UNIVERSITY OF JOHANNESBURG FACULTY OF LAW

CERTIFICATE IN COMPLIANCE MANAGEMENT

Assignment 2 (2019) - Suggested Answers

Compliance Monitoring

Introduction

This document has been prepared to provide students with feedback relating to
Assignment 2 and to provide suggested answers.

Purpose of the assignment

The assignment questions are included in the document followed by considerations

that are relevant in answering the questions. These do not form part of the suggested
answer and are intended to assist students by providing background information.
Suggested answers are then set out thereunder.

CRR. September 2019 1

 Scenario

The Governing Body of a State Owned Entity (SOE) has, in relation to concerns
raised in respect of procurement shortfalls that have been identified, specifically
where these have led to “fruitless and wasteful expenditure”, asked the compliance
function to provide an assessment of whether the obligations contained in the Public
Finance Management Act (PFMA) have been complied with.

The following definition is included in the PFMA:

“fruitless and wasteful expenditure” means expenditure which was made in vain and
would have been avoided had reasonable care been exercised”

The objective of compliance monitoring that has been planned will be to provide
reasonable assurance relating to the level of fruitless and wasteful expenditure and
compliance with obligations relating to the manner in which financial misconduct
(which includes fruitless and wasteful expenditure) is handled.

An extract from the regulations relating to the PFMA is set out below:

33. Financial misconduct

33.1 Investigation of alleged financial misconduct [Sections 85(1)(b), (c) and (d) of
the PFMA]
33.1.1 If an employee is alleged to have committed financial misconduct, the
accounting authority of the public entity must ensure that an investigation is
conducted into the matter and if confirmed, must ensure that a disciplinary
hearing is held in accordance with the relevant prescripts.
33.1.2 The accounting authority must ensure that the investigation is instituted
within 30 days from the date of discovery of the alleged financial
misconduct.
33.1.3 If an accounting authority or any of its members is alleged to have
committed financial misconduct, the relevant executive authority must
initiate an investigation into the matter and if the allegations are confirmed,
must ensure that appropriate disciplinary proceedings are initiated
immediately.”

The Human Resources department of the entity has instituted a process to address
financial misconduct. This includes the implementation of a register that is used to
record all alleged fruitless and wasteful expenditure, as well as all investigations
relating thereto and the outcomes thereof.

All disciplinary action is undertaken in terms of the organisation’s disciplinary process

which is maintained by the Human Resources Department. Where this relates to
fruitless and wasteful expenditure, it is written up in the register within this context.
There have, in the last month, been 3 formal allegations of fruitless and wasteful
expenditure, which amount to R100 000. There were no such allegations prior to this.

The board of the SOE (accounting authority) has not yet received an assurance
report from the compliance or internal audit functions covering fruitless and wasteful
expenditure (as defined and addressed in the PFMA). Management has indicated
that it is possible that fruitless and wasteful expenditure could be incurred and not
detected. Controls relating to the detection of fruitless and wasteful expenditure are
not considered to be adequate.

CRR. September 2019 2

The SOE’s finance function has implemented a financial control framework taking
into account the PFMA Compliance Risk Management Plan that has been developed
by the function some five years ago.

There have been some 5000 procurement items over the last year (in respect of
expenditure and acquisition of assets) in the division that will be subject to review.
These include 500 items that exceed R50 000 and 3 items that exceed R10 000 000.
One of these large items relates to a computer system that was acquired that does
not appear to be fit for purpose.

The organisation’s compliance function was restructured a year ago. It has five full
time compliance officers that are situated at head office. The majority of the
compliance officers’ time is spent on compliance monitoring.

At a recent Executive Management Committee meeting, management expressed

concern that there is not enough clarity relating to the role that the compliance
function plays and indicated that communication between management and the
compliance function should be improved.

CRR. September 2019 3

Question 1 [10 marks]

Describe the role that the compliance function should play in relation to the PFMA
obligations that are applicable in the scenario, i.e. in respect of fruitless and wasteful
expenditure and financial misconduct.

Relevant considerations

Reference should be made to GACP Principles and Standards, particularly Principle

and Standards 10, and to relevant guidance relating to the role of the compliance
function.

The compliance process provides support needed by the governing body,

management and appropriate staff members. Refer to GACP page 122.

Suggested answer

In terms of GACP Principle 10, the primary role of the compliance function is to assist
the governing body, management and appropriate staff members in discharging their
responsibility to comply with applicable compliance obligations through the provision
of compliance risk management services.

Such services are provided in the application of an effective compliance process.

During the compliance risk identification and assessment phases of the compliance
process, the compliance function typically facilitates the development of a regulatory
universe. Within the context of the SOE, this would include PFMA obligations and
should specifically take into account fruitless and wasteful expenditure and financial
misconduct (in light of the impact thereof). This will provide a mechanism for the
compliance function to facilitate the identification and assessment of the compliance
risks relating to the applicable PFMA compliance obligations. Compliance related
advice that is provided by the compliance function will play a valuable role in
supporting management in this regard.

The compliance risk management phase of the compliance process would typically
involve the development of Compliance Risk Management Plans (CRMPs) for higher
risk compliance obligations. In light of the concerns raised in respect of procurement
shortfalls that have been identified and fruitless and wasteful expenditure, this should
include the relevant PFMA obligations. The compliance function would assist
management through the use of CRMPs (developed some 5 years ago), i.e. in
addressing PFMA compliance provisions, assessing risk, root cause analysis, control
measures in place and additional controls needed, as well as management
measures. The CRMP should be kept up to date with the help of the compliance
function. Management will be responsible for PFMA controls that are identified in the
CRMP, while the compliance function will play a support role in maintaining the tool.
The CRMP will be used by the compliance function in the design of a compliance
monitoring programme relating to the applicable obligations.

The compliance function’s role would cut across various departments in the
organisation. In the scenario, this will include the Human Resources Department’s
responsibilities relating to the register and disciplinary procedures and the Finance
Department’s role in relation to the payments made and the related Procurement
Function’s procurement process. The compliance process should adequately
address and integrate the efforts of such stakeholders. There should be a sound
working relationship with all of them.

CRR. September 2019 4

The compliance monitoring phase of the compliance process involves an
examination of business activities to assist the governing body to understand
whether business is conducted in a manner that will ensure compliance with relevant
compliance obligations, specifically in relation to fruitless and wasteful expenditure
and financial misconduct in the scenario. The monitoring that is conducted by the
compliance function should also assist management and staff members in
addressing compliance risks.

The reporting that is undertaken by the compliance function will play a valuable role
in communicating risks identified in the regulatory universe, CRMPs and compliance
monitoring. Appropriate reports should be provided by the compliance function to the
governing body and management as appropriate.

The compliance function would also assist stakeholders in managing the relationship
with regulators and supervisors, as well as other external parties. This may include
senior government officials where material instances of fruitless and wasteful
expenditure are found.

The compliance function should play a role in promoting a culture of compliance.

Challenges that are indicated in the scenario should be considered in this regard.

CRR. September 2019 5

Question 2 [15 marks]

Prepare a compliance monitoring programme that could be used in the scenario to

achieve the monitoring objective that has been set. This should specify the
monitoring tests to be carried out as well as other key planning considerations.

Relevant considerations

The compliance function should carry out compliance monitoring activities in

accordance with a risk-based compliance monitoring programme. This should ensure
that higher risk obligations are subject to more frequent, detailed and intensive
monitoring than lower risk ones.1

The compliance function must plan a monitoring programme to identify and improve
areas of compliance and control weakness, ensure that controls designed to protect
the organisation against non-compliance are adequate and effective, and review the
integrity and effectiveness of the compliance system.2

Specific reference should be made to GACP, page 139 - Compliance monitoring

plans.

Management has indicated that it is possible that fruitless and wasteful expenditure
could be incurred and not detected. Controls relating to the detection of fruitless and
wasteful expenditure are not considered to be adequate. Accordingly, the focus of
the monitoring would not be on controls testing – As indicated in the scenario the
objective is to provide reasonable assurance relating to the level of fruitless and
wasteful expenditure and compliance with obligations relating to the manner in which
financial misconduct (which includes fruitless and wasteful expenditure) is handled.
This is the context within which the question should be answered.

Suggested answer

Compliance monitoring programme - Fruitless and wasteful expenditure and financial

misconduct:

Date: 2 September 2019

Compliance Compliance Monitoring Context & Scope Timeline Respon-

Obligation Tests sibility
PFMA Obtain and review the financial Register used in the 2019-09-30 Senior
Regulation misconduct register that is last year Compliance
33 used to record all alleged Officer
fruitless and wasteful
expenditure, as well as all
investigations relating thereto
and the outcomes thereof.
PFMA Scrutinize the register for To identify PFMA 2019-09-30 Senior
Regulation information that is relevant in related information - Compliance
33 relation to PFMA obligations. Register records for Officer
the previous year
PFMA Obtain and review the Disciplinary process 2019-09-30 Senior

1
Refer GACP, page 43.
2
Refer GACP, page 43.

CRR. September 2019 6

Compliance Compliance Monitoring Context & Scope Timeline Respon-
Obligation Tests sibility
Regulation disciplinary process which is that was applicable Compliance
33 maintained by the Human in the last year Officer
Resources Department.
PFMA Trace all allegations of 3 formal allegations 2019-09-30 Senior
Regulation financial misconduct to the of fruitless and Compliance
33 register and assess the record wasteful expenditure, Officer
thereof for accuracy and which amount to
compliance with obligations. R100 000 during the
last month
PFMA Make enquiries of Allegations that 2019-09-30 Senior
Regulation management and staff to would be relevant Compliance
33 determine why there were no over the previous Officer
allegations prior to the year
previous month.

PFMA Select a representative sample Substantive test to 2019-10-15 PFMA

Regulation (statistical sampling) of assess the extent of Compliance
33 procurement items to assess fruitless and wasteful Officer
the extent of fruitless and expenditure – (specific
wasteful expenditure. Sample from 5000 finance
items over the competency
previous year needed)
PFMA Scrutinize the 500 items that Substantive test to 2019-10-15 PFMA
Regulation exceed R50 000 and identify assess the extent of Compliance
33 items that represent fruitless and wasteful Officer
particularly high risk PFMA expenditure – (specific
exposures and assess whether Selected items from finance
there has been fruitless and 500 items that competency
wasteful expenditure. exceed R50 000 needed)
Review such items. over the previous
year
PFMA Review all 3 items that exceed Substantive test to 2019-10-15 PFMA
Regulation R10 000 000. assess the extent of Compliance
33 Place particular emphasis on fruitless and wasteful Officer
the computer system that was expenditure – 3 (specific
acquired that does not appear items that exceed finance
to be fit for purpose. R10 000 000 competency
needed)

CRR. September 2019 7

Question 3 [15 marks]

Describe the monitoring scope setting and sampling methodology determination

steps of the compliance monitoring process and the approach you would adopt in
this regard in relation to the scenario.

Relevant considerations

The scope of a monitoring review would normally include the following:

- Consideration of the compliance obligations and operations that are to be

reviewed in terms of the monitoring plan, as well as the extent of the review.
- In-scope versus out of scope locations.
- Follow-up reviews on internal and external audit findings and management
comments.
- The reporting period that will be reviewed, for example, the previous financial
year or according to the provisions of legislation.
- The population of the group of items that needs to be monitored must be
defined.3

A compliance review might require a multi-disciplinary team, for example, a financial

or computer expert or audit staff in addition to the usual compliance staff. The review
must be conducted in a systematic and orderly manner to ensure the smooth running
of the assignment within a reasonable time-frame. Factors such as costs and
minimum disruption should be considered.

Team members and any specialists that may be engaged on the compliance review
must be identified during this phase to take the aforementioned into account.4

Suggested answer

The setting of the scope of a monitoring review is an important step in the planning
stage. The scope should be defined and limitations documented. In this regard, the
scope should relate to the objectives that need to be achieved. In terms of the
scenario, it should be set in relation to the “provision of reasonable assurance
relating to the level of fruitless and wasteful expenditure and compliance with
obligations relating to the manner in which financial misconduct (which includes
fruitless and wasteful expenditure) is handled”.

Accordingly, the monitoring will be a “reasonable assurance” engagement. The

scope should support a conclusion relating to the extent of fruitless and wasteful
expenditure. Substantive testing would be appropriate and a representative sample
from the population of 5000 procurement items could be considered. An appropriate
subset of these items could be selected, but this is not addressed in this answer.
There should be a specific focus on larger and higher risk items. All of the very large
items could be reviewed (greater than R10 000 000) in light of the size thereof and
one of them not being fit for purpose.

The scope should be set in a manner that allows for the optimisation of monitoring
recourses in the achievement of objectives.

In view of the inadequacy of controls relating to the detection of fruitless and wasteful

3
Refer GACP, page 141.
4
Refer GACP, page 141.

CRR. September 2019 8

expenditure, the focus of the monitoring would not be on controls testing relating
thereto. This would be excluded from the scope.

Further, the scope should address compliance with obligations relating to the manner
in which financial misconduct (which includes fruitless and wasteful expenditure) is
handled. This would include consideration of the register and disciplinary process
that is applied.

The substantive and other tests that are carried out would shed light on the controls
that are in place and findings should be written up.

The board of the SOE (accounting authority) has not yet received an assurance
report from the compliance or internal audit functions covering fruitless and wasteful
expenditure. Accordingly, past reviews cannot be included in the scope.

Both statistical and judgmental sampling techniques would be appropriate in the

scenario. The choice of approach would be determined in view of the monitoring
outcomes required.

The sample that is extracted from the 5000 items could be determined using
statistical techniques. This will provide an objective base from which to draw
conclusions, i.e. provide reasonable assurance relating to the objectives. An attribute
sampling methodology would be appropriate in relation to the compliance aspects of
the review. Monetary unit sampling would be appropriate in view of the monetary
profile of the population.

The sample must be selected using an approach that ensures that all items have an
equal chance of selection where statistical sampling methods are used.

On the other hand, a judgmental sampling approach in respect of higher value and
higher risk PFMA exposures would be appropriate. This would be advisable in view
of the nature thereof, particularly in selecting items that pose the highest risk.

Different samples could be extracted from the population of 5000 items. In particular,
this would be appropriate where there would be value in assessing the results of
each separately.

The PFMA obligations relating to fruitless and wasteful expenditure are technical in
nature (finance related) and it is advisable to develop the monitoring scope with this
in mind, i.e. from the monitoring test and resourcing perspectives.

CRR. September 2019 9

Question 4 [20 marks]

Identify and discuss the possible causes of the lack of clarity relating to the role
played by the compliance function as well as the need for improved communication.
Briefly indicate solutions that could be put in place relating to the aforementioned.

Relevant considerations

As indicated in the scenario: At a recent Executive Management Committee meeting,

management expressed concern that there is not enough clarity relating to the role
that the compliance function plays and indicated that communication between
management and the compliance function should be improved.

Reference should be made to GACP. Specific reference should be made to:

- Principle and Standards 10: Responsibility of compliance function;5 and

- Principle and Standards 21: Communication and consultation.6

Suggested answer

Possible causes of the lack of clarity relating to the role played by the compliance
function are identified and discussed below in relation to the scenario. The need for
improved communication is addressed.

a) Role description

There is no indication that there is a compliance role description.

The compliance function role description should be adequate for informing

stakeholders.

b) Change management

The organisation’s compliance function was restructured a year ago.

Where there is significant change in relation to the compliance function or the role
that it plays, this brings the need for effective change management in play. This may
not have been adequately addressed.

Effective change management processes should be applied.

c) Compliance structure

The compliance function has five full time compliance officers that are situated at
head office.

Where the function is centralized, there is the possibility of creating a “them and us
culture”. Centralisation can represent increased levels of communication challenge.

A centralised compliance function may, due to it being structurally separated from the
business, experience challenges in obtaining management support in implementing
and maintaining certain aspects of the compliance process, notably in respect of the

5
Refer GACP, page 42.
6
Refer GACP, page 71.

CRR. September 2019 10

enabling elements of the first three phases thereof.

The compliance function will need to focus attention on maintaining lines of

communication with management in providing compliance services that will assist
management to discharge its responsibility to undertake all business in compliance
with compliance obligations.

d) Compliance process

The majority of the compliance officers’ time is spent on compliance monitoring. This
indicates that the focus does not appear to be on the first three phases of the
compliance process. There may not be adequate support for management through
services relating to:

- Compliance risk identification;

- Compliance risk assessment; and
- Compliance risk management.

Where the proactive enabling components of the compliance process are not
adequately addressed, the compliance function may be viewed as purely being an
audit function.

Consideration should be given to the effective implementation of all phases of the

compliance process.

e) Compliance assurance

The board of the SOE has not yet received an assurance report from the compliance
or internal audit functions covering fruitless and wasteful.

Even though the compliance function resources are focused on compliance

monitoring, the PFMA exposures in question have not been brought to light in the
past. This may adversely impact on the perceived value of the compliance function
and could influence management’s view of the role played.

The compliance role relating to assurance should be clarified. Measures should be

implemented to ensure that there is appropriate assurance coverage.

f) Combined assurance

There is no indication that compliance monitoring is undertaken in a combined

assurance process. Notably, internal audit has not undertaken an audit of fruitless
and wasteful expenditure. Further, management appears to be aware of the
challenges relating to fruitless and wasteful expenditure, but these do not appear to
have been reported to a governance committee or the compliance function.

Where a combined assurance process is in place, this will improve communication

between stakeholders and will help clarify the role of the compliance function.

g) Compliance programme

The responsibilities of the compliance function should be carried out in terms of a

compliance programme. This should be risk based and approved within the
governance structure.

CRR. September 2019 11

There is no reference to a compliance programme in the scenario. Where the
programme has not been adequately developed, management has less opportunity
to engage with the compliance function in relation to its role.

h) Current tools

The PFMA compliance risk management plan appears to have been developed
some 5 years ago. The indications are that this may not have been kept up to date.

Compliance risk management tools should be kept up to date, particularly in relation

to higher risk obligations.

i) Governance of compliance and communication of the compliance policy

There should be appropriate governance of compliance, including the effective

communication of the compliance policy throughout all levels of the organisation.
The policy and charter should specifically address the role of the compliance
function. Lack of appreciation for the role played by the compliance function could
arise from inadequate communication of the policy.

The compliance function should assist management with the communication of the
compliance policy. There is no indication that this has not taken place in the
scenario, but should be considered in determining causes of the lack of
understanding of the role and what is needed to address this.

j) Line of communication to management

The head of compliance should establish a formal line of communication to

management to assist with the communication of compliance matters. This line of
communication would cut across all of the phases of the compliance process.

There may not be a formal line of communication. This should be addressed in the
compliance policy and charter.

Ongoing and informal communication also plays an important role.

k) Communication skills

The compliance team should have effective communication and influencing skills.
Where the team does not have such skills, this will adversely impact on stakeholder
understanding of the role played by the compliance function.

The communication skills of the compliance function should be considered.

l) Training programme

The compliance function should guide and facilitate the development and
implementation of a training programme on compliance matters affecting the
organisation.

This programme should be risk-based and reflect the training needs of different
stakeholders within the organisation.

m) Awareness campaign

CRR. September 2019 12

The compliance function should create a compliance awareness campaign aimed at
assisting management and the governing body in promoting a culture of compliance.

Where this is not in place, an opportunity to address the role of the compliance
function will be lost.

The programme should address the role of the compliance function.

n) Compliance manual

The compliance function is responsible for coordinating the development and

maintenance of a compliance manual.

This provides a robust platform from which to engage with management. It should
specifically address key aspects of the compliance function.

o) Stakeholder relationships

The compliance function’s relationship with stakeholders is important.

There should be a specific focus on how to maintain sound working relationships with
key stakeholders, including management.

CRR. September 2019 13

Question 5 [20 marks]

Describe the type of monitoring that will be appropriate (control or substantive) and
indicate how a combined assurance approach could be applied in the scenario.

Relevant considerations

As stated in the question, the objective of compliance monitoring that has been
planned will be to provide reasonable assurance relating to the level of fruitless and
wasteful expenditure and compliance with obligations relating to the manner in which
financial misconduct (which includes fruitless and wasteful expenditure) is handled.
The question should be answered with reference to this context. This will indicate the
need for control or substantive monitoring.

The updated version of GACP (2018) has an increased focus on the role of
compliance within an organisation’s broader enterprise risk management framework
and the importance of combined assurance.7

Combined assurance refers to assurance providers working together to ensure that

assurance in the right areas (depending on the organisation’s risk appetite) is
obtained, from the right resources in the most cost-effective way possible.8

Reference should be made to Part III of GACP, page 135, which contains a
description of the combined assurance process.

Suggested answer

Type of monitoring:

The monitoring that is undertaken must be appropriate for achieving monitoring

objectives. It should provide a basis for the provision of an opinion on the level of
fruitless and wasteful expenditure and compliance with obligations relating to the
manner in which financial misconduct is handled. This indicates that substantive
testing would be needed.

The monitoring will be a “reasonable assurance” engagement. In this regard, the

compliance function will seek to reduce the monitoring risk (the risk that a
compliance officer comes to an inappropriate conclusion) to an acceptably low level
in the circumstances of the engagement. Sufficient appropriate evidence must be
obtained to come to a monitoring conclusion in respect of the level of fruitless and
wasteful expenditure and compliance, i.e. relating to the monitoring objectives. The
conclusion would be expressed in a manner that conveys the compliance officer’s
opinion on the outcome of the monitoring. This can be framed in positive context, e.g.
“the level of fruitless and wasteful expenditure is ……”

Importantly, management has indicated that it is possible that fruitless and wasteful
expenditure could be incurred and not detected. Controls relating to the detection of
fruitless and wasteful expenditure are not considered to be adequate. Accordingly,
effectiveness / consistency testing relating to the relevant controls would not be
undertaken.

Independent substantive monitoring would be appropriate in the circumstances.

7
Refer GACP page 2.
8
Combined assurance definition in GACP.

CRR. September 2019 14

Independent monitoring is the compliance monitoring carried out by a compliance
function or other assurance function that is independent of management and the
controls, activities and processes being monitored. Where routine monitoring has
been undertaken, the outputs thereof would be considered.

Combined assurance:

The board of the SOE has not yet received an assurance report from the compliance
or internal audit functions covering fruitless and wasteful expenditure (as defined and
addressed in the PFMA). This could be addressed through the adoption of a
combined assurance process.

The question of why management’s understanding of the inadequacy of controls has

not been escalated or why the exposures were not addressed is relevant. A
combined assurance process should be designed to address this shortfall. In a
combined assurance model, management assurance may be sufficient for secondary
and low risk areas. However, in the circumstances of the scenario, this would not, on
its own, be appropriate.

In terms of the standards that relate to Principle 10, the compliance programme
should be coordinated with internal audit plans and risk management plans if these
functions exist in the organisation. In line with the principles of combined assurance,
the three assurance lines should agree on the appropriateness of the individual plans
and programmes. This could be achieved in the scenario by developing an
appropriate framework and facilitating engagement between management,
compliance and internal audit prior to undertaking the planned compliance
monitoring. The model that is applied should optimise all assurance services and
functions so that, taken as a whole, these enable effective control environment;
support the integrity of information used for internal decision-making by
management, the governing body and its committees, and support the integrity of the
organisation’s external reports.9

Experience has shown that there are significant conceptual and communication
challenges to overcome in the implementation of a combined assurance process.
Sound project and change management principles should be applied in this regard.
In view of the extent of the PFMA compliance risk exposure, the current monitoring
engagement will provide a valuable platform from which to develop a combined
assurance approach.

This could be undertaken with the support of a combined assurance sponsor (board
and executive level) and champions could be identified.

There should be a specific focus on the apparent communication challenges

(compliance function and management) and concerns relating to the role played by
the compliance function.

The combined assurance model should facilitate appropriate coverage of the

relevant PFMA obligations based on the risk assessments undertaken by
the respective lines of defense and there should be a basis for reliance on the
assurance provided by each of them.

The governing body should ensure that implementation of the combined assurance
model results in combining, coordinating and aligning assurance activities across the
9
Refer King IV.

CRR. September 2019 15

various lines of assurance.10

Effective and integrated reporting out of the combined assurance model should be
considered.

10
Refer GACP page 88.

CRR. September 2019 16