A culture of compliance: How to build and maintain a compliance framework

September 1st, 2021

Law firms are obliged to provide more than just good legal practitioners. Commercial capability and good business process are crucial to success in the legal sector. This article is a reflection on the application of the principles of corporate governance in the trust accounting environment, and the need and value for a compliance function.

Regulated environment

Law firms take the form of a sole proprietorship, partnerships, or private companies. In the regulated legal profession, an annual renewable Fidelity Fund Certificate is prescribed for trust account legal practitioners (see s 84(1) read with s 86(1) of the Legal Practice Act 28 of 2014 (LPA)). A private company used by legal practitioners to operate a practice is the only form of a commercial juristic entity that is permitted to operate a trust bank account (s 34(7) of the LPA). A private company is a ‘personal liability company’ (s 8(2)(c) Companies Act 71 of 2008) and the directors/shareholders are the risk-bearers in the management of a private company. In terms of s 19(3) of the Companies Act, the directors are jointly and severally liable, together with the company. The personal liability of a legal practitioner conducting a trust account, for which indemnity is prescribed in s 74(1)(a) of the LPA, is designed for the protection of the trust funds against the risk of misappropriation.

Section 34(7)(a) of the LPA provides that a private company may conduct a practice if its shareholding is comprised exclusively of legal practitioners. In an incorporated company equity/ownership is concentrated on the inside and there are no outside shareholders. There is no separation of ownership and control, and the presence of shareholder(s) in the governing body is inevitable. The independent board requirement to check on the autonomy of managers is thus untenable in a trust accounting environment (Deloitte ‘Private company governance: Independent board members can be a valuable resource for private companies’ (www2.deloitte.com, accessed 10-8-2021)). The trust accounting environment thus poses a unique challenge in the application of the principles of corporate governance. The absence of outsiders in the composition of the governing body of a partnership or incorporated legal practice will thus have to be resolved through different mechanisms.

Compliance function

The creation of a compliance function to maintain sound risk management and internal control in the operations of a trust account legal practice is apposite. ‘The compliance function is a crucial function within firms, responsible for identifying, assessing, monitoring and reporting on the firm’s compliance risk’ (European Securities and Markets Authority Final Report: Guidelines on certain aspects of the MiFID II compliance function requirements (2020) (www.esma.europa.eu, accessed 10-8-2021)). The compliance function is required to mitigate the danger of self-review. One of the compliance focuses is to act independently in the oversight of compliance (Ellen McCarthy ‘Independence of the Compliance Function: A Critical Component of the Three Lines Model’ www.corporatecomplianceinsights.com, accessed 10-8-2021). The compliance function should not have a limited focus or be perceived as an internal police officer. The responsibility of the compliance function provides a clear mandate to manage the compliance risk of the practice (David Strachan and Rebecca Walsh ‘Targeting compliance: The changing role of compliance in the Financial Services Industry’ (www2.deloitte.com, accessed 10-8-2021)). The compliance function explains the consequences of not following the policy through persuasive, motivational nudging. The purpose of the compliance function is to ensure that legal practitioners act with integrity. It provides advice rooted in law. ‘[E]ffective risk management is not about eliminating risk taking, which is a fundamental driving force in business and entrepreneurship’ (Organisation for Economic Co-operation and Development Corporate Governance: Risk Management and Corporate Governance (2014) (www.oecd.org, accessed 10-8-2021)). Risk management is an essential element of business governance.

Internal controls

Rule of the Legal Practice Council Rules made under the authority of ss 95(1), 95(3) and 109(2) of the LPA, requires the legal practitioner to implement and design internal controls to provide reasonable assurance of reliable financial reporting and to ensure that they operate effectively, and are monitored regularly throughout the reporting period. ‘[T]he auditor’s engagement on a legal practitioner’s trust accounts covers only the legal practitioner’s financial statements to the extent that these may affect the auditor’s opinion on whether the trust accounts were maintained in compliance with the Act and the Rules’ (Independent Regulatory Board of Auditors (IRBA) Proposed Guide for Registered Auditors: Engagements on Legal Practitioners’ Trust Accounts (revised November 2019) (www.irba.co.za, accessed 10-8-2021)). The monitoring of the implementation and design of internal controls is the responsibility of the legal practitioner. The internal control systems must be ingrained into the DNA of the firm/practice and these must be followed in everyday management or actual operations (International Federation of Accountants (IFAC) Good Practice Guidance: Evaluating and Improving Internal Control in Organisations (2012) (www.ifac.org, accessed 10-8-2021)). Reporting on internal control improves the quality of financial reporting and reduces governance problems (Rafat Salameh Salameh ‘What Is the Impact of Internal Control System on the Quality of Banks’ Financial Statements in Jordan?’ (2019) 23 Academy of Accounting and Financial Studies Journal (www.abacademies.org, accessed 10-8-2021)).

Monitoring of the internal control mechanism is crucial for ensuring that credible rather than self-serving voluntary information is disclosed (IFAC (op cit) at para 4H). The accuracy and reliability of financial information reporting by legal practitioners are of critical importance in ensuring a fair, efficient, and transparent practice. The existence of a satisfactory internal control structure reduces the probability of errors and irregularities and can be another vehicle to improve corporate governance structures (David M Willis and Susan S Lightle ‘Management Reports on Internal Controls: What do they say about your company?’ (2000) Journal of Accountancy (www.journalofaccountancy.com, accessed 10-8-2021)). Low internal controls imply high risk (Ben Kwame Agyei-Mensah ‘Internal control information disclosure and corporate governance: Evidence from an emerging market’ (2016) 16 Corporate Governance (www.emerald.com, accessed 10-8-2021)).

Trust funds

The obligations of a trust account legal practitioner are set out in s 87 of the LPA. The key rules on holding trust funds re-emphasise the sanctity of the trust funds. They are:

  • The practice’s accounting records must ‘distinguish in readily discernible form between business account transactions and trust account transactions’ (r 54.8).
  • ‘Trust accounts not to be in debit’ (r 54.14.9).
  • Update and balance trust accounting records monthly (r 54.10).
  • Funds in trust must be ‘kept separate from other money’ (r 54.11).
  • ‘[P]ay any amount due to a client within a reasonable time’ (r 54.13).
  • Trust monies must be deposited promptly (r
  • Trust balances must not exceed trust monies actually held (r 54.14.8).
  • ‘Transfer from trust bank account to business bank account’ (r 54.14.12).
  • ‘Withdrawals from trust banking account’ (r 54.14.14).

Trust account risks are a significant risk exposure that should be on top of the agenda of the practitioners. ‘A trust account trial balance that balances is not an indication that transactions have been correctly recorded’ (Jannie Dannhauser ‘Trust account risk and risk to the practice’s business’ 2016 (Sept) DR 17). A system that allows for checking and reporting functions will assist in managing the trust account risks. Relying on the annual audit to ascertain whether the trust account books are satisfactory is inadequate. Liquidity in a trust accounting environment is a significant risk, the management of which is specifically regulated in r 54.10, r 54.14.8 – 9 and r 54.14.14. The duties in respect of compliance ultimately lie with the legal practitioner. Fidelity cover does not reduce risk and is a weak form of control (Info-Entrepreneurs ‘Manage risk’ (www.infoentrepreneurs.org, accessed 10-8-2021)).

Disclosure practices

One of the important ways for firms to ensure proper compliance is to normalise the disclosure of internal control information to the regulator, namely, ‘disclosure-by-design’, not least because the legislation or regulations demand it. One way of achieving that objective is by ensuring timely disclosure of accurate information on important firm-related matters. Information disclosure is crucial in discouraging inappropriate practices. RSO Wallace, K Naser, and A Mora suggest that organisations with greater liquidity are operating better business and are prone to disclose more information voluntarily, namely, voluntary disclosure level is related to liquidity (RSO Wallace, K Naser, and A Mora ‘The relationship between the comprehensiveness of corporate annual reports and firm characteristics in Spain’ (1994) 25 Accounting and Business Research 41 as cited in Nermeen F Shehata, Khaled Dahawy and Tariq Ismail ‘The Relationship between Firm Characteristics and Mandatory Disclosure Level: When Egyptian Accounting Standards Were First Adopted’ (2014) 5 Mustang Journal of Accounting and Finance 85 (www.researchgate.net, accessed 10-8-2021)). ‘According to Ho and Wong (2001), the impact of corporate governance on information disclosure may be complementary or it may be substantive’ (Yau M Damagum and Emmanuel Ib Chima ‘The Impact of Corporate Governance on Voluntary Information Disclosures of Quoted Firms in Nigeria: An Empirical Analysis’ (2013) 4 Research Journal of Finance and Accounting 166 (https://core.ac.uk, accessed 10-8-2021)).

Reporting on internal control improves the quality of financial reporting, and ‘[a]ccording to Gale (2003) in Kateba (2010:27), the low quality of financial reporting greatly reduces the quality of the institution itself’ (Aristanti Widyaningsih ‘Internal Control System on the Quality of Financial Statement Information and Financial Accountability in Primary Schools in Bandung, Indonesia’ (2016) 7 Research Journal of Finance and Accounting 10).

The holding of trust funds demands financial accountability regarding financial integrity disclosure and compliance with the legislation. ‘The impact of accountability and transparency in financial reporting on the governance of an organisation is usually related in the level of quality of financial reporting (Sanni, 2011)’ (Widyaningsih (op cit)). The disclosure of internal control information in law firms needs to be encouraged. It is expected that ownership concentration will influence the disclosure of internal control information (Agyei-Mensah (op cit)).

Culture of compliance

Active monitoring to evaluate all efforts and regular training on compliance obligations are essential in building a culture of compliance into the operations of the organisation, from C-suite to the post-room (Deloitte Building world-class ethics and compliance programs: Making a good program great (2015) (www2.deloitte.com, accessed 10-8-2021)). Each practice – sole proprietor/partnership/incorporated company – should design, develop, implement and maintain a compliance framework that will be appropriate to the practice (Carwyn Evans ‘Establishing Effective Compliance Structures’ (2016) (www.cclcompliance.com, accessed 10-8-2021)). This will include a compliance policy, charter, manual and organisational structure that supports a compliance culture. ‘The charter is a formal document approved by the governing body’ and improves the organisation’s operations (The Institute of Internal Auditors The Internal Audit Charter: A Blueprint to Assurance Success (2019) (https://na.theiia.org, accessed 10-8-2021)). It is an outward statement that seeks to determine compliance with the spirit of the law. It goes beyond a policy, is functional, defining operations – anything operational is included in the charter (Deloitte Audit Committee Resource Guide (www2.deloitte.com, accessed 10-8-2021)). ‘The organisation’s control framework/procedures should have the necessary compliance requirements embedded therein’ (Compliance Institute of Southern Africa (CISA) King III Practice Note: The Compliance Universe (2007) (www.associatedcompliance.co.za, accessed 10-8-2021)).

It is prudent to develop a compliance checklist (Institute of Directors in Southern Africa (IoDSA) Practice note: King III Chapter 6 Compliance Guidance (2009) (https://cdn.ymaws.com, accessed 10-8-2021)). This should be underpinned by the development, approval and implementation of a compliance policy, charter, and manual, which will serve as a platform to institutionalise a compliance process (CISA (op cit)). The purpose of a compliance program is prevention, detection and correction to ensure that an organisation complies with any laws or regulations that apply to it (Matt Kelly ‘Corporate Compliance Programs: Everything You Need to Know’ (www.ganintegrity.com, accessed 10-8-2021)). The identification and assessment of compliance risks can take some time to complete and should be undertaken with a view to enabling the organisation to manage its business in compliance with applicable laws, regulations, codes and standards (IoDSA (op cit)).

The legal practitioner is responsible for supervising the practice concerning the design and efficacy of the internal risk management and control systems, risks inherent in the practice’s activities and compliance with laws, regulations and internal rules from the compliance management plan perspective. The control environment is the ‘tone’ of the organisation and is the foundation for all other controls. ‘One of the largest factors influencing the control environment in an organisation is the “tone at the top”. This is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behaviour’ (Boise State University ‘Basics of Internal Controls: Understanding internal Controls’ www.boisestate.edu, accessed 10-8-2021).

Regulatory efforts

In matters involving the legal practice of Garlicke and Bousfield, the law firm was sued by a client. It was alleged that one Cowan, who was admittedly at the time an executive consultant of the legal practice, was authorised to represent the law firm, and did represent the law firm in an investment scheme contract. In the ratio decidendi the court remarked that had the practitioner ‘demanded a licence to operate’ an investment scheme, ‘he would have nipped the operations in the bud…’. The failure to ensure that the conditions for the operation of the investment scheme are satisfied is characteristic of risk management failure and exposed the law firm to a risk of pure economic loss (Jaffit v Garlicke and Bousfield Inc (PFK (Durban) Incorporated and Others as Third Parties) and other cases [2012] 2 All SA 95 (KZP)).

‘Internal controls are the processes designed, implemented and maintained by a legal practitioner to provide reasonable assurance about the … reliable financial reporting and compliance with the [LPA] and the Rules; while compliance is to ascertain whether or not the legal practitioner complied specifically with the requirements of the [LPA] and the Rules’ (IRBA Guide for Registered Auditors: Engagements on Legal Practitioners’ Trust Accounts (revised March 2020) (www.lssa.org.za, accessed 10-8-2021)). The corporate law of compliance extends beyond fiduciary duties and includes substantive regulatory statutes, criminal laws, guidance from administrative agencies, codes of best practices, internal corporate rules, and other governing norms (Deloitte Duties of Directors (2017) (www2.deloitte.com, accessed 10-8-2021)). The effective external enforcement of the regulations needs to be improved; the ability to enforce the regulations, as well as active devices for their effective enforcement, will ensure good corporate governance in the legal sector.

Law firms in South Africa are also accountable institutions for the Financial Intelligence Centre Act 38 of 2001 and the Protection of Personal Information Act 4 of 2013 and have extensive reporting and monitoring duties. ‘A good governance system will ensure that:

  • comprehensive risk management occurs as a normal course of events; and
  • there is transparent disclosure to shareholders and regulators of the nature, extent, and management of the risks’ (Ben Kwame Agyei-Mensah ‘Does the corruption perception level of a country affect listed firms’ IFRS 7 risk disclosure compliance?’ (2017) 17 Corporate Governance International Journal of Business in Society 727).

It is advisable to make use of a phased approach in the implementation of a compliance framework and process, since the development of a fully effective compliance function, however structured, can take some time before the value thereof is realised (CISA (op cit)). Smaller firms can engage part-time resources dedicated to compliance (Strategic Management Services, LLC ‘When is Having a Part-Time Compliance Officer a Viable Option?’ www.compliance.com, accessed 10-8-2021). The implementation of the principles of good governance needs to be encouraged and its external enforcement mechanism strengthened. The Law Society of South Africa Legal Services Sector Charter (2007) (https://justice.gov.za, accessed 10-8-2021) enjoins the regulator to develop and implement an effective mechanism to ensure compliance with the charter and to adopt a good governance policy.

Sipho Nkosi BProc (UKZN) (CISA) is a legal consultant at Integrity Governance Advisory in Ekurhuleni.

This article was first published in De Rebus in 2021 (Sept) DR 20.
