4.4 KPMG FRAUD RISK MANAGEMENT MODEL
4.4.2 An Ongoing Process
Providing continuous communication and training to employees to create awareness about fraud serves to inculcate a culture of high integrity and compliance within an organisation.
Such a process also equips employees to identify fraud within their work environment and to know how to report such suspicion.
effective today. It is essential to identify what the current fraud risks are and how they are being mitigated. The assessment phase should consider which relevant people, processes and systems should form part of the analysis process. Relevant stakeholders should be included in the team conducting the assessment. Once the organisation establishes the current state of internal controls, it should then identify what the desired state is and set milestones for the enhancement of internal controls. The deficiencies that are identified between the current and desired states should be taken into consideration when planning the next steps (KPMG; 2006:20).
4.4.2.2 Design
The design phase involves crafting internal controls that address fraud risks in a holistic manner, covering prevention, detection and response. These controls should be aligned to legal and other regulatory frameworks and based on best practice. The objective is to design internal controls that safeguard the organisation from fraud risks. KPMG (2006:20) also suggests that the organisation should take into consideration the unique nature of its operating environment and design custom-made internal controls. This suggests that there is no “one size fits all” approach from an internal control perspective. Organisations are as unique as the fraud risks they face. According to KPMG (2006:21), organisations are remiss if they merely design and implement controls to satisfy minimum criteria that are set by regulatory frameworks. Organisations should consider other best practices that are being used by similar types of organisations, where those internal controls were found to be adequate and effective.
This will assure management that such best practice is likely to successfully address fraud risks in their organisation.
4.4.2.3 Implementation
Implementation of new or enhanced internal controls requires a structured approach.
Responsibility for the internal controls should be assigned to employees who have an appropriate level of authority and seniority, as well as the required resources to give effect to the controls. KPMG (2006:21) suggests that there should be concise and regular communication to the relevant employees about when, how and by whom the new internal controls would be implemented. It will also be opportune, in this communication, to emphasise how compliance will be imposed.
4.4.2.4 Evaluation
The evaluation phase involves the appraisal or review of the design, adequacy and effectiveness of the internal control. The evaluation is conducted by means of a self-assessment of the internal control, testing for functionality, ongoing monitoring and individual evaluations (KPMG; 2006:20). The existence of an internal control does not mean that it is adequate and effective. It is suggested by KPMG (2006:21) that internal controls which have been in existence for a long period of time should be reviewed to ascertain whether they are still working as intended. The review of internal controls should be prioritised based on the profile of the risk that each control is intended to mitigate. Compensating controls also contribute to risk mitigation, where a particular internal control may be found to be inadequate or ineffective.
KPMG (2006:21) urges organisations to consider the regulatory imperatives together with best practices in the relevant industry when evaluating and designing new internal controls. The best practice in the relevant industry would reveal which internal controls work well to mitigate fraud risks. Other similar organisations in that industry should compare their existing internal controls with the best practice. The shortfall or gap between the two scenarios should guide any control enhancements that may be required. Consideration should also be given, when conducting the evaluation, to whether internal controls have been properly implemented or not.
Organisations that design and implement a code of conduct do not necessarily have a high ethical culture. It is suggested by KPMG (2006:22) that employees may not be executing their tasks in line with the code of conduct. Having an internal control should not be a “tick box” exercise but rather a process that guides employee activities in risk mitigation. The Oxford Dictionary (2014) defines “tick box” as “denoting or relating to a procedure or process carried out purely to satisfy convention, rules, or regulations”. Fraud prevention in all its complexity requires more than this simple check.
According to KPMG (2006:22), there are other ways to evaluate control effectiveness. The first is to conduct forensic analysis of relevant data. The second is to conduct a survey among employees in order to establish their perceptions about fraud risks within the organisation. Such a survey would be valuable in determining the status of control effectiveness. Evaluating the effectiveness of controls and responding thereto is an ongoing process, according to KPMG (2006:22), which is dictated by changes in the environment in which an organisation operates. These changes could be influenced by the markets, external scrutiny, regulatory or legislative factors (KPMG; 2006:22). The process to design and implement initiatives to address employee fraud and prevention strategies at universities in KwaZulu-Natal should certainly include consideration of these aspects.