Liquidations and Insolvencies

Liquidations and Insolvencies Explained

When a business or a person is unable to pay their debts when they become due, they are considered to be insolvent. The business model is quite simple; when the money going out is more than money coming in, debts are accrued and the liabilities exceed the assets.

Sequestration

A debtor may apply for their personal estate to be sequestrated by way of voluntary sequestration, or it can be sequestrated by a creditor by way of compulsory sequestration. The two most important components of applying for sequestration are that a liquidated claim should exist and that an act of insolvency should be proved to have been committed.

The applicant must prove that the sequestration will be to the advantage of the general body of creditors who will ultimately receive a dividend from the proceeds of the estate. This would all form part of the Notice of Motion brought before a judge of the High Court who holds jurisdiction.

Once the final sequestration order has been granted by the High Court, the case is referred to the Master of the High Court who holds jurisdiction. The Master will then appoint an Insolvency Practitioner listed on their National Panel either by way of nomination or make a discretionary appointment. Sufficient security needs to be provided to the Master of the High Court to defray all sequestration costs until such time that a Practitioner is appointed.  All estates vest under the care of the Master of the High Court.

Insolvency Practitioners

The appointed practitioner will attend to all the administration to wind up the estate as quickly and efficiently as possible. A great deal of communication exists between the Practitioner and the creditors throughout the administration of the estate. The practitioner will collect claims, sell the assets and maintain the finances of the estate throughout the process. The Practitioner is then obligated to frame and lodge a Liquidation Account with the Master of the High Court setting out the financial situation of the estate. Should all creditors as well as the Master be satisfied with the contents of the Account, the Master will confirm the account and dividends, if any, will be paid out. In the event of a contribution being levied, the Practitioner will enforce the necessary steps to collect same. They will then proceed to finalise the winding up of the estate.

Application for Rehabilitation

The ordinary time when an application for rehabilitation by court can be made is four years after sequestration. The period in a particular case would depend on:

  • When the first account was confirmed
  • Whether the Insolvent Estate was previously sequestrated
  • Whether the Insolvent has been convicted of certain offences
  • Whether the Master recommends rehabilitation

In certain cases the insolvent may apply much earlier if:

  • After giving six weeks’ notice no claims were proved against the estate within six months from the sequestration date, the insolvent has not committed certain offences, and the estate has not been sequestrated previously
  • After the confirmation of the account providing for the payment in full of all claims of creditors with interest thereon.

Liquidation of Companies, Close Corporations and Incorporations

This is the process which precedes the dissolution of an entity. The affairs of the company are administered by tracing and taking control of assets for the payment of creditors according to their ranking of preference and the distribution of the residue amongst the shareholders according to their rights.

Types of Liquidation

Voluntary winding up may be of a solvent company or an insolvent company. Both types of voluntary winding up require signed resolutions by members / directors, which need to comply with the following. It must be clear from the resolution that:

  • It was a special resolution,
  • Adopted by the members or directors,
  • Which provides for a creditors’ winding up of an insolvent company, or
  • Which provides for the voluntary winding up of a solvent company.

The Company, a creditor, a shareholder or a certain official may apply for the compulsory winding up of a company. The circumstances under which the company may be wound up include:

  • Inability to pay debts, or
  • It appears to the courts that it is just and equitable that the company should be wound up.

Winding-Up

A provisional winding-up order is usually issued in the form of a rule nisi. Interested parties are invited to appear on the return date and advance reasons for the final order not to be issued. If no such reasons can be given, the court will proceed to issue the Final Liquidation Order.

Security for costs must be lodged until the appointment of a provisional liquidator. The application needs to be accompanied by a certificate from the Master of the High Court confirming that security has been lodged. A copy of the application must be served on the following:

  • The Master of the High Court
  • Registered unions
  • Employees
  • South African Revenue Service

Control of the company will no longer rest with its members or directors; it vests first in the Master of the High Court and then in the appointed liquidators.

Important consequences of Liquidation include:

  • Transfers of shares after liquidation are void
  • Change of status of the Company or the members without approval of the liquidator is void
  • Disposition of property, including claims, after commencement of liquidation is void
  • All legal processes are suspended

Realisation of Assets

The appointed liquidator will proceed to realise all assets vesting in the Company and liquidate same in order to generate sufficient funds for the payment of the administration costs as well as payment of dividends to proven creditors. All creditors need to prove their claims at the official Creditors’ Meetings convened by the Master of the High Court and the appointed Liquidator.

All funds arising from the liquidation of a company need to be paid to an estate bank account which will be managed by the appointed Liquidator under the care of the Master of the High Court.

Nexia SAB&T’s Insolvency Services

Nexia SAB&T offers administration of deceased estates, both testate and intestate as well as the administration of Insolvent Estates and Liquidated Companies and Close Corporations.

Nexia SAB&T received various appointments within the Liquidation and Insolvency Industry over the years including complex and high profile estates.  Our Liquidation and Insolvency department currently has eleven liquidators on the Master of the High Court’s National Panel of which five are Senior Practicing Liquidators.

Nexia SAB&T received its very first appointment in early 2003 and has developed a fully equipped Insolvency division since then.

We have qualified and experienced Insolvency and Deceased Estate Practitioners and Insolvency Administrators, acting as assistants and consultants to all our liquidators.

Nexia SAB&T has offices in all nine South African Provinces and takes appointments nationally.

Contact Us
www.nexia-sabt.co.za
Contact: +27 21 596 5400

 

Disclaimer
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in future, and, to the extent permitted by law. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Nexia SAB&T does not accept liability for any loss arising from any action taken, or omission, on the basis of the content in this article or any documentation and external links provided.

Nexia SAB&T is a member firm of the “Nexia International” network. Nexia International Limited does not deliver services in its own name or otherwise. Nexia International Limited and the member firms of the Nexia International network (including those members which trade under a name which includes the word NEXIA) are not part of a worldwide partnership. Member firms of the Nexia International network are independently owned and operated.

Nexia International Limited does not accept liability for any loss arising from any action taken, or omission, on the basis of the content in this publication or article or any documentation and external links provided.

The trade marks NEXIA INTERNATIONAL, NEXIA and the NEXIA logo are owned by Nexia International Limited and used under licence.

References to Nexia or Nexia International are to Nexia International Limited or to the “Nexia International” network of firms, as the context may dictate.

For more information, visit www.nexia.com.

Performance Auditing an Introduction

Contextualising Performance Audit

Before introducing the subject of performance auditing, it is important to contextualise it correctly in relation to other types of audit. The various types of auditing may, inter alia, be categorised as follows:

Financial Auditing

The assessment of whether the financial statements of an entity fairly present its financial position at a given point in time. To achieve this opinion, the entity’s accounting and financial management systems are interrogated and assessed against predetermined standards.

Compliance Auditing

The process of determining whether a process or transaction executed by an entity has met the applicable legislative and/or regulatory guidelines that are applicable to the entity.

Audit of Predetermined Objectives

The process of determining whether reliance can be placed, in all material aspects, on the reported performance against predetermined objectives in the annual performance report of an entity, when measured against a set of predetermined criteria.

Information Systems Auditing

The assessment of whether information technology investments made by an entity have contributed to the reduction of costs, enhanced service delivery and the quality of information being produced.

Forensic Auditing

An examination and evaluation of an entity’s financial information and accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft and fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to gather evidence for the case against an alleged criminal.

Now that we have been able to contextualise performance auditing within the audit matrix, we will attempt to provide more context to performance auditing, defining it in more detail, introducing the standards against which performance auditing is conducted and a brief chronology on how the performance auditing process is applied.

Definition of Performance Auditing

Performance auditing may thus be defined as an independent auditing process to evaluate the measures instituted by management to ensure that resources have been procured economically and are used efficiently and effectively.

The objective of performance auditing includes the following three assertions:

The main objective of performance auditing is to promote constructive economical, effective and efficient governance. It also contributes to accountability and transparency. It promotes accountability by assisting those charged with governance and oversight responsibilities to improve performance. It promotes transparency by affording identified stakeholders an insight into the management and outcomes of different activities. It thus serves as a basis for learning and identifying potential improvements for the entity being audited.

Performance Audit Standards

Performance audits are benchmarked against the International Standards and Guidelines of Supreme Audit Institutions (ISSAI), which are issued by the International Organisation of Supreme Audit Institutions (INTOSAI). The following standards and guidance are normally complied with in conducting a performance audit:

  • ISSAI 300 – Fundamental Principles of Performance Auditing
  • ISSAI 3000 – Standards for Performance Auditing
  • ISSAI 3100 – Central Concepts for Performance Auditing

ISSAI 300

Provides the framework, the general principles and an overview of the nature and the elements for performance audits. It is used as the basis from which to develop performance audit standards.

ISSAI 3000

Provides the features and principles of performance auditing and a basis for good performance audit practices; 1.2 states that “performance auditing is not overly subject to specific requirements and expectations. While financial auditing tends to apply relatively fixed standards, performance auditing is more flexible in its choice of subjects, audit objects, methods, and opinions. Performance auditing is not a regular audit with formalised opinions. It is an independent examination made on a non-recurring basis. It is by nature wide ranging and open to interpretations. It must have at its disposal a wide selection of investigative and evaluative methods and operate from a quite different knowledge base to that of traditional auditing. It is not a checklist-based form of auditing.”

ISSAI 3100

Provides the guidelines which outline a common understanding of what defines high quality work in performance auditing.

The Performance Audit Process

When preparing to conduct a performance audit, the following broad processes are generally applied to ensure that the standards as mentioned above are achieved.

Most audit types, including performance auditing, comprise three main phases:

  • Planning
  • Execution
  • Reporting

Planning Phase

The starting point in the performance audit strategic planning process is deciding what to audit from a myriad of possible activities occurring within an entity. Performance auditing should be directed toward areas where an independent audit may support the oversight function in promoting accountability, economy, efficiency and effectiveness in the use of resources at its disposal.

In determining possible areas for audit, general criteria can be used to guide the selection of an area to be audited. These criteria may, inter alia, be broadly described as follows:

  • Added value – where the subject has not been covered previously or in earlier audits, the greater the chance of the audit subject adding value to the entity;
  • Important problems or known problem areas – the greater the risk of consequences in terms of economy, efficiency and effectiveness, the more important the problems tend to be;
  • Risk or uncertainty – the financial or budgetary amounts involved are substantial; the area is traditionally prone to risk, for example procurement or new or urgent activities; management structures are complex; there is no reliable and updated information, etc.

Once the strategic planning process has been completed, it is important that an annual plan be compiled for performance audit activities to be carried out during a financial year.

Audit Considerations for the Planning of a Performance Audit

  • Identification of important aspects of the environment in which the entity operates
  • Developing an understanding of the accountability relationships
  • Specifying the audit objectives and the tests necessary to meet them
  • Identifying key management systems and controls and carrying out a preliminary assessment to identify both strengths and weaknesses
  • Determining the materiality (both quantitative and qualitative) of matters to be considered
  • Assessing the extent of reliance that might be placed on other auditors, for example internal auditors
  • Determining the most efficient and effective audit approach

Planning Steps Included in the Audit

  • Collect information about the entity and its organisation
  • Define the objectives and scope of the audit
  • Undertake a preliminary analysis to determine the approach to be adopted and the nature and extent of enquiries to be undertaken at a later stage
  • Highlight special problems anticipated during the planning of the audit
  • Familiarise the entity with the scope, objectives and assessment criteria of the audit and where necessary discuss it with them
  • Assess compliance with applicable laws and regulations when necessary to satisfy the audit objectives

Planning Procedures

  • Obtain a sound understanding and knowledge of the business
  • Identify symptoms
  • Select a potential focus area
  • Motivate the potential focus area
  • Prepare an audit planning memorandum
  • Prepare audit questions
  • Prepare audit criteria

The planning phase of a performance audit is critical to its success and at least 40 to 45% of the audit time should be spent on this phase.

Execution Phase

During the execution phase, the auditor designs tests and procedures to obtain evidence in the most cost-effective manner. Information is gathered, evaluated for its appropriateness and it is then determined whether it is sufficient to support observations about the entity’s performance.

Execution Phase Activities

  • Design audit procedures and tests
  • Carry out audit procedures and tests (audit evidence)
  • Analyse the evidence and draw conclusions – evaluate actual performance against the audit criteria that were developed
  • Evaluate the existence of sufficient and appropriate evidence
  • Develop audit findings, causes and effects

The execution phase of a performance audit should not exceed 30% of the total audit time spent on the audit.

Reporting Phase

A written report should be prepared at the end of each audit; its content should be easy to understand and free from vagueness and ambiguity and include information which is supported by competent and relevant evidence. Regarding performance audits, the report should include all significant instances of non-compliance that are pertinent to the audit objectives.

In order to recognise reasonable user needs, the report may need to have regard to expanded reporting periods or cycles.

In a performance audit, the auditor reports on the economy and efficiency with which resources are acquired and used, and the effectiveness with which objectives are met. The report should not concentrate solely on criticism of the past but should be constructive.

The reporting phase of a performance audit should not exceed 25% of the total audit time spent on the audit.

In the next publication, we will provide a real-life example of a performance audit that was conducted by Nexia SAB&T, which will demonstrate how these concepts were applied.

Nexia SAB&T’s Performance Audit Offering

Nexia SAB&T looks forward to assisting you with your performance audit needs. For more information please do not hesitate to contact us.

Contact Us

Naeem Hassim
naeem.hassim@nexia-sabt.co.za
www.nexia-sabt.co.za
Contact: +27 12 682 8800

Ndumi Medupe
ndumi@nexia-sabt.co.za
www.nexia-sabt.co.za
Contact: +27 12 682 8800

 

Mandatory Audit Firm Rotation

On 2 June 2017, the South African Independent Regulatory Board for Auditors (IRBA) issued a Rule prescribing that auditors of public interest entities (PIEs) must comply with Mandatory Audit Firm Rotation (MAFR) with effect from 1 April 2023.

The New Rule stipulates that auditors can now only serve for a maximum of 10 years, after which they have to rotate off the client for a cooling off period of 5 years, before being eligible to be appointed as the auditor of the client again.

Needless to say, this has caused quite a furore in the accounting community, especially with the Big 4 firms, as they have serviced some clients for uninterrupted periods, in some instances exceeding 100 years. The MAFR stands to disrupt these long-standing relationships.

Before we examine the merits of MAFR in the South African context, it is important to get some background on the origins of MAFR. The global financial crisis brought to the fore questions surrounding the scope and quality of external audit, market concentration and auditor independence. The crisis reopened concerns about auditor tenure and its consequences for auditor independence and audit quality. More specifically, regulators expressed concerns that the desire to retain clients and the familiarity created between auditors and management might over time impair auditor independence, which in turn could adversely affect audit quality. This resulted in a global debate on how best to address the issue. After a series of deliberations, discussions and inputs from industry and the accounting fraternity, there was no clear consensus on the way forward.

The two most notable regulators in the world, namely the European Commission and the regulator in the United States, embarked on very different paths in their quest to achieve auditor independence. The EU, after having implemented partner rotation in 2006, decided in 2014 to adopt MAFR at 10 to 24 year intervals, depending on certain criteria. The US implemented mandatory partner rotation in 2002 through the Sarbanes-Oxley Act, but decided, after involving academics and public hearings, not to introduce the rule at the audit firm level, at least for now.

Coming back to the South African context, what does the IRBA aim to achieve with the introduction of MAFR? It seems that South Africa’s intention has been to respond to the current global trends and recent international legislative measures which have been implemented in respect of strengthening auditor independence. However, IRBA’s considerations are broader and pertain to the following three objectives:

  • To strengthen auditor independence and thus protect the public and investors, which is part of the regulator’s strategy;
  • To address market concentration of audit services and create a more competitive environment, which will positively influence audit quality; and
  • To promote transformation by creating more opportunities for small and mid-tier audit firms to enter certain markets, provided they are competent to audit in those markets.

These three objectives set out above do make the South African debate around MAFR somewhat different to the international debate.

“Our latest inspection findings include independence issues as one of the top five findings amongst the audits of financial statements. This is consistent with global inspections results. In a South African context, the IRBA Board has also recognised the challenges with lack of economic transformation, and domination by certain firms within the profession. Out of the 353 audit partners who sign off on the financial statements of all JSE listed companies, only nine are Black African and over 90% are audited by a few firms. We will only see true empowerment when opportunities are provided equally amongst everyone,” says IRBA CEO, Bernard Agulhas.

While these seem to be sound and reasonable objectives, they have been met with opposition from certain quarters of the accounting fraternity. The opponents claim that requiring companies to rotate their auditors would not provide any additional audit quality that was not already being provided by having lead audit partners rotate. They believe that the current 5 year rotation requirement of lead audit partners already captures all the benefits of mandatory audit-firm rotation in a cost-effective manner, including the important attribute of a fresh set of sceptical eyes.

This brings us to the next and one of the most widely discussed demerits of rotation, and probably one that affects the client the most, namely the cost benefit analysis. It is argued in certain quarters that the potential cost of mandatory audit firm rotation exceeds its benefits. One cannot deny that the set-up costs for the new auditors to obtain an understanding of the client’s business model and organisational structure, as well as the costs for the client’s management to support the new auditors in these learning procedures, are a major concern, especially amongst the larger and more complex multinational JSE listed companies. Changing the auditor results in, among other things, organisational disruptions, start-up costs, increased need to compete for expensive tenders, loss of client-specific knowledge and the ability of the audit client to negotiate on audit fees.

Another concern is that the likelihood of audit failures might be greater in the initial period of an auditor-client relationship because of the lack of auditor knowledge about client-specific risks, processes and operations. If an audit firm is familiar with an organisation, it knows what reports to ask for and where to get them. It also learns the company’s terminology, which streamlines the audit process. Auditors can be more effective after they have gone through a couple of audit cycles because they have institutional knowledge. It is argued that an increase in audit tenure builds company-specific expertise, which allows auditors to rely even less on management and therefore become more, rather than less, independent.

Finally, firms would need to guard against a decline in investment in people and innovation, especially in key specialist areas. If one is forced to rotate, and assuming this work is not satisfactorily replaced for that sector, it would be difficult to continue to support the desired levels of investment to continuously build intellectual property. Another disadvantage is the loss of institutional knowledge that extends to the full team. As a result, auditors are concerned about an increase in uncertainty regarding audit capacity needs and how and where to best locate talented employees with particular skill sets. In addition, there is also a danger that important longer-term investments in the development of specialised knowledge will potentially be avoided and that mandatory firm rotation might create a disincentive for audit firms to acquire specialisation because they will not be able to target specific client segments anymore.

The Regulator’s main concern about audit firm tenure is a potential decrease in auditor independence, and hence audit quality, as a result of an overly tight relationship between auditor and client. The argument is that excessive familiarity with the client’s management, together with the pressure to retain the client, may lead to an eagerness to please the client and a lack of attention to detail. By limiting the maximum length of tenure, it is argued that auditors will be forced to pay closer attention to the details and be more sceptical in their audit approach. Auditors are supposed to be independent of their clients, closely scrutinising their operations. The proponents of MAFR argue that if the auditor is with the same client for too long, they may lose objectivity and won’t ask hard questions.

Also, the threat of routine, as reflected in excessive reliance on prior-year working papers, is frequently mentioned as a drawback of tenure. It can potentially result in insufficient audit procedures and excessive reliance on static audit programs and prior year results. If the auditor has always tested an account balance a certain way, then he or she may continue to do so, even if it’s no longer the best method. This can result in a potential decrease in independence and scepticism and erosion of audit quality. MAFR is aimed at increasing audit quality by mitigating such independence and routine threats.

Second, and related to the first argument, is an expected positive effect of mandatory audit firm rotation on auditor ‘independence in appearance’. In other words, according to this argument, financial statement users will perceive the auditor to be more independent after mandatory rotation, which will benefit perceptions of the financial statement and market reactions as a whole.

While we all agree that every auditor should be independent and conduct an independent audit, are we certain about what it actually means for the auditor to be independent? According to Dopuch, King and Schwartz (2003) there are two aspects of auditor independence, independence in fact and independence in appearance. Independence in fact (real independence) is related to the auditor’s ability to express an opinion about the financial statements without his or her professional judgement being affected by factors which could negatively affect his or her integrity, objectivity or professional scepticism. The auditor with independence in fact would make the audit as correct as possible. The independence in appearance (perceived independence) is related to a third party. If the auditor is not perceived as independent by the users, the auditor is not seemingly independent. Studies have concluded that auditor’s independence in appearance is viewed, especially among investors, as a pre-requisite for audit quality. Together these two aspects of auditor independence are essential to achieve the goals of auditor independence.

The mandatory rotation of audit firms is applicable to public interest entities. It is important to highlight the role of the investors in these companies, because a characteristic of these companies is that ownership is often separated from management. The investors must therefore rely on the information given in financial reports by the management, and the auditor helps to increase the credibility of the reports. Hence it is of paramount importance that independence in appearance also be given due consideration. The lack of independence in appearance is enough to undermine confidence in the audit and financial reporting, and potentially lead to the destabilisation of markets.

A third argument in favour of mandatory rotation is that it might provide smaller audit firms the opportunity to participate due to increasing market competition. This brings us back to the IRBA’s intention to pursue the three objectives with MAFR to improve transformation and competition in the auditing industry. While the cause is noble, the question is, is it achievable? The obvious doubt on the matter is whether a smaller audit firm possesses the resources, international presence or the experience to service large, complex, and global clients. Some mid-tier firms insist that a lot of second tier firms have the capability to audit JSE-listed companies but are not getting the opportunities due to longstanding relationships held by the Big 4. So what can be wrong in trying to create a level playing field? The client ultimately decides through its audit committee which firm is best suited for its needs, and if MAFR provides a window of opportunity for smaller firms then ultimately it is improving the standard of the auditing community as a whole.

Obviously, the smaller firms must make the investment to gear up their resources and probably deal with the issue of the lack of experience through Joint Audits, a consideration that IRBA should look into seriously before 2023. But with 6 years to go before the MAFR Rule comes into effect, the auditing industry needs to reflect on ‘invest in moving forward or risk being left behind’.

While everyone welcomes changes that are aimed at improving the relevance and quality of audits and the promotion of sound capital markets and investor protection, there is disagreement on how this can be achieved. The opponents argue that the requirement of the Companies Act for mandatory audit partner rotation, a world-recognised Corporate Governance framework in King IV, and the new addition to the Auditor’s Report, namely Key Audit Matters, sufficiently address the issues.

The added cost to the economy as a result of mandatory audit firm rotation cannot be ignored, but if it results in improving the competency, confidence and propriety of the profession it is a cost worth bearing. While mandatory audit firm rotation will address the independence concern, it might not immediately address the need to broaden capacity and increase access to opportunity, although these outcomes could be advanced in the long term.

The rotation debate has always centred on a key question: what would make for more effective audits, a fresh pair of eyes (a new accounting firm) or deep, but perhaps compromised, knowledge about the ins and outs of a complex company? Only time will tell if MAFR indeed achieves its objectives. In the meantime, it is worthwhile to note that South Africa is ranked number one in the world by the World Economic Forum for the strength of its auditing standards and has held this ranking for seven consecutive years. It is imperative that we continue to improve, invent and lead on standards and measures to protect investors in order to retain confidence in the credibility of our financial markets.

For further information and any questions relating to Mandatory Audit Firm Rotation, please contact:

Bashier Adam (CEO)
bashier@nexia-sabt.co.za

Tertius de Kock (EA Director)
tertius@nexia-sabt.co.za

Ndumi Medupe (Chairperson)
ndumi@nexia-sabt.co.za

www.nexia-sabt.co.za
info@nexia-sabt.co.za
Contact: +27 12 682 8800

Cybercrime is a Reality – Is your business cyber resilient?

The digitised world is growing at a phenomenal pace. Businesses are embracing the digital era in order to realise technological advantages as much as out of necessity to keep up with competitors, as the Internet of Things drives entrepreneurship.

The falling costs of information and communications technologies are helping Africa realise a fundamental transformation in the continent’s economic, political and social environment. Especially impressive have been digitisation’s benefits to disadvantaged consumers, such as those without bank accounts or electricity. Major drivers of the continent’s digitisation include, for example, the various cable systems connecting the African continent to the rest of the world, such as SEACOM, East African Submarine Marine Systems (EASSy) and West African Cable System (WACS), and the rapid diffusion of mobile phones and smart devices.

Companies around the world, but particularly in Africa where defences are inadequate, are highly vulnerable to cyber-attacks. Africa’s businesses and governments are several steps behind the smart operators quietly entering networks to access valuable data, disrupt activities and blackmail companies.

According to the United Nations, cybercrime covers any illegal behaviour directed by means of electronic operations that target the security of computer systems and the data processed by them.

Malware and ransomware are now concepts that businesses need to understand, as cybercriminals use these to attack their digital infrastructure, which costs businesses and their clients millions of Rands every year. The rise of cybercrime has been astonishing and totally underestimated.

Potential impact of a ransomware attack on your organisation:

  • Inability to trade
  • Loss of revenue
  • Loss of intellectual property
  • Loss of confidential client information
  • Loss of confidential employee information
  • Loss of reputation
  • Identity theft
  • Potential liability for damages resulting from lost data

Ransomware attacks go hand-in-hand with cyber extortion. The ransomware encrypts all your documents and denies you access to your systems or data, thereby potentially disabling your ability to trade. After the ransomware has successfully encrypted your data, it will present you with a message letting you know that the key to decrypt your data will be provided to you once you transfer a specific amount in Bitcoin (which is an untraceable currency).

When your systems are down following a ransomware attack, you may be unable to access your information, making normal trading almost impossible due to the vast reliance on data and information organisations have.

When a company is hacked, information may be stolen, and that information, which could contain sensitive trade, client or employee information, is then sold on what is referred to as ‘the dark web’, which is the part of the internet the normal internet user does not have access to, and from where cybercriminals operate. Cybercriminals then use that information either to scam their targets or to commit identity theft, using all the personal information obtained to pose as a different person to buy houses or run up massive amounts of expenses in that individual’s name. You as the company have the responsibility to look after your customers’ and your employees’ information, and if you don’t and that information is leaked, the company could then potentially be held liable for the damages suffered by the affected third parties.

WannaCry Global Cyber-Attack

A global cyber-attack was launched on Friday, May 12, 2017, and continued through the weekend. The attack was executed as a form of ransomware called WannaCry that encrypted the data on vulnerable computers on the networks it managed to penetrate and demanded payment to restore access to the data.

The ransomware targets a specific vulnerability on computers running the Microsoft Windows operating system, exploiting the vulnerability and then encrypting data and demanding ransom payments in the Bitcoin crypto-currency. It is one of the worst ransomware attacks to date. The attack leveraged hacking tools believed to be developed by the U.S. National Security Agency that were leaked online last month by a nefarious group known as “The Shadow Brokers.”

The attack infected more than 230,000 computers in nearly 150 countries by spreading across local networks and the Internet, directly infecting any exposed systems that had not been updated with the most recent security updates.

It even disrupted Britain’s health system and global shipper FedEx. At least 16 hospitals in the United Kingdom were forced to divert emergency patients as their systems were rendered useless and physicians unable to access electronic medical records. Perhaps this could be the beginning of a new trend for international organised crime, experts have told the BBC. http://www.bbc.com/news/av/uk-39905839/nhs-cyber-attack-the-next-step-for-organised-crime

Europol, the pan-EU crime-fighting agency, said the threat was escalating and predicted the number of ransomware victims was likely to grow across the private and public sectors. Cyber security experts said the malware could spread through computers with unpatched versions of Microsoft Windows.

https://www.theguardian.com/technology/2017/may/14/cyber-attack-escalate-working-week-begins-experts-nhs-europol-warn

South African companies and individuals have also been victims of the WannaCry ransomware, although not to the same degree as some of the other countries, as seen in the picture below.

It goes without saying that the phenomenon goes far beyond the common scams perpetrated through emails – the famous Nigerian “419” scam.

Recently, the systems of a number of South African companies and government institutions were infiltrated by cyber attackers, and data was stolen or held for ransom. These incidents illustrate the risks that the use of cyberspace poses to the African continent in the 21st Century.

The Way Forward

Businesses need to embrace new technologies and understand they’re exposing themselves to new risks. The questions are how to guard against data breaches, how to mitigate damages, and how to manage cyber risk. The world is changing at a bewildering pace due to rapid digitisation and urgent solutions are needed to ensure that businesses are cyber resilient.

Security has to be on management’s and the board’s agenda. They need to be constantly thinking about the worst-case scenario: what would happen if your information were stolen? How badly would your business be damaged if one individual were bribed or blackmailed? What are all the possible ways someone could attack?

There are two key areas to consider: the regulatory environment and organisational culture.

Regulatory Environment

A crucial aspect is the impact of different regulatory environments. Today’s globalised and digitally integrated world means that most organisations are to some extent international. Whether it’s a business that serves a global market or a manufacturer hooked into global supply chains, awareness of and adherence to local rules and regulations in all areas of operation are crucial.

The EU General Data Protection Regulation (GDPR), due to come into effect in 2018, requires every organisation operating in Europe to abide by several regulatory provisions – and this doesn’t just mean companies based in Europe, but also those offering goods or services to EU markets in a way that involves processing any European-owned data. Cyber challenges are global, and regions everywhere will need to come up with appropriate regulatory responses.

Organisational Culture

Management or the board members can’t do everything themselves. You need to build security awareness into your organisation’s culture by making it part of every employee’s roles and responsibilities. Give employees responsibility, and encourage them to speak up.

If everyone thinks about security, they’ll ask the right questions. For example, a recruiter can consider how much a planted employee could steal. They might then be proactive and help ensure you have the right vetting processes in place. Other security issues can result from scammers working on the inside or employees not being educated about the risks of, for example, accepting free USB drives or bringing their own devices to work. Business owners should consult with security professionals.

If businesses do nothing, assuming a “nothing can happen to us” mentality, then it’s only a matter of time before a security hack occurs.

Companies, multinationals, government and individuals can’t avoid an attack. It’s going to happen eventually. You can do everything possible to recover what’s been stolen and catch the criminal, but eventually they’ll find that tiny hole and squeeze through.

The trick is to make sure you have layers between your systems. If your customer data is behind another wall, it’s safer. You want to make sure your most valuable information is hidden – even from your own employees. You don’t see bank vaults out on the street. They’re behind checkpoints, cameras and closed doors. Do the same with your data.

So, what can you or your organisation do? How can you protect yourself?
These are complex questions that you need to address, but for now, consider the following:

  • Get educated about cybersecurity. You can’t defend against what you don’t understand. Cybercrime is real. It’s a threat to all organisations. It’s no longer a matter of “if” but “when”.
  • Implement a cybersecurity strategy. Are you taking the proper measures to adequately protect your organisation? How will you know if a hacker is on your network?
  • Have an incident response plan. How will you bounce back after an attack? Have a plan in place to respond and recover.

Nexia SAB&T’s Cyber Security Offering

Nexia SAB&T offers various ICT security assessments or Security Audits, including vulnerability assessments and penetration testing covering your ICT environment and systems such as servers including mail servers, network authentication servers, file servers, network devices, database review, security awareness training, etc.

We also offer a Unified Security Management Platform. This platform will monitor network traffic for any vulnerabilities, including the existence of any ransomware, malware and other known viruses within your organisation, as well as identifying the source within your ICT systems to trace the origin of the particular attack.

This article was adapted from an article published by Sujata Jaffer, CPA (T) PP; CISA of Nexia SJ, Tanzania.

Contact Us

Herman Van Der Merwe
herman@nexia-sabt.co.za
www.nexia-sabt.co.za
Contact: +27 12 682 8800
