
CONTENTS

ACKNOWLEDGEMENTS
INTRODUCTION - DEALING WITH WHITE COLLAR CRIME
SECTION 1 - ESTABLISHING AN ETHICAL CULTURE
SECTION 2 - ESTABLISHING POLICY
SECTION 3 - RISK ASSESSMENTS
SECTION 4 - CRIME RESPONSE PLANS
SECTION 5 - INTERNAL CONTROLS
SECTION 6 - THE PREVENTION OF CORRUPTION
SECTION 7 - INVESTIGATIONS
SECTION 8 - COMPUTER CRIME AND THE USE OF COMPUTERS IN CRIME
SECTION 9 - REFERENCES

ACKNOWLEDGEMENTS
This project was undertaken by Business Against Crime's KwaZulu Natal White Collar Crime Task
Group. The members of the Task Group contributed their opinions and experiences to make this a
truly co-operative effort.
References are made in the text of the document to specific sources of information. Moreover, a
great amount of background material is based on press releases, audit manuals, bulletins of private
accounting firms, corporate policy notes, periodicals and other media from various countries in the
world.
EDITORIAL PANEL
Basil Cariston (Chairman), Security Consultant, Tongaat-Hulett Group
Eckhard Voker, Forensic Accountant KPMG
Carl Venter, SAPS Commercial Branch

OTHER TEXT CONTRIBUTORS
Campbell Alexander, Partner, Cox Yeats Attorneys
Jeremy Perks, Partner, Computer Audit KPMG
Ivan Maleham, NBS

BUSINESS AGAINST CRIME - KZN
Board of Directors:
B. M. Adams
R. A. Barbour
C. J. Brimacombe
R. B. Boustred
Dr. O. D. Dhlomo
Ms V. Gcabashe
G. R. Hibbert
Major Gen. C. E. Le Roux
D. J. Marshall (Managing)
N. R. MacNeillie
T. McNally
M. A. Moosa
P. N. Ngcobo
T. Ngcobo
Min N. J. Ngubane
R. A. Norton
Bishop M. Nuttal
J. Porter
D. H. Reed
T. Rosenberg (Chairman)
Comm C. P. J. Serfontein
R. D. Sishi
N. E. B. Smorenberg
A. N. Taylor
E. O. Tocknell (Dep Chairman)
Min J. G. Zuma

DEALING WITH WHITE COLLAR CRIME

INTRODUCTION
The incidence of crime in South Africa is now assuming epidemic proportions. While all crime
gives rise to concern, it is particularly those crimes involving dishonesty which are really eating
away at the very fabric of business and government ethics and which are threatening the
foundations upon which our economic system is built.
Although the classification that we are discussing would include common theft, the area of
particular concern is that which is commonly known as "white collar crime". This is a very broad
category but in essence we are talking about fraud, bribery and corruption. We are concerned with
those crimes of commission and omission which are both actual and intended. It is a fact that in
white collar crime, the potential rewards are greater, the risk of detection is lower, successful
prosecution is more difficult and finally, in the main, the penalties are less severe. These are all
sound "business" reasons for both local criminals and large international crime syndicates to put
their efforts into this type of crime.
It is a sad but very true fact that the South African Police Services, and in particular the
Commercial Branch, cannot cope now, and in the foreseeable future, with the ever increasing tide of
white collar crime in the country. The statistics are horrific, and even these are grossly understated
as contemporary wisdom has it that only about 20% of white collar crime is actually reported. The
Commercial Branch of the South African Police Services readily admit that there is a crisis in this
respect and that without the active support and tangible assistance of business and government
organisations, they will not be able to control the situation.
Business Against Crime strongly believes that there is a dire need for organisations in this country
to work towards the creation of an ethical business environment; to adopt preventative measures
against white collar crime; and, in the event of an attack, to have a contingency plan which sets out
what needs to be done, when and by whom. This pamphlet has been prepared with these aims in
mind.

Section 1
ESTABLISHING AN ETHICAL CULTURE
The success of any organisation is dependent on the quality of the decisions and the behaviour of
individuals at all levels throughout the organisation. White Collar Crime will undermine the right
decisions and positive work ethic. The foundation of any successful fight against white collar crime
is an ethical culture within the institution.
In order to establish such an ethical culture, management and employees together must believe:

o that their institution is honest and ethical in its business dealings, including dealings with
  customers, suppliers and employees;
o that their employer treats them with respect, rewards them fairly, imposes discipline fairly,
  and, where regrettably redundancy becomes necessary, exits them fairly;
o that commercial crime prevention is a common objective throughout the organisation at all
  levels, that they have been trained to play their part in the fight, and that their efforts are
  acknowledged;
o that if White Collar or commercial crime is suspected, the perpetrator can expect the most
  rigorous investigation and if found guilty, a severe sentence.

The culture of an organization is set by top management. When the directors are themselves
involved in fraud or unacceptable standards of business behaviour, employees at all levels are more
easily able to justify their own dishonesty. It follows that if an organization is to combat white
collar crime, management should first look inwards and adopt standards that are scrupulously
honest and fair.
It is vital that the organisation demonstrates its honest, ethical intent. With this in mind many
organisations are adopting formal statements of principles. In this respect Business Against Crime
recommends:

o A charter along the lines of that at Appendix 1; and
o A statement of business principles, the main parts of which are at Appendix 2.

Appendix 2

STATEMENT OF BUSINESS PRINCIPLES


(Suggested by the British Institute of Business Ethics)

1. PREFACE OR INTRODUCTION (signed by the Chairman or Chief Executive, or both)

A sentence on the purpose of the statement - the values which are important to the top management in the
conduct of the business such as integrity, efficiency, professionalism and responsibility. The role of the
company in the community and a personal endorsement of the statement and the expectation that the standards
set out in it will be maintained by all involved in the organisation.

2. KEY AREAS TO INCLUDE
The objects of the business
The service which is being provided - a group of products or a set of services - financial objectives
and the business's role in society as the company sees it.
Customer relations
The importance of customer satisfaction and good faith in all agreements. The priority given to
customer needs, fair pricing and after sales service.
Shareholders or other providers of money
The protection of investment made in the company and proper 'return' on money lent. A commitment
to effective communication with this group of people.
Suppliers
Long term co-operation. Settlement of bills. Joint actions to achieve quality and efficiency.
Employees
How the business values employees. The company's policies on recruitment, organisation,
development and training, communication, work conditions, safety, industrial relations, employment
opportunity, retirement, severance and redundancy.
Society or the wider community
Compliance with laws. The company's obligations to conform to environmental constraints. Involving
staff in the corporate policy, education and charities. Role of the business. Standards within the
organisation and in dealings with others.
Other matters
Relations with development policy and management. The ethical standards expected of employees
(detailed guidance will usually be in a separate code of business ethics).

Section 2
ESTABLISHING POLICY FOR DEALING WITH
COMMERCIAL CRIME
Every organisation, no matter how big or small, should devise and implement a security policy.
Moreover, it is particularly important for each employee within the organisation to be absolutely
clear about their duty and responsibility within the security policy.
It is vital that, in order to be truly effective, the policy is owned by management, that it is agreed
by the Board or executive management committee, and that it is promulgated under the signature of
the senior executive, owner or Chairman of the organisation. Emphasis should be placed on the
word "follow" as it is essential that management itself should lead the implementation of the policy.
The aim of the policy should be to emphasise the organisation's commitment to rooting out white
collar crime, to lay down the organisational framework, guidelines and procedures for dealing with
the crime as well as the measures necessary to prevent it.
Large organisations might set up a committee to devise the strategy and draw up the policy but it is
our belief that once this is done, a Board member or senior executive should be identified by post as
being overall responsible for driving the policy. Individual responsibilities for white collar crime
risk management should then be identified throughout the organisation.
Irrespective of the size of the organisation, the following responsibilities need to be recognised and
assigned:

o Personnel management need to take responsibility for implementing an effective recruitment
  policy to prevent white collar criminals entering the organisation. This will be in addition to
  their responsibility for establishing the necessary remuneration policy, employee rules,
  disciplinary processes and security of employment policies which will establish the required
  ethical culture of the organisation.

o The responsibility for monitoring the integrity of key operations such as creditors, debtors,
  lending, insurance, payments etc, must be assumed by the line management concerned.

o Product design and systems managers will need to take responsibility for delivering secure
  (as well as attractive and efficient) new products and systems.

o Financial management will need to take responsibility for the broader stewardship of assets,
  and of course for control over financial accounting, the institution's bank accounts, and the
  payment of suppliers.

o Branch and departmental management must take responsibility for the security of their own
  operations, and for white collar crime loss control through the normal setting and achieving
  of business objectives.

o Support services management must take responsibility for the integrity of their own
  departmental operations. If a special investigations/security department is justified, it must be
  given a clear mandate and a set of objectives as any other business function within the
  organisation. In particular, the relationships with other functions must be defined.

o A structure should be in place to give all employees a confidential
  procedure to follow in order to report suspected commercial crime.

o As well as checking on systems, internal audit must take responsibility for independently
  checking and reporting upon the organisation's compliance with, and the overall
  effectiveness of, the strategy.

o As soon as commercial crime is suspected, an urgent crime response procedure should be
  followed to investigate, secure evidence and undertake internal disciplinary action, which
  will then be followed by recoveries of losses and criminal prosecution.

The above list is not necessarily comprehensive but it illustrates the importance of involving the entire
management structure of the organisation in the fight against white collar crime. Risk
responsibilities should be reflected in job descriptions and in the setting and evaluation of
annual objectives. Through such an empowered management structure, every member of the
organisation must be encouraged to take individual responsibility for the combat of white collar
crime.
MAIN PLANKS OF THE POLICY
Business Against Crime believes that in order to fulfil the aim of emphasising the organisational
commitment to eradicate white collar crime the following areas of policy need to be clearly
established:

o The organizational framework for dealing with crime.

o The reporting of crime.

o The organization's approach to:
    o Investigation
    o Reporting to the South African Police Service
    o Internal disciplinary action
    o Prosecution
    o Recovery
    o Pension, accrued leave pay, bonus and other emoluments.

o The education of staff as to their responsibilities and awareness in relation to white collar
  crime.

ORGANIZATIONAL FRAMEWORK
We have already said that once the strategy and policy for dealing with white collar crime has been
established, a Board member or a senior executive should be identified to bear overall
responsibility for driving the policy. In medium sized and smaller organisations this person could be
the Managing Director or Chief Executive Officer. We advocate that this post is supported by an
"Enquiry Controller". The Enquiry Controller's main functions should include:

o The design and, when necessary, the activation of the organization's contingency plan.

o The conduct of any investigation.

o Co-ordination and liaison with outside agencies (SAPS, Government Departments, Forensic,
  Auditors etc).

o Receiving reports of Commercial Crime.

In a large organization with an investigations department the Enquiry Controller could be the
departmental head. In smaller organizations a predetermined senior manager should be selected.
Where an organization operates from a number of sites, consideration should be given to the appointment of a Deputy
Enquiry Controller at each site.

The Enquiry Controller should identify and have on standby, a small team of experts as part of the
Contingency Plan. The resulting framework can be depicted diagrammatically as follows:

The selection of the Enquiry Controller should be made with care. A post holder should be
identified, not an individual. The post holder concerned should be expected to have the training,
proven ability and corporate status to take charge of the situation immediately.
THE REPORTING OF CRIME
The policy document should clearly state that the reporting of commercial crime as well as
suspected commercial crime, is expected and the procedures for doing so widely promulgated. The
reporting policy should state the type of incidents that are to be reported.
A climate of openness about mistakes and losses should be created. A manager, except in the most
unusual circumstances, should not be treated too severely because a fraud has been detected in his
area of operation, unless of course, there is reason to believe that he is involved. He might not be
blamed for the fact that fraud has occurred, but he should be dismissed or severely reprimanded for
concealing any loss.
Employees must be made aware of their responsibility for reporting commercial crime and the
procedures for doing so. They should be confident that they will be protected, that their information
will be investigated and treated with care, and that their actions will be appreciated.
Obviously the reporting of incidents should not be confined to commercial crime. For example,
robberies, burglaries, fraud, fires, sabotage and breaches of safety rules should all be specified in the
policy. We recommend that initially a report should be made to the head of the department/section,
who should in turn immediately inform the nominated board member/CEO and the Enquiry
Controller. It is essential that reports are kept secret and only disseminated on a strict need to know
basis. Employees should be able to bypass the departmental/section head if for any reason they feel
that not doing so may compromise the report.
A confidential telephone number, e-mail address or similar, monitored by the Enquiry Controller, is
recommended for this purpose. False alarms should be accepted graciously as a demonstration of
conscientiousness and loyalty to the institution. Anonymous reporting should be discouraged, but
investigated when it occurs.
INVESTIGATIONAL POLICY
An investigation using the best and most appropriate resources available should be conducted into
all commercial crime in the organisation. Detection serves as a deterrent, and does so without
restricting the freedom of action of honest employees and business contacts. The threat of detection
discriminates against criminals; it does not restrict innocent people.
REPORTING TO THE AUTHORITIES
Business Against Crime is clear that all commercial crime should be reported to the South African
Police Services. There should be no deviation from this policy. We recognise however, that the
initial priorities of the victim organization and the investigating police officer are different. The
victim's prime concern is generally to recover funds and prevent recurrence, while the police
officer's focus is to arrest the offender and recover the best evidence. If the organization has an
effective and well trained investigation department, the need for immediate reporting to the police is
less urgent, as the investigation department can take steps to preserve the evidence. However, the
police have powers which are not available to in-house investigation departments. The arguments
for reporting to the police are as follows:

o It is society's job to decide on the guilt or innocence of people suspected of criminal
  offences. It could be argued that organizations have no right to make society's judgements.

o It is society's obligation to rehabilitate criminals.

o Criminal courts can impose punishments - in addition to restitution - and in so doing may
  deter others from crime.

o Criminal prosecution should ensure a certainty and consistency of response.

o The judgement given in a criminal court may be used as the authority for pursuing a civil
  claim or for enforcing a dismissal notice.

o Failing to prosecute means that the offender's record remains untarnished, which is unfair to
  subsequent employers and job applicants with whom he/she may compete.

The theory has been advanced that organizations often fail to report crime to the police for fear of
adverse publicity. In contemporary South Africa it is more likely that the opposite is true, for such is
the scale of commercial crime that there are few, if any, organizations which are not affected, and
an organization with a clean internal crime record is itself liable to speculation that it is soft on
crime and therefore not protective of shareholders' interests.

Our advice is that all commercial crime must be reported to the police. Where an in-house
investigational department exists, this reporting can be delayed. However, in this case we are of the
view that the crime should be at least registered with the police.
The civil recovery procedures should, if possible, work hand in hand with the criminal prosecution,
so that information is shared freely by the victim in order to assist the criminal prosecution and vice
versa.
INTERNAL DISCIPLINARY ACTION
Criminal prosecution does not prevent the victim organization from taking internal disciplinary
action. Indeed it is our recommendation that this is done as soon as a case can be made against the
employee on the balance of probability. The reasoning behind this is simple; why should an
organization continue to employ a criminal while the often long and tedious process of bringing
him/her before the courts takes place?
Timely internal disciplinary action is often necessary against white collar criminals. Invariably,
once they realise that there is a case against them, they will resign hoping to avoid prosecution, as
well as to secure any pension or leaving emoluments and to hide their ill-gotten gains. It is a sad fact
that many organizations in South Africa actually prefer the resignation route as an easy means of
divesting themselves of a known criminal. This is an extremely short-sighted view, as it sends a
very clear message to all employees that white collar crime is actually tolerated in the organization
and that such criminal activity pays.
Business Against Crime firmly believes that all commercial crime, even that perpetrated at senior
management level, should be the subject of disciplinary action.
PROSECUTION
The fact that an organization invariably prosecutes those who commit white collar crime against it,
has a high deterrent effect. We believe that every case should be prosecuted to the full extent of the
law. The threat of imprisonment to a white collar or management criminal is a most effective
deterrent. For him or her, prosecution and imprisonment may be the equivalent of a life sentence in
the destruction of his life style or family reputation. The certainty and consistency of response
should be used to provide a deterrent; the position of the detected white collar criminal - one he
usually deserves - should not be allowed to cloud decisions that are in the best interests of the
organization, its honest and loyal employees, customers and suppliers. It is always easy to take the
simple course not to involve the police, not to mount a criminal prosecution, not to dismiss the
dishonest employee, or cut off the criminal customer or supplier. Sympathy for the thief often
overrides common sense and sound organizational strategy. The position of the offender is often
considered in isolation and the broader issues ignored. We are of the view that lenient treatment of a
suspected criminal will encourage others; set a precedent which will be difficult to vary; will be
viewed by the criminal, his accomplices, and the general public as softness; and that it is
inconsistent with responsible management and not in the best interests of the organization.
The prosecution, either in civil or criminal court, against dishonest customers or suppliers should
not be ignored. An organization which condones a customer's or supplier's fraud in the philosophy
that "half a loaf is better than no loaf at all", or on the grounds that volume and sales count for all, or
on the assumption that the required service or expertise is not available elsewhere, is digging its
own grave. Once one fraud is condoned, others spring up, and the problem escalates to
uncontrollable proportions.

RECOVERY
It is clearly in the interests of the organization to recover any losses that it may have suffered. There
are a number of procedures for this which are discussed in the section which deals with the Crime
Response Plan. Policy with regard to the following needs to be established:

o The reporting and recovery relationship between the organization and its insurers and the
  institution and its regulator.
o The Human Resource procedures to be used for the recording of the culprit's agreement to
  recovery being made from emoluments due and pensions. (Section 37D Pensions Act).
o The procedure required by the relevant pensions authority for recoveries to be made from
  pensions.
o The route and authority required for dealing with the organization's lawyers in respect of
  initiating civil recovery action, urgent anti-dissipation orders and sequestrations.

STAFF TRAINING AND MOTIVATION


A loyal staff committed to White Collar Crime prevention and detection is the key to success.
Clearly there are a number of routes to this goal. Procedure manuals are an important training tool,
but the existence of comprehensively written manuals will not in themselves deliver the necessary
training and will certainly not foster the necessary motivation. Organizations should consider the
following:

o White Collar Crime to be a regular topic for discussion at staff meetings.
o New employees to be given induction training and documentation which includes details on
  the organization's policy, approach and plans on white collar crime as well as the relevant
  employee's responsibilities in this regard.
o Fraud training should be provided to all relevant staff - training sessions should focus on
  individual products and services, and use as many practical case studies as possible.
o Fraud risk and prevention should be included in staff training related to new products and
  services prior to launch.
o Annual refresher training.
o Publication of in-house newsletters on white collar crime which include latest trends, latest
  cases and detection successes by the organization in terms of beating the white collar
  criminal.
o Appropriate rewards for staff who have prevented white collar crime. Despite the fact that
  prevention should be part of the employee's job description anyway, the receipt of a box of
  chocolates or bottle of champagne from the departmental manager, or a special dinner for
  branch/departmental staff can have a considerable effect on morale and motivation.

Section 3
RISK ASSESSMENTS
INTRODUCTION
Every organisation should have arrangements in place for the recognition of the symptoms of White
Collar Crime, even where no prior suspicion or evidence of it exists. This is firmly a management
responsibility. Although they have an extremely important role to play, organisations should guard
against falling into the trap of leaving this entire function to internal auditors. In this respect it is
worth keeping in mind the fact that the auditing process detects only a very small percentage of
white collar crime (current statistics are 2-3%).
One of the most common methodologies to assess the possible risk to an organisation from white
collar crime is a Risk Assessment. A Risk Assessment is a method of balancing security controls
against the possible loss that could occur in any organisation. There are many variants of risk
assessment systems and processes. Indeed, the subject would require a book of its own. It is our
intention in this section to concentrate on one or two methodologies which can be utilised by
organisations of all sizes.
RISK ASSESSMENT BASICS
The key elements of any risk assessment methodology are that it must be:

o capable of being consistently applied across the organisation's operations;
o capable of providing a risk rating for each type of fraud;
o amenable to fine tuning;
o capable of being replicated;
o able to look at risks as if there were no controls in place; and
o able to measure the effectiveness of existing controls.

It is recognised that it is easier to measure inherent risks than to determine the effectiveness of
controls. The latter requires not only a detailed understanding of the controls, their strengths and
weaknesses, but also a factual assessment of how these controls are applied. This can only be done
by those with a detailed understanding of the operations of the organisation.
CRITERIA FOR MEASURING RISK
It is obviously impossible to set down a definitive list of factors for assessing the risk of white
collar crime in an organisation. However, the following factors are usually present:

o the rand quantum of the operations;
o recognition of white collar crime aspects other than money (time, information, threat to
  safety, insider trading, conflict of interest, etc);
o recognition of vulnerability to other serious criminal activities, like the abuse of influence,
  corruption, secret commissions and dishonest advantage;
o tapping in on the management perspective;
o past history of white collar crime in the organisation;
o results of internal and external audits on the organisation.

Annexure A reflects a more comprehensive list of criteria adapted from the Australian Law
Enforcement Board's publication "Best Practice for Fraud Control".
THE BAC SYSTEM
The author has devised an extremely simple methodology which can be adapted to suit any sized
organisation. This comprises five steps:

1. The threat assessment.
2. The production of a schedule of weaknesses.
3. The production of an agreed list of vulnerable areas.
4. The identification of the options available to close the vulnerable areas.
5. The production of an action plan.

THE THREAT ASSESSMENT.


Essentially, the procedure is to list all the functional areas of the organisation. For each area the
activity is described and the critical activity identified. For each activity the relevant risk criteria are
listed. The activity and risk criteria are then analysed to identify the possible areas of compromise.
The protection in place is then examined to see if possible areas of compromise are closed and from
this the areas of weakness identified. An outline format for this is in Annexure B to this section.
SCHEDULE OF WEAKNESSES
The second step is the production of a schedule of weaknesses. This should be in two parts:

o weakness in critical areas; and
o other weaknesses.

LIST OF VULNERABLE AREAS


In the third step the schedule of weaknesses is discussed with the CEO/Board/Audit Committee of
the organisation and a prioritised list of vulnerable areas agreed upon. Depending on the size of the
organisation and the number of weaknesses exposed, it may be necessary to produce:

o a consequence profile (a scientific analysis of what effect the threats would have on the
  organisation should they materialise); and/or
o a probability profile (an assessment of what percentile chance the threats at each area of
  weakness have of occurring).

OPTIONS OPEN TO CLOSE AREAS OF WEAKNESS


The fourth step is to identify the options available to close the prioritised areas of weakness. These
should be costed and further prioritised.
ACTION PLAN
The final step is the production of an action plan by the Audit Committee, if one exists. However,
the Managing Director/CEO of the organisation should always take ownership of the plan.
Although the methodology described is simple in concept, management should be aware that it is
not so in execution. In medium to large sized organisations, it is recommended that a team be
formed to carry out the exercise. This team should include accountants, security experts, computer
specialists and internal auditors. However, it is so designed that in a small organisation one person
could do the job.
BRITISH BANKERS' ASSOCIATION METHOD
The British Bankers' Association's recommended system involves the production of the
organisation's threat profile as a first step. This includes the identification of fraud threats specific to
the products and services of the organisation and in addition, the general factors applicable to the
sector in which the organisation operates which may make it more susceptible to fraud. It is
important to perform this analysis in all sections of the organisation. The threat profile is usually
documented in table format such as depicted in Annexure C.
The next stage is the examination of the organisation's existing policies and procedures in order to
assess their effectiveness in addressing the threats identified. It is important that the effectiveness of
the prevention, detection and response procedures for each threat take into account the basic
techniques of:

o segregation of duties
o levels of authority
o monitoring and supervision
o design of value paper
o security of premises

Having identified and documented the risk evaluation, management can then produce the
assessment of risk and identify any modification of controls to improve effectiveness.
Organisations wishing to adopt this system will need to obtain the British Bankers' Association's
"Fraud Managers Handbook", which is available from BBA Crime Prevention Programmes,
Information Transfer, 15 Newmarket Road, Cambridge CB5 8EG, England.

COMPUTER AIDS
There are a number of proprietary computer programmes on the market which aid the fraud risk
process. For example Bergman Voysey's "Security by Analysis (SBA)" system. Others known to
the author are "RiskWatch" and "BiAsys".
OTHER TECHNIQUES
Risk Assessments are of course not the only techniques for the recognition of the symptoms of
fraud. Some other techniques are:

o analysis of case studies of crimes committed in the general sector and their application to the
  organisation;
o vulnerability charts;
o invigilation (creation of a controlled environment);
o observation or surveillance;
o undercover investigations and informants;
o business and intelligence;
o spot checking;
o criminal targeting; and
o critical point auditing.

WHO CARRIES OUT THE ASSESSMENTS.

The reason why so much fraud escapes detection is usually because no one person in the
organisation is made accountable for the task. The idea that fraud will be detected by auditors or
police is often a fatal fallacy. The auditor is a watchdog, not a bloodhound. The police investigate
fraud, they seldom detect it. To detect fraud, resources must be allocated specifically to that task. It
cannot usually be achieved as a 'spin off' from conventional auditing. In detecting fraud, the
objective should not be confused or combined with other work. Nor should it be considered a
one-off exercise: done properly, it includes routine monitoring of events and a lot of hard work.
It is vital that "fraud detectors" have considerable investigative expertise and are capable of taking
cases from initial detection of symptoms right through to criminal prosecution by the courts. For
obvious reasons, the 'fraud detector' should be independent from the accounting department of the
organisation. He is probably best located in the security department if one exists in the organisation.

ANNEXURE A

CRITERIA AGAINST WHICH FRAUD RISKS CAN BE MEASURED


INHERENT RISKS
PROGRAMME FOCUS
1. Nature of Programme
The extent to which the business of the organisation creates a risk (e.g. service delivery
would be of higher risk than policy advice)
2. Policies and Strategies
The extent to which policies, procedures and strategies which recognise the importance of
fraud control have been developed, in other words, attitude of management.
3. Reputation
The extent to which the organisation is perceived to be an easy target for fraud.
RESOURCES
4. Cash
Handling of cash or other instruments, electronic transfer, etc which can be readily
negotiated for cash.
5. Attractive Assets
The extent to which the organisation handles assets that can be easily stolen or misused.
6. Intellectual Property
The extent to which the organisation holds information that can be traded, or has a cash
value.
7. Services
The potential for the misuse of facilities (i.e. undertaking private work in company time,
abuse of motor vehicles, telephones, computers, publishing facilities, etc).
COMPLEXITY
8. Computerisation
Sophisticated information technology systems present an opportunity for fraudulent
behaviour. (Of course, they may at the same time be a part of the control mechanism).
9. Skill
The degree to which judgement, academic or technical skills are required to undertake
functions.
10. Diversity
The extent to which tasks in an organisation (and the management systems needed to
perform those tasks) are diverse.
PUBLIC CONTACT/SENSITIVITY
11. Client Relations
Extent to which exposure to client groups involves a fraud risk.
12. Business Relations
Extent to which exposure to business community and pressure groups involves a fraud risk.
13. Human Relations
The degree to which the influence of unions and public expectations may involve a fraud
risk.

PROGRAMME REVIEWS
14. Effectiveness of reviews in reducing exposure to risk.
STABILITY
15. Procedures
The impact of any changes to procedures or system redevelopment.
16. Personnel
Continuity in personnel involved in control systems.
17. Organisation
Effectiveness of reporting arrangements.
18. Character
Does the programme have characteristics which adversely affect fraud control?
STATUTORY REQUIREMENTS
19. Legal/Regulatory
Adequacy of legislation and other formal directions.
PRESSURE TO MEET OBJECTIVES
20. Deadlines
The extent to which deadlines are an integral part of programme delivery.
21. Productivity
The extent to which productivity pressures impact upon the programme.
22. Economic
The extent to which performance is affected by external economic conditions and revenue
targets.
SIZE
23. Number of Departmental Staff
24. Multiple Locations
25. Projects
Cost of projects undertaken by the organisation.
26. Rand Throughput
27. Volume of Transactions
28. Assets/Liabilities
Magnitude of the assets or liabilities controlled by the organisation.
INTERNAL CONTROL RISK
GENERAL CONTROL ENVIRONMENT
1. Corporate Framework
Where the organisation is going and how it is going to get there.
2. Information Management
Ensuring management has reliable information to make appropriate, timely and informed
decisions.
3. Organisational Vulnerability
Reducing the exposure to fraud risk.

INFORMATION TECHNOLOGY
4. Processing and Operations
Having the computer power an agency needs and when it needs it.
5. Security
The right information in the hands of the right people.
6. Development Environment
Maintaining the leading edge without excess cost.
7. Managerial Control
Keeping it all on the rails.
PURCHASES/PAYMENTS
8. Ordering of Goods and Services
The right quality/quantity at the right time.
9. Commitment of Funds to Clients
Approval of funding to the right people at the correct rate.
10. Accepting Charges
Ensuring the organisation only pays for what it gets.
11. Controlling Payments
Payment of the right amount at the right time to the right people.
12. Overall Control and Management
Assurance that expenditure is under control and properly reflects results.

ANNEXURE B

ORGANISATION
THREAT ASSESSMENT SCHEDULE

FUNCTIONAL AREA
For example: purchasing, creditors, pay and allowances, human resources, production etc.
ACTIVITY
Describe the functions performed in detail.
CRITICAL ACTIVITY
Describe the most important functions.
COMPROMISE
Analysis of all possible ways a person/people can overcome the activity to gain unjust advantage.
PROTECTION IN PLACE
Detail the controls in place and equipment installed to close the areas of compromise and
neutralise the threat.
RELEVANT RISK CRITERIA
List the relevant inherent risks and internal control risks. See Annexure A for ideas.
AREAS OF WEAKNESS
Detail the areas of weakness, highlighting those in the areas of critical activity.

ANNEXURE C

ORGANISATION
THREAT PROFILE

PRODUCT/SERVICE
VOLUME
MAJOR SUPPORTING SYSTEMS
VALUE
GENERAL FACTORS (DETAILS)
RELEVANT DEPARTMENT/BRANCH
RECORDED CASES
LEVEL OF THREAT H/M/L
COMMENTARY
SEGREGATION OF DUTIES
LEVEL OF AUTHORITY
MONITORING & SUPERVISION
VALUE PAPER DESIGN
OFFICE SECURITY
PROCEDURES (ONLINE OF KEY CONTROLS)
ASSESSMENT OF RISK (COMMENTARY)
ACTION REQUIRED, AND PRIORITY

Section 4
THE CRIME RESPONSE PLAN
Any prudent organization will plan its response to white collar crime so that when it strikes, it can
be dealt with in an organised and efficient manner. Key decision makers should have no doubts
about what needs to be done, and what the likely effect of their decisions will be. As white collar
crime frequently involves the swift movement of money, the need for quick decisions and action is
a vital ingredient of the plan.
Clearly any contingency plan must be consistent with the organization's policy. Although this
document concentrates on the response to white collar crime, the plan could be written to
encompass all serious crime.
Business Against Crime believes that the purpose of a crime response plan is to enable the
organization to take prompt and effective action to:
a. put into place immediate and appropriate damage control measures;
b. investigate and secure the evidence so that any subsequent internal disciplinary or civil or
criminal action in the courts will succeed;
c. minimise the risk of subsequent losses;
d. improve the chance and scale of recoveries;
e. reduce any adverse commercial effects;
f. make a clear statement that the organization is not a soft target for crime;
g. minimise negative or adverse publicity;
h. identify any lessons for the future in respect of improving the organisation's defence against
white collar crime;
i. make recoveries from otherwise unattainable sources such as pension monies due to the
perpetrator;
j. consider the insolvency alternative in order to take advantage of the insolvency
investigation, interrogation and other extra-ordinary powers granted to liquidators.
The plan will assist in demonstrating to staff, customers and the public that the organization remains
in control of its affairs in a crisis situation.
We have already discussed various policy issues related to crime contingency planning in the
section which deals with establishing policy for dealing with commercial crime. In this section we
proceed on the assumption that the policy recommended by Business Against Crime has been
agreed upon.
Any contingency plan will need to include details of:

the immediate action on a crime being discovered or suspected;
how and by whom the crime will be investigated within the organization;
how and by whom the immediate subsequent action (in line with the organization's policy)
will be handled;
whether, and under what circumstances, contact should be made with the media;
which sources of external assistance should be used.

IMMEDIATE ACTION ON CRIME BEING DISCOVERED OR SUSPECTED.

We recommend that the sequence of events on the discovery of a crime or suspected crime should
be:
a. An immediate report should be made to the head of the department who should in turn
immediately inform the nominated board member/CEO and the Enquiry Controller. Speed
and secrecy are of the essence. To ensure that there is no delay in further action, both the
nominated board member and the Enquiry Controller should have nominated deputies. All
this is in line with our recommended policy in Section Two.
b. The Enquiry Controller should take immediate steps to preserve the evidence and secure
assets at risk.
c. The nominated board member and the Enquiry Controller will need to decide on the
immediate subsequent action. Depending on the nature and seriousness of the crime this
action may include:
I. notifying the South African Police Services;
II. the steps necessary to secure the assets at risk;
III. the removal of the suspect from a position of authority and the withdrawal of signing
powers;
IV. countering the undermining of staff morale or interference in the investigation by
removing the suspect from the organisation's premises;
V. changing passwords and access codes as well as securing accounting and other
records;
VI. securing the contents of the suspect's office, personal computer, diary and files,
including all personal documents on the premises;
VII. securing the relevant records held on the organization's computer network (this
should be done by a computer specialist);
VIII. appointing the appropriate investigators to commence the actual investigation as
soon as possible with the initial aim of establishing the scale of the offence and the
degree of contamination within the organization;
IX. doing a preliminary assessment of the following issues:
1. the possible need for civil recovery in terms of section 300 of the Criminal
Procedure Act (Act 51 of 1977);
2. the possible requirement for a sequestration or anti-dissipation interdict order
from the courts;
3. the registration of a likely insurance claim;
4. the specialist investigative resources which may be required;
5. and a recovery in terms of Section 37D of the Pensions Act.

INVESTIGATION WITHIN THE ORGANIZATION


As his title implies, the Enquiry Controller is normally responsible for the control of the
investigation within the organization. The person that actually carries out the investigation will
depend on the nature of the crime and on the organization of the institution. Large institutions with
their own security department can expect that department to undertake the majority of the
investigation themselves. Smaller institutions might have a designated, trained manager. Whoever
undertakes the task, the investigation must be carried out to a high professional standard if the
objectives are to be met. The Enquiry Controller should ensure that the investigators are adequately
trained. This training should include:

the legal issues relating to white collar crime, in particular fraud, bribery and corruption;
the organization's disciplinary procedures;
evidence gathering and interview techniques;
evaluating and presenting evidence, both orally and in writing.

When drawing up the contingency plan the Enquiry Controller should identify, brief and train
individual specialists who may be required for the investigation team. Some examples are:

A Computer Expert
This expert must be prepared to secure the computer evidence (either on a network or a PC),
in such a manner that it will be acceptable in a court of law. This will have to be preplanned
and the procedures documented as part of the plan. The computer expert should be chosen
with care as he or she must:
a. have a real understanding of the roles that computers can play in the commission of a
crime;
b. be able to provide clear simple testimony of what they can prove to be a fact;
c. have a high professional reputation as well as a professional approach;
d. be trustworthy and able to work as part of a team;
e. be articulate, in terms of being able to explain technical computer matters to laymen;
f. have a "presence" before a group, displaying no irritating mannerisms and
idiosyncrasies.
The expert must be an articulate and credible witness who will be able to establish the
accuracy of the data processing evidence being presented in court.

A Legal Expert
This person should be trained and know what is required for both civil legal recoveries and
criminal prosecution.
A Human Resources Manager
This manager should be warned that he/she will have to initiate such actions as suspension,
internal disciplinary hearings and provide advice on the organization's approach to the
recovery of money under the auspices of the appropriate section of the Basic Conditions of
Employment Act (or replacement legislation) as well as on the Pension Funds Act No. 24 of
1956.
A Nominated In-House Accountant.
This person should be trained to understand the basics of forensic accounting so that he/she
can carry out this function in respect of low level frauds and be able to assemble all the
relevant records and documents and prepare schedules in preparation for the deployment of
an external forensic accountant. The rationale behind this is simply that forensic accountants
are expensive, therefore it is sensible to have someone within the organization to assemble
information and documents so that the forensic auditor's time is utilized cost effectively.
Internal Auditors
Internal Auditors have a major part to play in the prevention of white collar crime. The focus
of their activity is normally on the systems in place within the organization. However the
nominated Board Member/CEO should encourage their participation in the crime response
plan and through the organization's audit committee expect them to be an independent
monitor of the effectiveness of the plan.

EXTERNAL SOURCES OF ASSISTANCE


There are a number of external resources available to assist the organization in its response to crime.
All of these have both advantages and disadvantages and it is essential that the Enquiry Controller is
aware of these and that he identifies the individuals concerned, establishes their possible reaction
time and likely costs involved. Some of these external resources are:
SAPS
If the objective is to mount a criminal prosecution, the sooner the police are involved the better.
However, there may be cases where the police may not be over enthusiastic when receiving a call
for assistance, particularly when the facts are complicated, the accounting systems confused or the
proof of loss unclear. Technically, the police are obliged to investigate every complaint, but some
are investigated more thoroughly and more quickly than others. SAPS Commercial branches in
South Africa are over-burdened as it is and an organization's case has a much better chance of being
attended to if it has been properly presented and the evidence correctly preserved.
The organization should be aware that once a case is handed to the police, it will lose control over
events. An organization normally wishes to have a loss proved down to the last cent so that it can
seek compensation. The role of the police is law enforcement; it does not matter too much if a
criminal is convicted of a R5000 or R5 million fraud. The conviction is the important outcome for
the police; recovery quite rightly, is the concern of the organization. But, as we have already made
clear in our section on policy, we are adamant that all commercial crime should be reported to the
SAPS for the reasons given in that section. The Enquiry Controller should establish a good rapport
with the relevant SAPS departments as part of the plan so that cases can be discussed, mutual
approaches agreed upon and a free exchange of information is possible.
Other Government Departments
Other Government bodies, besides the police, may be able to help with investigations especially
when their interests coincide. Some of these are: Revenue Department, Office of Serious Economic
Crimes. All of these, and others, have investigation resources which might be called upon. Local
contacts should be established by the Enquiry Controller and included in the plan documentation.
Lawyers
The organization's legal advisors are obviously an important element in the response plan. They
should be consulted when drawing up the plan and detailed procedures agreed upon for their
involvement. The lawyers have a major part to play in, inter alia, the recovery of money and assets,
liaising with the forensic accountants, interviewing witnesses, assembling documentation, if
possible cross examining the perpetrator, taking steps to prevent the dissipation of assets and, if
need be, pursuing a sequestration, drawing up of acknowledgements of debt, the presentation of the
case to, and liaison with, the SAPS for criminal proceedings and, of course, the processing of any
action through the civil courts.
Forensic Auditors
The key attributes of a forensic auditor are clarity of reporting, good witness box performance and
an above average accounting competence. Forensic accounting is a relatively new discipline, but
one which, when correctly utilized, can save an organisation a good deal of money. Forensic
auditors are, however, relatively expensive and, in our view, should not be utilized as the sole
source of investigational capacity in a case. They must be part of a team - not take over. When
drawing up a response plan the Enquiry Controller should establish contact with a selected firm
of forensic auditors and discuss their possible role in the plan. Large organizations who
experience fairly frequent crimes will find it both cost effective and beneficial to arrange visits
to the organization by the selected forensic auditors for them to be briefed on the organization's
accounting methods and systems.
Investigational Firms
It would be prudent for smaller organizations without in-house security/investigational departments
to identify external private investigational facilities. There are a number of private firms in South
Africa who specialise in commercial crime. It may be worth a small retainer to such a firm to ensure
their rapid response to a crime and a prior briefing as to the organization's policy and procedures.
Care needs to be taken when selecting such a firm as 'fly by nights' abound in South Africa. When
selecting such a firm the Enquiry Controller might consult the local branch of the Security
Association of South Africa.
CONTACT WITH THE MEDIA
In due course the media will learn of any major fraud. Organizations should accept this inevitability
and make plans to attempt to control it. It is a sad but true fact that fraud is not good media copy in
contemporary South Africa; a gory murder or hijack is much more likely to grab the headlines.
Nevertheless it is important that a media strategy is agreed by the organization for every
commercial crime case and where the SAPS or any other outside organization is involved, a
common approach decided. The Enquiry Controller should establish the procedures for this as part
of the response plan.
FUNDS RECOVERY
The Enquiry Controller should consider three remedial actions to recover funds: Tracing, Freezing
and Recovery.

Tracing
Criminals do not hesitate to exploit the confidential nature of the banker/customer
relationship. Speed is essential to follow the movement of any funds and organizations
should not hesitate to call upon their own bankers to assist in the tracing process. Although
there are limits to what they can achieve in tracing funds, bankers prefer to talk to one
another, rather than the victim or the police. The philosophy of fraud investigation is "follow
the money". In this respect the interests of the victim organization and the police will be the
same and there are many ways in which the police can trace funds to their ultimate
destination. The Enquiry Controller should discuss the possibilities of such assistance with
both the organization's bankers and the police when establishing the detail of the crime
response plan. Furthermore, a liquidator has extraordinary powers to obtain bank statements
and other documents and has the right to pursue an insolvency interrogation of the
perpetrator in order to "follow the money" and the perpetrator is obliged to answer all
questions.
Freezing
More often than not the criminal is a step or two ahead of the victim organization, with the
result that the chances of tracing being successful are not good. An anti-dissipation interdict
is often an important weapon in the organization's armoury to recover funds. The essential
purpose of an anti-dissipation interdict is to prevent a person from defeating the ends of
justice where that person can be shown to have no bona fide defence against the organization's
claim, to have assets within the jurisdiction of the relevant court, and to be intending to
defeat any claim by the organization by hiding his assets, provided the organization can show
a clear indication of loss. Clearly the organization's lawyers will be involved in obtaining such an order and the
Enquiry Controller should discuss with them their requirements should the event occur. This
should be documented in the plan. There are usually difficulties associated with obtaining an
anti-dissipation order because of the requirement for proof at an early stage. Sequestration
can often provide an effective alternative.
Recovery
Although the freezing of funds can be achieved relatively quickly the actual recovery is
likely to take much longer. Obviously the quickest and simplest method of recovery is to
obtain the criminal's acknowledgement of debt. If this is not possible recovery can be sought
through the civil courts or by direct negotiation between the parties involved. In all of this
the organization's lawyers should be involved and their involvement pre-planned as part of
the response plan. Another potential method of recovery is during any criminal prosecution
as the prosecutor can ask the Judge/Magistrate to make an order of court for repayment. The
Enquiry Controller should be alive to this latter possibility although it would be unwise for
an organization to plan on such an order being made.

Section 5
INTERNAL CONTROL
Management will wish to have some confidence that the systems instituted by it are working
properly. To this end it introduces controls, known as internal controls, over the systems. The aim of
the controls, in general, is to prevent or detect errors and fraud.
FRAUD PREVENTION
Many organisations currently have plans or would like to implement some specific changes to
combat fraud. Steps most commonly planned include:

training courses in fraud prevention and detection
increased budget for internal audit
the establishment of an audit committee
staff rotation policy
increased focus of senior management on the problem
investigative review
a review of and improvement of internal controls
increased budget for security personnel

DISCOVERY OF FRAUD
The control or prevention of internal fraud is within the control of an organisation through internal
control procedures and the role of an internal audit department. External fraud is more difficult to
control/prevent as it is external to the company. However, good business procedures and regular
review of these by means of internal audit can reduce the risks.
Overall, 41% of respondents to the KPMG Fraud Survey 1996 indicated that fraud was discovered
through internal controls. This was the most common method of detection in most regions. In
almost half the cases internal controls were cited as the most common method of detection. The
following chart provides the top three detection methods by region:
REGION               METHOD OF DETECTION                     % OF RESPONDENTS
                                                             (Multiple responses may apply)

North America        Internal controls                       41%
                     Specific investigation by management    37%
                     Notification by employee                36%

Hong Kong            Internal controls                       50%
                     Notification by customer                25%
                     Internal auditor review                 23%

Middle East / Asia   Internal controls                       62%
                     Specific investigation by management    45%
                     Accident                                45%

Europe               Internal controls                       34%
                     Notification by employee                32%
                     Accident                                25%

Australia            Specific investigation by management    39%
                     Notification by employee                28%
                     Internal auditor review                 28%

Africa               Internal controls                       54%
                     Specific investigation by management    31%
                     Notification by employee                21%

The element responsible in most regions for raising "red flags" was the internal control structure.
Organisations are implementing a number of procedures to combat fraud. Frequently cited
planned improvements include further review of internal controls, training courses in fraud
prevention, and increased funding of audit and security controls.

For a control to be designated a key control it must operate over information that is material and
must have three properties:

it must be well designed
it must provide reasonably persuasive evidence of its operation
it must, where necessary, have the support of adequate general controls.

The quality of the design of a control can only be assessed by asking whether the control will
achieve its purpose and whether it is possible to foresee that errors which it is intended to prevent
might nevertheless slip through. It requires, among other things, the ability to detect an error and, if
necessary, to correct it. Points to consider when looking at the design of a control are:

Authority
Is authority really worth anything? How many authorised signatories are there (if there are
too many the person responsible for rejecting unauthorised items will not be able to
distinguish authorised from unauthorised)? Is authority given to what should happen or to
what has happened (the latter is more likely to be effective)?
Responsibility
Is responsibility for control really taken by the user? Does he have sufficient information to
carry out his responsibility? Where functions have been split, or systems integrated, have
lines of responsibility been clearly laid down?
Appropriate Personnel
Is authority or responsibility for the performance of a task in the hands of an appropriate
person? Is he/she sufficiently senior to give authorisation or take responsibility? Is he/she
competent to carry out the task? Is he/she divorced from other functions which would
conflict with the task concerned?

There are two other elements which are included in the generally accepted view of what is an
internal control:

procedures which are outside an accounting system as such (e.g. keeping the door to a stockroom locked)
arrangements that determine how something is done as opposed to whether it is done at all
(e.g. use of well-trained staff)

It is possible, therefore, to include in the definition of internal control a very wide variety of things.
Eight types of controls may be found: organisation; segregation of duties; physical (e.g. locking up
the cash); authorisation and approval; arithmetical and accounting; personnel (e.g. training);
supervision; and management (e.g. budgetary control).
The result is that 'control' is a word which is so loosely used as to be devoid of real meaning. It is
only proper controls which really do provide the desired effect that can assist us. In order for
controls to be effective:
a. they must include a procedure that will detect the type of error against which protection is
sought
b. they must include procedures to correct such errors as are found
c. both (a) and (b) must operate within a short enough time period to be of use.

Reality of Control
Does the procedure really provide the desired control? This is largely a question of
understanding exactly what is being done. It particularly applies to reconciliations: it is
common to find that neither of the figures being reconciled actually provides any control
over the other, usually because they are not obtained from really independent sources. It also
applies to anything called a control total.
Timeliness
To be effective a control must be applied at the right time - i.e. the right stage in the
processing cycle. For example, updates to a master file of sales prices must be authorised
after updating but before processing any sales invoices to be priced from the updated file.
Reasonableness
Is it reasonable to expect the control to work? For example, could the authorisation of a
print-out of the wages of 1 000 employees mean very much? Can a senior executive be
expected to devote more than a few minutes to a control procedure?

With this background we can consider:

completeness, existence and accuracy controls
authorisation controls
processing controls
internal controls over computerised processes
safeguard controls

PREVENTIVE AND DETECTIVE CONTROLS


Preventive controls and detective controls are both designed to discover errors; the distinction
between them is based on the timing of application, but generally a combination of both elements is used.

Preventive controls are applied prior to processing because they prevent the errors from
occurring. Examples include the custodial aspects of safeguard controls.
Detective controls are applied at or after the subsequent processing step. Examples include
reconciliations, reviews and comparisons by individuals not involved in the activity being
controlled.

Reconciliation controls between two independent information streams can detect the occurrence of
completeness, existence and accuracy errors at several different control points. Detective controls
do not prevent errors occurring, nor do they identify the sources of any errors detected.
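A reconciliation of the kind described above, written as an added example (it is not part of the original handbook). It compares goods-received notes with ledger postings and sorts the differences into completeness, existence and accuracy errors; the record layout, the `captured_by` field used to test whether the two streams are really independent, and all sample data are assumptions constructed for illustration.

```python
from collections import Counter, namedtuple
from decimal import Decimal

# One record per exchange. captured_by names who (or which system) produced the
# record; it is an assumed field used to test independence of the two streams.
Rec = namedtuple("Rec", "ref party amount captured_by")


def reconcile(source_docs, ledger):
    """Reconcile source documents (stream A) against ledger postings (stream B).

    Returns a dict with four lists:
      completeness    - exchanges that occurred but were never posted
      existence       - postings with no exchange behind them (or posted twice)
      accuracy        - (ref, [fields]) where a posting disagrees with its document
      not_independent - refs where the same person captured both records, so the
                        comparison gives no real control over either figure
    """
    findings = {"completeness": [], "existence": [],
                "accuracy": [], "not_independent": []}
    docs = {d.ref: d for d in source_docs}
    postings = Counter(e.ref for e in ledger)
    first = {}
    for entry in ledger:
        first.setdefault(entry.ref, entry)  # keep the first posting per reference

    # Completeness: a document exists but nothing was recorded.
    findings["completeness"] = sorted(docs.keys() - first.keys())

    for ref in sorted(first):
        entry, doc = first[ref], docs.get(ref)
        if doc is None:
            findings["existence"].append(ref)   # recorded, but no exchange took place
            continue
        if postings[ref] > 1:
            findings["existence"].append(ref)   # extra posting has no second exchange
        wrong = [f for f in ("party", "amount")
                 if getattr(doc, f) != getattr(entry, f)]
        if wrong:
            findings["accuracy"].append((ref, wrong))
        if doc.captured_by == entry.captured_by:
            findings["not_independent"].append(ref)
    return findings


# Constructed sample data (not from the handbook).
SOURCE_DOCS = [
    Rec("GRN-001", "Acme Supplies", Decimal("1500.00"), "stores"),
    Rec("GRN-002", "Bolt & Nut CC", Decimal("320.50"), "stores"),
    Rec("GRN-003", "Acme Supplies", Decimal("99.00"), "stores"),
    Rec("GRN-004", "Delta Paper", Decimal("410.00"), "creditors_clerk"),
]
LEDGER = [
    Rec("GRN-001", "Acme Supplies", Decimal("1500.00"), "creditors_clerk"),
    Rec("GRN-002", "Bolt & Nut CC", Decimal("350.50"), "creditors_clerk"),
    Rec("GRN-004", "Delta Paper", Decimal("410.00"), "creditors_clerk"),
    Rec("GRN-005", "Echo Traders", Decimal("780.00"), "creditors_clerk"),
    Rec("GRN-001", "Acme Supplies", Decimal("1500.00"), "creditors_clerk"),
]

if __name__ == "__main__":
    for kind, items in reconcile(SOURCE_DOCS, LEDGER).items():
        print(f"{kind}: {items}")
```

As the text says, the output shows that an error exists and of what type, not who or what caused it; that still has to be investigated.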
SEGREGATION OF DUTIES
Segregation of duties prevents individuals within the entity from being in a position to both
perpetrate and conceal an error or irregularity.
Examples of different functions which should normally be segregated are:
Despatch of goods and receiving cash
Receiving cash and updating sales ledger
Receiving goods and payment of invoices
Performance of reconciliations and correction of errors


Segregation of duties may also be necessary over allocations. For example, a credit clerk who has
access to cash receipts should not also be able to issue credit notes to the receivables account or to
write off old receivables, otherwise the clerk could misappropriate cash receipts and write off the
corresponding invoice as a bad debt.
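The segregation rules above can be checked mechanically, both against who is permitted to do what and against what was actually done. The following is an added example, not part of the original handbook; the duty labels, user names, invoice numbers and sample data are constructed assumptions, while the incompatible pairs are the ones listed in the text.

```python
from collections import defaultdict
from itertools import combinations

# Incompatible duty pairs taken from the text above; the labels are this
# example's own naming, not the handbook's.
CONFLICTS = {
    frozenset({"despatch_goods", "receive_cash"}),
    frozenset({"receive_cash", "update_sales_ledger"}),
    frozenset({"receive_goods", "pay_invoices"}),
    frozenset({"perform_reconciliation", "correct_errors"}),
    frozenset({"receive_cash", "issue_credit_note"}),
    frozenset({"receive_cash", "write_off_receivable"}),
}


def entitlement_conflicts(assignments):
    """Preventive view: users whose assigned duties include both halves of a pair.

    assignments maps user -> set of duties. Returns {user: [(duty_a, duty_b), ...]}.
    """
    findings = {}
    for user, duties in assignments.items():
        held = sorted(tuple(sorted(pair)) for pair in CONFLICTS
                      if pair <= set(duties))
        if held:
            findings[user] = held
    return findings


def exercised_conflicts(events):
    """Detective view: one user performed both halves of a pair on the same invoice.

    events is an iterable of (user, duty, invoice) tuples from an activity log.
    Returns a sorted list of (user, invoice, duty_a, duty_b).
    """
    seen = defaultdict(set)
    for user, duty, invoice in events:
        seen[(user, invoice)].add(duty)
    hits = []
    for (user, invoice), duties in seen.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                hits.append((user, invoice, a, b))
    return sorted(hits)


# Constructed sample data (not from the handbook).
ASSIGNMENTS = {
    "clerk_a": {"receive_cash", "write_off_receivable"},
    "clerk_b": {"receive_goods", "receive_cash"},
    "clerk_c": {"pay_invoices", "perform_reconciliation"},
    "clerk_d": {"despatch_goods", "receive_cash", "update_sales_ledger"},
}
EVENTS = [
    ("clerk_a", "receive_cash", "INV-1001"),
    ("clerk_a", "write_off_receivable", "INV-1001"),  # the credit clerk case
    ("clerk_a", "receive_cash", "INV-1002"),
    ("clerk_e", "write_off_receivable", "INV-1002"),  # different person: no hit
    ("clerk_d", "despatch_goods", "INV-1003"),
    ("clerk_b", "receive_cash", "INV-1003"),
]

if __name__ == "__main__":
    print(entitlement_conflicts(ASSIGNMENTS))
    print(exercised_conflicts(EVENTS))
```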
EXISTENCE AND ACCURACY CONTROLS
Existence controls are designed to ensure that only valid exchanges are recorded by the accounting
system. Examples of common existence controls are:

procedures to ensure that the exchange document is compared to the physical goods either
received or shipped to ensure that an exchange occurred;
independent verification of employees on the payroll.

Accuracy controls are designed to ensure that captured exchanges are recorded accurately by the
accounting system and relate to price, quantity, date, party and description. There are various types
of accuracy controls:

reconciliations
comparisons
mathematical checks
review of one individual's work by another

AUTHORISATION CONTROLS
Authorisation controls may be instituted by management to ensure that transactions are executed in
accordance with its general or specific instructions. Sound authorisation procedures help ensure that
all exchanges executed by the entity have legitimate corporate purposes.
INTERNAL CONTROLS OVER COMPUTERISED PROCESSES
There are two types of internal controls applicable to both the capture and processing of
computerised data:

user controls
EDP controls

EDP controls are dependent on computer programmes for their operation; user controls are operated
independently of the computer processes.
SAFEGUARD CONTROLS
Safeguard controls have two aspects:

Custodial
designed to prevent unauthorised use of assets during the period that they are in the custody
of an individual or a department, also providing assurance that movable assets are not lost or
stolen. Custodial controls include access restrictions and procedures to ensure that incoming
and outgoing assets are counted, inspected, and received or given up only on the basis of an
authorisation. Vaults containing negotiable instruments and shipping and storage
departments, for example, should have such internal controls.
Accountability
designed to detect situations inconsistent with those on record and thus prevent the financial
statements from being in error because of undetected errors or irregularities. For example,
the storeman responsible for safeguarding inventory should not be primarily responsible for
carrying out counts of the inventory.

Section 6
A PRACTICAL APPROACH TO THE PREVENTION OF
CORRUPTION
Introduction
There is nothing new about corruption; it has been around for a long time. As far back as 300 BC,
Kautilya, the then Prime Minister of Emperor Chandragupta of India, identified forty ways of
embezzlement of funds by employees in the private sector and he had this to say about Government
servants:
"Just as it is impossible not to taste the honey or the poison that finds itself at the tip of the tongue,
so it is impossible for a Government servant not to eat up at least a bit of the King's revenue".
But corruption is an increasingly important clandestine driving force in South Africa, and it is
beginning to seriously undermine our citizens' faith in the very foundations of our society; in
particular the market economy system, which is supposed to be free and fair, and democracy under
which we should expect to be ruled by a just and equalitarian Government and by the rule of law
over power implemented by an independent, uncorrupt and fair judicial system. We do not have to
look far for the signs. Ghost employees in the Civil Service, fraud in the hospitals and school meals
schemes, unauthorised use of credit cards by Transnet officials, all manner of corruption in the
police force, leaking of examination papers, issue of fraudulent university degrees, electoral fraud,
insider trading on the Johannesburg Stock Exchange, the Tollgate affair etc., are just some of the
more visible signs.
As well as the media evidence, the information we have received from courts, official and unofficial
reports suggests that corruption in our society is not a matter of individual, exceptional modes of
behavior, but something which is fairly common practice, affecting many sectors of activity. The
problem is that, despite the evidence that we have available, corruption is substantially less visible
than many other types of crime and this is perhaps the reason why it has not been attacked with the
appropriate vigor. Corruption is a consensual crime in the sense that all participants are usually
willing parties who together have an interest in concealing it. There are therefore fewer conscious
victims and witnesses to it. One theory is that the origin of the current scale of corruption in South
Africa is the sanctions placed upon the country by the rest of the world during the apartheid years,
as a result of which the Government and many business firms had to be corrupt to survive. In this
scenario the distinction between acceptable and ethical activity became blurred. Many of the
businessmen and Civil Servants who operated during this era are still around today, and old habits
die hard. But it would be simplistic and incorrect to blame it all on the sanctions alone. Some
consider that it is only one of a number of offences which have arisen out of a certain worldwide
loosening of moral standards. Indeed, a full-scale debate could be held on the question of the causes
and the point of time when corruption became as widespread as it currently is. Another important
factor is economic globalisation which has created tremendous new opportunities for illicit as well
as productive creation of wealth. Yet another is the sheer volume of money arising from modern
trade and construction. But the bottom line is that corruption is one of the main dangers facing our
society, on a par with violence, unemployment, racism, etc.
The major problem facing those engaged in the battle against corruption is that corrupt dealings are
by nature secretive; few, if any, crimes are harder to prove. It is hard to detect and less susceptible
to reactive policing. It is difficult to investigate as it is often subtle and perpetrated by cunning
people who know the system. It is our contention that a national strategy for ethics and
anti-corruption led from the top echelons of the Government needs to be urgently developed in South
Africa. This strategy should be both educational and regulatory and adopt a multi-faceted approach
that investigates, punishes and deters the corrupt, and educates and assists everyone to resist
corruption. The development of a national strategy is a goal toward which we must strive but it is
not the focus of this paper which concentrates on prevention within organisations as one important
practical plank of any national strategy.
Clearly prevention of corruption is better than cure. Setting up an efficient corruption-free system
will undoubtedly be cheaper than spending decades in investigating isolated instances of corruption
that may be occurring easily within a system or business that has little resistance to corruption. It is
also less confrontational and less socially divisive to promote and achieve good behavior than to
wait for the crime to occur and then investigate and punish the perpetrator. We have no doubt that
corruption prevention is a management function. And we mean management in its broadest sense
both in business and in the public service. Where management is committed to the prevention of
corruption and the encouragement of integrity, these goals are more likely to be achieved than if no
management assistance or guidance is given. We strongly believe that in every business and public
department directors and management should be made accountable for prevention of corruption.
Indeed, it is very relevant in this respect that the common law of vicarious liability imputes liability
to the employer (principal) for the negligent acts of its employee (agent) that occur within the scope
of employment.
It is the aim of this document to provide management with some ideas on a practical approach
toward the achievement of their responsibility in this respect.
What is Corruption?
It is important at this stage to understand what we mean by corruption. The offence of corruption as
defined in the United Kingdom Public Bodies Corrupt Practices Act 1889 and the Prevention of
Corruption Act 1906, consists of three main elements. It has to be shown:
a. that a gift or consideration was given or offered by one party to another;
b. that the gift or consideration was given, or received, as an inducement or reward for
services to be rendered or already rendered in relation to official duties; and
c. that the transaction took place corruptly.
An April 1996 memorandum prepared by the Directorate of Legal Affairs of the Council of
Europe's Multidisciplinary Group on Corruption describes corruption thus:
The simplest form of corruption is where one individual hands over cash (services or goods) to
another in return for services rendered or to be rendered. Complications may ensue in respect of
the following four parameters: the person involved, the services rendered, the consideration
received and the manner in which the latter is transmitted.
Among the persons involved are, of course, sellers or purchasers of all kinds of commodities or
services on the basis of private or public transactions, political decision makers, civil servants
(national and international) responsible for selling, purchasing, selecting or controlling, police
officers, bailiffs, prosecutors and judges, and also journalists, who may be paid to put questions to
the government, footballers, who may agree to have an "off day", sports coaches or club managers,
who may make surprising decisions, and so on and so forth. The list is endless. Many people
apparently get involved at both ends of a corruption affair: they offer bribes (the obvious part), but
they also accept them. Or they may play the part of go-between, e.g. they might be paid for
promising to exert influence on a person they rightly or wrongly claim to influence (influence
peddling).
The above list gives some idea of the multitude of areas potentially inviting corruption. Buying,
selling, selecting, legislating, supervising or failing to supervise, doing one's job properly or
improperly, even speaking, mentioning a name, putting a question, designating an object or posing
beside it, appearing at a given place or wearing a given item of clothing, all may be the subject
of a corruption agreement.
The Attorney-General of the Witwatersrand in his address to the SACOB Conference on Ethics and
Corruption in 1993 had this to say about corruption:
Corruption as a generic term covers a multitude of sins such as moral and ethical depravity, social
conduct which society finds unacceptable and that type of conduct that falls within the description
of an offence and is visited by punishment inflicted by law.
The appropriate law in South Africa is the Corruption Act (Act 94 of 1992). A copy is attached as
Annexure A. This makes it an offence to corruptly give or offer any benefit not legally due to a
person holding office in the public or private sector with the intention:

to influence him/her to do any act or inaction in relation to the powers or duties conferred on
that person; or
to reward such a person for having committed or omitted to do any act constituting an
excess of his power or a neglect of his duty.

The Act also makes it an offence for any person holding office to corruptly receive a benefit or
reward not legally due, even if the giver of that benefit or reward did not have the intention to
reward that person for committing a certain act or omitting to do an act.
Faced with the above, where does the manager begin his/her prevention strategy? We are of the
view that a much simpler definition is required and suggest:
Corruption is a favour offered for a favour granted in return, during which transaction
damage is done to the organisation concerned.
Corruption as a Process
In order to apply any one of the definitions above to a corrupt act, the act itself must have already
taken place. It follows therefore that while the definitions are appropriate to the detection,
investigative, and punishment process, they are of little assistance in the development of a
preventative plan of action. We have therefore decided to follow the approach of the Netherlands
College for Criminal Investigation and Crime Control which is to identify the elements common to
most definitions and to use these elements both to define corruption and to describe corruption as a
process. From this activity four elements which together describe a corrupt act are identified.
These are:
1. Receiving a favour (money, goods, sex, services).
2. Doing somebody a favour; the person is able to do this favour because of his position within
the organisation.
[There has to be a relationship between these two favours. The initiative for either giving or
receiving a favour can come from either side.]
3. Damage to the organisation. This damage could be done in a variety of ways, including
financial, image, ethical, and physical.
4. Secrecy.
An act can only be described as corrupt when all four of the above elements are in place. If only
one, two or three of the elements are in place, then corruption can be said to be in process. This is
an important distinction as the key to our proposed prevention strategy lies in the understanding and
recognition of the elements and decision making which follows this recognition. At this stage we
must leave these thoughts out in the sun to ripen, but to return to later, as it is essential that we give
consideration to the role of the individual in the process before continuing this theme.
The Role of the Individual
In order for corruption to take place individuals must be involved. It is impossible for inanimate objects
to corrupt. If we truly wish to prevent corruption therefore, we must address the problem by
focusing on the individual. This of course must be done within the framework of a proper
organisational culture in which management is an example to their employees and where procedures
protect the employee from exposure, as far as possible, to corruption. But in the end corruption is
about the decision made by an individual to begin the process described above. We need to be clear
about the pressures on the individuals to give in to corruption and the psychological factors
involved. If someone wants to ask a favour, he/she will probably ask it in a way which will make it
easy for the answer to be "yes". He/she will most likely utilise one of two strategies for this (Deaux
& Wrightsman, 1984):

Foot in the door. He/she will start with a small favour, one which is so small that it would
seem ridiculous to refuse it. Once the answer is "yes", he/she will start to ask for bigger
favours. Since the first favour has already been agreed to, it is most likely that the target will
agree to the second and third and so on.
Door in the face. This is exactly the opposite to the above. Someone starts with an extreme
favour, so extreme that it is easy to refuse. Then he/she will ask a small favour and since the
first one has been refused, the target will feel almost obliged to at least do this one to avoid
being rude and confrontational.

Of course there are other pressures on individuals to begin the process. Some of these are:

peer pressure
a poor atmosphere at work (lack of leadership, constant reorganisation, lack of recognition,
fear of affirmative action policies, lack of communication, etc.)
a paucity of career opportunities
private problems (relationship, alcohol, drugs)
cultural - a code of silence
contact with the public and criminals. Some elements within the organisation will be more
exposed to corruption possibilities that others; police with criminals, buyers with suppliers,
politicians with lobbyists, etc.

We categorise these pressures as risk factors. When an individual accepts any one of these factors the
situation becomes risky. It is also a time when the individual must make a decision, asking himself:
o will I accept this risk?;
o will I accept that the situation might degenerate into one of risk?

One has to assume that people very rarely join an organisation with the intention of being corrupt
and that they do not suddenly leap into a corrupt situation. It is much more likely that it is a gradual
process. And once into the process it is inordinately difficult to get out. The reason why it is so
difficult to break out of the process is explained by a social psychological concept, Festinger's 1957
"cognitive dissonance reduction theory" which is very clearly articulated by Deaux & Wrightsman in
their book "Social psychology in the 80's", the fourth edition of which was published in 1984.
It is human nature for people to want their behaviour and their notions (cognitions) to be in
harmony (consonant). If this is not the case, the situation jars, or in other words it is dissonant and
they instinctively feel uncomfortable. They will therefore try to reduce the dissonance. They can do
this by changing their cognitions, or by changing their behaviour, or by making one of them, or
both, of little importance. We will try to illustrate this with an example: Let us take a buyer whose
basic cognition is that he is a good, reliable and trustworthy employee. If he goes wrong, for
example by accepting a present from a supplier, he will instinctively feel uncomfortable,
particularly if the rules against accepting presents from suppliers are extremely strict, and the
process will commence. As the behaviour, or act, has already taken place, he will seek to change his
cognitions by trying to rationalise his behaviour in some way. Perhaps by thinking that it does not
really matter as everybody does it, or it was only a small gift of little consequence. The next time
around it will be easier for him to behave in the same way as his cognitions will already be
balanced. And as the acts are repeated it will become more and more difficult to break out of the
pattern. In fact the only way he can break out is by admitting to himself that his whole way of
thinking is wrong. And it is human nature that this is not the easiest thing to do.
The implications of this theory are that the best time to stop the process of an individual becoming
corrupt is at the very beginning, as the longer one waits or the more involved the individual
becomes, the more difficult it is to extract from the situation. Another important implication is that
in order to be proactive in the prevention of corruption, management should seek to educate the
relevant decision making and thought process of individuals within their organisation.
Action Plan
We believe that any action plan to prevent corruption must be based upon two factors: the elements
which together describe a corrupt act and the role of the individual in corruption. The focus must be
upon the individual.
The first step is the education of both management and employees in the corruption process
elements. There is nothing difficult about this as they are startlingly simple. But what do these
elements mean to the way things are done within the organisation? And at this stage we hope that
the period that the readers' thoughts have been ripening in the sun in this respect is beginning to
show dividends, for we do not pretend that we have all the answers. But it is worthy of considerable
reflection that the elimination of any of the elements is tantamount to the elimination of corruption.
We accept that this is not easy and that it does not eliminate the process. Let us consider some of the
more obvious actions which can be taken by an organisation:

Secrecy.
o The creation of an open and transparent culture in the organisation. This has to be led
from the very top. If there is the slightest suspicion by the employees that the leaders
in the organisation are themselves corrupt, the employees' cognitive dissonance will
be balanced so that corruption in the organisation will become the norm.
o The separation of duties so that any transaction which could conceivably lead to
corruption has to be handled by at least two different people and preferably two
different departments in the organisation.
o Making those who have access to business secrets sign trade restraint agreements.
o Having a gifts register into which all members of an organisation must enter gifts
received no matter how small.
o Rewarding, aiding and protecting people who break secrecy - the whistle blowers.
o As part of the open and transparent organisational culture, training employees in the
art of disclosure to ensure that it becomes unemotional and all inclusive.
o Encourage discussion on the subject.
Damage to the Organisation
o Have clear and simple guidelines as to corporate values, goals and objectives.
o Explain and detail the need for compliance with the laws that regulate and apply to
the organisation, its systems and conduct of business.
o Reduction of the exposure of the organisation to damage. For example, restricting
and controlling access to confidential information, patents, plans etc., to those who
have a need to know, having the normal safeguards against insider trading, conflict
of interests, and the like.
o Reducing corporate opportunity. In other words making it difficult for employees to
take advantage for their own benefit of an opportunity that should be offered to the
organisation.
o Having a fairly paid staff and caring organisation.
o Clear boundaries of responsibility should be defined. Consider Anderson's law:
Probability of abuse = value of asset x the number of people with access.
Doing Somebody a Favour
o Having strict rules about the employment of, or contracting of the services of,
relatives.
o Ensuring that there are no other opportunities for the conflict of interests.
o Having strict rules for any payments to third parties. We suggest that these rules
should include the necessity for a committee to approve such payments.
o Centralising and institutionalising all donations, including that of the business
product.
o Encourage personnel to seek guidance before granting favours to outsiders.
o Having strict rules against the bribery of foreign officials during international
transaction. This should be included in the contracts of foreign commercial agents. In
this respect it is worth pointing out there is considerable international action in
progress which targets both companies and countries with a view to imposing
penalties for such action.
Receiving a Favour
o Use of a gifts register as described above.
o Monitoring of employees looking for signs of unusually wealthy lifestyles.
o Ensuring a division of responsibilities so that no one person should have complete
responsibility for any one business process.
o Communicating with suppliers stressing that the organisation wishes to conduct its
business in an ethical manner and that any attempts to provide favours to employees
will be regarded in a serious light. The communication should also give a
confidential reporting 'hot line' so that attempts by employees to solicit favours can
be reported.
o Independent checks looking for signs that favours have been received. For example:
suppliers not offering the usual discounts and special deals, ambiguous or
abbreviated descriptions on invoices, over orders or surplus stock lines, abnormal
number of credit notes, bids very close together, or tenders accepted after closing
date etc.
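The independent checks listed under Receiving a Favour can be run routinely over tender and invoice records. The following is an added example, not part of the original guide; the thresholds, the record layout and the supplier names are assumptions constructed for illustration.

```python
"""Independent check of tender and invoice records (constructed data)."""
from collections import Counter
from datetime import datetime

# Assumed thresholds for this example; the text gives no figures.
CLOSE_BID_SPREAD = 0.01      # all bids within 1% of the lowest bid
CREDIT_NOTE_RATIO = 0.25     # credit notes per invoice treated as abnormal
MIN_DESCRIPTION_WORDS = 3    # shorter invoice descriptions count as abbreviated

# Constructed sample: bids are (supplier, amount, time received).
TENDERS = [
    {"id": "T-001", "closes": "1997-03-14T12:00", "winner": "Acme",
     "bids": [("Acme", 100000.0, "1997-03-13T09:10"),
              ("Bolt", 118500.0, "1997-03-12T15:30"),
              ("Crest", 109900.0, "1997-03-14T11:45")]},
    {"id": "T-002", "closes": "1997-04-01T12:00", "winner": "Delta",
     "bids": [("Delta", 250000.0, "1997-04-02T08:05"),
              ("Bolt", 262000.0, "1997-03-30T10:00")]},
    {"id": "T-003", "closes": "1997-05-20T12:00", "winner": "Echo",
     "bids": [("Echo", 80000.0, "1997-05-19T16:00"),
              ("Foxtrot", 80400.0, "1997-05-19T16:20"),
              ("Gamma", 80650.0, "1997-05-20T09:00")]},
]

# Constructed sample: (supplier, document kind, description).
DOCUMENTS = [
    ("Acme", "invoice", "500 x 25 kg bags cement, delivery note 4411"),
    ("Acme", "invoice", "Hire of concrete mixer, 10 days"),
    ("Delta", "invoice", "Supply and fit 40 office desks"),
    ("Delta", "invoice", "Goods"),
    ("Delta", "credit_note", "Adjustment"),
    ("Delta", "credit_note", "Price correction on desks"),
    ("Echo", "invoice", "Misc. svcs"),
    ("Echo", "invoice", "Annual service of 3 delivery vehicles"),
]


def late_awards(tenders):
    """Tenders won by a bid received after closing, or with no bid on file."""
    flagged = []
    for tender in tenders:
        received = {s: datetime.fromisoformat(w) for s, _, w in tender["bids"]}
        winning = received.get(tender["winner"])
        if winning is None or winning > datetime.fromisoformat(tender["closes"]):
            flagged.append(tender["id"])
    return flagged


def close_bids(tenders, spread=CLOSE_BID_SPREAD):
    """Tenders where every bid lies within `spread` of the lowest bid."""
    flagged = []
    for tender in tenders:
        amounts = [amount for _, amount, _ in tender["bids"]]
        if len(amounts) < 2 or min(amounts) <= 0:
            continue  # nothing to compare, or unusable amounts
        relative = (max(amounts) - min(amounts)) / min(amounts)
        if relative <= spread:
            flagged.append((tender["id"], round(relative, 4)))
    return flagged


def abnormal_credit_notes(documents, ratio=CREDIT_NOTE_RATIO):
    """Suppliers whose credit notes exceed `ratio` times their invoices."""
    invoices, credits = Counter(), Counter()
    for supplier, kind, _ in documents:
        (credits if kind == "credit_note" else invoices)[supplier] += 1
    return sorted(s for s in credits if credits[s] > ratio * invoices[s])


def vague_invoices(documents, min_words=MIN_DESCRIPTION_WORDS):
    """Invoices whose description is too short to identify what was bought."""
    return [(s, d) for s, kind, d in documents
            if kind == "invoice" and len(d.split()) < min_words]


def review(tenders, documents):
    """Run every check and return the findings for independent follow-up."""
    return {
        "late_awards": late_awards(tenders),
        "close_bids": close_bids(tenders),
        "abnormal_credit_notes": abnormal_credit_notes(documents),
        "vague_invoices": vague_invoices(documents),
    }


if __name__ == "__main__":
    for check, findings in review(TENDERS, DOCUMENTS).items():
        print(check, findings)
```

A finding is a prompt for enquiry by someone outside the buying function, not proof that a favour was received.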
We have already said that we believe the focus must be on the individual. This should be done
within an organisational framework of, inter alia, rules, legislation, regulations, job descriptions,
systems, corporate ethics, controls, alert management, and clear policy and working guidelines. We
suggest that the best way of sensitising individuals to dealing with corruption is by training. This
training should include:

Describing the process of corruption.
Explaining the cognitive dissonance reduction theory.
Providing an insight into the decision process and recognition of the risks. We have already
described the risk factors. Individuals need to be able to recognise the moments when they
have to make a decision in relation to the risks. They need to know that a decision is made,
even if it is made unconsciously; they should be aware of the kind of decision they are making
and the effects and consequences of such a decision. They should also be clear that any
decision is their responsibility.
Training in the skill of saying "no". This is not as simple as it seems. It is not difficult when
the relationship with the other person is not important, but when the relationship is
important, the problem is to say "no" in such a way that the relationship stays the same and
the message is clear and accepted.
Practising the skill of disclosure. This influences the process of corruption by avoiding the
fourth element, secrecy. Obviously the culture of the organisation has an important part to
play here. Individuals should be encouraged to unemotionally disclose their mistakes, to be
open about their dealings with third parties, and have no inhibitions about confronting or
discussing anything to do with the elements of corruption and the associated risks with their
peers. It is also important that the receivers of any disclosure, be it management or
colleague, are taught to react in an unemotional manner.

We do not envisage a complicated educational course for all this. After all, we believe that the
beauty of our approach is in its simplicity. We suggest a short presentation on the concept followed
by discussion and role plays. The subject should also feature during staff personal development
assessments and settings of individual key performance areas.
Conclusion
We hope that we have arrived at a simple, yet effective approach to encourage the prevention of
corruption in both the public and private sectors. The approach is unashamedly directed at the
individuals within an organisation and is educationally biased. Of course all this must be seen
within a framework of organisational rules and regulations as well as the law. And none of it will
work unless there is commitment and encouragement from the top.

ANNEXURE A TO SECTION 6

STATUTES OF THE REPUBLIC OF SOUTH AFRICA - CRIMINAL LAW AND PROCEDURE

CORRUPTION ACT
NO. 94 OF 1992
(ASSENTED TO 18 JUNE, 1992) (DATE OF COMMENCEMENT: 3 JULY, 1992)
(English text signed by the State President)
ACT
To provide anew for the criminalization of corruption and for matters connected therewith.
1. Prohibition on offer or acceptance of benefit for commission of act in relation to
certain powers or duties.
1. Any person
a. who corruptly gives or offers or agrees to give any benefit of whatever nature
which is not legally due, to any person upon whom
i. any power has been conferred or who has been charged with any duty
by virtue of any employment or the holding of any office or any
relationship of agency or any law, or to anyone else, with the
intention to influence the person upon which such power has been
conferred or who has been charged with such duty to commit or omit
to do any act in relation to such power or duty; or
ii. any power has been conferred or who has been charged with any duty
by virtue of any employment or the holdings of any office or any
relationship of agency or any law and who committed or omitted to
do any act constituting any excess of such power or any neglect of
such duty, with the intention to reward the person upon whom such
power has been conferred or who has been charged with such duty
because he so acted; or
b. upon whom any power has been conferred or who has been charged with any
duty by virtue of any employment or the holding of any post or any
relationship of agency or any law and who corruptly receives or obtains or
agrees to receive or attempts to obtain any benefit of whatever nature which
is not legally due, from any person, either for himself or for anyone else, with
the intention
i. that he should commit or omit to do any act in relation to such power
or duty, whether the giver or offeror of the benefit has the intention to
influence the person upon whom such power has been conferred or
who has been charged with such duty, so to act or not; or
ii. to be rewarded for having committed or omitted to do any act
constituting any excess of such power or any neglect of such duty,
whether the giver or offeror of the benefit has the intention to reward
the person upon whom such power has been conferred or who has
been charged with such duty, so act or not,
shall be guilty of an offence.

2. If any offence referred to in subsection (1) or any part thereof is committed or done
outside the Republic, it shall be deemed to have been committed or done in the
Republic if the power or duty referred to in that subsection is connected with any
person or any institution or any government body in the Republic.
2. Jurisdiction in respect of offences committed outside Republic.
2. Any court within the area of jurisdiction in which the person, institution or
government body referred to in subsection (2) of section 1 is domiciled or seated,
shall have jurisdiction to try any offence referred to in that subsection.
3. Subject to the provisions of section 47 of the First Schedule to the Defence Act, 1957
(Act No. 44 of 1957), "court" shall, for the purposes of this section, mean
a. any magistrate's or regional court referred to in the Magistrates' Courts Act,
1944 (Act No. 32 of 1944); or
b. any provincial or local division of the Supreme Court referred to in the
Supreme Court Act, 1959 (Act No. 59 of 1959)
3. Penalties.- Subject to the provisions of section 277 (1) of the Criminal Procedure Act, 1977
(Act No. 51 of 1977), any person who is convicted of an offence referred to in section 1
shall be liable to any penalty within the punitive jurisdiction of the court concerned.
4. Repeal of laws.- The common law crime bribery, the Prevention of Corruption Act, 1958
(Act No. 6 of 1958), section 36 of the General Law Amendment Act, 1964 (Act No. 80 of
1964), and the Prevention of Corruption Amendment Act, 1982 (Act No. 43 of 1982), are
hereby repealed.
5. Short title.- This Act shall be called the Corruption Act, 1992.

Section 7
INVESTIGATION / PROSECUTION
1 PRE-INVESTIGATION ACTIVITY
1. Debrief First Information of Crime informant fully.
2. Instruct informant that he is to speak to no one else about the suspected offence.
3. Establish which departments of the business will be involved by the nature of the offence
suspected, e.g. Purchasing Department, Accounting Department, etc.
4. Establish the names and functional responsibilities of all personnel in each of the
departments listed in 3.
5. Apply Need to Know principle. Decide who will have to be consulted from the list of names
mentioned in 4. This will also comprise the list of persons to be interviewed.
6. Decide who will be responsible for investigation.
7. Construct plan of investigation, e.g. begin in Accounting Department - interview Accountant
Mr X - request his assistance in doing xyz; Purchasing Department - interview Mr S, etc.
8. Secure all records, archives, computer tapes and personal records of suspects as first step,
then establish what the required documentary evidence will be, from where and whose
control it will be obtained, how it will be safeguarded. The persons listed here will all have
to submit affidavits.
9. Decide upon who will give the Police the initial affidavit which will not only report the
suspected offence, but will set out in detail the system of operation within the business and
how this system was overridden or compromised. This affidavit need only be submitted after
the matter has been properly investigated and the factual situation established.
10. Make a list of evidence that is required but beyond the powers of the private investigating
official to obtain, e.g., suspect's bank statements, paid cheques, etc.
2 INVESTIGATION
2.1 GATHERING INFORMATION:
i. Draw up flow chart of internal system and documentary trail.
ii. Establish the period to be investigated, e.g., last six months.
iii. Gather all identified and required documentary evidence that reflects the transaction flow of
the entire system for the whole of the identified period of investigation.
iv. Use only ONE person to gather the documentary evidence if possible. This person must note
the date, time and place as well as the person from whose control he uplifted the
documentary evidence. He should issue receipts and keep original copies of same. Affidavits
will be required from each of the persons who handed him the documentary evidence. He
will also be required to submit an affidavit stating that he uplifted all the documents, from
whom and when this was done.
v. Working copies of all uplifted documentary evidence must be made. The originals should
then be locked away in a safe place. No marks whatsoever must be made on any original
document. An index of documents uplifted, which not only lists these documents, but also
explains the nature of each, should be compiled.
vi. Any computer evidence should be copied on separate disks by the person normally
responsible for operating that computer. If that person happens to be a suspect then copies
must be made by any other computer literate person IN THE PRESENCE OF THE
SUSPECT. The copied disks should be sealed in the suspect's presence and safely stored.
Working copies of the computer information can be made for the investigating officer's
needs. Hard copy of the information should be printed and an affidavit obtained from the
computer operator that the printed copy is a true copy of the information stored in the
identified and sealed disk. (But see Section 8)
vii. Affidavits will be required each step of the way regarding gathered documentation. The
person who is responsible for preparing the document must be identified. The author of any
signatures and other handwriting on any document must be identified. Affidavits from these
persons will be required.
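One way to support the copying of computer evidence described above, as an added example that is not part of the original guideline: an index of the files on the sealed copy that records who uplifted them, from whom, when and where, and that lets a working copy be checked against the sealed copy before anything is printed from it. The use of SHA-256 digests is an assumption of this example, as are the function names, the reference labels (C1, C2, ...) and the constructed sample files.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root):
    """Map relative POSIX path -> Path for every regular file under root."""
    root = Path(root)
    pairs = sorted((p.relative_to(root).as_posix(), p)
                   for p in root.rglob("*") if p.is_file())
    return dict(pairs)


def build_manifest(sealed_dir, collected_by, obtained_from, place, when):
    """Index the sealed copy: one numbered entry per file, plus who/when/where."""
    entries = []
    for n, (rel, path) in enumerate(list_files(sealed_dir).items(), start=1):
        entries.append({
            "ref": f"C{n}",               # hypothetical reference label
            "file": rel,
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {
        "collected_by": collected_by,
        "obtained_from": obtained_from,
        "place": place,
        "date_time": when.isoformat(),
        "entries": entries,
    }


def verify_working_copy(manifest, working_dir):
    """Return sorted (problem, file) pairs; an empty list means a true copy."""
    expected = {e["file"]: e["sha256"] for e in manifest["entries"]}
    found = list_files(working_dir)
    problems = []
    for rel, path in found.items():
        if rel not in expected:
            problems.append(("unlisted", rel))      # not on the sealed copy
        elif sha256_file(path) != expected[rel]:
            problems.append(("altered", rel))       # content differs
    problems += [("missing", rel) for rel in expected if rel not in found]
    return sorted(problems)


def demo():
    """Constructed sample: seal three files, copy them, then disturb the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        sealed, working = Path(tmp) / "sealed", Path(tmp) / "working"
        (sealed / "ledger").mkdir(parents=True)
        (sealed / "ledger" / "cashbook.csv").write_text(
            "date,payee,amount\n2000-01-03,Supplier A,1500.00\n")
        (sealed / "ledger" / "creditors.csv").write_text(
            "creditor,balance\nSupplier A,1500.00\n")
        (sealed / "mail.txt").write_text("constructed sample message\n")

        manifest = build_manifest(
            sealed,
            collected_by="Enquiry Controller (constructed)",
            obtained_from="Computer operator (constructed)",
            place="Accounts office (constructed)",
            when=datetime(2000, 1, 3, 9, 0, tzinfo=timezone.utc),
        )

        shutil.copytree(sealed, working)
        clean = verify_working_copy(manifest, working)

        # Changes an investigator might make to a working copy by accident.
        (working / "ledger" / "cashbook.csv").write_text(
            "date,payee,amount\n2000-01-03,Supplier A,150.00\n")
        (working / "mail.txt").unlink()
        (working / "notes.txt").write_text("investigator's notes\n")
        changed = verify_working_copy(manifest, working)
        return manifest, clean, changed


if __name__ == "__main__":
    manifest, clean, changed = demo()
    print(json.dumps(manifest, indent=2))
    print("fresh working copy:", clean)
    print("disturbed working copy:", changed)
```
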

2.2 QUESTIONING
The purpose of questioning any person is to establish the truth. The questions should be aimed at
establishing any unknown factor or confirming a known fact.
THE QUESTIONS SHOULD NOT BE TO ESTABLISH A PERSON'S GUILT.
If, however, in the course of questioning a person certain facts emerge which cannot be explained in
any other way, that person, by his answers indicates that he is guilty of committing an offence, then
it must be proven that the person volunteered a confession and that it was not prised from him.
Further questioning should stop and the person should be informed that he could be incriminating
himself by his answers. He should be informed that if he so desires, he is free to make a full
confession to a magistrate. If the person agrees, arrangements should be made for him to see a
magistrate.
Questions by a private person, and confessions and statements made to a private person are
admissible in certain circumstances.
2.3 INTERVIEWING GUIDELINES
The purpose of interviewing someone is to obtain information. In the nature of investigation this
will be one sided, in that no information will be given to the subject unless it is necessary for the
purposes of the interview. The subject must be very briefly informed of the reasons for the
interview without disclosing any sensitive facts such as that criminal offences are suspected, or that
certain persons are suspected, etc. The subject must also be requested not to speak to any person
about his interview or tell anyone what he was asked. He must be informed that if anyone insists on
knowing what he was asked, this person must be reported to the investigating officer. The subject
should be informed (if he is definitely not a suspect) that he has nothing to worry about and that the
interview is being conducted to try to establish the correct systems, facts, occurrences, etc. that took
place in the recent past.
2.4 PREPARATION
The investigating officer should know as much about his subject as possible, from a personal
perspective as well as a professional one. He should obviously know if the subject could be a
possible suspect or not. He should know exactly where the subject fits in insofar as the investigation
is concerned. He should know exactly what information he wishes to extract from the subject. He
should have a prepared list of questions.
2.5 THE INTERVIEW
The interview should be conducted by at least two persons but preferably not more than three. Four
people conducting the interview can be perceived as intimidating and may cause the subject to
become defensive. Preferably one of the participants should be known to the subject as this can help
him relax. Each of the participants should have his list of questions for the subject. The interview
room should be situated away from the general office area. The use of micro recorders or video
cameras should be pointed out to the subject, however they should be placed in an inconspicuous
position as they can be intimidating. The subject must give his permission for the use of this
equipment. Affidavits should be obtained from subjects interviewed immediately after the
interview.
3 DOCUMENTATION
3.1 DOCKET
i. As soon as the first information regarding an alleged offence has been received an internal
file or "docket" should immediately be opened.
ii. Use a normal file or folder for matters with a few documents and lever arch file for matters
with several documents.
iii. The SAPS divide their dockets in three sections called A, B and C. A contains all the sworn
affidavits and documents referred to in the affidavits. C contains the investigation diary. B
contains all correspondence, and reports as well as everything that cannot be used as
evidence in court, but is of information value. For ease of reference it is suggested that the
firm must use the same sections for their docket.
iv. Everything filed in the docket must be marked with a reference number. The reference
number must be quoted in the diary. Be aware not to make any marks on original
documents. Place them in plastic sleeves or envelopes and mark the envelope.
v. Every affidavit and every exhibit must be copied twice. One set should be handed to the
SAPS. The second set should be filed in the firm's docket. The original documents should be
locked away until required by the court during the trial.
vi. The firm's internal reference number and the SAPS reference number should be quoted on
the front of the firm's "docket".

3.2 STATEMENTS
i. Affidavits must be obtained from every person who witnessed the offence, and/or who were
at any stage involved during the transaction, and/or who handled the documents and/or
spoke to the suspect after the offence had been committed. All chains must be completed.
ii. The golden rule: Every exhibit must be accompanied by an affidavit by someone. Exhibits
must be handed in at court by witnesses.
iii. Every criminal case must have a complainant. Establish who will act as the complainant in
this case. This person must be duly authorised to lodge the complaint. Ideally the
complainant should know the system and how the system has been abused. The complainant
should be easily available to give evidence at court.
iv. Use the proforma in Annexure A for the beginning and end of all affidavits to ensure that all
the relevant aspects are included in these paragraphs.

3.3 EXHIBITS
When you discover a fraud you must seize all the documents that may serve as proof of the fraud
and lock them away in a safe place. Consider whether it would be necessary for purposes of proving
a fact in court that any fingerprints on the document belong to any person. This would normally be
in a case where documents, e.g. cheques, were falsified. In such a case it is important to handle the
document as little as possible. The best way to preserve any fingerprints on the document is to put it
in a plastic sleeve before dealing with it any further.

If a fraud was committed by means of a computer system, you must change the computer access
codes and, if possible, make a full printout or save the contents on disks. This is done to ensure that
whatever information is on the computer cannot be altered or destroyed. (But see Section 8)
If an audit is required to unravel the fraud, ensure that the auditors are instructed to specifically look
for fraud.
If possible the suspect must be isolated from the place where he can commit further frauds or
destroy the evidence.
Once the exhibits are safeguarded, the next step would be to start preparing the evidence. This is not
only important for purposes of a possible criminal trial, but also if you intend to sue the culprit
civilly to recover any losses.
We recommend that you make photocopies of the documents and use the photocopies for purposes
of making your statement.
Let us then examine what you should do with the photocopies.
i. Sort the documents so that all the documents concerning a specific transaction are kept
together.
ii. Put the documents relating to a particular transaction in a logical sequence, e.g. in the
sequence in which they are produced.
iii. Sort the various transactions in date sequence.
iv. It is a good idea to number the copies as it makes reference to the documents easier. This is
particularly the case where several transactions are involved. One way of numbering the
documents that we found very useful is to number each transaction consecutively and then
to number each page relating to that transaction, e.g. the documents relating to the first
transaction will be numbered 1(1), 1(2), 1(3), etc.
v. Flow charts and schedules - In conjunction with a statement, prepare and illustrate by means
of a flow chart the system and steps used by the company to process documents, cheques
etc. Prepare a schedule where necessary of relevant exhibits, e.g. cheques with numbers,
amounts, payee details, etc.

3.4 DIARY
i. The diary has a double function. It is used as an index to all the affidavits, exhibits,
correspondence and other documents filed in the docket. It is also used as a summary of all
investigation done in the case.
ii. Use a proforma type similar to that in Annexure B.
iii. Record every incident from the time that you became suspicious and update the diary until
all the internal, civil and criminal proceedings are finalised.
iv. Entries should be made whenever a person has been interviewed or telephoned, whenever a
place has been visited and whenever documents were obtained or seized.
v. Also record every consultation with the SAPS investigating officer and Public Prosecutor
with a short description of what had been discussed. Although there are many hard working
detectives in the SAPS and just as many good prosecutors in the Department of Justice there
will always be some lazy ones. It may become necessary to report them at some stage to
higher authority and the specific dates and times of interviews and contents of the
discussions should be supplied to ensure that proper steps can be taken against these
officials.
vi. Always mention dates and times in the diary.
vii. Allocate numbers in numerical order to every affidavit and exhibit and state these reference
numbers in the diary.
viii. If different people make entries in the diary, then every entry should be signed.
ix. If the Enquiry Controller supplies an affidavit he must ensure that the dates and times
mentioned in his affidavit correspond with the dates and times mentioned in the diary.

3.5 THE REPORT


3.5.1 Following the detection of a fraud or theft, various reports must be submitted, for example:
a. The report to management;
b. The report to the legal section;
c. The report to the SAPS.
3.5.2 Every firm must develop their own formats of the reports to management and the legal
section. In this document we will only refer to the "Report to the SAPS".
3.5.3 The report should be addressed to one of the following officials:
a. The Station Commissioner;
b. The Head of Investigations : Criminal Investigations;
c. The Unit Commander, Commercial Crime Unit.
Before the report is delivered, establish which unit deals with the specific offence. The report
should then be addressed to the Commander of that unit. This will prevent unnecessary delays. The
report should only be addressed to the Station Commissioner if it cannot be ascertained which unit
will be dealing with it.
3.5.4 Contents of the Report
i. Introduction
   a. Mention the type of offence, i.e., fraud, theft.
   b. Mention the amount involved.
   c. Mention the period involved.
   d. Mention the names of the suspects.
   e. Mention the name of the person with whom the SAPS must deal in future.

ii. Description of the Offence
   a. Set out in short how the offence was committed/how the system was manipulated.
   b. Whether it is a single incident or whether the offence was committed over a period of
      time.
   c. Whether expert evidence will be required to prove the offence.

iii. Description of Suspects
   a. If the suspect is an employee of your firm, supply his:
      - full names;
      - I.D. number;
      - residential address;
      - clock number or company number;
      - name of his superior;
      - division where employed;
      - position held by him;
      - whether he had been suspended or transferred to another dept
   b. If the suspect is not an employee, supply as much information about him as possible.
   c. If the suspect is of another firm, CC or Company, supply:
      - the full name of the firm;
      - the name of its owners, managers, members or directors;
      - the street address of the firm;
      - the telephone number of the firm;
      - the Registration number in the case of a CC or Company.

iv. Names of Witnesses from whom Statements have already been obtained
   - Mention their names.
   - Attach copies of their affidavits.

v. Names of Witnesses from whom Statements are still to be obtained by the Enquiry
   Controller
   - Mention their names.
   - Mention the aspects that will be covered in their affidavits.

vi. Names of Witnesses from whom Statements must be obtained by the SAPS
   - Mention their full names, ID number, residential and business addresses and telephone
     numbers.
   - Mention the aspects that should be covered in their affidavits.
   - If possible attach copies of the documents pertaining to these witnesses.

vii. Civil / Department Action
   - Mention whenever civil or departmental actions are also instituted.
   - Mention the names and telephone number of the legal practitioners involved.

viii. Name of Contact Person
   - Supply the name, office telephone and cellular telephone number of the person with whom
     the SAPS should deal. Supply the name and telephone number of a second person in case
     the main contact person is not available.

ix. Copies of Statements and Documentary Exhibits
   - Attach copies of all affidavits already obtained as well as copies of documentary exhibits.
     Attach them in such a way that they can be separated from the report. These affidavits and
     exhibits will be filed in Section A of the Police Docket whereas the report will be filed in
     Section B of the Police Docket.

4. LEGALITIES
1. Criminal prosecutions are regulated by the Criminal Procedure Act, Act 51 of 1977 as well
as the Bill of Human Rights.
2. In addition to this there are specific acts dealing with each and every statutory offence.
3. Common law offences are regulated by previous court decisions.
4. There are specific rules when dealing with the questioning of suspects, the making of tape
recordings, and the use of computer evidence.

5. Enquiry Controllers should obtain copies of these acts and should ensure that they comply
with all of them.
5. EVIDENCE
1. Except for a few extraordinary exceptions all evidence is led by witnesses appearing in
person in court.
2. All state witnesses have to make a sworn affidavit prior to them giving evidence. A copy of
this affidavit must be supplied to the defence. This is normally done when the indictment is
served on the accused. In any event, the defence is entitled to a copy of this affidavit before
the witness testifies in court.
3. The witness gets called to the witness box. The Magistrate will ask him which language he
prefers and whether he has any objection to the taking of the prescribed oath. The Magistrate
will thereafter administer the oath.
4. The Public Prosecutor will then put questions to the witness and normally gets the witness to
tell the story.
5. When referring to documents the witness will be handed the original documents and copies
will be handed to the Magistrate, the Prosecutor and the Defence.
6. When documents are handed in at court they are given an exhibit number. The witness
should thereafter refer to the exhibit number whenever he refers to a specific document. This
enables everyone to know exactly what document he is referring to.
7. Only original documents are accepted at court. A carbon copy of the original is regarded as
being an original but a photostat copy is not acceptable as an original.
8. A copy will only be accepted in extraordinary situations.
9. Evidence needs to be led as to who the author of the document was. If someone else wrote
anything on it or made any marks then evidence should also be led as to who made which
mark.
10. Quite often documentary evidence is rejected because of marks on the documents which
were made after the offence had been committed; for instance if the internal investigator or
forensic accountant makes marks on it. Therefore it is absolutely crucial that original
documents are photocopied right at the beginning of the investigation and thereafter placed
in sleeves or envelopes and locked away without writing anything on it.
11. There are specific rules that must be complied with before tape recordings or computer
printouts can be used as evidence. The enquiry controller should ensure that he knows and
complies with these rules, otherwise this form of evidence will be rejected.
12. When the State completes leading the evidence of the witnesses the defence is entitled to
cross-examine the witness.
13. Defence Attorneys use all sorts of tactics to break the evidence of a State witness down. The
witness should remain calm even if he has to answer the same questions several times. He
should listen carefully to the question put to him. He should be careful not to concede
anything that he should not concede. He is supposed to answer all questions. If undue
pressure is placed on him, the Prosecutor will object to it.
14. After cross examination the Prosecutor may re-examine the witness. Thereafter the
Magistrate may ask questions if he is uncertain about any aspect.
15. A witness may also be called back at a later stage to be re-examined. This does not happen
too often.
16. During adjournments the witness that is testifying should avoid speaking to the Prosecutor,
the detective or other witnesses. He should also not talk to the accused or his attorney.
17. Before giving his evidence the witness should remain outside the court room. After his
evidence he may listen to the trial if he so wishes.
6. PROSECUTION
6.1 PARTNERS IN THE PROSECUTION PROCESS
1. No one on his own does all the investigation and prosecution. The key word is team work.
2. The team should consist of the following people:
a. a senior manager of the firm;
b. the Enquiry Controller;
c. the SAPS investigating officer;
d. the Public Prosecutor.
3. The following people are not always required but it is highly recommended that they are
included in more serious and more technical cases:
a. private investigator;
b. forensic accountant;
c. legal practitioner (internal or external).
4. Who is the senior partner in the Prosecution Process?
The Public Prosecutor is the person ultimately responsible for getting a conviction in a
criminal court. If he is experienced enough he will know exactly what is required for a
successful prosecution. Therefore everyone else should treat him as the senior partner and
should do their utmost in complying with his requests.
6.2 THE PROSECUTION PROCESS
1. After the initial investigation conducted by the enquiry controller the matter gets handed
over to the SAPS.
2. The SAPS can either arrest the suspect immediately, take him to court and thereafter
conduct the investigation, or they can first complete the investigation and thereafter have the
suspect charged.
3. Although the first option may appeal to the firm, it should be avoided as far as possible. The
suspect should only be arrested in the initial stages if there is a serious threat of him skipping
the country. An early arrest leads to a hasty, often half completed investigation which results
in cases being withdrawn at court or the acquittal of the accused.

4. Ideally, the investigation should be completed first. While the SAPS is conducting their
investigation the Enquiry Controller must have regular contact with the detective. He must
ensure that the detective does not waste unnecessary time.
5. When the investigation is complete the Enquiry Controller should accompany the detective
to the Public Prosecutor where he should discuss the seriousness of the case with the
prosecutor.
6. Thereafter the Enquiry Controller should give his full co-operation to the Public Prosecutor.
He should contact the Prosecutor regularly enough to ensure that his case receives the
necessary attention.
7. When the prosecutor is satisfied that all the required evidence has been obtained, he will
draw up a charge sheet. He will also order that the suspect be charged and brought before
court. This can be done by issuing a warrant of arrest or a summons to appear before court.
8. The detective will then locate the suspect and execute the warrant of arrest or serve the
summons. As from this moment the suspect will be referred to as the accused.
9. If the accused has been arrested he will be brought before a court within a specified period
and unless there are reasons to believe that he will not stand trial, he will be released on bail.
Normally the onus will be on the State to prove that there are reasonable grounds to believe
that he will not stand his trial. If the State decides to oppose a bail application, the Enquiry
Controller should assist the detective in gathering evidence to prove that there are reasonable
grounds to believe that the accused will not stand his trial.
10. After the first appearance in court the matter will be remanded to allow the state to finish
their investigation. Depending on the nature of the offence the Magistrate will only allow the
State one or two remands.
11. When the State is ready to proceed with the trial the defence is still entitled to remands. For
instance the accused will be allowed a remand to consult an attorney or to apply for legal aid
or to locate his witnesses. Remands will also be granted if the accused or his attorney is ill.
12. The first step of the trial is the plea, either guilty or not guilty.
13. If the accused pleads not guilty then the State will have to call their witnesses. The defence
is entitled to cross examine every witness.
14. If the State fails to prove their case, the accused can be acquitted at the end of the State's
case, otherwise he will then give his evidence followed by the testimony of his witnesses.
The State is entitled to cross examine the accused and all his witnesses.
15. When the defence close their case, the Prosecutor and the defence attorney argue their cases.
Thereafter the Magistrate gives judgement, either guilty or not guilty.
16. Thereafter mitigating and aggravating evidence is led where after the Magistrate passes
sentence.
17. When leading evidence for aggravation the Prosecutor can also request the Magistrate in
terms of Section 300 of the Criminal Procedure Act to make a compensatory order. There
are however limits to the compensation amount that a Magistrate in the Magistrate Court
and the Regional Court may order.

18. The internal investigator should establish what these maximum amounts are and whenever
his case is for a smaller amount he should ensure that the Prosecutor applies for such a
compensating order.

ANNEXURE B TO SECTION 7
INVESTIGATION DIARY
DATE | TIME | NO | REPORT | CROSS REF

Section 8
COMPUTER CRIME & THE USE OF COMPUTERS IN CRIME
Introduction
This guideline was written to provide senior management and people responsible for overseeing
computer operations with an overview of the key issues involved in maintaining secure systems. It
is not intended to be a technical guide; anyone requiring further information should contact an
independent computer specialist.
Structure
This guideline is structured so as to enable a person who is not familiar with the risks associated
with computers to make an easy transition from their knowledge of general business risks to those
associated with the use of computers in a business environment. The topics covered are:
1. Generic overview of a computer system
2. How the use of computers alters risk
3. Business issues in computerisation
4. Computer risks and controls
5. Obtaining Evidence and Prosecuting Computer Crimes
6. Some simple fraud prevention techniques
7. Conclusion
8. Glossary of terms

Many of the topics are dealt with in a simplistic manner but give sufficient information to enable the
reader to gain an easy understanding of the issues involved.
Terminology
If you are not a technical person, you may find some of the terms used by computer people quite
confusing. Confusion will only weaken your ability to understand the issues that you have to deal
with, so we have included a small glossary of terms at the back of this document. If you find that
there's a term that you don't understand, don't be afraid to ask a competent person - it is always far
better to be seen to be ignorant once than many times over.

Generic overview of a computer system


The generic overview describes some of the terms that are used in computing and shows how they
all relate to each other. Understanding these terms and their relationships is important because many
of the risks and controls discussed later on arise from the items that are found on a computer and the
way that it is structured.
General concepts
A computer system comprises 'hardware', 'software' and 'data'.
'Hardware' refers to the physical components of the computer such as the keyboard, disks and a
processor.
'Software' refers to the programmes that run on hardware and generally comprises two classes:

- 'Operating system software', which controls the way that the hardware operates and
  communicates with other computers.
- 'Application software', which is the software that will be operated by the users of the system;
  typically this would be accounting packages, spreadsheets, word processing, databases,
  stock control and, in the case of financial organisations, loans and savings accounts.

'Data' is an expression that refers to the information used by application software. Taking the
recording of a cash receipt into a cash book system as an example; the application software records
a receipt of cash into a file containing all the receipts. The collective name for all those files and
their contents is the 'data' held by the computer.
All that has been said previously could be represented in a simple diagram

Naturally, users operate the system through keyboards and screens but they actually use the
application software to achieve their business objectives.
Internal Structures

Internally, a computer is structured around a number of components, each of which is designed to
achieve specific tasks:
Hard disk - this is the area where application software, data and the operating system are stored;
Processor - the device that carries out all the instructions issued by the software, often referred to as
the CPU (Central Processor Unit).
Memory - a number of microchips that contain information used by the processor (the processor
does not operate on information held on the hard disk but calls in the information from disk to
memory before using it).
Once again, this could be shown diagrammatically as follows:

From the diagram you'll note that all of the information relating to the computer system, and much
of the information concerning your business, is stored on the hard disk. Given this, it is easy to see
why access to the disk and the information it contains should be controlled. Much of what is
discussed later on will build on this need to control access to the disk.
Before progressing further, it is important to realise that the information stored on a disk is not
simply randomly stored, rather it is organised into groups known as directories. There are special
directories for storing the programmes forming the operating system, the application software and
the data used by the application software.
Networks
Frequently a business will require that more than one computer be used, possibly because of large
numbers of users or high volumes of transactions going through the system. Because the business
will want to be able to gain access to all its data, it will frequently connect the computers together
using cables or telephone lines. This arrangement is known as networking.
Networks can be small (three computers linked together on one floor of a building) or large (where
computers around the world are linked together).
Organisation and staff
In simple computer systems, such as the one you might have on your desktop, you look after the
applications, the operating system and the data. In bigger systems this is not possible because the
applications, the operating system and the data used are much more complex. Consequently,
specialists are employed to manage these aspects of a larger computer system. Groups of specialists
deal with the operating system, the application software and manage the storage of data. You are
probably familiar with some of these specialists:

Programmers are skilled in writing and modifying programs that access and change the data stored
on the computer systems.
Systems software specialists assume responsibility for ensuring that the operating system works as
efficiently as possible.
How the use of computers alters risk
You'll have seen that one of the characteristics of a computer is that all the information about the
computer and much of the information about your business is stored in one place, on the disk.
You'll also have noted that there are specialists who can gain access to that information.
This brings us to the first area where the use of computers changes risk - it concentrates information
in one place. In paper based systems information was scattered around offices, sometimes in
different buildings. In the computer environment all the information is stored on one or more disks.
If the disk, or any other component of the computer system, fails then you cannot get access to the
information.
The second area where risk is changed is that people have access to much more information than
they had previously. Sometimes the people who have access to information may be people whose
only responsibility is to maintain the computer systems. If any one of those people acts against you
or your organisation, they have much more power to do real damage. A small business without a
computer system often has a similar problem; frequently one person does all the administration
work and there are insufficient other people to cross check the work that has been done.
Thirdly, the power of a computer allows it to do enormous volumes of work. A computer system is
generally reliable and accurate but sometimes mistakes do happen, normally through human error.
If this occurs you can lose some, or all of the information about your business.
Fourthly, much of what is done by a computer is invisible to the outside observer. Although there
may be records of everything that has been done, these may be deleted after a period of time leaving no
obvious record of events that took place.
Fifth, theft or destruction of data may be accomplished without the business ever knowing that it
occurred. You may have read about 'hackers' who gained access to computer systems operated by
the Department of Defense in the United States (a 'hacker' is a person who uses a computer to gain
access to another computer and read or alter the data it contains). If you have a modem attached to
your computer system another person could dial into your company and steal information. If your
business is not competitive that might not make you feel too bad but imagine if information about
the cost and profit from every sale you have made was taken and made available to the public or
your competitors. Allied to this risk is the one of a hacker gaining access for no other reason than to
'see if it can be done'; the hacker views it as a challenge and has no real intention of harming your
organisation. Sometimes the hacker damages your systems or data accidentally.
Sixth, you may become dependent on highly specialised people and ultimately be held to ransom by
them. When paper based systems were used most people knew how to write an invoice or receipt
and then enter those in the sales journal or cash book. In a complex computer environment you are
dependent on the people who maintain the networks, the application software and the operating
system.
Seven, in recent years 'computer viruses' have become an increasingly prevalent risk. Often a virus
is written to see if it can be done 'and' how far it spreads'. While the author of the virus may find

that an interesting topic, the existence of viruses on a computer system may seriously damage the
data held on that computer system or, at the least, cause considerable inconvenience and disruption.
Another new area of risk arises from the fact that computers have got smaller while disks hold more
information than they ever used to. That means that your staff can now carry around sufficient
information on a notebook computer (that's a small computer designed to fit into your briefcase or
carry over your shoulder) to enable them to quote for insurance, sell your products and work out
detailed costings for the sale. If there is not sufficient information on the notebook to do their work
the computer dials the main computer in your office and requests the information. Alternatively, the
sales person may dial the office and correspond using electronic mail (e-mail). This has tremendous
benefits for you, the manager, because you can communicate with your staff at any time and their
productivity is enhanced. However, what happens if the computer gets stolen or sent in for repair?
Suddenly, information about your company and its products could be common knowledge. That
might not be good for your business.
Of course, the risk of disclosure of information is not limited only to notebook computers; a corrupt
employee might be able to go home in the evening with a complete list of your debtors and stock on
40 pages of computer print-out or a single diskette. Before computers were introduced this would
have required them to carry ledgers, books and other documents, most of which would have been
noticed as they left the workplace.
We have not listed all the shifts in risk that arise from using a computer but we have listed
many of the critical ones. None of these shifts in risk should prevent you from using a
computer and benefiting from the advantages it offers. The purpose of describing the shifts is
to show you where to apply control.
Earlier in this document we discussed some of the specialist employees that you may have in a
computer department. We also noted earlier in this section that computers tend to centralise and
concentrate information. We all know that information is power and we need to be aware of the
risks arising from this centralisation.
Before computers were commonly used we used a system of checks whereby one person could do a
limited number of things and another person would be able to do others. This restricted the power of
any one person and was commonly referred to as 'division of duties'.
If we wish to continue to have division of duty we need to have a look at a computer's disk and see
what it contains:

Obviously we simplified things a bit and we know that there is much more data than shown in the
diagram, but let us think first about what people we have and what we need to think about.
What we have: Operating systems software programmers
What might we think about: These people have tremendous power over the computer system.
Fortunately, they are not accountants and in many cases they don't know how to write programmes.
But they are generally intelligent and enquiring people and we should never rely on ignorance as a
safety precaution.

What we have: Application programmers
What might we think about: These people are bright, they don't have as much power as operating
system software programmers but they certainly know how the programmes work and they know what
the data looks like. (If you use packages you may not have these employees.)

What we have: Users (sales clerks, debtors clerks, accountants, salesmen)
What might we think about: They're generally bright people too. They don't know too much about
programming and still less about operating systems. They know how to do their job and sometimes
know how to use the computer in unusual ways to make their tasks easier. They also know the data
very well because they entered it into the computer in the first place.
We don't really want either application or operating systems software programmers playing with our
data; they might damage it by mistake or on purpose. At the same time, we don't want users who
work with a cash book to be able to work with debtors; they might make processing errors, either by
mistake or on purpose. But we want to empower our people to do their jobs in the best way at the
least possible cost to us. So let's re-draw the picture of the disk and see how to make it possible.

We have now separated the disk so that people can only go where they need to do their normal
work.
Business issues in computerisation
Introduction
If you had a business where you transported money from place to place you'd probably not use an
open car or bakkie to carry the money around. However if your business were to carry heavy
objects from the place where you buy them to the place where you sell them, a bakkie might be a
very useful vehicle.

The same logic applies to computers. There are computers and systems that offer excellent controls
and can reduce all the risks to very minimal levels. They tend to be more expensive and require
more support. There are other systems that cost very little but provide minimal levels of control.

If you become too cautious, spend too much money and introduce too many controls your
business will become less efficient and your costs will increase.
If you have few controls and relatively high risks you will contain costs, but may suffer
losses that could throw you out of business.
You, as a manager or owner, are expected and required to ensure that the computer system
you use has sufficient control to reduce your risks to a level that will not cause significant
loss to your organisation.

Items for consideration


A manager or owner of a business needs to understand the risks that the business runs before a
reasonable decision can be made as to how extensively a computer system should be controlled.
Typical issues that might be considered include:

The number of people employed by the business - If the business only employs three or four
people then the manager can observe or review the actions each person has taken and
identify errors and problems.
The skill levels of your employees and the complexity of the decisions they may be required
to make - If running your business requires that simple decisions be made and your staff are
trained to make those decisions, then the risk would be relatively low. If, however, decisions
were complex and very few of your staff were able to make them correctly your risk would
be much higher.
The commodity you deal in - If you manufacture and sell plastic coat hangers, which have
an inherently low cost and are not easily transported in large volumes without detection,
then your risk might be low. If, like a bank, you deal with money then your risk is much
higher because the commodity is valuable and easily transported.
The number of transactions you process each day or each month - If the business only
processes one transaction a day, that transaction can be checked to ensure that it is correct
and the risk is relatively low. If the business processes millions of transactions a day (for
example: a supermarket chain) then the consequences of an error might be very expensive
and the risk is correspondingly high.
How competitive your business is - If your business is in a highly competitive market and
information about your product could help a competitor of yours, your risk is relatively high.
For example: if you manufacture parts for motor cars and a competitor finds out what your
cost and selling price are before you submit a major tender, your company could lose the
tender and the business. Perhaps your company could even be put out of business. The risk
here is obviously high. If your business has no competitors then obviously the risk is low.
The degree of reliance your business places on processed information - A small business
selling household products can look at the shelves of goods for resale every evening and
decide how many of each product should be ordered the next day. The business may even
decide to discontinue a product because it does not sell well.
A major supermarket chain, with branches all round the country, cannot do this so it needs
to aggregate all the information for each supermarket together. With this aggregated
information the company can decide what to re-order and where it should be delivered. The
company may even move stock from one shop to another to reduce stock levels before
discontinuing a product.
The lower the reliance on processed information the lower the risk the business runs.

The degree of integration of your systems with those of other businesses - In many large
companies computer systems actually order the goods needed for production automatically;
if this fails then the company cannot produce and loses money. Also, these companies often
sell by allowing their customers to link into their systems and order goods electronically.
These two techniques are often used to keep costs down as far as possible and 'lock'
customers into the company. A business with none of these facilities will not lose production
or sales if the computer systems fail.
The lower the degree of integration between the systems operated by the business and those
operated by their suppliers and customers the lower the risk.
The environment in which you operate - All computers require reasonably clean
surroundings and a source of power should the mains supply fail. More complex systems
require air-conditioning and cooling systems whereas personal computers (PC) and PC
based systems do not.
Once you have considered these risk related issues (and any others you may have thought
of) you need to consider the type of computer system that you require, or already have, and
what sort of measures (known as 'controls') you need to implement to reduce the risks to
acceptable levels.

Application of Controls
Controls need to be applied in a number of different areas, which are discussed later on in this
document. Broadly, you should look for controls covering at least the following areas:

Operating system
Application software
Management of the data held on disk
The personnel that manage and operate the systems

Systems that can be purchased may have comprehensive controls in place or may rely on you, the
user of the system, to apply controls. Typically, the less you pay the less you are likely to get.
Obtaining Evidence and Prosecuting Computer Crimes
Introduction
The complicated nature of computer systems makes the presentation of evidence in a court of law
difficult, even supposing the crime is discovered in time to prosecute. In South Africa this is doubly
difficult because at the time of writing there is no specific criminal legislation covering computer
evidence. In the USA the Stanford Research Institute has calculated that the odds are 22,000 to 1 in
favour of a computer fraudster not going to prison. In South Africa, with our lack of legal
sophistication and inadequate legislation in this sphere, the odds in the criminal's favour are even
greater. It is not without reason that in the latest fraud survey in South Africa 97% of the companies
surveyed identified computer fraud as their biggest concern. The investigation of computer crime is
a specialist activity, but there are steps which the manager can and should take.
A further problem arises from the fact that, in many organisations, there are insufficient controls in
place to give the presentation of evidence a fair chance. The following section, "Preparing to save a
case", gives some indication of the issues that might be critical in establishing the validity of the
evidence.
The Computer Specialist

As part of the Crime Response Plan discussed in detail at Section four of this pamphlet, there is a
requirement to pre-select a computer expert. Depending on the size of the organisation, this expert
may be either in-house or a carefully selected consultant. For the reasons given below, it is
important that this expert is not involved in the day to day data processing activities of the
organisation.
Determine if a Crime has been Committed
One of the commonest problems that investigators find is that management is often reluctant to act
on suspicion alone. Usually vital time is lost as management turns first to their auditors and next to
one of their own data processing employees to help them discover the truth. More often than not
this leads directly to the loss of evidence and the subsequent failure of the case. It is essential that
the computer crime specialist is tasked as soon as a crime is suspected and that the specialist is
controlled by the person who controls the enquiry, referred to in this document as the Enquiry
Controller.
Not unlike other internal crimes, most computer crimes come to light either because the company is
hurting or because someone has passed on information; the latter being the most frequent. The
manager or Enquiry Controller should satisfy himself/herself on the following questions:
a. How credible is the source of information?
   i. How was it obtained?
   ii. Is the information first hand?
   iii. What evidence supports the allegation?
b. What is the motive in reporting the crime?
c. Will the source provide a sworn statement?
d. Will the source testify as a witness?
e. Will the source be a credible witness?
f. How, when and where was the crime committed?
g. What is the loss or damage?
h. What was the perpetrator's motive?

The manager or Enquiry Controller should analyse the answers to these questions to determine
whether or not to proceed with the investigation. It is vital that this assessment is made with
absolute despatch and the computer expert called in at the earliest possible moment, as the
successful preservation of computer evidence depends on the speed of reaction by the person doing
the preservation.
Gathering Computer Evidence
The gathering of computer evidence is a specialist activity but it is important that management is
aware of the basics involved. The fundamentals are speed and secrecy. As computer crime evidence
can be destroyed with just a few key strokes, extremely swift and confidential action must be taken
to protect computer-related evidence from modification or destruction. It is vital that this is
pre-planned as part of the Crime Response Plan.
The computer expert's first action is likely to be to make two copies of all media immediately
(this must include the operating system and application programmes as well as the data) and remove the
originals from the site. He will also require all activity and access logs together with magnetic
media records. These will also be moved off site. In order to permit normal operations to continue,
it is normal to leave other copies on site. In the case of a bridge of Local Area Networks (LANs) it
may be necessary to simultaneously collect media and records from several sites. A bridge of LANs
is a series of separate locations each with its own LAN that processes separately, but is linked to
other LANs by bridges or "gateways". The principle of moving the media to another secure site
applies whether the system is a mainframe, mini, LAN, or PC. Care must be taken during this
activity not to destroy the chain of evidence. It is also important that when the evidence is produced
in court, it is in a similar condition as it was when discovered. This will mean careful storage in an
air-conditioned and controlled environment.
When the investigation analysis of the copied media takes place it should be on a system that is
substantially the same as the original system. Photographs of both installations may have to be
produced in court and it may also be necessary for impartial experts to attest to the similarities.
Computer files may have to be converted into a form that a court of law can understand. It is
imperative that no one can argue that the evidence has been fabricated or tampered with. The
expert, or experts, will have to swear in court how the information was obtained and exactly what
steps were taken to obtain and preserve it. Special arrangements have to be made to mark the
evidence as the expert could be called upon to state under oath the method by which he/she is able
to identify the evidence.
The Conduct of the Investigation
The Enquiry Controller or Security Manager should lead the investigation rather than the Computer
Manager or Internal Auditor, because it may be argued in court that the latter posts are privileged
and that they had pre-knowledge of the computer system and were in a position to modify evidence
to obtain a conviction. It might also be argued in court that because of their pre-knowledge, they
were aware of the accused's actions. The Security Manager or Enquiry Controller will require the
support of an external computer expert/consultant.
The amount of tedious detail to be covered and annotated in a computer crime investigation is
gargantuan. The average computer crime will take much longer to investigate than an equivalent
non data processing crime. The investigators will need assistance from other members of the
organisation, for example directors, user managers, computer managers and auditors. None are
however above suspicion and they should not be privy to the investigative detail. The use of
temporary staff, like students, might be required to sift through the detail. Secrecy of the
investigation must be maintained at all times.
Computer Crime is not a one-off event
Once a computer crime has been successfully investigated and prosecuted and controls
implemented to ensure that it does not reoccur, it is wrong to assume that the organisation can relax
and that that is the end of the matter. The problem has not usually gone away. The organisation's
ethos is still the same, recruitment rules and procedures are generally unchanged and employees'
attitudes are unaltered. Unlike lightning strikes, the chances of a computer crime happening again are
good.
Some simple fraud prevention techniques
Many of the topics raised earlier dealt with the prevention of fraud, although the connections may
not have been immediately obvious. Despite precautions, fraud still occurs and will continue to do
so in the future. To enable a successful prosecution and recovery of loss, an organisation needs to
take steps to ensure that it has the information available to commence litigation.

The onus will be on you to prove beyond reasonable doubt that the defendant did commit fraudulent
activity. A defence lawyer is likely to try and show that the prosecution cannot prove beyond
reasonable doubt that his client actually participated in the actions that resulted in the loss.
Typically, an argument in support of this approach might suggest that the controls in your
organisation are sufficiently weak that your organisation cannot positively identify the source of a
transaction and/or cannot prove that it has not been altered subsequently by another person.
You can minimise this sort of situation, so far as it pertains to computers, through the following
steps:

Ensure that each user of the computer system is identified to the system by at least a 'user-id'
and a password. The passwords must be sufficiently good that they are unlikely to be
guessed. Allow the user to change a password any time they wish. Don't allow another
person to change their passwords for them.
Ensure that no person has any way to obtain the password of another person. Passwords
should be encrypted and there should be no utilities to allow de-encryption. Passwords
should not be written down and should not display on screen when they are entered.
Give people sufficient privileges on the computer system to do their job and no more. If you
give them more the risk of fraud increases, if you give them less they will have to share their
facilities (and passwords) simply to get their jobs done.
Communicate, in writing, the responsibility of each user to safeguard the organisation's
assets. Stress the importance of passwords being kept secret to each user. Stress the fact that
they will personally be held responsible for any transaction recorded under their user-id.
Make them acknowledge their rights and responsibilities in writing and retain a copy in their
staff files.
Promote security awareness amongst your staff, stress that you are looking after their
interests as well as your own.
Ensure that your software records the user-id of the person initiating or amending the
transaction and, if possible, the date and time that the amendment took place and the
terminal where it was carried out. Ensure that this information is secured against access by
any other person.
Ensure that any attempts to change details of an existing transaction are logged to a separate
file. Ensure that this file is secured against unauthorised access.
Ensure that all security violations are followed up and that all security policies are strictly
enforced.
Ensure that all back-up routines are strictly controlled and that library procedures prevent
unauthorised access to back-up media (such as tapes, cartridges or CD-ROM).

Be prepared to show that your organisation is committed to computer security, has security policies
that protect both the organisation and the individual and is prepared to enforce those policies. Be
prepared to demonstrate that your organisation has reliable systems and operations and that the
evidence you will present is reliable.
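
One way to implement the recording and logging steps listed above, given as an added example that is not part of the original pamphlet: every new transaction and every amendment records the user-id, the date and time and the terminal, amendments go to a separate log with the before and after values, and each log entry is chained to the previous one with a keyed hash so that later alteration can be shown. The class names, the key handling and the sample user-ids, terminals and invoices are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditTrail:
    """Append-only log; each entry's keyed hash covers the previous entry's hash."""

    def __init__(self, key: bytes):
        self._key = key  # assumption: held by the security function, not by users or programmers
        self.entries = []

    def _mac(self, body: dict, prev: str) -> str:
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev.encode() + payload, hashlib.sha256).hexdigest()

    def append(self, user_id, terminal, action, txn_id, details, when=None):
        when = when or datetime.now(timezone.utc)
        body = {"seq": len(self.entries), "time": when.isoformat(), "user_id": user_id,
                "terminal": terminal, "action": action, "txn_id": txn_id, "details": details}
        prev = self.head()
        self.entries.append(dict(body, prev=prev, mac=self._mac(body, prev)))

    def head(self) -> str:
        """Hash of the newest entry; store it off the system to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self):
        """Return the index of the first altered, missing or reordered entry, else None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k not in ("prev", "mac")}
            ok = (entry["seq"] == i and entry["prev"] == prev
                  and hmac.compare_digest(entry["mac"], self._mac(body, prev)))
            if not ok:
                return i
            prev = entry["mac"]
        return None


class Ledger:
    """Transactions plus two trails: one for new entries, a separate one for amendments."""

    def __init__(self, key: bytes):
        self.txns = {}
        self.transaction_log = AuditTrail(key)
        self.amendment_log = AuditTrail(key)

    def create(self, user_id, terminal, txn_id, fields, when=None):
        if txn_id in self.txns:
            raise ValueError(f"{txn_id} already exists; use amend()")
        self.transaction_log.append(user_id, terminal, "create", txn_id, dict(fields), when)
        self.txns[txn_id] = dict(fields)

    def amend(self, user_id, terminal, txn_id, changes, when=None):
        before = {k: self.txns[txn_id].get(k) for k in changes}
        # Log the attempt before applying it, so the change never exists without a record.
        self.amendment_log.append(user_id, terminal, "amend", txn_id,
                                  {"before": before, "after": dict(changes)}, when)
        self.txns[txn_id].update(changes)


def build_sample() -> Ledger:
    """Constructed sample data: two clerks, two invoices, one after-hours amendment."""
    ledger = Ledger(b"constructed-demo-key")
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ledger.create("petersb04", "TERM-07", "INV-1001", {"debtor": "D-220", "amount": 4500}, t0)
    ledger.create("naidoos01", "TERM-02", "INV-1002", {"debtor": "D-310", "amount": 1200},
                  t0 + timedelta(minutes=5))
    ledger.amend("naidoos01", "TERM-02", "INV-1001", {"amount": 450}, t0 + timedelta(hours=9))
    return ledger


if __name__ == "__main__":
    ledger = build_sample()
    print("transaction log intact:", ledger.transaction_log.verify() is None)
    print("amendment log intact:  ", ledger.amendment_log.verify() is None)
    for e in ledger.amendment_log.entries:
        print(e["time"], e["user_id"], e["terminal"], e["txn_id"], e["details"])
    # Someone with file access rewrites who created INV-1001: the chain no longer verifies.
    ledger.transaction_log.entries[0]["user_id"] = "naidoos01"
    print("first bad transaction entry:", ledger.transaction_log.verify())
```

Writing the value returned by head() to off-site or write-once media at each back-up also makes removal of the most recent entries detectable, which the chain alone does not.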

Conclusion
We tried to keep this document as simple as possible. Despite this, by now you might be worried or
confused or, worse still, convinced that there is an ugly monster that requires a disproportionate
amount of effort to control. It is not that bad! Most of the topics we discussed are very simple and,
in many cases, can be implemented with the equipment you already have and a healthy dose of
common sense!

We don't expect you to personally make all the changes that have been discussed, only to
understand the risks and get someone, either inside or outside your organisation, to tell you how
well you are covered.

Glossary of terms
The purpose of this section of the document is to provide a reference showing some of the
terminology you may encounter in dealing with computer equipment. It is not comprehensive but
covers most of the terms used in this document and should give you enough information to enable
you to understand the concepts and communicate with knowledgeable people.
Access control
Meaning: The controlling of users, programmes and data so that each is restricted to what is needed
to operate effectively. Normally this is controlled by security software or the operating system.
This is the computer equivalent of "division of duty".
May be known as: Logical access control

Audit trail
Meaning: A record of events or transactions that have occurred. The audit trail can be reviewed to
see if unusual events have occurred.
May be known as: Log

Back-up
Meaning: A process in which data, which could be programmes or information, is copied from one
media to another. Typically, this involves copying from expensive media, such as fixed disk, to
cheaper removable media, such as tape or cartridge. May also refer to an object such as a
'back-up' tape.
Off-site back-up refers to copies of data that have been made and then stored in another location
from the computer system.
May be known as: Backup, backup

Code
Meaning: Generally refers to the programmes used to run computer systems. "Source code" is the
language and commands that humans understand and write the programmes in while "executable code"
is source code translated by the computer into commands that it understands.

Directory
Meaning: An area on a disk where files are stored. If you imagine a tree, the trunk is known as the
'root directory' while the main branches are known as 'directories'. The branches coming off the
main branches are known as 'sub-directories'.
May be known as: Folder

Disk
Meaning: A generic term for a hard or fixed disk. If interpreted literally it could be applied to
floppy or micro-floppy disks as well as fixed disks but is generally used to refer to fixed disk.
May be known as: Fixed Disk, Hard Disk

Diskette
Meaning: A generic term to describe a floppy or micro-floppy disk.

EDP
Meaning: Electronic Data Processing (an older term superseded by IS and then IT)
May be known as: IS, IT

Encryption
Meaning: A technique of altering the way that characters are stored or displayed so that they
cannot be deciphered. If someone tried to read the password be671th in an encrypted file all they
would see is something that might resemble $4##olop.

Environment
Meaning: A general term that describes the configuration and overall layout of the computer
systems. Typically this might include a description of the operating system, networks and the
means of processing.

Fixed disk
Meaning: see hard disk
May be known as: Hard Disk

Floppy disk
Meaning: A disk that is 5.25" diameter and flexible. This form of storage is being discontinued in
favour of the micro-floppy.

Folder
Meaning: see directory
May be known as: Directory

Hard disk
Meaning: A disk that is fixed in the machine and stores large capacities of information, typically
measured in megabytes (mb).
May be known as: Fixed Disk

Integration
Meaning: Generally describes the ability of programmes to pass information to other programmes or
the ability of many programmes to access shared ("common") information. In a disintegrated system
information produced by one programme is not available to another and has to be entered again so
that the second one can use it. In a highly integrated system information is only entered once and
all programmes have access to it.

IS
Meaning: Information Systems
May be known as: IT, EDP

IT
Meaning: Information Technology
May be known as: IS, EDP

LAN
Meaning: Local Area Network. A collection of computer equipment that is linked together using cable
and / or infrared.
If the areas linked together are within the same building then the network is generally referred to
as a LAN, if it spans a large area (from town to town) then it is referred to as a Wide Area
Network (WAN).
If the areas linked span internationally then it is referred to as a Global Area Network (GAN).

Live machine
Meaning: In many big computer sites the organisation has more than one computer. One of those is
used for doing the work of the organisation, printing statements, raising invoices etc. This is
generally referred to as the live machine. The other is used for development of programmes, testing
and as a back-up if the live machine fails.
May be known as: Production Machine

Log
Meaning: A record of events or transactions that have occurred. The log can be reviewed to see if
unusual events have occurred.
May be known as: Audit Trail

Media
Meaning: Refers to means of storing data or any electronic information. For example, fixed disks
might be referred to as "fixed media". Tapes, floppy disks, cartridges and other media that can be
removed from the computer and stored elsewhere are generally described as "removable media".

Micro-floppy
Meaning: A disk that is 3.5" diameter and enclosed in a rigid plastic case.
May be known as: Stiffy

Packaged software
Meaning: Software that is bought from another party for use on your system. Generally, for an
additional fee, the other party will agree to maintain and update your software for you.
NOTE: normally you do not obtain ownership of the software but only a licence to use it for your
own purposes.

Password
Meaning: A combination of characters that confirms that the person who types the user-id petersb04
is actually the 4th B Peters. In a reasonably secure system the password never shows on screen and
cannot be read by anyone who has access to the computer system. A good password is relatively
long and has unusual characters in it, for example:
Be671th
has easily guessed characters, for example:
Fred
A reasonably secure system shows the entry of the password be671th as:
*******
on the screen. Typically, passwords are encrypted so that if anyone ever sees the file containing
the passwords they cannot guess what they are.

Restore
Meaning: To take information that has been backed up and copy it from the back-up media to disk.

Security software
Meaning: Software that allows users, data and programmes to be separated and permits each to have
access only to what is needed. Typically, security software records security violations and reports
these.

Security violation
Meaning: A situation where a user or a programme has attempted to do something that is forbidden by
the system. In a good system this is recorded and reported automatically by the computer system.

Sub-directory
Meaning: see Directory above

Uninterruptible Power Supply (UPS)
Meaning: A device that sits between the mains power supply and the power input to the computer
system. The mains feeds a battery in the device and the computer draws its power from the
battery. If there is a power failure then the UPS warns of the failure and the computer continues
to draw power from the UPS and is protected from the power failure.
CAUTION: normally the UPS will only continue to provide power for a period between three
minutes and a few hours. Any UPS installed in your organisation should be able to provide
power for so long as the computer needs it, you should consider your business needs before
purchasing one. If there is a power failure you should shut down your computer systems
properly before the UPS time limit is reached.
May be known as: UPS

User
Meaning: A person who uses a computer system

User-id
Meaning: An abbreviation of the expression 'user identity'. Normally this is a unique combination
of characters that uniquely identify a user to a computer system, for example:
Petersb04
identifies a user whose real name is B Peters and is the 4th B Peters in the organisation.

Verify
Meaning: Depending on the complexity of the computer system, information that is written to disk or
tape may or may not be verified. In the back-up process, verification involves copying
information from disk to tape then reading the tape and comparing it to what was originally on
disk. If the two are the same then the verification was successful.
Many smaller machines have the capability to verify but require that it be selected by the user
because it normally takes at least twice as long to copy and verify as to simply copy.

Section 9
REFERENCES
British Bankers' Association publication "Fraud Manager's Handbook".
Professor (Dr) R B Jain, "Public Service Ethics: An Indian Perspective".
Paper delivered at the "Ethics in the Public Service" Conference, Queensland, Australia, August 5-9
1996.
Organisation for Economic Co-operation and Development paper issued in Paris in 1996,
"Implementation of the Recommendations on Bribery in International Transactions".
"International Action Against Corruption - the Council of Europe's Multidisciplinary Group on
Corruption". Paper issued by the Directorate of Legal Affairs, Council of Europe in 1996.
Address by Advocate K.P.C.O. von Lieres und Wilkau, Attorney-General Witwatersrand Local
Division to the SACOB Conference on Ethics and Corruption at Randburg on October 14 1993.
Presentation by T Derksen and Anneke Osse from the College for Criminal Investigation and Crime
Control, The Netherlands at the Fourteenth International Symposium on Economic Crime, Jesus
College, Cambridge, UK, September 1996.
Deaux, K and L S Wrightsman's book "Social Psychology in the 80's", 4th edition 1984,
Brooks Cole Publishing Company, California.
"Corruption as a Process", paper presented by M Johnston at the fifth International Anti-Corruption
Conference, 1993.
City of London Police in partnership with Coopers and Lybrand pamphlet "Fraudstop".
Michael J Comer's book "Corporate Fraud", 1997. McGraw-Hill Book Company (UK) Limited.
Australian Law Enforcement Board's "Best Practice for Fraud Control".
