Governance responses to hacking in the banking sector of South Africa : an exploratory study

Roos, Christiaan J.

20 November 2013

D.Comm. (Auditing) / Organisations today are critically dependent on IT to enable business operations and ensure competitiveness in a growing international marketplace. At the same time, IT also introduces significant risks, such as hacking. The board of directors is ultimately responsible for mitigating IT risk as a component of business risk. This task is included in its corporate governance responsibilities, which, in the South African context, is underpinned by the King Code of Corporate Governance. The board of directors also plays a key role in identifying and enabling the most appropriate responses to IT risk, including hacking. This inevitably necessitates greater focus on and understanding of risks such as hacking. The determined and elusive nature of hackers makes them a significant threat to organisations today. Not only are hackers characterised by various profiles and motives, but they are also exceptionally skilled in exploiting weak security practices and software vulnerabilities, with attack techniques which range from non-technical social engineering to advanced technical attacks and exploits. Hackers are role-players in cybercrime and cyber warfare, as is evident from the media and information security survey results explored in this thesis, in particular within the banking sector, which is the financial backbone of the country. It is for this reason that the South African banking sector has been selected as the target population for this study. This study considers the meaning and nature of hacking, viewing it as either a risk or an event, which requires preventative or detective responses. The effect of hacking on business risks is explored next by identifying common business risks and common IT risks themes, where after the fundamental links between hacking and the IT risk themes are established. This study further argues that business risks are increased by IT risks, which implies that, by indirect association, business risks are increased by hacking. A response to this threat is required, in particular from a governance perspective, with the board of directors playing a fundamental role in supporting the appropriate responses. This study explores the advantages and disadvantages of various responses to hacking, highlighting the point that most traditional responses are not effective enough in fully mitigating the hacking threat. It is argued that ethical hacking is an effective response to the threat of hacking. The nature of ethical hacking is explored, including its objectives, motivation, advantages and disadvantages. The multi-faceted nature of the ethical hacking response is also considered. In order to explore the risks and responses to hacking in the banking sector in South Africa, an analysis of annual reports was conducted and two questionnaires were administered. The analysis of the annual reports of the 16 locally registered banks in South Africa highlighted differences in disclosure practices around IT risk, IT governance and hacking. This was followed by empirical testing in the local banking sector, by using a mixed-method approach in order to solicit mostly quantitative, but also qualitative, responses from company secretaries and individuals responsible for IT at the 16 locally registered banks. The results of the questionnaires indicated that the board of directors is not fully embracing its IT governance responsibilities and that IT matters are mostly dealt with by risk management committees at board level or IT steering committees at executive management level. The effect of IT risks on business risks such as human resource risk and physical risk is underestimated. Respondents were unclear about the effect of hacking on IT risks, such as IT human resource risk and lack of software development. The local banking sector is not fully aware of how hacking can affect organisations, and banks are not making enough use of ethical hacking as a response to the hacker threat. This is the first study of its kind to explore ethical hacking in the context of governance responses. The study breaks new ground by providing a unique in-depth analysis of the link between business risk, IT risk and hacking. It is also the first study into the various responses to hacking in the SA banking sector and will assist not only the banking industry but business at large in defining appropriate preventative and detective responses to hacking.

Computer security - Auditing

Computer hackers

Risk management

The functioning of the information technology internal audit departments at metropolitan municipalities in South Africa

Mamaile, Lukishi Jacob

09 December 2013

M.Comm. (Computer Auditing) / The internal auditors play an important role in any organisation, irrespective of the type of audit they perform. Metropolitan municipalities (Category A municipalities) in South Africa are established in terms of Section 155.1(a) of the South African Constitution as municipalities that execute all the functions of local government for a city and that have sufficient resources to perform municipal functions, as opposed to areas that are primarily rural, where the local government is divided into district municipalities and local municipalities. Recently, many weaknesses have been reported regarding these municipalities. This is evident when looking at the recent billing problems experienced within the City of Johannesburg metropolitan municipality, during which the city blamed its Project Phakama, an IT system intended to integrate municipal services accounts into one database for effective accounts management, for any deficiencies. The above considerations triggered the need to conduct this study. The study focuses on the types of internal IT audits that are conducted within these municipalities, the independence of the internal audit departments, the audit standards/guidelines/legislation followed, the roles and responsibilities of IT auditors, the knowledge expected from IT auditors, the IT audit skills (both core skills and soft skills) required to perform the audits and the IT audit tools and techniques that are applied while performing the internal audits. The study was therefore conducted to establish the functioning of the information technology internal audit departments at metropolitan municipalities in South Africa, given the above background. A quantitative research methodology was followed in the study, in which a detailed questionnaire was designed and sent to all heads of IT audits/Chief Audit Executives (CAE) in all eight metropolitan municipalities in order to find answers that would achieve the above-mentioned objectives. Seven out of the eight metropolitan municipalities in South Africa participated in the study. This study revealed the following key results, general controls reviews were the most performed type of audit, and municipalities were found to forward their internal audit reports to both municipal managers and audit committees. Computer knowledge is considered to be the main expected knowledge from the IT auditors, audit and technical skills are considered to be the most important core skills required from any IT auditor. The Municipal Finance Management Act (MFMA) is found to be used by all municipalities while conducting their internal audits. The detection role is singled out as the main role played by IT auditors in municipalities, followed by the oversight role. Ensuring that IT policies, procedures, laws and regulations are managed in accordance with standards, as well as identifying and evaluating IT risks are considered by internal auditors in municipalities as the most important responsibilities they perform on daily basis.

Public administration - Data processing

Electronic data processing - Auditing

Information technology - Management

Essays on corporate governance and audit quality within family business groups : evidence from Hong Kong

Wang, Wenming

01 January 2011

No description available.

Auditing

China

Corporate governance

Family-owned business enterprises

Hong Kong

Moral and ethical aspects

Quality control

La fraude fiscale : Une analyse théorique et expérimentale / Tax Compliance Dynamics : Theoretical and Experimental Evidence

Pavel, Raluca

11 December 2015

Cette thèse étudie la question des incitations dynamiques des agents économiques à frauder. Le premier chapitre introduit un modèle dynamique de fraude fiscale afin d’étudier l’impact de l’audit rétroactif sur le respect des obligations fiscales des agents économiques.Il permet de montrer qu’un accroissement de la période de prescription entraîne une diminution de la fraude fiscale et de déterminer le montant des recettes fiscales attendues par l’autorité fiscale pour différentes politiques d’audit. On établit que les audits rétroactifs génèrent des recettes fiscales espérées supérieures à celles des audits statiques. Le deuxième chapitre propose une approche théorique et expérimentale des incitations dynamiques des agents économiques à frauder. Les résultats expérimentaux confirment les prédictions théoriques : un accroissement de la période de prescription implique une augmentation des déclarations de revenus des agents. Le dernier chapitre introduit une deuxième étude expérimentale en laboratoire, dans le but de comparer l’efficience des deux politiques d’audit fiscal : l’audit rétroactif et l’audit statique (restreint à la période courante). Le principal résultat suggère que les politiques d’audit rétroactif sont plus efficaces pour réduire la fraude fiscale que les politiques d’audit statique fondées sur des fréquences d’audit élevées. / This thesis studies taxpayers' dynamic incentives to evade taxes. The first chapter introduces a dynamic model of tax evasion. We prove that higher limitation periods increase tax compliance. We also determine the expected tax revenues generated by retroactive and static auditing policies, with respect to the levels of tax rates and expected discounted penalties. We obtain that retroactive auditing generates higher expected tax revenues than static auditing. The second chapter provides theoretical and experimental evidence about subjects' incentives to evade taxes, with respect to a retroactive inspection policy. Our experimental results confirm theoretical predictions, i.e. higher limitation periods increase agents' compliance. The third chapter introduces a second laboratory experiment, in order to compare the efficiency of two main audit schemes: retroactive versus static auditing. We find that retroactive auditing policies are more efficient in enhancing tax compliance, than policies of static auditing accompanied by high audit rates.

Audit rétroactif

Délais de prescription

Incitations dynamiques

Tax evasion dynamics

Retroactive auditing

Statute of limitations

Fraud

Dynamic incentives

The effect of HIV/AIDS on the control environment: an internal audit perspective

Coetzee, G.P. (Philna)

31 May 2004

The internal auditing profession has undergone considerable changes during the past few years. A new definition has been formulated in 1999 for the profession and the Professional Practices Framework, including the Standards, has had to be adapted to incorporate this new definition. An internal auditor, in addition to being a control specialist, must now also assist management in a consulting capacity with risk management and corporate governance. According to the new Standards, an internal auditor should assist his or her organisation in maintaining effective controls by evaluating its effectiveness and efficiency and by continuously promoting improvement. The basis for the control system is a control environment that provides an atmosphere in which people conduct their activities and this has a direct influence on the way activities are structured, objectives are established and risk is addressed. HIV/AIDS is a disease that threatens the world as a whole, global economies, individual countries, governments and also the business world, especially individual organisations. It is therefore vital that the consequences of this potential risk on an organisation are studied. Various studies done on this subject have indicated that managements are aware of the possible risk of HIV/AIDS to their organisations, but no study has at yet investigated the role that internal auditors can play or the effect of HIV/AIDS on the control environment. This study firstly investigated whether HIV/AIDS has an effect on the control environment of an organisation. Secondly, the knowledge of internal auditors regarding the potential risk of HIV/AIDS to the organisation and the role they should play in assisting management with this risk, including its effect on the control environment, was investigated. The research findings showed that HIV/AIDS does have an effect on certain elements of the control environment, namely the competence of the workforce, organisational structure and the human resources policies and practices. The study also concluded that internal auditing should treat the risk of HIV/AIDS like all other risks threatening the organisation. Thus they should assist management in managing the risk and giving assurance to all stakeholders that the risk is being adequately managed. It was also concluded that although internal auditors are aware of the risk of HIV/AIDS to their organisations, especially the control environment, only a few internal auditing departments were performing their responsibilities in full. The level of commitment to managing this risk varied from total ignorance of HIV/AIDS in a business environment, to internal auditors performing audits on certain aspects in the management of this risk. HIV/AIDS is not a normal business risk. Factors such as additional legislation, the disease being non-notifiable, the stigma associated with the illness, the fact that no cure is available, and many more make this a difficult risk to understand and to manage, thus complicating the responsibilities of internal auditors. Professional guidance is needed for the internal auditor on how to handle this risk. / Dissertation (MCom(Internal auditing))--University of Pretoria, 2005. / Auditing / unrestricted

Risk management

Control environment

Hiv/aids

Internal auditing

Consequences of hiv/aids

UCTD

Kvinnliga revisorer bankar på glastaket : En studie av revisionsbyråer i Stockholm

Mårtensson, Sofia, Österdahl, Emma

January 2017

The Glass ceiling is a metaphor used to explain how women can be limited from reaching the top positions in their careers by being stuck under a transparent glass ceiling. Despite the fact that Sweden is one of the most gender equal countries in the world, the current statistics show that women in Sweden generally earn less than men, take larger responsibility of parenting and only represent a minority in boards and leading positions. Previous research on the Glass ceiling has been supported by factors such as motherhood, women’s views on their own possibilities and women being promoted to more precarious leading positions. The current study focuses on the auditor sector and is limited to Stockholm. The study aims to contribute to an understanding of the inequalities between men’s and women’s careers by measuring the existence of the Glass ceiling. The research emanated from previous research and affiliated theories aiming to confirm or reject the Glass ceiling. The study was conducted through semi-structured interviews with auditors operating in Stockholm, during spring of 2017. The current study showed evidence for Homosocial reproduction in top positions in the auditor business in that men tend to choose other men when promoting to top positions. The Pipeline perspective theory was also corroborated due to the industry gradually becoming more gender equal. Furthermore, evidence was found of the Leaky pipeline theory on women resigning from the auditor business as they become mothers, due to the auditor business’ seasonally intense workload. The Glass ceiling was hence partly confirmed. / Glastaket är en metafor vilken används för att förklara vissa kvinnors begränsningar till att avancera till de högre positionerna inom sitt yrke. Trots att Sverige är ett av världens mest jämställda länder visar statistiken att kvinnor i Sverige generellt har lägre lön än män, tar större ansvar för barnomsorg, tar ut mer föräldraledighet och tar enbart upp en minoritet av styrelse- och ledarpositioner i stora bolag. Tidigare forskning har förklarat Glastaket som en konsekvens av moderskap och kvinnors synsätt på sina egna möjligheter. Studien inriktar sig på revisionsbranschen och avgränsas till Stockholmsområdet. Studiens syfte är att genom tidigare forskning och teorier relaterade till Glastaket bidra till en djupare förståelse genom studiens undersökning. Undersökningen skedde genom semistrukturerade intervjuer med revisorer i Stockholmsområdet under våren 2017. Resultaten visade att studien kunde finna bevis för Homosocial reproduktion i toppositionerna inom revisionsbranschen genom att män tenderar att välja andra män till befordran inom branschen. Även Pipeline perspective-teorin fick belägg i studien då revisionsbranschen tidigare varit mansdominerad, men successivt blir mer jämställd. Vidare fann studien även evidens för Leaky pipeline-teorin där kvinnor oftare säger upp sig från revisorsyrket då de skaffar barn på grund av att yrket ofta innebär mycket arbete vilket kan vara svårt att kombinera med familjeliv. Därmed bekräftar dessa teorier delvis Glastaket.

Glass ceiling

equality

career advancement

women in work

auditing

Business Administration

Företagsekonomi

THE RISKS OF ENVIRONMENTAL ACTIVITIES : How are these risks handled by the corporate governance and the external auditor?

Hallström, Viktor, Strand, Emma

January 2017

The purpose of this study is to examine external auditors´ current practices when performing an audit of companies with environmentally hazardous activities, i.e. if the environmental risks are taken into account by the auditor of an audit. To understand what the auditors should review, this study also examines how these companies control their environmental risks. A qualitative method has been conducted based on ten semi-structured interviews, consisting of auditors experienced in auditing industrial companies as well as corporate managers of the largest industrial companies within the Stockholm Stock Exchange. Furthermore, information has also been obtained from annual reports of the companies. This study shows that the auditors` practices, when conducting audits of environmental hazardous companies, do not include a comprehensive investigation of risks arising from environmental hazardous activities. Furthermore, the study shows that big, listed industrial companies have a strong internal control that manages their environmental risks. The companies are aware that they are exposed to risks due to their operations and they are taking adequate actions to control them such as different management systems.

Auditing

Environmental risk

Hazardous activities

Internal control

Risk management

Business Administration

Företagsekonomi

An evaluation of treasury oversight and budget under-spending in selected Eastern Cape Provincial Departments

Daniels, Nokuthula

January 2015

The investigation of this study focused on the ability of provincial government departments in South Africa to spend allocated revenues on activities adequately, with a direct bearing on social and economic development. The research presents an analysis of two selected Eastern Cape Provincial Government departments’ expenditure for a three-year timeframe (the fiscal years from 2009–2012), with a focus on the oversight role played by the Provincial Planning and Treasury department in instilling fiscal discipline in the provinces, and the potentially detrimental effect of under-spending on provincial service delivery. Among other things mentioned and discussed are, firstly, the fiscal policy; secondly, the funding of provincial departments; thirdly, the role and responsibilities of the Provincial Planning and Treasury department. The study adopted a qualitative methodology which focussed on the perspective of the insider who has experienced first-hand the activities or procedures under scrutiny in the selected provincial departments. Further, the qualitative researcher believed that first-hand experience provides the most meaningful data. In support of this, the respondents were asked twenty-two questions, the first five of which were based on the need to understand their personal particulars. A semi-structured questionnaire was distributed to 43 officials and 22 of those questionnaires were returned.

Expenditures, Public

The role of internal auditors with specific reference to fraud investigation

Labuschagne, Mario

January 2015

The role of internal auditors is evolving to enable them to provide stakeholders with assurance and to assist organisations to achieve objectives and remain competitive to ensure the future existence of their organisations. The research for this study was guided by the question of whether the Institute of Internal Auditors guidance pronouncements provide sufficient guidance in the light of expectations of both the institute and management (stakeholders) relating to the role of internal auditors in respect of fraud investigation. Literature reviewed on the role of internal auditors showed that there is limited guidance provided with regards to fraud investigation, knowledge and skills required by an internal auditor to perform fraud investigations. The research methodology used for this study consisted of a qualitative case study of the Nelson Mandela Metropolitan University committees, namely, Council, Senate and MANCO as well as a combination of deductive and inductive interpretative analysis methods. Semi-structured interviews were used to obtain data from participants who were randomly selected from Nelson Mandela Metropolitan University Council, Senate and MANCO committees. The interviews revolved around three themes, namely, the role of internal audit, the information expected from internal audits and the role that the internal audit plays with regard to fraud. The interviews were recorded by means of a digital voice recorder which were transcribed by a qualified transcriber. The collected data was then manually coded by making use of standardised coding methods to assist with the analyses of the data. After considering the participant responses in relation to the themes, it could be deduced that a greater awareness needed to be created regarding the role of the internal audit and the services which internal audits could provide to organisations and management structures. The results of the analyses revealed that an expectation gap existed with regard to the Institute of Internal Auditors, guidance pronouncements and stakeholder expectations of internal auditor roles with specific reference to fraud investigations. This study showed that the IIA’s guidance pronouncements do not provide sufficient and adequate guidance in respect of the knowledge, skills and competency capabilities in relation to fraud investigations.The results of the study further showed that the expected role of internal auditors in an organisation should include fraud investigations.

Investigating variables that have impact on annual financial statement audit report outcomes in local government

Sigcau, Ntsikelelo

January 2013

The third sphere of government (Local Government) has been persistently clouded by unfavourable Annual Financial Statement (AFS) audit reports. This results in local government losing credibility and its stakeholders losing confidence in the institutions or municipalities. In-depth analysis of the root cause of this dilemma is an opportunity for the municipality to reorganise its house and redeem its dignity and credibility to its stakeholders through addressing the identified challenges. The importance of the study can be attributed to the need to investigate the root causes of unfavourable audit opinion and recommend possible remedies that can assist municipalities to improve their audit report outcomes which in turn will improve the confidence of its stakeholders. The primary objective of the study was to investigate variables that impact on the audit report outcomes on annual financial statements of the municipalities that are within Alfred Nzo District (AND) Jurisdiction, including Alfred Nzo District Municipality (ANDM). This was achieved through investigating the root causes of the audit report outcomes with specific focus on the relationship that exists between the management role and audit outcomes of the Alfred Nzo District Municipalities. This was measured by the municipality’s leadership, governance, internal controls and human capital management. Convenient sampling was used wherein 150 questionnaires (30 per municipality) were sent out to the selected employees in all the municipalities in the Alfred Nzo District. Out of the questionnaires that were sent out, 103 responses were received. These were analysed to draw findings, conclusion and recommendations. The empirical results of the study revealed that there is strong evidence that leadership, governance and human capital management have a positive influence on the municipality’s AFS audit report outcomes. It also revealed that there is overwhelming evidence that internal controls have a positive influence on the municipality’s AFS audit report outcomes. The study recommends how leadership, governance, internal controls and human capital management must be improved. It also provides future research recommendations to improve this study.

Finance, Public -- South Africa