Time for the board to take information governance seriously?

This year, the JSE-listed Tongaat-Hulett Group announced that it would need to restate its 2018 financial results pending a review of “past practices” that appear to have inflated profit by between R3.5 and R4.5-billion.

This story has received remarkably little public attention, possibly because it pales somewhat by comparison to scandals such as African Bank, Steinhoff, Resilient, VBS Bank, EOH, and various municipalities and state owned entities (such as Eskom and Transnet) that have seen their value destroyed.

Tongaat’s share has lost nearly 90% of its value over the last year – declining from R107.50 to R13.27, when trading was officially suspended by the Johannesburg and London Stock Exchanges. This affects many of us indirectly, as we may have exposure through pension funds or unit trusts.

The bigger concern is the impact on investor confidence.

Our economy is already struggling. If investors begin to shy away from the JSE this will cause a ripple effect of reduced growth, higher interest rates and higher inflation.

A failure of corporate governance

“The summarised consolidated financial statements for the year ended 31 March 2018 have been prepared in accordance with the JSE Limited Listings Requirements for provisional reports, the framework concepts and the measurement and recognition requirements of International Financial Reporting Standards (IFRS), the SAICA Financial Reporting Guides as issued by the Accounting Practices Committee, Financial Reporting Pronouncements as issued by the Financial Reporting Standards Council, and as a minimum, contains the information as required by International Accounting Standard 34: Interim Financial Reporting and the requirements of the Companies Act of South Africa.”  Financial Statement of Tongaat-Hulett

According to the company, the financial results were prepared in accordance with international and local standards, and were “audited by Deloitte and Touche.

The difficulty for investors is that, like Steinhoff, Tongaat’s results appeared to pass scrutiny, even by the auditors. This raises broader concerns over the standards of both the internal accounting practices and external audits of listed South African companies, that may scare off investors.

In a fascinating exposé, shareholder activist Dave Woollam unpacks the Tongaat saga in some detail.

Woollam brings attention to several fundamentals that are impeding investors’ (and auditors’) ability to identify issues timeously, including:

  • the complexity of IFRS makes it difficult to identify manipulated results;
  • the control of company boards by charismatic CEOs reducing oversight;
  • the lack of oversight at AGMs;
  • the lack of forensic experience and approach from auditors;
  • regulators not showing their teeth by imposing penalties.

At their heart, Woollam’s criticisms can be summed up as financial results need to be more transparent and easier to understand.

Learning from BCBS 239

In 2007/2008 the global financial crisis sent us into a global recession, from which we are still recovering.

Subsequently, the Basel Committee on Banking Supervision released its Standard 239 (BCBS 239) – Principles for effective risk data aggregation and risk reporting. This standard seeks to impose information governance principles on banks’ risk data metrics – precisely to ensure accuracy of reporting to both internal and external risk managers and regulators.

BCBS 239 prescribes 14 basic principles covering:

  • Governance (Adaptability, Frequency, Distribution, and Review)
  • Data architecture
  • Data quality (accuracy, integrity, completeness, timeliness, comprehensiveness)
  • Clarity and usefulness
  • Remedial actions

In effect, BCBS 239 seeks to manage risk by ensuring that there are clear, audited lines of responsibility and oversight for risk data metrics; that reports are of high quality (we understand both where data comes from and how accurately it reflects current reality); that reports are easily understood by the reader; and that issues are identified and remedied.

These principles seem to largely address the concerns raised by Dave Woollam.

Yet, the reality is that these best practice principles are not top-of-mind for most executives, even in banking.

Far too often, information governance is dumped on the IT department, or risk management, and given very little attention.

Information governance is about changing behaviour to maximise the value of data

Proper information governance will help to ensure that executives, auditors and shareholders can trust the financial results being presented. Information governance is about changing behaviour to maximise the value of data, manage complexity and mitigate risks.

Crowd-sourcing data governance platforms, like Collibra, ensure that all relevant stakeholders are engaged in both preparing and verifying reports; ensure that the context of both the consolidated and subsidiary reports is clearly understood; and keep an audit trail of concerns raised and remedies applied.

Given the complexity of modern businesses, these audit trails help both executives and auditors to understand how results have been derived; to identify potential risks or collusion; and to provide clarifying commentary to published results. The time and costs saved in the audit process should themselves largely cover the investment, without calculating for the impact on investor confidence.

Of course, in the longer run, the investments made in understanding data can also be used to achieve other business goals, for example, to maximise customer insights; develop new digital channels; or optimise and modernise the IT environment.

Given the number and frequency of scandals related to South African companies’ financials over the last several years, isn’t it time to take information governance more seriously?