Fraud and Risk Management Policy - drakenstein.gov.za and... · The purpose of the fraud– and...
Fraud and Risk Management Policy
Date of Approval/Review by Council: 29 November 2017
Implementation Date: 29 November 2017
Table of contents
I Preamble
II Legal framework
III Definitions
IV Policy content
Part 1: Risk management
A Roles and responsibilities
B Risk Management Process
Part 2: Fraud Risk Management
C Procedures for reporting fraudulent and/or corrupt activities
D Responsibility to conduct investigations into cases of fraud
E Protection of whistle-blowers
F Pro-active approach
G Prevention measures
Part 3: Reporting
V Administration
VI Appendices
I Preamble
1. The purpose of the fraud– and risk management policy is to assist management with the risk
management process within the Drakenstein Municipality (“municipality”). This policy will assist
management to make informed decisions that will enable management to achieve, inter alia, the
following objectives:
1.1. Providing a level of assurance that current risks rated as significant are managed
effectively;
1.2. Improving operational performance through assistance to improve planning and
decision making processes;
1.3. Promoting an innovative, less risk averse culture;
1.4. Taking calculated risks in pursuit of opportunities to benefit the municipality;
1.5. Providing a sound basis for integrated risk management and internal control as
components of good corporate governance;
1.6. Reinforcing existing policies and procedures that are aimed at preventing, reacting to
and reducing the impact of fraud; and
1.7. Managing the susceptibility to fraud risks to reduce the likelihood of fraud occurring
within the municipality. Management can achieve this by raising the level of fraud
awareness amongst employees and other stakeholders.
2. By achieving the objectives listed above, the risk management process within the municipality
can contribute towards, inter alia, the following:
2.1. Increasing delivery of sustainable and reliable services;
2.2. Enhancing decision making underpinned by appropriate rigour and analysis;
2.3. Reducing waste;
2.4. Preventing fraud and corruption;
2.5. Limiting unforeseen shocks and crises;
2.6. Assisting to avoid reputational loss to the municipality;
2.7. Ensuring effective reporting that complies with laws and regulations;
2.8. Using resources more efficiently thus having better value for money; and
2.9. Improving project and programme management to deliver high-quality outcomes.
II Legal framework
1. Sections 62(1)(c)(i) and 95(c)(i) of the MFMA state that: “… The accounting officer of the
municipality and municipal entity is responsible for managing the financial administration of the
municipality, and must for this purpose take all reasonable steps to ensure that the municipality
has and maintains effective, efficient and transparent systems of financial and risk management
and internal control.”
2. The Accounting Officer has committed the municipality to implement and maintain an effective,
efficient and transparent system of risk management based on the National Treasury Public
Sector Risk Management Framework. The process of risk management is aligned to the principles
as set out in the King IV Report on Governance for South Africa 2016 and as supported by the
Municipal Finance Management Act (MFMA), Act no 56 of 2003.
3. The municipality is therefore committed to implement risk management within the municipality
and to embed a culture of risk management. A comprehensive approach is adopted to manage
risks. This policy further forms the basis of the strategy that was designed to assist the
municipality to achieve the objective in order to implement an effective risk management
process.
4. Section 112(m)(i) of the MFMA requires that the municipality must implement measures for:
“combating fraud, corruption, favouritism and unfair and irregular practices in municipal supply
chain management…”. It further states in section 115(b) that the municipality must “take all
reasonable steps to ensure that proper mechanisms and separation of duties in the supply chain
management system are in place to minimise the likelihood of fraud, corruption, favouritism and
unfair and irregular practices.”
5. The potential occurrence of fraud and corruption is not limited to the supply chain management
system. The municipality is therefore committed to implement fraud prevention measures within
the municipality to reduce the likelihood of fraud.
6. The municipality is further committed to protect whistle-blowers when they disclose information
relating to unlawful or irregular conduct involving the municipality or employees of the
municipality in terms of the Protected Disclosures Act, Act 26 of 2000.
III Definitions
1. In this policy, unless the context indicates otherwise, a word or expression to which a meaning has
been assigned in the Municipal Finance Management Act (“MFMA”) has the same meaning.
2. In interpreting the under-mentioned definitions, cognizance must also be taken of the definitions
as encapsulated in applicable enabling legislation.
Competent: Having the knowledge and skills to accomplish a certain task
Corruption: The giving or offering, receiving or agreeing to receive, obtaining or attempting to obtain any benefit which is not legally due to or by a person who has been charged with a duty or power by virtue of any employment, to do any act or omit to do any act in relation to that power or duty
Event: An incident or occurrence from internal or external sources to an institution that affects the achievement of the institution’s objectives
Favouritism: The practice of giving unfair preferential treatment to one person or group at the expense of another
Fraud: An unlawful and intentional making of a misrepresentation, which is prejudicial or potentially prejudicial to another. The term is used to describe acts such as deception, bribery, forgery, extortion, theft, conspiracy, embezzlement, misappropriation, false representation, concealment of material facts, collusion etc.
Impact: A result or effect of an event. The impact of an event can be positive or negative. A negative event is referred to as a “risk”. Impact can also be referred to as consequence
Inherent: The risk to an entity in the absence of any actions management might take to alter either the risk’s impact or likelihood. In other words, the impact that the risk will have on the achievement of objectives if the current controls that are in place are not considered
Integrated Risk Management: A process, effected by the municipality’s accounting officer, management and other personnel, applied in strategy setting across the municipality. It is designed to identify potential events that may affect the municipality and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of municipal objectives.
Likelihood / Probability: The probability of the event occurring; can also be referred to as severity
Mitigation / Treatment: After comparing the risk score (severity rating = impact × likelihood) with the risk tolerance, risks with unacceptable levels of risk will require treatment plans (additional action to be taken by management)
Operations: Used with “objectives”, having to do with the effectiveness and efficiency of the municipality’s activities, including performance and profitability goals, and safeguarding resources against loss
Priority / Key Risk: Risks that are rated high on an inherent level. Risks that need to be acted upon. Risks that pose a serious threat to the municipality
Project Risk: Risks that are identified for all major projects, covering the whole lifecycle, and for long-term projects
Residual: The remaining exposure after the controls/treatments have been taken into consideration. (The remaining risk after management has put in place measures to control the inherent risk)
Risk: Uncertain future events that could adversely influence the achievement of our strategic and business objectives. An event can only be a risk if it is a threat to the municipality
Risk appetite: The acceptable level or amount of risk that the municipality is willing to accept, before action is needed to reduce it
Risk culture: The set of shared attitudes, values and practices that characterise how the municipality considers risk in its day-to-day activities
Risk Management: A systematic and formalised process instituted by the municipality to identify, assess, manage, monitor and report risks to ensure the achievement of objectives
Risk Owner: The person responsible for managing a particular risk
Risk Profile / Register: Also known as the risk register. The risk profile will outline the number of risks, type of risk and potential effects of the risk. This outline will allow the municipality to anticipate additional costs or disruptions to operations. Also describes the willingness of a company to take risks and how those risks will affect the operational strategy of the municipality
Risk Response: Management develops strategies to reduce or eliminate the threats and events that create risks
Risk Tolerance: The amount of risk the municipality is capable of bearing (as opposed to the amount of risk it is willing to bear, the “risk appetite”)
Stakeholders: Parties that are affected by the municipality, such as the communities in which the municipality operates, employees, suppliers etc.
Strategic: Used with “objectives”, it has to do with high-level goals that are aligned with and support the municipality’s mission or vision
Theft: The unlawful and intentional misappropriation of another’s property or property which is in his / her lawful possession, with the intention to deprive the owner of its rights permanently
IV Policy content
Part 1: Risk management
1. The municipality can be exposed to a wide variety of risks. These risks include operational and
other risks that are material and require comprehensive controls and ongoing oversight to
manage.
2. The municipality adopted an integrated approach to risk management that enables the
municipality to be equipped to identify events that may have an impact on achieving the
municipality’s objectives and to manage risks according to the municipality’s risk appetite.
3. The municipality strives to enforce a culture of disciplined risk-taking and therefore risk
management is implemented across the municipality as per the structure in the diagram below:
Diagram 1: Drakenstein municipality’s risk management structure
[Diagram not reproduced. Labels shown: Council; Audit Committee; Accounting Officer; Fraud and Risk Management Committee; Internal Audit; Risk Management; Financial Services; Corporate Services; Community Services; Engineering Services; Planning and Development]
A Roles and responsibilities
4. Management is responsible to identify and manage risks; however, each employee can contribute
towards successful risk management within the municipality.
5. To manage risk effectively, the municipality has established the roles and responsibilities of each
stakeholder within the following four categories:
5.1. Risk Management Oversight;
5.2. Risk Management Implementers;
5.3. Risk Management Support; and
5.4. Risk Management Assurance Providers.
Risk management oversight
6. The risk management function within the municipality is overseen by the following three
stakeholders which will be dealt with separately below:
6.1. Executive Authority (“Council”);
6.2. Fraud– and Risk Management Committee (“FARMCO”); and
6.3. Audit Committee
7. The Council is responsible to perform, inter alia, the following:
7.1. Ensure that risk management systems within the municipality are functional as these
systems can assist in protecting the municipality against significant risks;
7.2. Ensure that the municipality achieves its objectives as per the Service Delivery and
Budget Implementation Plan (“SDBIP”); and
7.3. Fulfil the following functions to fulfil their risk management mandate:
Table 1: Risk Management functions for the council
Ref. Function
01 Approve the levels of risk appetite with guidance from the Chief Risk Officer
(“CRO”) and FARMCO
02 Approve the Fraud– and Risk Management Policy by council resolution
03 Ensure that IT, fraud and Occupational Health and Safety (“OHS”) risks are
considered as part of the municipality’s risk management activities
04 Ensure that risk assessments (strategic and operational) are performed by
reviewing the FARMCO reports
05 Ensure that management implements, monitors and evaluates performance
through the FARMCO reports
06 Ensure that assurance regarding the effectiveness of the integrated risk
management process is received from the Audit Committee
07 Disclose how they have satisfied themselves that risk assessments,
responses and interventions are effective as well as undue, unexpected or
unusual risks and any material losses (the annual report to include a risk
disclosure)
8. FARMCO is a committee appointed by the Accounting Officer to assist the Accounting Officer with
the risk management responsibilities associated with the position. The main role of FARMCO as
per the FARMCO charter is to:
8.1. Review, inter alia, the following:
8.1.1. Progression of risk management;
8.1.2. Maturity of the municipality in managing risks;
8.1.3. Effectiveness of risk management activities; and
8.1.4. Identification of key risks within the municipality and the responses to
manage these risks.
8.2. Perform the following duties to fulfil their risk management mandate:
Table 2: Risk management functions for the FARMCO
Ref. Function
01 Formally define its roles and responsibilities with respect to risk
management in its charter
02 Meet on a regular basis
03 Review and recommend for the approval by the Accounting Officer, the risk
appetite
04 Review and recommend for the approval by the Accounting Officer, the
fraud– and risk management policy
05 Review and recommend for the approval by the Accounting Officer, the risk
management implementation plan
06 Review and recommend for the approval by the Accounting Officer, the
fraud prevention implementation plan
07 Arrange for top risks to be formally re-evaluated
08 Advise council on how to improve management of the municipality’s risks
09 Review risk management progress
10 Provide a timely and useful fraud– and risk management report to the
Accounting Officer. The report should contain the state of fraud and risk
management within the municipality accompanied by, inter alia, the
following recommendations:
a) The key strategic risks facing the municipality;
b) The key operational risks per directorate/department (minimum the
top 5 identified risks); and
c) Any risk developments (changes) / incidents / losses; and
recommendations to address any deficiencies identified.
11 Measure and understand the municipality’s overall exposure to IT risks and
ensure that proper processes are in place
12 Review the risk registers/dashboard at each meeting and update the
register’s contents to reflect any changes without formally reassessing the
risks
13 Provide guidance to the Accounting Officer, CRO and other relevant risk
management stakeholders on how to manage risks to an acceptable level
9. The Audit Committee is an independent committee responsible for the oversight of the
municipality’s control, governance and risk management. The primary role of the Audit
Committee is, inter alia, the following:
9.1. Providing an independent and objective view of the municipality’s risk management
process as per their responsibilities, which is formally defined within the Audit
Committee Charter;
9.2. Ensuring that financial, information technology (“IT”) and fraud risks relating to financial
reporting are identified and managed; and
9.3. Performing the following functions to fulfil their risk management mandate:
Table 3: Risk management functions for the Audit Committee
Ref. Function
01 Formally define its responsibility with respect to risk management in its
charter
02 Meet on a quarterly basis (minutes of the FARMCO meeting should be a
standard agenda item at these meetings)
03 Review and recommend disclosures on matters of risk in the annual report
04 Include statements regarding risk management performance in the annual
report to stakeholders
05 Provide an independent and objective view of the municipality’s risk
management effectiveness
06 Evaluate the effectiveness of Internal Audit in providing assurance on risk
management
07 Ensure that a combined assurance model is applied to provide a
coordinated approach to all assurance activities
08 Review the internal and external audit plans and ensure that these plans
address the risk areas of the municipality
Risk Management Implementers
10. The risk management process within the municipality is implemented by the following three
stakeholders which will be dealt with separately below:
10.1. Accounting Officer;
10.2. Members of the strategic management team (“SMT”); and
10.3. Employees.
11. The Accounting Officer needs to ensure effective risk management and is therefore responsible
for, inter alia, the following:
11.1. Promoting accountability;
11.2. Promoting integrity and other factors that will create a positive control environment
within the municipality; and
11.3. The Accounting Officer must perform the following functions to fulfil the Accounting
Officer’s risk management mandate:
Table 4: Risk management functions for the Accounting Officer
Ref. Function
01 Appoint a CRO and Risk Champions
02 Appoint a FARMCO with the necessary skills, competencies and attributes
03 Approve the FARMCO charter
04 Recommend the risk appetite to council for approval
05 Recommend the Fraud– and Risk Management Policy to council for approval
06 Approve the risk management implementation plan
07 Approve the fraud prevention implementation plan
08 Ensure appropriate action in respect of recommendations of the Audit
Committee, Internal Audit, External Audit and FARMCO to improve risk
management
09 Provide assurance to relevant stakeholders that key risks are properly
identified, assessed and mitigated by reviewing the report issued by the
FARMCO which should contain the state of risk management within the
municipality accompanied by, inter alia, the following recommendations:
a) The key strategic risks facing the municipality;
b) The key operational risks per directorate/department (minimum the top 5
identified risks); and
c) Any risk developments (changes) / incidents / losses; and
recommendations to address any deficiencies identified.
12. The SMT must ensure that risk management is implemented effectively within their management
areas through, inter alia, the following:
12.1. Promoting compliance with the risk appetite;
12.2. Continuously managing and addressing risks in conjunction with the risk management
appetite; and
12.3. Performing the following functions to fulfil their risk management mandate:
Table 5: Risk management functions for SMT
Ref. Function
01 Empower employees to perform effectively in their risk management
responsibilities
02 Devote personal attention to overseeing the management of key risks
within their area of responsibility
03 Maintain a co-operative relationship with the CRO and Risk Champions
04 Ensure that action plans to mitigate risks are implemented within their
management areas
05 Maintain the proper functioning of the control environment within their
area of responsibility
06 Continuously monitor the implementation of risk management within their
area of responsibility
07 Hold employees accountable for their specific risk management
responsibilities
13. All employees are responsible to integrate risk management within their daily activities. This
includes, but is not limited to:
13.1. Ensuring compliance with systems of internal control; and
13.2. Performing the following functions to fulfil their risk management responsibilities:
Table 6: Risk management functions for employees
Ref. Function
01 Take the time to read and understand the content in the risk management
policy, but more importantly their roles and responsibilities in the risk
management process
02 Apply the risk management process in their respective functions
03 Inform their supervisors and/or the risk management unit (CRO) of new risks
and significant changes
04 Co-operate with other role players in the risk management process
05 Provide information as required
Risk Management Support
14. The Risk Management Division is responsible to co-ordinate the risk management process within
the municipality. The following role players are responsible to provide support to the municipality
to manage risks which will be dealt with separately below:
14.1. CRO; and
14.2. Risk champions.
15. The CRO is the custodian of the risk management strategy and the coordinator of risk
management activities throughout the municipality. The primary responsibility of the CRO is,
inter alia, the following:
15.1. Applying specialist expertise to assist the municipality to embed risk management and
leverage its benefits to enhance the performance of the municipality; and
15.2. Performing the following functions to fulfil the CRO’s risk management mandate:
Table 7: Risk management functions for the CRO
Ref. Function
01 Assist the Accounting Officer to determine/review the risk appetite
02 Review the fraud– and risk management policy
03 Draft the risk management implementation plan
04 Draft the fraud prevention implementation plan
05 Coordinate and facilitate the assessments
06 Consolidate risks identified by the various Risk Champions
07 Prepare risk registers, reports and dashboards for submission to the FARMCO
and other role players
08 Ensure that all risk information is updated
09 Ensure that all IT, Fraud, OHS and Compliance risks are considered as part of
the municipality’s risk management activities
10 Coordinate the implementation of action plans
11 Ensure that risk assessments are performed and reported to the FARMCO
12 Avail the approved risk registers to Internal Audit on request
16. Risk Champions are individuals appointed to assist risk owners to fulfil their risk management
duties, without assuming the role as risk owners.
16.1. Risk Champions will be appointed by the Accounting Officer and will possess the
following skills that will assist them to co-ordinate risk management within their
respective directorates over and above their daily duties:
16.1.1. A good understanding of risk management concepts, principles and
processes;
16.1.2. Good analytical skills;
16.1.3. Expert power;
16.1.4. Leadership and motivational qualities; and
16.1.5. Good communication skills.
16.2. Risk Champions must perform the following functions to fulfil their risk management
responsibilities:
Table 8: Risk management functions for risk champions
Ref. Function
01 Facilitate all operational risk assessments related to their daily tasks
02 Ensure that each key risk has a nominated risk owner
03 Populate the risk registers/dashboard
04 Ensure that all risk information is updated
05 Co-ordinate the implementation of action plans for the risk and report on
any developments regarding the risk
Risk Management Assurance Providers
17. Assurance of risk management can be provided both internally and externally by the following
role players which will be dealt with separately below:
17.1. Internal Audit; and
17.2. External Audit
18. Internal Audit is responsible to provide independent and objective assurance to Council
regarding the effectiveness of risk management within the municipality. Further responsibilities
include, inter alia, the following:
18.1. Assist in providing a systematic disciplined approach to evaluate and improve the
effectiveness of the entire risk management system and provide recommendations for
improvement where necessary;
18.2. Provide a written assessment of the effectiveness of the municipality’s system of
internal control and risk management; and
18.3. Internal audit must perform the following functions to fulfil their risk management
mandate:
Table 9: Risk management functions for Internal Audit
Ref. Function
01 Provide assurance on the risk management process design and its
effectiveness
02 Provide assurance on the management of “key risks”, including the
effectiveness of the controls and other responses to the “key risks”
03 Provide assurance on the assessment and reporting of risk and controls
04 Prepare a rolling three (3) year Internal Audit plan based on its assessment of
key risk areas
19. External Audit (Auditor General) will increasingly focus more on the effectiveness of risk
management within the municipality.
B Risk Management Process
20. The risk management process within the municipality consists of eight (8) components, which are
based on the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”)
framework principles. These eight (8) components, which will be dealt with separately below,
holistically contribute towards managing risks successfully within the municipality:
20.1. Internal environment;
20.2. Objective setting;
20.3. Event identification;
20.4. Risk assessment;
20.5. Risk response;
20.6. Control activities;
20.7. Information and communication; and
20.8. Monitoring.
Internal environment
21. The internal environment encompasses the tone of the municipality to provide discipline and
structure by influencing, inter alia, the following:
21.1. The risk consciousness of its people; and
21.2. The foundation for all other components of risk management.
22. The following ten (10) factors need to be considered when addressing the internal environment
of the municipality:
22.1. The municipality’s risk management philosophy:
22.1.1. The CRO must communicate the risk philosophy effectively within the
municipality to ensure that all personnel understand the municipality’s
commitment to risk management; and
22.1.2. Management must reinforce the risk management philosophy within their
management areas to ensure that risk management forms part of daily
activities.
22.2. The municipality’s risk appetite
22.2.1. The municipality has a risk appetite rating of 45;
22.2.2. The risk appetite of the municipality is directly related to the municipality’s
strategy and therefore it is considered a strategy setting;
22.2.3. The desired return from a strategy must be aligned with the municipality’s
risk appetite; and
22.2.4. The municipality should address all risks greater than or equal to a residual
risk exposure rating of 45. Addressing these risks will assist the municipality
to avoid exposure to losses and to manage actions that can pose a
reputational risk to the municipality.
22.3. The municipality’s risk culture
22.3.1. Management should consider how the risk culture affects and aligns with
other elements of risk management; and
22.3.2. Management may take the necessary steps to reshape the risk culture where
a misalignment exists between the risk culture and other elements of risk
management. This may include, inter alia, the following:
a. Reviewing the philosophy;
b. Re-evaluating the risk appetite; and
c. Re-assessing how the risk culture applies to risk management.
22.4. Integrity and ethical values
22.4.1. Integrity and ethical values affect the design, administration and
monitoring of other risk management components within the municipality;
22.4.2. Management must therefore take into consideration the concerns of the
municipality, employees, suppliers and the public as the integrity and ethical
values are essential elements of the municipality; and
22.4.3. The standard behaviour of management must go beyond mere compliance
with legislation to ensure that the municipality maintains a good reputation;
therefore, management must act with integrity, as this is a prerequisite for
ethical behaviour.
22.5. Commitment to Competence
22.5.1. The municipality’s strategy and objectives need to be achieved, therefore
management should assign competent employees to complete those tasks;
22.5.2. Management can decide on the competency levels for specific positions and
translate those levels into the knowledge and skills required for the
position; and
22.5.3. Knowledge and skills depend on the individual’s intelligence, experience and
training.
22.6. Management's philosophy and operating style
22.6.1. Management's philosophy and operating style affect the way the
municipality is managed, including the types of risks being accepted;
22.6.2. The attitude and daily operating style of senior management affect the
extent to which actions are aligned with risk philosophy and appetite. For
example:
a. An undisciplined operating style is often associated with an appetite for
high risk, but it can also encourage a high-risk appetite.
22.6.3. To create an effective environment, risks should not be avoided, but rather
acknowledged; and
22.6.4. Management should be aware of the risks associated with the strategic
choices and the operating environment, both internal and external to the
municipality.
22.7. Organisational structure
22.7.1. The organisational structure provides the framework to plan, execute,
control and monitor activities within the municipality;
22.7.2. The organisational structure includes defining key areas of authority and
responsibility and establishing appropriate lines of reporting. For example:
A risk management function should be structured in a manner that achieves
organisational objectivity and permits full and unrestricted access to senior
management, FARMCO and the audit committee.
22.7.3. The CRO should report to a level within the municipality that allows the risk
management activity to fulfil its responsibilities; and
Regardless of the municipality’s organisational structure, the municipality should be structured in a
manner that enables the municipality to effectively manage risks, carry out its activities and achieve
its objectives.
22.8. Assignment of Authority and Responsibility
22.8.1. Delegations should only be to an extent required to achieve objectives;
22.8.2. Management should ensure that risk acceptance is based on sound practices
for risk identification and assessment to make good business decisions;
22.8.3. Management should consider, inter alia, the following when making
decisions:
a. The assessment of risks; and
b. Weighing of potential losses versus gains.
22.8.4. Management should ensure that all personnel understand the municipality’s
objectives. It is essential that individuals know how their actions interrelate
and contribute to achievement of the municipality’s objectives; and
22.8.5. The Accounting Officer, with executive authority oversight, is ultimately
responsible for all activities within the municipality. It is therefore important
that all individuals recognise what they are accountable for as this may have
an impact on the internal environment.
22.9. Human Resource Policies and Practices
22.9.1. Human resource practices include, inter alia, the following:
a. Recruitment of employees;
b. Orientation, training and evaluation of employees;
c. Counselling of employees when necessary;
d. Promoting and compensating employees;
e. Taking remedial actions against employees when necessary; and
f. Informing employees regarding expected levels of integrity, ethical
behaviour and competence.
22.9.2. The municipality should be committed to appointing competent, trustworthy
individuals. It is therefore recommended that the most qualified individuals
are hired with the emphasis on, inter alia, the following:
a. Educational background and prior work experience;
b. Past accomplishments; and
c. Evidence of integrity and ethical behaviour.
Hiring on this basis demonstrates the municipality’s commitment to competent
and trustworthy people. The same is true when recruiting practices include
formal, in-depth employment interviews and informative and insightful
presentations on the institution’s history, culture and operating style.
22.9.3. Employees should be equipped to address risks, challenges and issues that
may arise within the municipality;
22.9.4. Due to a change in the environment as a result of changing technologies,
legislation and other external factors, it is important that employees stay
informed; and
22.9.5. Appointing competent individuals and providing a once-off training
session is not sufficient. Education is a continuous process and therefore
the upskilling of staff through internal and external training initiatives
should be encouraged.
22.10. Difference in Environment.
22.10.1. The internal environment of an institution’s autonomous subsidiaries,
divisions and other units can vary widely due to differences in senior
management's preferences, value judgments and management styles;
22.10.2. It is unlikely that internal environments will be the same when directorates
are managed by different senior managers, each with their own
management style;
22.10.3. Due to a difference in environments, it is important to establish what impact
the varying internal environments may have on other components of risk
management; and
22.10.4. An ineffective internal environment may have far-reaching implications,
both financial and reputational, for the municipality and thus the internal
environment should be managed adequately.
Objective setting
23. Objectives are set on a strategic level to establish the basis for operations, reporting, and
compliance to the objectives. The objectives are aligned with the municipality’s risk appetite,
which drives the risk tolerance levels for the municipality’s activities.
24. Setting objectives is a prerequisite for identifying events, assessing risks and responding to risks. Risks
cannot be identified and actions to mitigate risks cannot be implemented if management is not
aware of the objectives that they need to achieve.
25. Management should consider the following five (5) factors with regard to objective setting:
25.1. Strategic objectives
25.1.1. Management formulates and sets strategic objectives based on the
municipality’s mission and what they aspire to achieve; and
25.1.2. The strategic objectives reflect the decisions made by management to
provide value to its stakeholders.
25.2. Related objectives
25.2.1. Related objectives aligned to strategic objectives should be developed by
management on an operational level, that once achieved will create and
preserve value;
25.2.2. All personnel at the municipality are required to have a requisite
understanding of the municipality’s objectives. The objectives should
therefore be readily understood and measurable;
25.2.3. All personnel should have a mutual understanding of what needs to be
accomplished and how accomplishments will be measured as these
objectives relate to the individual’s sphere of influence; and
25.2.4. Related objectives can be divided into the following three (3) categories:
a. The operations objectives relate to the effectiveness and efficiency of
the municipality’s operations. This includes performance and
profitability goals as well as the safeguarding of the municipality’s
resources.
b. The reporting objectives relate to the reliability of both internal and
external reporting and may include financial or non-financial
information as well.
c. The compliance objectives relate to adherence to the relevant laws and
regulations with which the municipality must comply.
25.3. Selected objectives
25.3.1. As part of the risk management process, senior management must select
objectives after they have considered how these objectives will support the
municipality’s strategy and mission/vision; and
25.3.2. Selected objectives should be aligned with the municipality’s risk appetite for
management to ensure that misalignment does not cause, inter alia, the
following:
a. That the municipality does not accept enough risks to achieve its
objectives; and
b. That the municipality does not accept undue risks.
25.4. Risk appetite
25.4.1. Management should first consider the risk appetite before they decide to
accept risks in order to achieve their objectives as all risks above the risk
appetite should be mitigated.
25.5. Risk tolerance
25.5.1. Risk tolerance reflects the acceptable variation in outcomes related to
specific performance measures. Management should therefore consider risk
tolerance in order to achieve the municipality’s objectives.
Event Identification
26. Event identification is the process used by the municipality to identify potential events that can
affect the municipality’s ability to successfully implement strategies and achieve objectives.
27. A variety of internal and external factors can lead to the occurrence of events. Management
therefore needs to consider the full scope of the municipality when identifying events, which may
have a positive or negative impact on the municipality.
28. Management needs to consider the following five (5) factors when identifying events:
28.1. Factors Influencing Strategy and Objectives
28.1.1. Employees need to recognise the importance of understanding internal and
external factors and the types of events that can emanate from these factors;
28.1.2. Management should consider all current factors as well as those that may
occur in the future when identifying events; and
28.1.3. Management should consider the following internal and external factors as
tabled below:
Table 10: Internal and external factors to be considered
No | Internal | External
1 | Infrastructure | Economic and business environment
2 | Personnel | Natural environment
3 | Process | Political environment
4 | Technology | Social environment
5 | - | Technological environment
28.2. Methodologies and techniques
28.2.1. Management may use various techniques and tools to identify and assess
events that may potentially have an impact on the municipality; and
28.2.2. The risk methodology should include techniques and tools that can be used
by the municipality to identify events. Event identification techniques and
tools may include, but are not limited to, the following:
a. Workshops presented by a facilitator using technology-based tools to
assist participants in identifying and assessing risks;
b. Analysis of past events such as payment default histories, changes in
commodity prices as well as incidents that resulted in reduced
productivity; and
c. Techniques that focus on future exposures such as shifting
demographics and new market conditions.
28.3. Event interdependencies
28.3.1. Management should understand how events interrelate, as events do not
occur in isolation. One event can trigger another and can also occur
concurrently; and
28.3.2. Management should consider the interrelationships between events when
they identify and assess these events. This will enable management to direct
their risk management efforts where it is required the most, for example:
A change to a central bank interest rate affects foreign exchange rates, which
will have an effect on the municipality’s currency transaction gains and
losses.
28.4. Event categories
28.4.1. Potential events can be grouped together into categories as this may assist
management to understand the interrelationship between events;
28.4.2. Potential events can be aggregated horizontally across the municipality and
vertically within the operating units;
28.4.3. Management can gain enhanced information by grouping similar potential
events together. This will assist management to determine potential
opportunities and risks and forms the basis of assessing the risks;
28.4.4. Categorizing events will also assist management to determine the
completeness of their event identification efforts; and
28.4.5. It may be useful to group potential events into categories. By aggregating
events horizontally across the municipality and vertically within operating
units, management develops an understanding of the interrelationships
between events, gaining enhanced information as a basis for risk
assessment. By grouping together similar potential events, management can
better determine potential opportunities and risks. Event categorisation also
allows management to consider the completeness of its event identification
efforts.
28.5. Risks and opportunities
28.5.1. Events that may have a potentially positive impact on the municipality
represent opportunities. These opportunities should be channelled back to
the strategy and objective setting process by management;
28.5.2. Events that may have a potentially negative impact on the municipality
represent risks. These risks require management’s assessment and response;
and
28.5.3. To avoid overlooking relevant events that might occur, management needs to
consider the likelihood of an event occurring, as they cannot foresee when
an event may occur.
Risk Assessment
29. The assessment of risks allows the municipality to consider the extent to which potential events
might affect the ability to achieve objectives.
30. Management should consider potential future events that are relevant to the municipality and
its activities, by taking into consideration the following factors:
30.1. The size of the municipality;
30.2. The complexity of the municipality’s operations; and
30.3. The degree of regulation over the municipality’s activities that affects the risk profile
and influences the methodology used to assess risks.
31. The impact of positive and negative events should be examined either on an individual basis or
through a category across the municipality, depending on management’s decision.
31.1. Management must evaluate risks according to the impact and likelihood of the risk
occurring as per the Risk Assessment Methodology. Both the impact and likelihood of
risks will be evaluated on an inherent and residual basis.
31.1.1. Inherent risk: Management must assess the inherent impact and likelihood
of a risk in the absence of any actions to respond to the risk and before the
implementation of controls to mitigate the risk.
31.1.2. Residual risk
a. Management needs to respond to the risks, whereafter the residual
likelihood can be assessed; and
b. Once management has responded to the risks, the residual risk will be
determined through risk assessment techniques specified within the risk
assessment methodology.
Risk Response
32. It is management’s decision how they will respond to risks once all the relevant risks have been
assessed. The following risk responses are available:
32.1. Terminate – The termination/avoidance of the risk
32.1.1. Management may decide to take action to terminate the activities giving rise
to risk which may include, inter alia, the following:
a. Terminating services;
b. Declining developments to new geographical areas; and
c. Dissolving units.
32.2. Treatment – The reduction of the risk
32.2.1. Management may decide to take action to reduce the risk likelihood and/or
impact. This may involve any of a myriad of everyday business decisions.
32.3. Transfer – The sharing of the risk
32.3.1. Management may decide to take action to reduce risk likelihood or impact
by transferring or otherwise sharing a portion of the risk; and
32.3.2. Common risk sharing techniques can include, inter alia, the following:
a. Purchasing insurance products;
b. Pooling risks;
c. Engaging in hedging transactions; and
d. Outsourcing an activity.
32.4. Tolerate – The acceptance of the risk
32.4.1. Management may decide not to take any action that will affect the impact
or likelihood of a risk; and
32.4.2. Management should refer to the following diagram as a guide when deciding
on the appropriate risk response for a risk:
Diagram 1: Risk response strategy
33. Prior to management making a decision on the risk response, management needs to consider,
inter alia, the following:
33.1. The desired risk tolerance level provided that it is below the risk appetite;
33.2. The costs and benefits involved to implement controls and/or action plans to mitigate
the risks;
33.3. Whether the implementation of these controls and action plans are realistic and
sustainable; and
33.4. The purpose of risk response is for management to achieve a residual risk level aligned
with the municipality’s risk tolerance. To achieve this, management should consider
how individual responses or a combination thereof may affect potential events as this
may have an effect on, inter alia, the following:
33.4.1. The likelihood and impact on one or more potential events taking into
consideration past events and trends as well as future scenarios;
33.4.2. The efficiency of controls; and
33.4.3. Additional actions that are warranted.
34. Management should determine the potential effect on risk responses using the same units of
measure for the objectives and associated risk in the risk assessment component.
Control Activities
35. The municipality has various policies and procedures in place. These are the control activities
within the municipality and assist management to ensure that risk responses are carried out.
36. The types of control activities implemented by the municipality can be categorised in the
following three (3) categories:
36.1. Preventative controls
[Diagram 1 content: axes Likelihood and Impact; quadrants labelled Medium risk, High risk, Low risk and Low risk; responses shown: Transfer (Insurance), Terminate and treat (Control), Tolerate (Risk appetite), Treat & monitor (Control).]
36.1.1. Controls that are designed and implemented by management to prevent
errors and/or irregularities from occurring.
36.2. Detective controls
36.2.1. Controls that are designed and implemented by management to detect
errors and/or irregularities that may occur.
36.3. Corrective controls
36.3.1. Controls that are designed and implemented to correct errors and
irregularities that occurred.
37. Control activities are implemented throughout the municipality across all levels and functions and
can be executed through the following:
37.1. Manually
37.1.1. These are controls that are performed by people; and
37.1.2. Manual controls can include, but are not limited to, the following:
a. Approvals and authorisations by authorised personnel;
b. Reconciliations;
c. Reviews of operating performance;
d. Security of assets;
e. Segregation of duties; and
f. Verifications.
37.2. Automatically
37.2.1. These are controls that are embedded within application code;
37.2.2. The municipality relies on various information systems and therefore
controls are required to oversee these systems; and
37.2.3. The automatic controls implemented by the municipality can be grouped in
the following two (2) categories:
a. General controls:
i. These controls apply to all the systems from the mainframe to the
client/server and desktop environment; and
ii. These general controls include controls over, inter alia, the
following:
Information technology management;
Information technology infrastructure;
Security management and software acquisition; and
Development and maintenance.
b. Application controls:
i. These controls are designed to ensure completeness, accuracy,
authorisation and the validity of data capturing and processing;
ii. Application controls rely on computerised edit checks to detect
interface errors quickly and to prevent errors from entering the
system and allowing the correcting of errors once detected; and
iii. Application controls consist of, inter alia, the following:
Format of data entered;
Validation of the existence of data;
Reasonableness of data entered; and
Any other data validations that were built into an application
during development.
38. The effectiveness of control activities is evaluated when assessing risks. Based on the control
effectiveness, the residual risk exposure will be calculated which will indicate whether the risk is
above or below the risk appetite and tolerance levels of the municipality.
39. Similarly to the risk appetite, the risk tolerance levels should be monitored to ensure that the
municipality does not tolerate more risks than what the municipality is capable of bearing.
Information and communication
40. Communication of relevant information internally and externally plays a vital role to enable all
employees to carry out their responsibilities. Effective communication and the gathering of
processed data will enable employees to address and manage risks.
41. Data and information relevant to the management of the municipality and possible events should
be gathered through internal information systems as well as external events, activities and
conditions.
42. Pertinent information relevant to the effective management of risks within the municipality is
then identified, captured and communicated in a manner and timeframe agreed by management.
43. All employees must be informed of their responsibilities regarding risk management and how
their individual activities relate to the work of others. It is the responsibility of risk owners to
ensure that this is communicated and monitored on a continuous basis.
44. To ensure that communication is effective within the municipality, employees should be
encouraged to communicate significant information to management.
Monitoring
45. Risk management can change over a period of time due to changes in the municipality’s structure
and objectives, new processes or the appointment of new personnel. As a result of these changes,
responses that were once effective may become irrelevant and activities may become less
effective or no longer be performed.
45.1. Risk management should therefore be monitored through the assessment of the
presence and functionality of its components over a period of time through the
following activities:
45.2. On-going monitoring activities
45.2.1. Continuous monitoring of activities forms part of management’s normal
activities to monitor the effectiveness of risk management; and
45.2.2. On-going monitoring activities can include, but are not limited to, the following:
a. Variance analysis;
b. Stress testing;
c. Comparisons; and
d. Reconciliations.
45.3. Separate evaluation activities
45.3.1. The scope and frequency of separate evaluations will depend primarily on
the assessment of risks and the effectiveness of the monitoring procedures;
45.3.2. Deficiencies will be escalated progressively and serious matters must be
reported to SMT and the Accounting Officer; and
45.3.3. Internal Audit will be responsible to assess the existence and functioning of
the eight (8) components of the risk management process at a certain point
in time.
Part 2: Fraud Risk Management
46. The municipality is committed to eliminating fraud and fosters a culture of zero tolerance towards
fraud and all its activities. The municipality therefore undertakes to combat all forms of fraud and
corruption as well as to remain pro-active in the fight against fraud.
47. The municipality must investigate all allegations of fraud, corruption, theft, maladministration or
any other dishonest activities of a similar nature. This includes the suspicion that fraud is
occurring, attempts to commit fraud or incidents where fraud has already occurred. The outcome
of these investigations must then be used to apply appropriate remedies to the full extent of the
law.
48. The municipality must develop and enforce appropriate prevention and detection controls. The
primary means of detecting fraud must remain a sound system of internal control and regular
internal audits.
49. Prevention and detection controls include existing financial and any other controls and
monitoring mechanisms implemented by the municipality as prescribed by policies and
regulations applicable to the municipality.
C Procedures for reporting fraudulent and/or corrupt activities
50. All councillors, employees, stakeholders, service providers and ratepayers must report any
reasonable suspicions, allegations and incidents of fraud regardless of the value to the
municipality.
51. The municipality must encourage members of the public and/or service providers who suspect
fraud to report it to the municipality through one of the approved mechanisms.
52. Employees that become aware or suspect incidents of fraud or acts of dishonesty must report the
incident through any of the following approved mechanisms:
52.1. Reporting the matter to the immediate supervisor or the next level of management if
the immediate supervisor is suspected to be a party to the alleged fraud or acts of
dishonesty;
52.2. The Accounting Officer;
52.3. The CRO; and
52.4. The hotline.
52.4.1. The municipality must have a hotline not administered by the municipality. The
hotline must be a reporting channel where employees, suppliers, contractors
or any other third party can report irregular activities without being
victimised or suffering repercussions;
52.4.2. The hotline must be able to give assurance of anonymity if the whistle blower
chooses to remain anonymous;
52.4.3. The municipality must commit to investigate all irregularities reported
through the hotline regardless of the seniority of the alleged offender; and
52.4.4. When the municipality receives reports of dishonest acts, the municipality
must take decisive corrective and protective steps to limit the municipality’s
exposure to further losses.
53. The Accounting Officer must, upon receiving a report of fraud from an external person, write to
the person making the report stating the following:
53.1. Acknowledging that the concern has been received;
53.2. Indicating how the Accounting Officer proposes to deal with the matter and whether
any initial inquiries have been made;
53.3. Providing an estimate on the timeframe by when feedback can be expected; and
53.4. Informing the person that made the report whether any further investigation will take
place and if not, a reason must be provided.
54. All incidents and/or allegations not directly reported to the CRO, must be reported to the CRO
within 24 hours (1 working day) from becoming aware of the incident and/or allegations.
55. Depending on the nature of the reports that were received through any of the reporting
mechanisms, the municipality can decide to:
55.1. Investigate the matter internally and/or with the assistance of an external service
provider; and/or
55.2. Refer the matter to the South African Police Services (“SAPS”) or any other law
enforcement agency.
56. The risk management unit will screen and monitor all investigations, whilst initiating,
co-ordinating and managing any forensic investigations where needed and/or recommending
appropriate steps.
57. The municipality will pursue any alleged fraud committed by an employee by conducting a
thorough investigation and to the full extent of the law. Where appropriate the municipality
should consider the following:
57.1. Taking disciplinary action against employees within a reasonable period of time after
the final report of the investigation becomes available; and/or
57.2. Reporting the matter to SAPS or any other relevant law enforcement agency to initiate
criminal prosecution; and/or
57.3. Instituting civil action to recover losses; and/or
57.4. Any other appropriate legal remedy available.
58. The Accounting Officer must ensure, in terms of section 62(1)(e) of the MFMA, that
disciplinary action or, when appropriate, criminal proceedings are instituted against any employee
of the municipality who has allegedly committed an act of financial misconduct or an offence.
59. Management is responsible to ensure that losses or damages suffered by the municipality as a
result of reported acts committed or omitted by an employee who reports to them are recovered
if the employee is found to be liable.
60. The responsible manager with assistance from other relevant managers must ensure that the
following steps are taken to comply with the MFMA and the Municipal Act regarding financial
misconduct incidents:
60.1. Ensuring that the disciplinary proceedings are carried out in accordance with the
relevant prescripts;
60.2. Submitting a schedule to the Auditor-General annually containing the following:
60.2.1. The outcome of any disciplinary hearings and/or criminal charges;
60.2.2. The names and ranks of employees involved; and
60.2.3. The sanctions and any further actions taken against these employees.
60.3. Determining the nature of the disciplinary process against an employee by taking the
following into account:
60.3.1. The circumstances of the transgression;
60.3.2. The extent of the expenditure involved;
60.3.3. The nature and seriousness of the transgression; and
60.3.4. Reporting losses to the SAPS, the Accounting Officer and the Chief Financial
Officer.
D Responsibility to conduct investigations into cases of fraud
61. The municipality is legally required in terms of section 171(4)(a) of the MFMA to investigate all
allegations of fraud, therefore the Accounting Officer must ensure that allegations are
investigated. As a representative of the Accounting Officer, relevant line managers in consultation
with the CRO must investigate all allegations of fraud.
62. The relevant manager must report the following to the SAPS:
62.1. Irregular expenditure that constitutes a criminal offence; and
62.2. Fraud, theft and corruption that occurred within the municipality.
63. The risk management unit is authorised to:
63.1. Have direct, immediate and unrestricted access to all functions, records, and assets and
personnel information, which includes, but is not limited to, inter alia, the following:
63.1.1. Labour relations;
63.1.2. Legal Advisory;
63.1.3. Insurance claims; and
63.1.4. Payroll information.
63.2. Obtain the necessary assistance from employees in other departments and divisions
within the municipality as well as other specialised services from external providers
where required.
64. The CRO in consultation with the Accounting Officer is responsible to supply appropriate feedback
on the progress of investigations to all relevant parties on a “need to know” basis.
E Protection of whistle-blowers
65. No employee will suffer any penalty or retribution for good faith reporting of any suspected or
actual incident of fraud.
66. The municipality is responsible to ensure that all necessary steps are taken to protect employees
from reprisals, harassment and victimisation when employees disclose information relating to
suspected or actual incidents of fraud.
67. Employees who make any allegations in bad faith will be subject to disciplinary action. Where
external parties are involved, the municipality will take the appropriate action, as it deems
necessary.
68. In terms of the Protected Disclosures Act, Act 26 of 2000, a person shall not:
68.1. Prejudice, or threaten to prejudice, the safety or career of; or
68.2. Intimidate or harass, or threaten to intimidate or harass; or
68.3. Do any act that is, or is likely to be, to the detriment of another person because the
other person:
68.3.1. has assisted, is assisting or will or may in the future assist the Municipality
with the investigation;
68.3.2. has furnished, is furnishing or will or may in the future furnish information
to the Municipality; or
68.3.3. has been or is employed by, or acting on behalf of an independent agency or
appropriate authority to whom or which an allegation has been referred; or
68.3.4. has exercised a power or performed a duty, conferred or imposed on the other
person or is exercising or performing, or will or may in the future exercise or
perform, any such power or duty.
69. Whistle-blowers may choose not to disclose their identity or may request that their identity be kept
confidential. Concerns expressed anonymously are difficult to investigate; nevertheless, these
concerns will be followed up at the discretion of the municipality. This discretion will be applied
by taking into account the following:
69.1. The seriousness of the issue raised;
69.2. The credibility of the concern; and
69.3. The likelihood of confirming the allegation.
70. Through the investigation process, the source of the information may be revealed and employees
may be requested to provide statements that will form part of the evidence.
71. Management should discourage employees or any other person from making false accusations
with malicious intentions. Where it is discovered that an employee made false accusations, the
employee will be subject to the disciplinary process.
72. Any employee who seeks to conceal evidence of wrongdoing or to victimize and/or harass a
whistle blower, who has made a disclosure in good faith in terms of the Protected Disclosures
Act, will be subject to disciplinary action.
F Pro-active approach
73. The municipality must perform the following as part of their pro-active approach which is
essential to combat crime:
73.1. Actively identify instances of alleged fraud, theft and corruption using appropriate
prevention and detection mechanisms;
73.2. Perform a data interrogation exercise periodically on payroll records and procurement
transactions with the intention to identify patterns of potentially fraudulent behavior,
internal control implementation weaknesses and possible conflict of interest situations;
73.3. Ascertain the frequency with which the interrogation should be carried out on an
ongoing basis and plan for this, including establishing an expenditure budget;
73.4. Ensure that comprehensive background checks are carried out on prospective
employees, including, as considered appropriate, verification of previous employment
details, academic qualifications, citizenship, credit records and criminal records, with
due regard to the protection of personal information;
73.5. Ensure that comprehensive background checks are carried out on potential service
providers; and
73.6. Appropriately communicate all legislative requirements and obligations placed on the
municipality and its employees to ensure awareness thereof.
G Prevention measures
74. Management must create an environment and culture where employees believe that dishonest
acts will be detected, investigated and that the necessary corrective action will be taken.
75. Management must perform the following, which form part of the prevention measures
implemented by the municipality:
75.1. Participate in in-house training programs covering the following:
75.1.1. Prevention of fraud and corruption; and
75.1.2. The municipality’s code of ethics.
75.2. Ensure that staff understands that the internal controls are designed and intended to
prevent and detect fraud and corruption or any other dishonest activities of a similar
nature;
75.3. Encourage staff to report suspected fraud and corruption directly to those responsible
for investigation without fear of disclosure or retribution;
75.4. Require suppliers to agree in writing as a part of the contract process, to abide by the
Municipality’s policies and procedures, and avoid or declare any conflict of interest; and
75.5. Measures to prevent fraud and corruption should be continually monitored, reviewed
and developed particularly as new systems, programs, contracting or arrangements are
introduced or modified.
Part 3: Reporting
76. The Risk Management Division is responsible for compiling reports on a quarterly basis that need
to be discussed with SMT members, whereafter the final reports must be presented to FARMCO.
The following reports need to be compiled:
76.1. A report on the municipality’s strategic risks;
76.2. A report on the risks above the municipality’s risk appetite;
76.3. A report on the progress of the action plans to mitigate the municipality’s risks; and
76.4. A report on emerging issues or risks that require immediate attention.
77. All incidents and/or allegations formally reported to the CRO in writing must be added to the
confidential unethical incident register, where they will be monitored by the CRO. The unethical
incident register must also be tabled at the following meetings:
77.1. FARMCO for oversight and once accepted it can be tabled at:
77.1.1. Municipal Public Accounts Committee (“MPAC”) for oversight; and
77.1.2. Audit Committee for information purposes.
78. All reports of fraud, theft and corruption must be treated confidentially. The progress of
investigations will not be disclosed or discussed with any person(s) other than those who have a
legitimate right to such information as determined by the Accounting Officer and/or CRO. This is
a precaution by the municipality to avoid compromising the reputations of suspected persons
who are subsequently exonerated from any wrongful conduct.
79. No employee is authorized to supply any information with regard to reports of fraud, theft and
corruption, covered within this policy, to the media, or any other party, without the permission
of the Accounting Officer in consultation with the CRO.
80. The Accounting Officer in consultation with the CRO will decide whether any information relating
to corrective actions taken or sanctions imposed, regarding incidents of fraud should be brought
to the attention of other employees or made public through any other means.
V Administration
1. This policy must be reviewed annually by FARMCO to reflect the current stance on risk
management within the Drakenstein Municipality.
2. This policy must be approved every three (3) years by Council.
Recommended for approval by the Fraud and Risk Management Committee:
Meeting date: 20 October 2017
Approved by Council
Meeting date: 29 November 2017
VI Appendices
1. As part of the risk management process, the risk management division developed the following
documents to assist with fraud and risk management within the municipality:
A: Risk assessment methodology; and
B: Fraud and Risk Management implementation plan.
2. These documents do not form part of the Fraud and Risk Management Policy and reference
thereto is only for information purposes.
3. All documents listed above must be reviewed annually by FARMCO.