by clients when requesting advances on funding from the IDC
  • Purchasing of under-spec, lesser quality or lesser quantity of goods than what was initially presented on invoices for drawdown purposes
  • Use of pseudo or false IDC documentation in order to induce a third party to part with funds during a fraudulent IDC funding application
  • Client contributions injected into IDC-funded projects having origins of being the proceeds of corrupt relationships

The Corporation’s zero-tolerance stance to all instances of fraud and corruption remains non-negotiable. Promoting high ethical standards and combating corruption throughout the IDC’s sphere of influence is an important part of the Corporation’s drive to deliver social value through its core activities as a developmental institution.