The importance of developing internal controls in legal practices

September 1st, 2018

By Thomas Harban

The statistics received from the Attorneys Fidelity Fund (the Fund) indicate that as at 31 May the Fund had 1 166 contingent claims on record with a combined value of R 550 961 864. Most of the contingent claims arise from conveyancing related matters (43%), followed by estate related matters (20%) and Road Accident Fund (RAF) related matters (19%).

The pie chart below gives a breakdown of the contingent claims at the Fund as at 31 May.

The theft of money and property entrusted to attorneys is a serious cause for concern and practitioners must put appropriate measures in place in their firms to mitigate against this risk. Section 34(7)(c)(ii) of the Legal Practice Act 28 of 2014 (the LPA), provides that all present and past shareholders of commercial juristic entity (in other words, an incorporated practice), partners or members, as the case may be, are jointly and severally liable, together with the commercial juristic entity, in respect of any theft committed during their term of office.

One of the most effective ways of proactively mitigating the risk of professional indemnity (PI) claims and the theft of trust funds is the development and implementation of appropriate internal controls in the firm. The appropriate internal controls to be developed in each firm will depend on the individual structure and circumstances of the firm.

The attorney’s duty of care in respect of trust funds is well-established in South African law. A claim will lie against the practitioner whether the loss is caused by theft or negligence. In Du Preez and Others v Zwiegers 2008 (4) SA 627 (SCA) (at para 19) the court held that ‘[a]n attorney is under a legal duty to deal with trust account money in such a way that loss is not negligently caused, inter alia, to the depositor’.

The Supreme Court of Appeal (SCA) in considering whether or not there was a legal duty on an attorney to deal with funds in their trust account without negligence, set the following four principles in the matter of Hirschowitz Flionis v Bartlett and Another 2006 (3) SA 575 (SCA) (at para 30):

  • The appellant, being a firm of practising attorneys, proclaimed to the public that it possessed the expertise and trustworthiness to deal with trust money reasonably and responsibly.
  • The depositor of the funds (the respondent) relied on that, and particularly on the fact that the money would be in the appellant’s trust account, until he instructed otherwise.
  • Even where an attorney discovers an anonymous and unexplained deposit it requires minimal management to transfer the money to a trust suspense account.
  • Unreasonable conduct that might put the money at risk would, as a reasonable foreseeability, cause loss to the depositor or beneficiary. ‘The legal convictions of the community would undoubtedly clamour for liability to exist in these circumstances.’

The court, in this case, thus found that indeed there was a duty on the attorney to deal with the money in his trust account without negligence. The identity of the depositor of the funds in that case was unknown to the attorney at the time that the deposit was made.

The rules for practitioners, which will come into effect under the LPA, were published in July (GN401 GG41781/20-7-2018) and provides that:

‘54.14.7 A firm shall ensure:

Internal controls that adequate internal controls are implemented to ensure compliance with these rules and to ensure that trust funds are safeguarded; and in particular to ensure – that the design of the internal controls is appropriate to address identified risks; that the internal controls have been implemented as designed; that the internal controls which have been implemented operate effectively throughout the period; that the effective operation of the internal controls is monitored regularly by designated persons in the firm having the appropriate authority.’

The provisions in r 54.14.7 are similar to those in the current rules (r 35.13.7, which came into effect on 1 March 2016). While r 54.14.7 (and r 35.13.7) specifically refers to the accounting functions, the underlying principles can be applied to all areas of the practice. Internal controls can be developed to cover all the functions and operational areas in the practice. An enterprise-wide internal control system would be most effective in addressing any gaps and risks identified.

The development of the internal controls should not be viewed as a tick box exercise and the value of such controls for the protection of the firm and all stakeholders (including practitioners, staff and clients) must be recognised. There is no ‘one size fits all’ solution to the development of the internal controls and practitioners must avoid simply copying from controls developed in another context or within another entity. The advice of auditors or other risk management disciplines, for example, can be called on in assisting the practitioners with the development of the internal controls. Staff across the firm can be involved in developing the controls and must be trained on the implementation, application, and adherence to the controls.

Some steps that firms can consider implementing are:

  • Conducting an assessment of the internal and external environments in which firms operate in order to identify the applicable risks. It is only after this exercise has been conducted that the necessary controls can be designed to address the identified risks.
  • Implementing the controls in accordance with the risk assessment exercise. The effectiveness of the controls in addressing the identified risks must be assessed. The controls can be embedded in the minimum operating procedures of the firm and must be based on the risks. There should be controls in place for each risk identified. The effectiveness of the controls must be monitored and documented.
  • Ensuring that the responsibility for the regular monitoring of the implementation and effectiveness of the internal controls is given to a member of the firm with sufficient seniority and authority to ensure that the controls are effectively applied. The responsibility for ensuring compliance with the LPA and the rules relating to trust accounts are complied with lies with every partner of a firm, every director of an incorporated practice and every advocate practising with a Fidelity Fund Certificate in terms of
    s 34(2)(b) of the LPA (see r 54.19). The liability of partners, directors and members of the firm arising from s 34(7)(c)(ii) must also be taken into account.
  • Implementation of a proper system of segregation of duties. This is particularly important in relation to the finance function. A situation where, for example, one party is responsible for the requisition, authorisation and release of payments is a huge risk for any law firm no matter how trustworthy or reliable that person is. The underlying reason for every payment made and the details of the payee must be properly documented and scrutinised.
  • Proper supervision of staff and all aspects of the operations of the firm.
  • Conducting regular audits. This will assist the practice in regularly monitoring the effectiveness of the internal controls and ensuring that controls are effective.
  • The consideration of risk transfer measures, such as the purchase of insurance. Insurance products, such as, misappropriation of trust fund cover, fidelity guarantee cover, cybercrime cover or commercial crime policies can be considered by the firm. Section 47(1)(e) of the Attorneys Act 53 of 1979 and s 56(1)(c) of the LPA limit the liability of the Fund, where the fidelity of the practitioner has been guaranteed by another person, to the extent of such guarantee. The insurance policy in place will thus need to respond before the Fund will be liable in appropriate cases. Clause 16(c) of the Attorneys Insurance Indemnity Fund NPC (AIIF) Master Policy contains a similar provision to the effect that that policy will not respond to a liability for compensation, which is insured or could more appropriately be insured under any other valid and collectible insurance available to the practitioner.
  • The employment of suitably qualified staff. Proper background checks and a thorough vetting of all staff should take place before any appointment is made.
  • Taking appropriate action against any person in the firm who breaches the internal controls. Where a crime has been committed (such as the misappropriation of trust funds), this must be immediately reported to the law society and the law enforcement agencies.

We trust that practitioners will heed the warnings and take active steps to proactively manage the risks faced by their firms. The staff at the AIIF and the Fund have extensive experience in dealing with the risks faced by practices and are available to give firms guidance in the development of internal controls where necessary.

Thomas Harban BA LLB (Wits) is the General Manager of the Attorneys Insurance Indemnity Fund NPC in Centurion.

This article was first published in De Rebus in 2018 (September) DR 15.