Fraud and Risk Management Policy

Date of Approval/Review by Council: 29 November 2017
Implementation Date: 29 November 2017

Table of contents

I Preamble
II Legal framework
III Definitions
IV Policy content
Part 1: Risk management
A Roles and responsibilities
B Risk Management Process
Part 2: Fraud Risk Management
C Procedures for reporting fraudulent and/or corrupt activities
D Responsibility to conduct investigations into cases of fraud
E Protection of whistle-blowers
F Pro-active approach
G Prevention measures
Part 3: Reporting
V Administration
VI Appendices


I Preamble

1. The purpose of the fraud and risk management policy is to assist management with the risk management process within the Drakenstein Municipality ("municipality"). This policy will assist management to make informed decisions that will enable management to achieve, inter alia, the following objectives:
1.1. Providing a level of assurance that current risks rated as significant are managed effectively;
1.2. Improving operational performance by helping to improve planning and decision-making processes;
1.3. Promoting an innovative, less risk-averse culture;
1.4. Taking calculated risks in pursuit of opportunities that benefit the municipality;
1.5. Providing a sound basis for integrated risk management and internal control as components of good corporate governance;
1.6. Reinforcing existing policies and procedures that are aimed at preventing, reacting to and reducing the impact of fraud; and
1.7. Managing the susceptibility to fraud risks to reduce the likelihood of fraud occurring within the municipality. Management can achieve this by raising the level of fraud awareness amongst employees and other stakeholders.

2. By achieving the objectives listed above, the risk management process within the municipality can contribute towards, inter alia, the following:
2.1. Increasing delivery of sustainable and reliable services;
2.2. Enhancing decision making underpinned by appropriate rigour and analysis;
2.3. Reducing waste;
2.4. Preventing fraud and corruption;
2.5. Limiting unforeseen shocks and crises;
2.6. Assisting to avoid reputational loss to the municipality;
2.7. Ensuring effective reporting that complies with laws and regulations;
2.8. Using resources more efficiently, thus obtaining better value for money; and
2.9. Improving project and programme management to deliver high-quality outcomes.


II Legal framework

1. Sections 62(1)(c)(i) and 95(c)(i) of the MFMA state that: "... The accounting officer of the municipality and municipal entity is responsible for managing the financial administration of the municipality, and must for this purpose take all reasonable steps to ensure that the municipality has and maintains effective, efficient and transparent systems of financial and risk management and internal control."

2. The Accounting Officer has committed the municipality to implementing and maintaining an effective, efficient and transparent system of risk management based on the National Treasury Public Sector Risk Management Framework. The risk management process is aligned to the principles set out in the King IV Report on Corporate Governance for South Africa 2016 and is supported by the Municipal Finance Management Act (MFMA), Act No. 56 of 2003.

3. The municipality is therefore committed to implementing risk management and to embedding a culture of risk management, and has adopted a comprehensive approach to managing risks. This policy also forms the basis of the strategy designed to assist the municipality in implementing an effective risk management process.

4. Section 112(1)(m)(i) of the MFMA requires that the municipality must implement measures for "combating fraud, corruption, favouritism and unfair and irregular practices in municipal supply chain management...". Section 115(1)(b) further states that the municipality must "take all reasonable steps to ensure that proper mechanisms and separation of duties in the supply chain management system are in place to minimise the likelihood of fraud, corruption, favouritism and unfair and irregular practices."

5. The potential occurrence of fraud and corruption is not limited to the supply chain management system. The municipality is therefore committed to implementing fraud prevention measures throughout the municipality to reduce the likelihood of fraud.

6. The municipality is further committed to protecting whistle-blowers when they disclose information relating to unlawful or irregular conduct involving the municipality or employees of the municipality, in terms of the Protected Disclosures Act, Act No. 26 of 2000.


III Definitions

1. In this policy, unless the context indicates otherwise, a word or expression to which a meaning has been assigned in the Municipal Finance Management Act ("MFMA") has the same meaning.

2. In interpreting the definitions below, cognisance must also be taken of the definitions contained in the applicable enabling legislation.

Competent: Having the knowledge and skills to accomplish a certain task.

Corruption: The giving or offering, receiving or agreeing to receive, obtaining or attempting to obtain any benefit which is not legally due to or by a person who has been charged with a duty or power by virtue of any employment, to do any act or omit to do any act in relation to that power or duty.

Event: An incident or occurrence, from sources internal or external to an institution, that affects the achievement of the institution's objectives.

Favouritism: The practice of giving unfair preferential treatment to one person or group at the expense of another.

Fraud: An unlawful and intentional making of a misrepresentation which is prejudicial or potentially prejudicial to another. The term is used to describe acts such as deception, bribery, forgery, extortion, theft, conspiracy, embezzlement, misappropriation, false representation, concealment of material facts, collusion, etc.

Impact: A result or effect of an event. The impact of an event can be positive or negative. A negative event is referred to as a "risk". Impact can also be referred to as consequence.

Inherent risk: The risk to an entity in the absence of any actions management might take to alter either the risk's impact or likelihood; in other words, the impact that the risk will have on the achievement of objectives if the controls currently in place are not taken into account.

Integrated Risk Management: A process, effected by the municipality's accounting officer, management and other personnel, applied in strategy setting across the municipality. It is designed to identify potential events that may affect the municipality and to manage risk to be within its risk appetite, so as to provide reasonable assurance regarding the achievement of municipal objectives.

Likelihood / Probability: The probability of the event occurring (not to be confused with the severity rating, which is impact multiplied by likelihood).

Mitigation / Treatment: After the risk score (severity rating = impact x likelihood) has been compared with the risk tolerance, risks with unacceptable levels of risk require treatment plans (additional action to be taken by management).

Operations: Used with "objectives", having to do with the effectiveness and efficiency of the municipality's activities, including performance and profitability goals, and safeguarding resources against loss.

Priority / Key Risk: A risk that is rated high at the inherent level, that needs to be acted upon and that poses a serious threat to the municipality.

Project Risk: Risks identified for all major projects, covering the whole lifecycle, and for long-term projects.

Residual risk: The remaining exposure after the controls/treatments have been taken into consideration (the risk that remains after management has put measures in place to control the inherent risk).

Risk: Uncertain future events that could adversely influence the achievement of our strategic and business objectives. An event can only be a risk if it is a threat to the municipality.

Risk appetite: The acceptable level or amount of risk that the municipality is willing to accept before action is needed to reduce it.

Risk culture: The set of shared attitudes, values and practices that characterise how the municipality considers risk in its day-to-day activities.

Risk Management: A systematic and formalised process instituted by the municipality to identify, assess, manage, monitor and report risks to ensure the achievement of objectives.

Risk Owner: The person responsible for managing a particular risk.

Risk Profile / Register: The risk profile, also known as the risk register, outlines the number of risks, the type of each risk and its potential effects. This outline allows the municipality to anticipate additional costs or disruptions to operations. It also describes the willingness of the municipality to take risks and how those risks will affect its operational strategy.

Risk Response: The strategies management develops to reduce or eliminate the threats and events that create risks.

Risk Tolerance: The amount of risk the municipality is capable of bearing (as opposed to the amount of risk it is willing to bear, the "risk appetite").

Stakeholders: Parties that are affected by the municipality, such as the communities in which the municipality operates, employees, suppliers, etc.

Strategic: Used with "objectives", having to do with high-level goals that are aligned with and support the municipality's mission or vision.

Theft: The unlawful and intentional misappropriation of another's property, or of property which is in his/her lawful possession, with the intention of permanently depriving the owner of its rights.

IV Policy content

Part 1: Risk management

1. The municipality can be exposed to a wide variety of risks. These include operational and other risks that are material and require comprehensive controls and on-going oversight to manage.

2. The municipality has adopted an integrated approach to risk management that equips it to identify events that may have an impact on achieving its objectives and to manage risks according to its risk appetite.

3. The municipality strives to enforce a culture of disciplined risk-taking, and risk management is therefore implemented across the municipality as per the structure in the diagram below:

Diagram 1: Drakenstein Municipality's risk management structure (the diagram is not reproduced here; it shows Council, the Audit Committee, the Accounting Officer, the Fraud and Risk Management Committee, Internal Audit and Risk Management, and the directorates Financial Services, Corporate Services, Community Services, Engineering Services, and Planning and Development)

A Roles and responsibilities

4. Management is responsible for identifying and managing risks; however, each employee can contribute towards successful risk management within the municipality.


5. To manage risk effectively, the municipality has established the roles and responsibilities of each stakeholder within the following four categories:
5.1. Risk Management Oversight;
5.2. Risk Management Implementers;
5.3. Risk Management Support; and
5.4. Risk Management Assurance Providers.

Risk management oversight

6. The risk management function within the municipality is overseen by the following three stakeholders, which are dealt with separately below:
6.1. Executive Authority ("Council");
6.2. Fraud and Risk Management Committee ("FARMCO"); and
6.3. Audit Committee.

7. The Council is responsible for performing, inter alia, the following:
7.1. Ensuring that risk management systems within the municipality are functional, as these systems can assist in protecting the municipality against significant risks;
7.2. Ensuring that the municipality achieves its objectives as per the Service Delivery and Budget Implementation Plan ("SDBIP"); and
7.3. Performing the following functions to fulfil its risk management mandate:

Table 1: Risk management functions for the Council
Ref. Function
01 Approve the levels of risk appetite with guidance from the Chief Risk Officer ("CRO") and FARMCO
02 Approve the Fraud and Risk Management Policy by council resolution
03 Ensure that IT, fraud and Occupational Health and Safety ("OHS") risks are considered as part of the municipality's risk management activities
04 Ensure that risk assessments (strategic and operational) are performed, by reviewing the FARMCO reports
05 Ensure that management implements, monitors and evaluates performance, through the FARMCO reports
06 Ensure that assurance regarding the effectiveness of the integrated risk management process is received from the Audit Committee
07 Disclose how the Council has satisfied itself that risk assessments, responses and interventions are effective, as well as any undue, unexpected or unusual risks and any material losses (the annual report is to include a risk disclosure)

8. FARMCO is a committee appointed by the Accounting Officer to assist the Accounting Officer with the risk management responsibilities associated with the position. The main role of FARMCO, as per the FARMCO charter, is to:
8.1. Review, inter alia, the following:
8.1.1. Progress of risk management;
8.1.2. Maturity of the municipality in managing risks;
8.1.3. Effectiveness of risk management activities; and
8.1.4. Identification of key risks within the municipality and the responses to manage these risks.
8.2. Perform the following duties to fulfil its risk management mandate:

Table 2: Risk management functions for the FARMCO
Ref. Function
01 Formally define its roles and responsibilities with respect to risk management in its charter
02 Meet on a regular basis
03 Review the risk appetite and recommend it for approval by the Accounting Officer
04 Review the fraud and risk management policy and recommend it for approval by the Accounting Officer
05 Review the risk management implementation plan and recommend it for approval by the Accounting Officer
06 Review the fraud prevention implementation plan and recommend it for approval by the Accounting Officer
07 Arrange for top risks to be formally re-evaluated
08 Advise council on how to improve the management of the municipality's risks
09 Review risk management progress
10 Provide a timely and useful fraud and risk management report to the Accounting Officer. The report should describe the state of fraud and risk management within the municipality, accompanied by, inter alia, the following: a) the key strategic risks facing the municipality; b) the key operational risks per directorate/department (at minimum the top 5 identified risks); and c) any risk developments (changes), incidents or losses, together with recommendations to address any deficiencies identified
11 Measure and understand the municipality's overall exposure to IT risks and ensure that proper processes are in place
12 Review the risk registers/dashboard at each meeting and update the register's contents to reflect any changes, without formally reassessing the risks
13 Provide guidance to the Accounting Officer, CRO and other relevant risk management stakeholders on how to manage risks to an acceptable level

9. The Audit Committee is an independent committee responsible for the oversight of the municipality's control, governance and risk management. The primary role of the Audit Committee is, inter alia, the following:
9.1. Providing an independent and objective view of the municipality's risk management process as per its responsibilities, which are formally defined in the Audit Committee Charter;
9.2. Ensuring that financial, information technology ("IT") and fraud risks relating to financial reporting are identified and managed; and
9.3. Performing the following functions to fulfil its risk management mandate:

Table 3: Risk management functions for the Audit Committee
Ref. Function
01 Formally define its responsibility with respect to risk management in its charter
02 Meet on a quarterly basis (the minutes of the FARMCO meetings should be a standard agenda item at these meetings)
03 Review and recommend disclosures on matters of risk in the annual report
04 Include statements regarding risk management performance in the annual report to stakeholders
05 Provide an independent and objective view of the municipality's risk management effectiveness
06 Evaluate the effectiveness of Internal Audit in providing assurance on risk management
07 Ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities
08 Review the internal and external audit plans and ensure that these plans address the risk areas of the municipality

Risk Management Implementers

10. The risk management process within the municipality is implemented by the following three stakeholders, which are dealt with separately below:
10.1. Accounting Officer;
10.2. Members of the strategic management team ("SMT"); and
10.3. Employees.

11. The Accounting Officer needs to ensure effective risk management and is therefore responsible for, inter alia, the following:
11.1. Promoting accountability;
11.2. Promoting integrity and other factors that will create a positive control environment within the municipality; and
11.3. Performing the following functions to fulfil the Accounting Officer's risk management mandate:

Table 4: Risk management functions for the Accounting Officer
Ref. Function
01 Appoint a CRO and Risk Champions
02 Appoint a FARMCO with the necessary skills, competencies and attributes
03 Approve the FARMCO charter
04 Recommend the risk appetite to council for approval
05 Recommend the Fraud and Risk Management Policy to council for approval
06 Approve the risk management implementation plan
07 Approve the fraud prevention implementation plan
08 Ensure appropriate action in respect of recommendations of the Audit Committee, Internal Audit, External Audit and FARMCO to improve risk management
09 Provide assurance to relevant stakeholders that key risks are properly identified, assessed and mitigated, by reviewing the report issued by the FARMCO, which should describe the state of risk management within the municipality accompanied by, inter alia, the following: a) the key strategic risks facing the municipality; b) the key operational risks per directorate/department (at minimum the top 5 identified risks); and c) any risk developments (changes), incidents or losses, together with recommendations to address any deficiencies identified

12. The SMT must ensure that risk management is implemented effectively within their management areas through, inter alia, the following:
12.1. Promoting compliance with the risk appetite;
12.2. Continuously managing and addressing risks in line with the risk appetite; and
12.3. Performing the following functions to fulfil their risk management mandate:

Table 5: Risk management functions for the SMT
Ref. Function
01 Empower employees to perform effectively in their risk management responsibilities
02 Devote personal attention to overseeing the management of key risks within their area of responsibility
03 Maintain a co-operative relationship with the CRO and Risk Champions
04 Ensure that action plans to mitigate risks are implemented within their management areas
05 Maintain the proper functioning of the control environment within their area of responsibility
06 Continuously monitor the implementation of risk management within their area of responsibility
07 Hold employees accountable for their specific risk management responsibilities

13. All employees are responsible for integrating risk management into their daily activities. This includes, but is not limited to:
13.1. Ensuring compliance with systems of internal control; and
13.2. Performing the following functions to fulfil their risk management responsibilities:

Table 6: Risk management functions for employees
Ref. Function
01 Take the time to read and understand the content of the risk management policy and, more importantly, their roles and responsibilities in the risk management process
02 Apply the risk management process in their respective functions
03 Inform their supervisors and/or the risk management unit (CRO) of new risks and significant changes
04 Co-operate with other role players in the risk management process
05 Provide information as required

Risk Management Support

14. The Risk Management Division is responsible for co-ordinating the risk management process within the municipality. The following role players, dealt with separately below, are responsible for providing support to the municipality in managing risks:
14.1. CRO; and
14.2. Risk Champions.

15. The CRO is the custodian of the risk management strategy and the coordinator of risk management activities throughout the municipality. The primary responsibility of the CRO is, inter alia, the following:
15.1. Applying specialist expertise to assist the municipality to embed risk management and leverage its benefits to enhance the performance of the municipality; and
15.2. Performing the following functions to fulfil the CRO's risk management mandate:

Table 7: Risk management functions for the CRO
Ref. Function
01 Assist the Accounting Officer to determine/review the risk appetite
02 Review the fraud and risk management policy
03 Draft the risk management implementation plan
04 Draft the fraud prevention implementation plan
05 Coordinate and facilitate the risk assessments
06 Consolidate the risks identified by the various Risk Champions
07 Prepare risk registers, reports and dashboards for submission to the FARMCO and other role players
08 Ensure that all risk information is kept up to date
09 Ensure that all IT, fraud, OHS and compliance risks are considered as part of the municipality's risk management activities
10 Coordinate the implementation of action plans
11 Ensure that risk assessments are performed and reported to the FARMCO
12 Make the approved risk registers available to Internal Audit on request

16. Risk Champions are individuals appointed to assist risk owners in fulfilling their risk management duties, without assuming the role of risk owner.
16.1. Risk Champions will be appointed by the Accounting Officer and must possess the following skills, which will assist them to co-ordinate risk management within their respective directorates over and above their daily duties:
16.1.1. A good understanding of risk management concepts, principles and processes;
16.1.2. Good analytical skills;
16.1.3. Expert power;
16.1.4. Leadership and motivational qualities; and
16.1.5. Good communication skills.
16.2. Risk Champions must perform the following functions to fulfil their risk management responsibilities:

Table 8: Risk management functions for Risk Champions
Ref. Function
01 Facilitate all operational risk assessments related to their daily tasks
02 Ensure that each key risk has a nominated risk owner
03 Populate the risk registers/dashboard
04 Ensure that all risk information is kept up to date
05 Co-ordinate the implementation of action plans for the risk and report on any developments regarding the risk

Risk Management Assurance Providers

17. Assurance on risk management can be provided both internally and externally by the following role players, which are dealt with separately below:
17.1. Internal Audit; and
17.2. External Audit.

18. Internal Audit is responsible for providing independent and objective assurance to Council regarding the effectiveness of risk management within the municipality. Further responsibilities include, inter alia, the following:
18.1. Assisting in providing a systematic, disciplined approach to evaluating and improving the effectiveness of the entire risk management system, and providing recommendations for improvement where necessary;
18.2. Providing a written assessment of the effectiveness of the municipality's system of internal control and risk management; and
18.3. Performing the following functions to fulfil its risk management mandate:

Table 9: Risk management functions for Internal Audit
Ref. Function
01 Provide assurance on the design of the risk management process and its effectiveness
02 Provide assurance on the management of "key risks", including the effectiveness of the controls and other responses to the "key risks"
03 Provide assurance on the assessment and reporting of risks and controls
04 Prepare a rolling three (3) year Internal Audit plan based on its assessment of key risk areas

19. External Audit (the Auditor-General) will increasingly focus on the effectiveness of risk management within the municipality.

B Risk Management Process

20. The risk management process within the municipality consists of eight (8) components, based on the principles of the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") framework. These eight components, which are dealt with separately below, together contribute towards managing risks successfully within the municipality:
20.1. Internal environment;
20.2. Objective setting;
20.3. Event identification;
20.4. Risk assessment;
20.5. Risk response;
20.6. Control activities;
20.7. Information and communication; and
20.8. Monitoring.

Internal environment

21. The internal environment encompasses the tone of the municipality to provide discipline and

structure by influencing, inter alia, the following

21.1. The risk consciousness of its people; and

21.2. The foundation for all other components of risk management.

22. The following ten (10) factors needs to be considered when addressing the internal environment

of the municipality:

22.1. The municipality’s risk management philosophy:

22.1.1. The CRO must communicate the risk philosophy effectively within the

municipality to ensure that all personnel understands the municipality’s

commitment to risk management; and

22.1.2. Management must reinforce the risk management philosophy within their

management areas to ensure that risk management forms part of daily

activities.

22.2. The municipality’s risk appetite

22.2.1. The municipality has a risk appetite rating of 45;

22.2.2. The risk appetite of the municipality is directly related to the municipality’s

strategy and therefore it is considered a strategy setting;

22.2.3. The desired return from a strategy must be aligned with the municipality’s

risk appetite; and

22.2.4. The municipality should address all risks greater than or equal to a residual

risk exposure rating of 45. Addressing these risks will assist the municipality

to avoid exposure to losses and to manage actions that can pose a

reputational risk to the municipality.

22.3. The municipality’s risk culture

22.3.1. Management should consider how the risk culture affects and aligns with

other elements of risk management; and

Fraud and Risk Management Policy

18

22.3.2. Management may take the necessary steps to reshape the risk culture where

a misalignment exists between the risk culture and other elements of risk

management. This may include, inter alia, the following:

a. Reviewing the philosophy;

b. Re-evaluating the risk appetite; and

c. Re-assessing how the risk culture applies to risk management.

22.4. Integrity and ethical values

22.4.1. The integrity and ethical values affects the design, administration and

monitoring of other risk management components within the municipality;

22.4.2. Management must therefore take into consideration the concerns of the

municipality, employees, suppliers and the public as the integrity and ethical

values are essential elements of the municipality; and

22.4.3. The standard behaviour of management must go beyond mere compliance

with legislation to ensure that the municipality maintains a good reputation;

therefore, management must act with integrity, as this is a prerequisite for

ethical behaviour.

22.5. Commitment to Competence;

22.5.1. The municipality’s strategy and objectives needs to be achieved, therefore

management should assign competent employees to complete those tasks;

22.5.2. Management can decide on the competency levels for specific positions and

translate those levels onto the required knowledge and skills required for the

position; and

22.5.3. Knowledge and skills depend on the individual’s intelligence, experience and

training.

22.6. Management's philosophy and operating style

22.6.1. Management's philosophy and operating style affects the way the

municipality is managed, including the types of risks being accepted;

22.6.2. The attitude and daily operating style of senior management affects the

extent to which actions are aligned with risk philosophy and appetite. For

example:

a. An undisciplined operating style is often associated with an appetite for

high risk, but it can also encourage a high-risk appetite.


22.6.3. To create an effective environment, risks should not be avoided, but rather

acknowledged; and

22.6.4. Management should be aware of the risks associated with the strategic choices and the operating environment, both internal and external to the municipality.

22.7. Organisational structure

22.7.1. The organisational structure provides the framework to plan, execute,

control and monitor activities within the municipality;

22.7.2. The organisational structure will include defining key areas of authority and responsibility and establishing appropriate lines of reporting. For example:

A risk management function should be structured in a manner that achieves

organisational objectivity and permits full and unrestricted access to senior

management, FARMCO and the audit committee.

22.7.3. The CRO should report to a level within the municipality that allows the risk

management activity to fulfil its responsibilities; and

Regardless of the municipality’s organisational structure, the municipality should be structured in a

manner that enables the municipality to effectively manage risks, carry out its activities and achieve

its objectives.

22.8. Assignment of Authority and Responsibility

22.8.1. Delegations should only be to an extent required to achieve objectives;

22.8.2. Management should ensure that risk acceptance is based on sound practices

for risk identification and assessment to make good business decisions;

22.8.3. Management should consider, inter alia, the following when making

decisions:

a. The assessment of risks; and

b. Weighing of potential losses versus gains.

22.8.4. Management should ensure that all personnel understand the municipality’s

objectives. It is essential that individuals know how their actions interrelate

and contribute to achievement of the municipality’s objectives; and

22.8.5. The Accounting Officer, with executive authority oversight, is ultimately

responsible for all activities within the municipality. It is therefore important

that all individuals recognise what they are accountable for as this may have

an impact on the internal environment.


22.9. Human Resource Policies and Practices

22.9.1. Human resource practices include, inter alia, the following:

a. Recruitment of employees;

b. Orientation, training and evaluation of employees;

c. Counselling of employees when necessary;

d. Promoting and compensating employees;

e. Taking remedial actions against employees when necessary; and

f. Informing employees regarding expected levels of integrity, ethical

behaviour and competence.

22.9.2. The municipality should be committed to appointing competent, trustworthy individuals. It is therefore recommended that the most qualified individuals are hired, with the emphasis on, inter alia, the following:

a. Educational background and prior work experience;

b. Past accomplishments; and

c. Evidence of integrity and ethical behaviour.

Hiring on this basis demonstrates the municipality’s commitment to competent and trustworthy people. The same is true when recruiting practices include formal, in-depth employment interviews and informative and insightful presentations on the institution’s history, culture and operating style.

22.9.3. Employees should be equipped to address risks, challenges and issues that

may arise within the municipality;

22.9.4. Due to a change in the environment as a result of changing technologies,

legislation and other external factors, it is important that employees stay

informed; and

22.9.5. Appointing competent individuals and providing a once-off training session is not sufficient. Education is a continuous process, and the upskilling of staff through internal and external training initiatives should therefore be encouraged.

22.10. Differences in environment

22.10.1. The internal environments of an institution’s autonomous subsidiaries, divisions and other units can vary widely due to differences in senior management's preferences, value judgments and management styles;

22.10.2. It is unlikely that internal environments will be the same when directorates

are managed by different senior managers, each with their own

management style;

22.10.3. Due to a difference in environments, it is important to establish what impact

the varying internal environments may have on other components of risk

management; and

22.10.4. An ineffective internal environment may have far-reaching financial and reputational implications for the municipality, and the internal environment should therefore be managed adequately.

Objective setting

23. Objectives are set at a strategic level to establish the basis for the operations, reporting and compliance objectives. The objectives are aligned with the municipality’s risk appetite, which drives the risk tolerance levels for the municipality’s activities.

24. Setting objectives is a prerequisite to identifying events, assessing risks and responding to risks. Risks cannot be identified, and actions to mitigate risks cannot be implemented, if management is not aware of the objectives that it needs to achieve.

25. Management should consider the following five (5) factors with regard to objective setting:

25.1. Strategic objectives

25.1.1. Management formulates and sets strategic objectives based on the municipality’s mission and what it aspires to achieve; and

25.1.2. The strategic objectives reflect the decisions made by management to

provide value to its stakeholders.

25.2. Related objectives

25.2.1. Related objectives aligned to the strategic objectives should be developed by management at an operational level; once achieved, these will create and preserve value;

25.2.2. All personnel at the municipality are required to have a requisite

understanding of the municipality’s objectives. The objectives should

therefore be readily understood and measurable;

25.2.3. All personnel should have a mutual understanding of what needs to be

accomplished and how accomplishments will be measured as these

objectives relate to the individual’s sphere of influence; and


25.2.4. Related objectives can be divided into the following three (3) categories:

a. Operations objectives relate to the effectiveness and efficiency of the municipality’s operations. This includes performance and profitability goals as well as the safeguarding of the municipality’s resources.

b. Reporting objectives relate to the reliability of both internal and external reporting and may include financial as well as non-financial information.

c. Compliance objectives relate to the municipality’s adherence to the relevant laws and regulations with which it must comply.

25.3. Selected objectives

25.3.1. As part of the risk management process, senior management must select

objectives after they have considered how these objectives will support the

municipality’s strategy and mission/vision; and

25.3.2. Selected objectives should be aligned with the municipality’s risk appetite so that management can ensure that misalignment does not result in, inter alia, the following:

a. The municipality not accepting enough risk to achieve its objectives; and

b. The municipality accepting undue risk.

25.4. Risk appetite

25.4.1. Management should first consider the risk appetite before they decide to

accept risks in order to achieve their objectives as all risks above the risk

appetite should be mitigated.


25.5. Risk tolerance

25.5.1. Risk tolerance reflects the acceptable variation in outcomes related to

specific performance measures. Management should therefore consider risk

tolerance in order to achieve the municipality’s objectives.

Event Identification

26. Event identification is the process used by the municipality to identify potential events that can

affect the municipality’s ability to successfully implement strategies and achieve objectives.

27. A variety of internal and external factors can lead to the occurrence of events. Management

therefore needs to consider the full scope of the municipality when identifying events, which may

have a positive or negative impact on the municipality.

28. Management needs to consider the following five (5) factors when identifying events:

28.1. Factors Influencing Strategy and Objectives

28.1.1. Employees need to recognise the importance of understanding internal and

external factors and the types of events that can emanate from these factors;

28.1.2. Management should consider all current factors as well as those that may

occur in the future when identifying events; and

28.1.3. Management should consider the following internal and external factors as

tabled below:

Table 10: Internal and external factors to be considered

No   Internal          External
1    Infrastructure    Economic and business environment
2    Personnel         Natural environment
3    Process           Political environment
4    Technology        Social environment
5    -                 Technological environment

28.2. Methodologies and techniques

28.2.1. Management may use various techniques and tools to identify and assess

events that may potentially have an impact on the municipality; and

28.2.2. The risk methodology should include techniques and tools that can be used by the municipality to identify events. Event identification techniques and tools may include, but are not limited to, the following:

a. Workshops presented by a facilitator using technology-based tools to assist participants in identifying and assessing risks;

b. Analysis of past events such as payment default histories, changes in commodity prices as well as incidents that resulted in reduced productivity; and

c. Techniques that focus on future exposures such as shifting demographics and new market conditions.

28.3. Event interdependencies

28.3.1. Management should understand how events interrelate, as events do not

occur in isolation. One event can trigger another and can also occur

concurrently; and

28.3.2. Management should consider the interrelationships between events when

they identify and assess these events. This will enable management to direct

their risk management efforts where it is required the most, for example:

A change to a central bank interest rate affects foreign exchange rates, which

will have an effect on the municipality’s currency transaction gains and

losses.

28.4. Event categories

28.4.1. Potential events can be grouped together into categories as this may assist

management to understand the interrelationship between events;

28.4.2. Potential events can be aggregated horizontally across the municipality and

vertically within the operating units;

28.4.3. Management can gain enhanced information by grouping similar potential

events together. This will assist management to determine potential

opportunities and risks and forms the basis of assessing the risks;

28.4.4. Categorizing events will also assist management to determine the

completeness of their event identification efforts; and

28.4.5. It may be useful to group potential events into categories. By aggregating

events horizontally across the municipality and vertically within operating

units, management develops an understanding of the interrelationships

between events, gaining enhanced information as a basis for risk

assessment. By grouping together similar potential events, management can

better determine potential opportunities and risks. Event categorisation also

allows management to consider the completeness of its event identification

efforts.


28.5. Risks and opportunities

28.5.1. Events that may have a potentially positive impact on the municipality

represent opportunities. These opportunities should be channelled back to

the strategy and objective setting process by management;

28.5.2. Events that may have a potentially negative impact on the municipality

represent risks. These risks require management’s assessment and response;

and

28.5.3. To avoid overlooking relevant events that might occur, management needs to consider the likelihood of an event occurring, as it cannot foresee when an event may occur.

Risk Assessment

29. The assessment of risks allows the municipality to consider the extent to which potential events

might affect the ability to achieve objectives.

30. Management should consider potential future events that are relevant to the municipality and

its activities, by taking into consideration the following factors:

30.1. The size of the municipality;

30.2. The complexity of the municipality’s operations; and

30.3. The degree of regulation over the municipality’s activities, which affects the risk profile and influences the methodology used to assess risks.

31. The impact of positive and negative events should be examined either on an individual basis or

through a category across the municipality, depending on management’s decision.

31.1. Management must evaluate risks according to the impact and likelihood of the risk

occurring as per the Risk Assessment Methodology. Both the impact and likelihood of

risks will be evaluated on an inherent and residual basis.

31.1.1. Inherent risk: Management must assess the inherent impact and likelihood

of a risk in the absence of any actions to respond to the risk and before the

implementation of controls to mitigate the risk.

31.1.2. Residual risk

a. Management needs to respond to the risks, whereafter the residual likelihood and impact can be assessed; and

b. Once management has responded to the risks, the residual risk will be

determined through risk assessment techniques specified within the risk

assessment methodology.


Risk Response

32. It is management’s decision how they will respond to risks once all the relevant risks have been

assessed. The following risk responses are available:

32.1. Terminate – The termination/avoidance of the risk

32.1.1. Management may decide to take action to terminate the activities giving rise

to risk which may include, inter alia, the following:

a. Terminating services;

b. Declining development in new geographical areas; and

c. Dissolving units.

32.2. Treatment – The reduction of the risk

32.2.1. Management may decide to take action to reduce the risk likelihood and/or

impact. This may involve any of a myriad of everyday business decisions.

32.3. Transfer – The sharing of the risk

32.3.1. Management may decide to take action to reduce risk likelihood or impact

by transferring or otherwise sharing a portion of the risk; and

32.3.2. Common risk sharing techniques can include, inter alia, the following:

a. Purchasing insurance products;

b. Pooling risks;

c. Engaging in hedging transactions; and

d. Outsourcing an activity.

32.4. Tolerate – The acceptance of the risk

32.4.1. Management may decide not to take any action that will affect the impact

or likelihood of a risk; and

32.4.2. Management should refer to the following diagram as a guide when deciding

on the appropriate risk response for a risk:


Diagram 1: Risk response strategy (a matrix with likelihood on the horizontal axis and impact on the vertical axis; the cell labels recoverable from the original diagram are: Medium risk: Transfer (Insurance); High risk: Terminate and treat (Control); Low risk: Tolerate (Risk appetite); Low risk: Treat & monitor (Control))

33. Prior to management making a decision on the risk response, management needs to consider,

inter alia, the following:

33.1. The desired risk tolerance level provided that it is below the risk appetite;

33.2. The costs and benefits involved to implement controls and/or action plans to mitigate

the risks;

33.3. Whether the implementation of these controls and action plans are realistic and

sustainable; and

33.4. The purpose of risk response is for management to achieve a residual risk level aligned

with the municipality’s risk tolerance. To achieve this, management should consider

how individual responses or a combination thereof may affect potential events as this

may have an effect on, inter alia, the following:

33.4.1. The likelihood and impact on one or more potential events taking into

consideration past events and trends as well as future scenarios;

33.4.2. The efficiency of controls; and

33.4.3. Additional actions that may be warranted.

34. Management should evaluate the potential effect of risk responses using the same units of measure as were used for the objectives and associated risks in the risk assessment component.

Control Activities

35. The municipality has various policies and procedures in place. These are the control activities within the municipality and assist management to ensure that risk responses are carried out.

36. The types of control activities implemented by the municipality can be categorised in the

following three (3) categories:

36.1. Preventative controls


36.1.1. Controls that are designed and implemented by management to prevent

errors and/or irregularities from occurring.

36.2. Detective controls

36.2.1. Controls that are designed and implemented by management to detect

errors and/or irregularities that may occur.

36.3. Corrective controls

36.3.1. Controls that are designed and implemented to correct errors and

irregularities that occurred.

37. Control activities are implemented throughout the municipality across all levels and functions and

can be executed through the following:

37.1. Manually

37.1.1. These are controls that are performed by people; and

37.1.2. Manual controls can include, inter alia, the following:

a. Approvals and authorisations by authorised personnel;

b. Reconciliations;

c. Reviews of operating performance;

d. Security of assets;

e. Segregation of duties; and

f. Verifications.

37.2. Automatically

37.2.1. These are controls that are embedded within application code;

37.2.2. The municipality relies on various information systems and therefore

controls are required to oversee these systems; and

37.2.3. The automatic controls implemented by the municipality can be grouped in

the following two (2) categories:

a. General controls:

i. These controls apply to all the systems, from the mainframe to the client/server and desktop environment; and


ii. These general controls, include controls over, inter alia, the

following:

Information technology management;

Information technology infrastructure;

Security management and software acquisition; and

Development and maintenance.

b. Application controls:

i. These controls are designed to ensure completeness, accuracy,

authorisation and the validity of data capturing and processing;

ii. Application controls rely on computerised edit checks to detect interface errors quickly, to prevent errors from entering the system and to allow the correction of errors once detected; and

iii. Application controls consist of, inter alia, the following:

Format of data entered;

Validation of the existence of data;

Reasonableness of data entered; and

Any other data validations that were built into an application

during development.
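As an added illustration of the format, existence and reasonableness checks listed above (example code written for this page, not part of the policy or of any municipal system), the Python below applies such edit checks to a constructed procurement payment record at the point of capture. The record layout, the field formats, the single-payment limit and the cost-centre master data are all assumptions made for the example; a real application would take them from its own configuration and master data.

```python
import re
from datetime import date

# Assumed record layout and field formats (constructed for this example, not from the policy).
REQUIRED_FIELDS = ("supplier_code", "invoice_number", "invoice_date", "amount", "cost_centre")
SUPPLIER_CODE_RE = re.compile(r"[A-Z]{3}\d{4}")     # e.g. ABC1234 (assumed format)
INVOICE_NUMBER_RE = re.compile(r"INV-\d{6}")         # e.g. INV-000123 (assumed format)
AMOUNT_RE = re.compile(r"-?\d+(\.\d{1,2})?")         # numeric, at most two decimals

# Assumed reasonableness limit and master data (in a real system these come from configuration).
MAX_SINGLE_PAYMENT = 500_000.00
KNOWN_COST_CENTRES = {"CC-100", "CC-200", "CC-300"}

# Date the constructed records are validated against (chosen for the example).
AS_AT = date(2017, 11, 29)

# Constructed sample records: one clean, one badly formed, one well formed but unreasonable.
SAMPLE_RECORDS = [
    {"supplier_code": "ABC1234", "invoice_number": "INV-000123", "invoice_date": "2017-11-20",
     "amount": "12500.00", "cost_centre": "CC-100"},
    {"supplier_code": "abc12", "invoice_number": "INV-000124", "invoice_date": "2017-13-01",
     "amount": "-5.00", "cost_centre": "CC-999"},
    {"supplier_code": "XYZ0001", "invoice_number": "", "invoice_date": "2018-01-15",
     "amount": "750000.00", "cost_centre": "CC-200"},
]


def check_existence(record):
    """Existence check: every required field must be present and non-empty."""
    return [f"missing field: {name}" for name in REQUIRED_FIELDS
            if record.get(name) in (None, "")]


def check_format(record):
    """Format check: each captured field must match its expected pattern."""
    findings = []
    patterns = {
        "supplier_code": SUPPLIER_CODE_RE,
        "invoice_number": INVOICE_NUMBER_RE,
        "amount": AMOUNT_RE,
    }
    for name, pattern in patterns.items():
        value = record.get(name)
        if value not in (None, "") and not pattern.fullmatch(str(value)):
            findings.append(f"{name} has invalid format: {value!r}")
    raw_date = record.get("invoice_date")
    if raw_date not in (None, ""):
        try:
            date.fromisoformat(str(raw_date))
        except ValueError:
            findings.append(f"invoice_date is not a valid ISO date: {raw_date!r}")
    return findings


def check_reasonableness(record, today):
    """Reasonableness check: well-formed values must still make business sense."""
    findings = []
    amount = record.get("amount")
    if amount not in (None, "") and AMOUNT_RE.fullmatch(str(amount)):
        value = float(amount)
        if value <= 0:
            findings.append(f"amount must be positive: {value}")
        elif value > MAX_SINGLE_PAYMENT:
            findings.append(f"amount exceeds single-payment limit: {value}")
    raw_date = record.get("invoice_date")
    if raw_date not in (None, ""):
        try:
            if date.fromisoformat(str(raw_date)) > today:
                findings.append(f"invoice_date is in the future: {raw_date}")
        except ValueError:
            pass  # already reported by the format check
    cost_centre = record.get("cost_centre")
    if cost_centre not in (None, "") and cost_centre not in KNOWN_COST_CENTRES:
        findings.append(f"cost_centre not found in master data: {cost_centre!r}")
    return findings


def validate_record(record, today=None):
    """Run all edit checks; an empty list means the record may be accepted for processing."""
    today = today or date.today()
    return check_existence(record) + check_format(record) + check_reasonableness(record, today)


def run_sample_checks():
    """Number of findings per constructed sample record, validated as at AS_AT."""
    return [len(validate_record(rec, AS_AT)) for rec in SAMPLE_RECORDS]


if __name__ == "__main__":
    for rec, count in zip(SAMPLE_RECORDS, run_sample_checks()):
        print(count, "finding(s) for", rec["supplier_code"] or "<no supplier code>")
        for finding in validate_record(rec, AS_AT):
            print("   ", finding)
```

The checks are kept separate so that a rejected record reports every defect at once rather than the first one found; the reasonableness check deliberately runs only on values that are present and well formed, so that one bad field does not generate duplicate findings.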

38. The effectiveness of control activities is evaluated when assessing risks. Based on the control effectiveness, the residual risk exposure is calculated, which indicates whether the risk is above or below the risk appetite and tolerance levels of the municipality.

39. As with the risk appetite, the risk tolerance levels should be monitored to ensure that the municipality does not tolerate more risk than it is capable of bearing.

Information and communication

40. Communication of relevant information internally and externally plays a vital role to enable all

employees to carry out their responsibilities. Effective communication and the gathering of

processed data will enable employees to address and manage risks.

41. Data and information relevant to the management of the municipality and possible events should

be gathered through internal information systems as well as external events, activities and

conditions.


42. Pertinent information relevant to the effective management of risks within the municipality is

then identified, captured and communicated in a manner and timeframe agreed by management.

43. All employees must be informed of their responsibilities regarding risk management and how their individual activities relate to the work of others. It is the responsibility of risk owners to ensure that this is communicated and monitored on a continuous basis.

44. To ensure that communication is effective within the municipality, employees should be

encouraged to communicate significant information to management.

Monitoring

45. Risk management can change over a period of time due to changes in the municipality’s structure

and objectives, new processes or the appointment of new personnel. As a result of these changes,

responses that were once effective may become irrelevant and activities may become less

effective or no longer be performed.

45.1. Risk management should therefore be monitored through the assessment of the

presence and functionality of its components over a period of time through the

following activities:

45.2. On-going monitoring activities

45.2.1. Continuous monitoring of activities forms part of management’s normal

activities to monitor the effectiveness of risk management; and

45.2.2. On-going monitoring activities can include, but are not limited to, the following:

a. Variance analysis;

b. Stress testing;

c. Comparisons; and

d. Reconciliations.
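The reconciliation and variance analysis named in the list above, as an added example that is not part of the policy: a payroll run is reconciled against an HR master list to surface payees that do not exist on the master or are not active, and net pay per employee is compared with the prior run to flag changes above a threshold. The employee numbers, statuses, pay amounts and the 20% threshold are all constructed for the example.

```python
# Added example: on-going monitoring of a payroll run by reconciliation and
# variance analysis. All data below is constructed; the 20% threshold is assumed.

# Constructed HR master data: employee number -> employment status.
HR_MASTER = {
    "E001": "active",
    "E002": "active",
    "E003": "terminated",
}

# Constructed payroll runs: (employee number, net pay) per payee.
PAYROLL_OCTOBER = [("E001", 25000.00), ("E002", 18000.00), ("E003", 21000.00)]
PAYROLL_NOVEMBER = [("E001", 25000.00), ("E002", 27500.00), ("E003", 21000.00),
                    ("E009", 19000.00)]

VARIANCE_THRESHOLD = 0.20  # assumed: flag month-on-month changes above 20%


def reconcile_payroll(payroll, hr_master):
    """Reconciliation: every payee must appear once in the run, exist on the HR
    master and have an active status. Returns a list of findings."""
    findings = []
    seen = set()
    for emp_id, _amount in payroll:
        if emp_id in seen:
            findings.append(f"{emp_id}: paid more than once in the same run")
        seen.add(emp_id)
        status = hr_master.get(emp_id)
        if status is None:
            findings.append(f"{emp_id}: paid but not on the HR master")
        elif status != "active":
            findings.append(f"{emp_id}: paid while HR status is {status}")
    return findings


def variance_analysis(previous, current, threshold=VARIANCE_THRESHOLD):
    """Variance analysis: compare net pay per employee between two runs and flag
    new payees as well as changes larger than the threshold."""
    prior = dict(previous)  # assumes one line per employee per run
    findings = []
    for emp_id, amount in current:
        if emp_id not in prior:
            findings.append(f"{emp_id}: new payee with no prior-period amount")
            continue
        base = prior[emp_id]
        if base == 0:
            continue  # nothing to compare against
        change = (amount - base) / base
        if abs(change) > threshold:
            findings.append(f"{emp_id}: net pay changed by {change:+.0%}")
    return findings


def monitor_run(previous, current, hr_master=HR_MASTER):
    """Combine both checks for one run; an empty list means nothing to escalate."""
    return reconcile_payroll(current, hr_master) + variance_analysis(previous, current)


if __name__ == "__main__":
    for finding in monitor_run(PAYROLL_OCTOBER, PAYROLL_NOVEMBER):
        print(finding)
```

Each finding names the employee number so that the item can be escalated and followed up as described under separate evaluations; the two checks are independent, which lets the reconciliation run on every payroll cycle while the variance comparison is run against whichever prior period management selects.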

45.3. Separate evaluation activities

45.3.1. The scope and frequency of separate evaluations will depend primarily on

the assessment of risks and the effectiveness of the monitoring procedures;

45.3.2. Deficiencies will be escalated progressively and serious matters must be

reported to SMT and the Accounting Officer; and

45.3.3. Internal Audit will be responsible to assess the existence and functioning of

the eight (8) components of the risk management process at a certain point

in time.


Part 2: Fraud Risk Management

46. The municipality is committed to eliminating fraud and fosters a culture of zero tolerance towards fraud in all its activities. The municipality therefore undertakes to combat all forms of fraud and corruption and to remain pro-active in the fight against fraud.

47. The municipality must investigate all allegations of fraud, corruption, theft, maladministration or

any other dishonest activities of a similar nature. This includes the suspicion that fraud is

occurring, attempts to commit fraud or incidents where fraud has already occurred. The outcome

of these investigations must then be used to apply appropriate remedies to the full extent of the

law.

48. The municipality must develop and enforce appropriate prevention and detection controls. The

primary means of detecting fraud must remain a sound system of internal control and regular

internal audits.

49. Prevention and detection controls include existing financial and any other controls and

monitoring mechanisms implemented by the municipality as prescribed by policies and

regulations applicable to the municipality.

C Procedures for reporting fraudulent and/or corrupt activities

50. All councillors, employees, stakeholders, service providers and ratepayers must report any

reasonable suspicions, allegations and incidents of fraud regardless of the value to the

municipality.

51. The municipality must encourage members of the public and/or service providers who suspect fraud to report it to the municipality through one of the approved mechanisms.

52. Employees who become aware of or suspect incidents of fraud or acts of dishonesty must report the incident through any of the following approved mechanisms:

52.1. Reporting the matter to the immediate supervisor or the next level of management if

the immediate supervisor is suspected to be a party to the alleged fraud or acts of

dishonesty;

52.2. The Accounting Officer;

52.3. The CRO; and

52.4. The hotline.


52.4.1. The municipality must have a hotline that is not administered by the municipality. The hotline must be a reporting channel through which employees, suppliers, contractors or any other third party can report irregular activities without victimisation or repercussions;

52.4.2. The hotline must be able to give assurance of anonymity if the whistle-blower chooses to remain anonymous;

52.4.3. The municipality must commit to investigate all irregularities reported

through the hotline regardless of the seniority of the alleged offender; and

52.4.4. When the municipality receives reports of dishonest acts, the municipality

must take decisive corrective and protective steps to limit the municipality’s

exposure to further losses.

53. The Accounting Officer must, upon receiving a report of fraud from an external person, write to the person making the report stating the following:

53.1. Acknowledging that the concern has been received;

53.2. Indicating how the Accounting Officer proposes to deal with the matter and whether any initial inquiries have been made;

53.3. Providing an estimate on the timeframe by when feedback can be expected; and

53.4. Informing the person that made the report whether any further investigation will take

place and if not, a reason must be provided.

54. All incidents and/or allegations not directly reported to the CRO, must be reported to the CRO

within 24 hours (1 working day) from becoming aware of the incident and/or allegations.

55. Depending on the nature of the reports that were received through any of the reporting

mechanisms, the municipality can decide to:

55.1. Investigate the matter internally and/or with the assistance of an external service

provider; and/or

55.2. Refer the matter to the South African Police Services (“SAPS”) or any other law enforcement agency.

56. The risk management unit will screen and monitor all investigations, whilst initiating, co-

ordinating and managing any forensic investigations where needed and/or recommend

appropriate steps.

57. The municipality will pursue any alleged fraud committed by an employee by conducting a

thorough investigation and to the full extent of the law. Where appropriate the municipality

should consider the following:


57.1. Taking disciplinary action against employees within a reasonable period of time after

the final report of the investigation becomes available; and/or

57.2. Reporting the matter to SAPS or any other relevant law enforcement agency to initiate

criminal prosecution; and/or

57.3. Instituting civil action to recover losses; and/or

57.4. Any other appropriate legal remedy available.

58. The Accounting Officer must ensure, in terms of section 62(1)(e) of the MFMA, that disciplinary action or, when appropriate, criminal proceedings are instituted against any employee of the municipality who has allegedly committed an act of financial misconduct or an offence.

59. Management is responsible for ensuring that losses or damages suffered by the municipality as a result of reported acts committed or omitted by an employee who reports to them are recovered if the employee is found to be liable.

60. The responsible manager with assistance from other relevant managers must ensure that the

following steps are taken to comply with the MFMA and the Municipal Act regarding financial

misconduct incidents:

60.1. Ensuring that the disciplinary proceedings are carried out in accordance with the

relevant prescripts;

60.2. Submitting a schedule to the Auditor-General annually containing the following:

60.2.1. The outcome of any disciplinary hearings and/or criminal charges;

60.2.2. The names and ranks of employees involved; and

60.2.3. The sanctions and any further actions taken against these employees.

60.3. Determining the nature of the disciplinary process against an employee by taking the

following into account:

60.3.1. The circumstances of the transgression;

60.3.2. The extent of the expenditure involved;

60.3.3. The nature and seriousness of the transgression; and

60.3.4. Reporting losses to the SAPS, the Accounting Officer and the Chief Financial

Officer.


D Responsibility to conduct investigations into cases of fraud

61. The municipality is legally required in terms of section 171(4)(a) of the MFMA to investigate all

allegations of fraud, therefore the Accounting Officer must ensure that allegations are

investigated. As a representative of the Accounting Officer, relevant line managers in consultation

with the CRO must investigate all allegations of fraud.

62. The relevant manager must report the following to the SAPS:

62.1. Irregular expenditure that constitutes a criminal offence; and

62.2. Fraud, theft and corruption that occurred within the municipality.

63. The risk management unit is authorised to:

63.1. Have direct, immediate and unrestricted access to all functions, records, assets and personnel information, which include, inter alia, the following:

63.1.1. Labour relations;

63.1.2. Legal Advisory;

63.1.3. Insurance claims; and

63.1.4. Payroll information.

63.2. Obtain the necessary assistance from employees in other departments and divisions

within the municipality as well as other specialised services from external providers

where required.

64. The CRO in consultation with the Accounting Officer is responsible to supply appropriate feedback

on the progress of investigations to all relevant parties on a “need to know” basis.

E Protection of whistle-blowers

65. No employee will suffer any penalty or retribution for good faith reporting of any suspected or

actual incident of fraud.

66. The municipality is responsible to ensure that all necessary steps are taken to protect employees

from reprisals, harassment and victimisation when employees disclose information relating to

suspected or actual incidents of fraud.

67. Employees who make any allegations in bad faith will be subject to disciplinary action. Where external parties are involved, the municipality will take the appropriate action as it deems necessary.


68. In terms of the Protected Disclosures Act, Act 26 of 2000, a person shall not:

68.1. Prejudice, or threaten to prejudice, the safety or career of; or

68.2. Intimidate or harass, or threaten to intimidate or harass; or

68.3. Do any act that is, or is likely to be, to the detriment of another person because the

other person:

68.3.1. has assisted, is assisting or will or may in the future assist the Municipality

with the investigation;

68.3.2. has furnished, is furnishing or will or may in the future furnish information

to the Municipality; or

68.3.3. has been or is employed by, or acting on behalf of an independent agency or

appropriate authority to whom or which an allegation has been referred; or

68.3.4. has exercised a power or performed a duty conferred or imposed on the other person, or is exercising or performing, or will or may in the future exercise or perform, any such power or duty.

69. Whistle-blowers may choose not to disclose their identity, or may request that their identity be kept confidential. Concerns expressed anonymously are difficult to investigate; nevertheless, these concerns will be followed up at the discretion of the municipality. This discretion will be applied by taking into account the following:

69.1. The seriousness of the issue raised;

69.2. The credibility of the concern; and

69.3. The likelihood of confirming the allegation.

70. Through the investigation process, the source of the information may be revealed and employees may be requested to provide statements that will form part of the evidence.

71. Management should discourage employees or any other person from making false accusations with malicious intentions. Where it is discovered that an employee made false accusations, the employee will be subject to the disciplinary process.

72. Any employee who seeks to conceal evidence of wrongdoing or to victimise and/or harass a whistle-blower who has made a disclosure in good faith in terms of the Protected Disclosures Act will be subject to disciplinary action.

F Pro-active approach

73. The municipality must perform the following as part of its pro-active approach, which is essential to combat crime:


73.1. Actively identify instances of alleged fraud, theft and corruption using appropriate prevention and detection mechanisms;

73.2. Perform a data interrogation exercise periodically on payroll records and procurement transactions with the intention to identify patterns of potentially fraudulent behaviour, internal control implementation weaknesses and possible conflict of interest situations;

73.3. Ascertain the frequency with which the interrogation should be carried out on an ongoing basis and plan for this, including establishing an expenditure budget;

73.4. Ensure that comprehensive background checks are carried out on prospective employees, including, as considered appropriate, verification of previous employment details, academic qualifications, citizenship, credit records and criminal records, with due regard to the protection of personal information;

73.5. Ensure that comprehensive background checks are carried out on potential service providers; and

73.6. Appropriately communicate all legislative requirements and obligations placed on the municipality and its employees to ensure awareness thereof.

G Prevention measures

74. Management must create an environment and culture where employees believe that dishonest acts will be detected and investigated, and that the necessary corrective action will be taken.

75. Management must perform the following, which forms part of the prevention measures implemented by the municipality:

75.1. Participate in in-house training programmes covering the following:

75.1.1. Prevention of fraud and corruption; and

75.1.2. The municipality's code of ethics.

75.2. Ensure that staff understand that the internal controls are designed and intended to prevent and detect fraud and corruption or any other dishonest activities of a similar nature;

75.3. Encourage staff to report suspected fraud and corruption directly to those responsible for investigation, without fear of disclosure or retribution;

75.4. Require suppliers to agree in writing, as part of the contract process, to abide by the Municipality's policies and procedures and to avoid or declare any conflict of interest; and

75.5. Ensure that measures to prevent fraud and corruption are continually monitored, reviewed and developed, particularly as new systems, programmes, contracting or arrangements are introduced or modified.


Part 3: Reporting

76. The Risk Management Division is responsible for compiling reports on a quarterly basis. These reports must be discussed with SMT members, after which the final reports must be presented to FARMCO. The following reports must be compiled:

76.1. A report on the municipality's strategic risks;

76.2. A report on the risks above the municipality's risk appetite;

76.3. A report on the progress of the action plans to mitigate the municipality's risks; and

76.4. A report on emerging issues or risks that require immediate attention.

77. All incidents and/or allegations formally reported to the CRO in writing must be added to the confidential unethical incident register, where they will be monitored by the CRO. The unethical incident register must also be tabled at the following meetings:

77.1. FARMCO for oversight and, once accepted, it can be tabled at:

77.1.1. Municipal Public Accounts Committee ("MPAC") for oversight; and

77.1.2. Audit Committee for information purposes.

78. All reports of fraud, theft and corruption must be treated confidentially. The progress of investigations will not be disclosed or discussed with any person(s) other than those who have a legitimate right to such information, as determined by the Accounting Officer and/or CRO. This is a precaution by the municipality to avoid compromising the reputations of suspected persons who are subsequently exonerated from any wrongful conduct.

79. No employee is authorised to supply any information with regard to reports of fraud, theft and corruption covered within this policy to the media, or any other party, without the permission of the Accounting Officer in consultation with the CRO.

80. The Accounting Officer, in consultation with the CRO, will decide whether any information relating to corrective actions taken or sanctions imposed regarding incidents of fraud should be brought to the attention of other employees or made public through any other means.


V Administration

1. This policy must be reviewed annually by FARMCO to reflect the current stance on risk management within the Drakenstein Municipality.

2. This policy must be approved every three (3) years by Council.

Recommended for approval by the Fraud and Risk Management Committee:

Meeting date: 20 October 2017

Approved by Council

Meeting date: 29 November 2017


VI Appendices

1. As part of the risk management process, the risk management division developed the following documents to assist with fraud and risk management within the municipality:

A: Risk assessment methodology; and

B: Fraud and Risk Management implementation plan.

2. These documents do not form part of the Fraud and Risk Management Policy; reference to them is for information purposes only.

3. All documents listed above must be reviewed annually by FARMCO.