Several corporate scandals and instances of poor governance have tarnished South Africa's reputation as an investment destination. Listed CFOs need to pay careful attention to the JSE's new listing requirements, which require enhanced accountability and transparency.
In November 2019, the Johannesburg Stock Exchange (JSE) announced amendments to its listings requirements. These changes, which affect both primary and secondary listings, are a response to the corporate blow-outs that characterised local financial markets in 2017 and 2018, which underlined the need for the JSE to review its responsibilities as a regulator.
"Our role as the regulator is to ensure that we continue to build trust and confidence in our market. We protect investors by ensuring continuous enhancement in the level of disclosures so that they can make informed decisions," says Andre Visser, general manager of issuer regulation at the JSE.
The amendments were approved by parliament in November and became effective from 2 December 2019. The JSE has, however, provided a guidance letter to support implementation and allows for a transition period allowing companies more time to comply with the required disclosures.
Increased CEO and CFO accountability
Listed companies need to appreciate the gravity of these amendments and develop new processes to meet the new governance requirements, disclosures and statements.
One of the amendments require the CEO and financial director to sign responsibility statements affirming the accuracy and completeness of the annual financial statements and the adequacy and efficacy of internal financial controls.
The responsibility statement includes the wording ‘no facts have been omitted or untrue statements made that would make the annual financial statements false or misleading’. In a large, complex organisation this statement is difficult to verify, given that the C-suite cannot be involved in every action that management takes.
For Milton Segal, senior executive for corporate reporting at SAICA, the challenge with this statement lies with the rigidity of wording used and how to caveat or qualify some of the absolute statements without causing undue concern. “Words like ‘no’ are definitive. Our guidance document will place these words in context and assist financial directors in interpreting and applying these practically.”
For Mark Hoffman, partner: assurance services at Deloitte, the propensity to err in a financial report is greater today due to an increasingly volatile, complex and disruptive world. CFOs are challenged by increasingly complex accounting rules and integrated business models and structures.
“This requirement seems quite straightforward. However, to make this bold statement, you must ensure that you have due process to ensure that the right controls are in place together with appropriate monitoring mechanisms. If things go wrong and insufficient due process was followed, the culpability of the CEO and CFO also increases.”
More thinking, less ticking
The JSE has not prescribed a control framework unlike the US Securities Exchange Commission’s Sarbanes Oxley (SOX) requirements. SOX requirements come with a prescribed and robust control framework with extensive assurance and reporting requirements. The JSE did not want this ‘one size fits all approach’ for the South African market, acknowledging that what works for a top-40 company may be excessive for a medium-sized entity.
“Regulation must be measured, balancing cost versus benefit. We want issuers to give governance careful consideration, to ensure that their processes and system fit their unique circumstances, business risks, complexities and size. We want to drive behaviour to ensure that internal financial control systems are effective, not behaviour that creates unnecessary paperwork,” comments Visser.
Rather than another regulatory burden, Hoffman sees this as a chance to take a health check of the organisation relative to the risks that it faces. This is especially relevant in an age where a viable business model can become redundant within 12 months through disruption. “It is an opportunity to step back and assess the adequacy of controls and safeguards relative to the risks of what could go wrong given our increasingly complex environment,” says Hoffman.
Driving better risk management
Hoffman recommends that companies first conduct a comprehensive risk assessment – and outline the worst-case scenarios of what could go wrong. In the absence of a prescribed framework, he recommends the Committee of Sponsoring Organizations (COSO) internal controls framework developed specifically for listed companies. COSO was founded in the US in 1985, as an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting.
While firms like Deloitte can assist with gap analysis and benchmarking, Hoffman is adamant that “money can’t buy good controls”. He notes that a failure in governance is really the culmination of a number of actions or inactions over a period of time that create an enabling environment for the failure to realise. Corporate criminals thrive in a chaotic, uncontrolled environment.
Cost and team
Richard Walker, national head of risk advisory services at BDO, believes that the new requirements provide a platform for listed companies to build trust and confidence with its stakeholders: “It allows for transparency as the CEO and CFO explain the action taken on the prevention of fraud and the state of the system of internal controls operating over the financial reporting process.”
Most listed entities already have some sort of combined assurance model in place. This is due to the requirement of King IV principle 15 on combined assurance.
For Walker, any new regulation carries a cost:
“Management would need to consider the pool of resources, our expectation would be a demand on finance and technology skills, and the amount of time dedicated to ensure the organisation can meet this new requirement.”
He sees the internal audit department as well as external assurance providers are pivotal to the success of the adoption of a control framework, roll-out of control self-assessment and assurance mapping. “C-suite executives will question their assurance providers on the level of assurance they provide over Internal Financial Reporting Controls (IFCR) and possible future requirements. This could include quarterly certifications, control-self assessments and testing plans.”
The road ahead
According to Segal, the real consequences of the new amendments will emerge when it starts being regulated. “Another challenge is of course, the unknown. With every new requirement or rule, there is always some form of unintended consequence. However, the challenges being faced are also leading to robust discussions internally and externally and that in itself is a positive step in the right direction.”
SAICA is preparing a guideline document to clarify what the listings requirements mean, and the implications for the CEO and CFO. The document will provide input from stakeholders including the JSE, audit firms and CFOs.