subscribe Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
Subscribe now
The process of conducting a lifestyle audit may uncover unexplained assets or other evidence that an individual is living beyond their means. Picture: 123RF
The process of conducting a lifestyle audit may uncover unexplained assets or other evidence that an individual is living beyond their means. Picture: 123RF

SA continues to experience high levels of corruption, as illustrated by its two-place year-on-year decline to a rank of 72nd out of 180 in the 2022 Corruption Perceptions Index (CPI) published by Transparency International. Given the corruption risks present in SA, organisations operating in the country should implement appropriate controls to mitigate these risks. Lifestyle audits are an excellent measure for organisations to consider incorporating as part of their control arsenal.  

For some time, lifestyle audits have been used as a proactive mechanism in the fight against corruption, and their use is becoming more widespread, particularly after the decision by former public service administration minister Ayanda Dlodlo to make lifestyle audits compulsory for all national and provincial government departments from April 1 2021. 

Lifestyle audits involve the comparison between an individual’s lifestyle, as indicated by their identifiable assets, and their known legitimate source(s) of income.  

The process of conducting a lifestyle audit may uncover unexplained assets or other evidence that an individual is living beyond their means, potentially indicating that the individual is receiving funds from an illicit source.

The lifestyle audit process may also identify other potential early indicators of corruption and misconduct, such as undisclosed corporate associations.    

Risk-based approach

Though useful, lifestyle audits must be implemented in a lawful and responsible manner, particularly in light of the various obligations imposed in terms of the Protection of Personal Information Act (Popia) of 2013. 

There are several important factors that should be considered by organisations before undertaking lifestyle audits, including who will be subject to lifestyle audits and why; what the lifestyle audit process will entail and what information sources will be considered as part of the process; who will conduct the lifestyle audits; whether existing policies and procedures are sufficient to govern the process, or whether a stand-alone lifestyle audit policy is required; the nature and extent of employees’ obligations during the lifestyle audit process; and what steps will be taken to ensure the provisions of Popia are adhered to.  

These and other relevant considerations should be borne in mind before conducting lifestyle audits. A risk-based approach is advisable when determining both the scope of a lifestyle audit process and the individuals to be selected for audit. While lifestyle audits serve a legitimate function, care should be taken to balance the interests of the organisation in mitigating corruption risks with the privacy interests of the individual subject to the audit.  

Though an interpretation of Popia in the context of lifestyle audits has not yet come before the courts, it appears likely that a risk-based approach will assist in ensuring the process is consistent with the requirement of “minimality” prescribed by Popia, which requires the processing of personal information to be adequate, relevant and not excessive.  

Subject to any particular risks that may be present, it is typically advisable to commence with less invasive enquiries focusing on public records only, and only extending the process to more extensive enquiries if concerns or red flags are identified. In addition, a risk-based approach may have the added benefit of ensuring the lifestyle audit process is as cost-effective as possible. 

While lifestyle audits serve a legitimate function, care should be taken to balance the interests of the organisation in mitigating corruption risks with the privacy interests of the individual subject to the audit.

Popia provides that personal information may be processed without first obtaining the data subject’s consent where processing is necessary for pursuing the legitimate interests of the responsible party. The term “legitimate interests” is not defined in Popia and has not yet received judicial consideration in this context, but it is submitted that an employer’s interests in the prevention and detection of fraud and corruption will likely be considered “legitimate interests” for purposes of the Act.  

Notwithstanding the above, it is advisable to have adequate clauses in employment contracts in terms of which employees voluntarily, specifically and unconditionally consent to the organisation processing their personal information as defined in Popia, including specifically processing for purposes of conducting lifestyle audits.  The company may then be in a position to rely on the underlying consent to process employees’ personal information in the context of lifestyle audits, provided the other requirements of Popia are complied with. 

While it is not a legal requirement for an organisation to adopt a lifestyle audit policy before undertaking lifestyle audits, there are clear advantages to doing so. A lifestyle audit policy will act as a governing document prescribing, among others factors, who may be subject to lifestyle audits and when; how lifestyle audits will be conducted and by whom; employees’ rights and obligations during the lifestyle audit process; the consequences for noncompliance if an employee breaches such obligations; and, critically, information concerning the applicable provisions of Popia, and how they will be adhered to by the company when lifestyle audits are conducted. 

Lifestyle audits can operate as a useful tool in managing an organisation’s corruption risks. However, Popia has introduced several obligations that affect the lifestyle audit process and it is therefore imperative that care is taken to ensure lifestyle audits are conducted lawfully.  

• Powell is head of the forensics department and Roux senior associate: forensics, at ENSafrica. 

subscribe Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
Subscribe now

Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.

Speech Bubbles

Please read our Comment Policy before commenting.