Director General’s speech > Launching the Audit Committee Forum Paper 4 > Thursday, 21st of October 2016 > Hennessy Hotel

Distinguished Guests and Ladies and Gentlemen
Good afternoon

It is an honour for me to be here this afternoon for the launching of the Mauritius Institute of Directors’ Audit Committee Forum Position Paper 4 entitled ‘Guidelines for the Audit Committee’s Assessment and Response to the Risk of Fraud’. I would like to thank the MIOD and in particular Mr Juan Carlos Zara for the invitation.  I have been invited to talk on the prevention of fraud and corruption.  But I will speak on an issue that has now become the hot issue regarding compliance and governance at world level, that is., the issue of effectiveness of systems. I am sure that this is an issue that will be addressed by the Forum, if it has not already done so.

Let me make a preliminary comment at the outset: First, that fraud and corruption are often, if not always, at the center of financial scandals as we have witnessed in recent times. They are often the two faces of the same coin. A fraudulent act can often either be a form of corrupt practice or can lead to corruption.

In fact, recent events in the world of business shed some light on what is now required, perhaps more than ever before, to enhance risk management systems in order to prevent fraud and corruption.  In that respect, we have probably noticed that recently two events have marked developments in the field of regulatory compliance and governance, and how these now present new challenges: 1) the growing concern about new financial threats, and 2) this, despite an increase in the adoption of new forms of regulation and standards to address financial crime.

Ladies and Gentlemen, fraud, corruption, money laundering and terrorism finance, and lately cybercrime, are now considered national security issues that present new threats to the world order.  In the wake of the 2007 financial crisis, financial crime, especially fraud and corruption took centre stage when the crisis brought the financial system to its knees and the global economy to near collapse. Mortgage fraud, securities fraud, bribery and corruption, insider trading and dealing, Libor fraud, became the talk of town.  We have all heard of Madoff and others. We have also witnessed recently, the heist on the Bangladeshi central bank. And I do not want to list all the firms that have been sanctioned recently in billions of dollars for compliance failures. And how much money those firms are investing in compliance.

In the aftermath of the crisis, numerous instruments have been adopted to revamp the financial regulatory landscape. All the international financial regulatory bodies including the IMF, WB, IOSCO, G20, FSB, FATF, Basel Committee on Banking Supervision, ISO, have produced an enormous amount of policies, recommendations and guidelines in their respective line of activities in order to strengthen the financial system.  Many countries have complied. Mauritius, for example, is one of the countries that has a strong legislative and institutional framework to combat financial crime.
One would have thought that, after the devastating consequences of the crisis on the global economy, and the numerous regulation adopted, the right lessons would have been learnt and business would be conducted differently.

However, it is interesting to see that the type of fraudulent behaviour that characterized Enron in 2001 and the era leading up to 2007 crisis, continues to prevail. I only need to refer to the more recent Wells Fargo scandal, the latest in the series of fraud in a bank. WF is one of the 4 biggest banks in the world including Bank of America, JP Morgan Chase, Citigroup, adding to the list of the 20 big banks fined for a total amount of $285 billion after the crisis.  Well’s Fargo ended up with a fine of $185 million on 8 September for falsifying more than 2 million customer accounts to meet aggressive sales goals. Thousands of the bank’s employees were misusing customer information to open accounts they never asked for. Its CEO John Stumpf finally resigned last week.

So. the question is: is adopting laws and setting up institutions enough? Enacting laws and setting up institutions is clearly a crucial step in the process of ensuring compliance with international standards.  However, standard settors have recently realized that it was high time to move beyond and to start looking at how those laws and institutions are effective in addressing fraud and corruption.

Like I said earlier, it is high time to take a new look at compliance in general and, more specifically, at the effectiveness of systems designed to deal with financial crime, including fraud and corruption.  Hence my proposal, since my arrival 3 months ago at ICAC, for the need to assess and address issues related to the effectiveness of systems and institutions.

It was after over 20 years dealing with AML/CFT that the FATF, and recognizing serious shortcomings in its existing systems, that led the FATF in 2012 to do a 360 degree turn around of its 40+9 recommendations and came up with the new 40 recommendations based on the RBA. These recommendations were motivated by one single drastic change- the need for more effective systems.  The UNODC is doing the same thing in the world of anti-corruption.  The IMF, in its recent initiative to frontally address corruption in its work with countries on macroeconomic stability, is an eye-opener.  As disclosed in its recent Staff Discussion Note “Corruption: Costs and Mitigating Strategies”, in May of this year, the IMF has decided that it is high time to step up the fight against corruption. The paper clearly spells out, I quote “all of the best frameworks come to nothing, unless they are implemented. And implementation is all about effective institutions.” End of quote.

What lessons do these hold for the business sector and risk management?

So what is Effectiveness?

FATF Methodology 2013: “The effectiveness assessment differs fundamentally from the assessment of technical compliance. It seeks to assess the adequacy of the implementation of the FATF Recommendations, and identifies the extent to which a country achieves a defined set of outcomes that are central to a robust AML/CFT system. The focus of the effectiveness assessment is therefore on the extent to which the extent to which the legislative and institutional framework is producing the expected results”.

This is followed by a whole chapter on Effectiveness and the indicators that can be used to measure same.

Why am I focusing all this? The name of the game today in compliance and governance is about the RBA and effectiveness. Countries are already being assessed about their RBA strategy and the effectiveness of their systems around the world. The FATF has already embarked on this exercise. Soon, the Esaamlg will conduct the compliance assessment of Mauritius and the effectiveness of the system in the public and private sector will be under review. The UNODC is already conducting a review of Mauritius’ compliance with UNCAC.

Financial scandals continue to put a lot of pressure on businesses to review and revisit the effectiveness of the governance framework, of which the Audit Committee is an integral part. Being covert by their nature, fraud and corruption represent the invisible threats and, if not detected in a proactive manner, can trigger a chain-reaction with damaging consequences to the business and its stakeholders.  In fact, the governance framework including the array of policies and controls within an organisation, is considered as important line of defence to protect corporate organisations from financial scams and failures.
Corruption and fraud risk management are called upon to be an important part of the management framework of any organisation. These are necessary to ensure that the systems and procedures including its internal control mechanisms are effective in mitigating promptly such risks. Maintaining robust and flexible controls, and continually monitoring and addressing risks, are potential defences against non-compliance and financial failures.

The Audit Committee plays a major role in corporate governance regarding the organization’s direction, control, and accountability through the mechanism for internal and external audits, internal control, accounting and financial reporting, regulatory compliance and risk management. It has the prime responsibility to ensure that External Audit and Internal Audit are performing their oversight roles.

The overall effectiveness of the governance framework depends on its constituents in terms of a reliable External Audit, a fully functional Internal Audit and a performing Audit Committee. So we can clearly see the importance of the Audit Committee Forum in this context.

Since my arrival at the ICAC, I have decided to make effectiveness the pillar of my assignment. In other words, to make the ICAC more effective. The ICAC as an agency mandated to fight corruption encourages organisations to adopt a proactive approach to prevent corruption, fraud and other malpractices. It supports business organizations to engage in developing preventive methods as a cost-effective medium to long term solution against fraud and corruption.  The two main mandates of the ICAC are investigation and prevention / education. Prevention aims at engaging with business and other partners to enhance their systems in order to detect and prevent corruption. Why should companies prevent fraud and corruption?
•    A major proportion of victims of fraud and corruption do not recover their financial losses.
•    Reputational risk associated with fraud and corruption can more impactful than the financial losses.
The Board of a company is responsible for not only determining the risks that the Company is willing and able to take to achieve its strategic objectives but also ensuring that all the risks are properly identified, evaluated and managed.

Regulations such as the U.S. Foreign Corrupt Practices Act of 1977 (FCPA), the 1997 Organisation for Economic Co-operation and Development Anti-Bribery Convention, the U.S. Sarbanes-Oxley Act of 2002, the U.S. Federal Sentencing Guidelines of 2005, and similar legislation throughout the world have increased management’s responsibility for fraud risk management. Some of these have relevance for Mauritius, for instance
•    Top management to adopt and promote a “no fraud tolerance” attitude
•    An inclusive approach for dealing with fraud risks
•    Promoting ethical behaviour and a culture of integrity
•    Regular assessment of the risk management system

As managers and directors, we should always be alert to potential risks of fraud and corruption and give due attention to organizational integrity which includes integrity of staff. Under Stumpf, Wells Fargo appeared safe with a 68% total return to shareholders. This is not bad considering he was steering Wells Fargo through the financial crisis or the aftermath for most of the nine years he led the company. And he wasn’t just another banking chief, he was 2015’s CEO of the Year, according to Morningstar. But we know what happened.

This Position Paper on the Assessment of Risk of Fraud complements the Mauritius Audit Committee Forum’s 3 previous Positions papers, especially Position Paper 3 which deals with the Audit Committee’s role in control and management of risk.
The development and adoption of the guidelines will no doubt improve functioning of an Audit Committee and enhance its effectiveness. It will help Audit Committees towards best practices for managing and incorporating their role in line with the Code of Corporate Governance. I commend the initiatives of the Mauritius Institute of Directors and KPMG in their efforts for improving the effectiveness of Audit Committees and trust that the guidelines will help organisations in keeping their risk management and compliance programmes complete and up-to-date.

This is an excellent initiative on the part of the Audit Committee Forum. But I would invite the Forum to ensure the effective implementation of the recommendations contained in the Paper. Business is now, perhaps more than ever before, confronted with the need to design effective risk fraud management systems.

With these words, Ladies and Gentlemen, I thank you for your kind attention.