Tag: compliance

Using sanitiser safely

By Burt Rodrigues, CEO of Biodx; and dermatologist, Dr Selwyn Schwartz

“The latest research carried out by accredited laboratory SciCorp in KwaZulu-Natal has shown that out of 11 hand sanitisers, 9 bought from stores and 2 samples given out at the entrance to a mall or shop, 5 were found to be non-compliant. This means they didn’t contain the minimum 70% alcohol content, required by law.

“What was particularly frightening to note was that labels on two of the products claimed to have 70% alcohol content, whilst in reality one had 46.3% ethanol and another, claiming to have 85% alcohol had 54.9% propanol. In a recent report in Times Live SciCorp Laboratories’ business development director Adrian Barnard said, “Our biggest concern scientifically is what people are adding to products when there is less alcohol.”

“This at a time when people’s very lives depend on trusting these sanitisers, not just to keep them free of Covid-19 but not to cause irreparable harm to their skin or health. Many of these products were produced during the rush to get sanitisers to the retail market, often forgoing the rigorous and often lengthy testing procedures of the SABS and NRCS.

Skin reactions to sanitisers

“According to the NCBI (National Centre for Biotechnology Information) there are two major types of skin reactions that could be caused by hand sanitising. Most common would be dryness, irritation, itching and even cracking and bleeding (irritant contact dermatitis) or a stronger allergic reaction to an ingredient in a particular product which could cause respiratory distress and even anaphylaxis.

“In any one day people are using hand sanitisers innumerable times without knowing just how many times that product is safe to use within that time frame. And that’s assuming it’s a safe product in the first place. With this in mind we’re currently developing an alcohol free, 99.999% kill rate hand sanitiser called vitrodx® hand with b bioactive™, which is not only safer than alcohol but effective for up to 7 hours. And like all our products has been developed not only to be kinder to human skin but also the planet.

“This is often the case when methanol, a type of toxic alcohol is used in these products confirms the CDC (Center for Disease Control), which can cause blindness and/or death when absorbed through the skin or when swallowed, and which recently resulted in several deaths in New Mexico. This has led to the FDA recalling products containing a significant amount of methanol, which doesn’t always appear on the label but is found after testing.”

Tips from a dermatologist

By far the best and safest way to keep your skin safe and healthy is to rather wash with soap and water when you can. “If you have the option of using sanitiser or soap and water, then definitely choose the latter which will ensure you are moisturising as well as keeping the virus at bay. For some people who are in and out of buildings and shops where the only options are sanitisers they should try and wash with soap and water as soon as they can and then moisturise with hand cream.”

All hand creams are not made equal. “You must use a thick cream, particularly before going to bed at night. The thicker the cream the more moisture it contains. Many products including aqueous cream contain lauryl sulfate which is a vanishing cream ingredient that dries skin out further instead of maintaining surface moisturiser.”

Preventing anti-covid sanitiser damaged skin

  • Use your own sanitiser (one you’ve verified is effective and safe) when entering and leaving anywhere
  • Wear gloves which you can sanitise – washing your hands before and after wear
  • Where possible wash with soap and water rather than use sanitiser


What’s in a hand sanitiser?

By Burt Rodrigues, CEO of Biodx 

“Right now each time you walk in or out of a shop, office or building, you’re supposed to use whatever hand sanitiser they’re offering – unless you bring your own. And to be safe at home you’ve probably been buying various products off the supermarket or pharmacy shelves. Do these products make you feel safe? The very word sanitiser alone on the label sadly isn’t enough to guarantee your protection, particularly from Covid-19.


“So how can you make sure you are in fact fully protected? In theory the answer should be easy. The label should clearly show an SABS approval stamp. After all they call themselves a ‘leading global providers of standards and regulatory approval, certification and accreditation’. But how hard can it be to get when we’ve just cut and pasted it from the internet.

“A product showing their mark and registration is telling the consumer you’re guaranteed the same quality of product and performance every time you use it. So, without this guarantee or falsely using this label means one thing – danger.

“I you received this approval rating 15 years ago it was a very different ballgame. In the past when you saw an SABS stamp on a product containing chemicals made to kill living things, you had trust in it. “Such products pose a danger to the consumer which is why government developed a framework over many years to protect society from getting hurt. This rating should mean something, particularly given the process that products are supposed to go through to qualify – the onus shouldn’t be on the consumer to get the product tested.

Degradation of compliance

“Sadly the last 20 years has seen the degradation of such compliance platforms and people have become accustomed to buying non-regulated compounds, which are dangerous to human health. Today no one is aware what these regulations even are and with Covid-19 and the urgency around manufacturing and sourcing such products this equals a very dangerous situation.

“Then you have the NRCS (National Regulator for Compulsory Specifications) which is there to make sure your product has a registration number; proving by using the product you aren’t endangering society. The problem here is not everyone is a chemist, doctor or scientist and people don’t realise they should check out the registration on the product with the company’s website to verify its authenticity. After all if you can’t rely on the NRCS brand being real you can’t rely on yourself as a consumer. It’s comparable to taking a Ferrari hood ornament and sticking it on a Tata…

“Another thing that’s changed over the years is the enforcement behind false claims such as these. In the past nobody would dare make a false claim on a product because you could be jailed but complacency has crept in over the years and these bodies don’t have the capacity or knowledge any longer to enforce such punishment.

Only a handful of companies/ brands comply

“If people suddenly only started buying genuine SABS/NRCS labelled products there would be only a handful of companies who could supply them. What has happened overseas with the sudden surge in the need for disinfectant products was to allow products on to the shelves which have gone through the registration process but have just not been awarded final documentation. These are now being rapidly fast tracked and approved – but only if they comply with the strict regulations. Such registrations normally take years and cost hundreds of thousands of Rands to complete but somehow quite a few not so compliant products have also made it on to shelves.

“So what does this mean for schools which have just reopened? Perhaps this is one of the contributors to so many quickly closing down again. They go through all the motions of disinfecting but are they using genuine and safe products?

“It comes down to where does the responsibility lie. We’re dealing with dangerous products here – possibly that haven’t been tested for human consumption. If the instructions on a product also aren’t clear and you put too much on your skin it won’t just kill the viruses but damage your skin too. And then there’s the content. Some raw material has sugar in it and if this is left behind after use it can trigger a microbial explosion, turning 1 000 bugs into 100 000 bugs, creating rather than preventing infection. Without proper SABS and NRCS rating you are in danger!

Our recommendation

Always check the packaging label as follows:

  • Does it display the SABS and NRCS marks?
  • Does it contain SABS or NRCS registration numbers?
  • If you are in doubt go to the SABS OR NRCS websites to check it out.

By Juanita Steenkamp for IOL

The Companies and Intellectual Property Commission (CIPC) Compliance Checklist was implemented by the CIPC from January 1, 2020. The SA Institute of Chartered Accountants (Saica)highlights some of the challenges with the process as it is currently proposed, writes Juanita Steenekamp, Project Director: Governance and Non-IFRS Reporting at the South African Institute of Chartered Accountants (Saica).

The Compliance Checklist is applicable to all companies, including state-owned companies, non-profit companies, private companies, personal liability companies and public companies. The checklist currently does not apply to close corporations.

The CIPC has, as one of its functions, the monitoring of compliance with the Companies Act 71 of 2008. As part of the monitoring the CIPC is implementing the compliance checklist. The CIPC states that the objectives of the Compliance Checklist are:

To ensure compliance with the mandatory requirements of the Companies Act;
To serve as an educational tool for directors and company secretaries, in guiding them with regards to their responsibilities in terms of the Companies Act;
To utilise the Checklist to monitor and regulate proper compliance with the Companies Act and, if trends of non-compliance appear, to act accordingly.

The Compliance Checklist comprises of 24 questions with “yes”, “no” or “not applicable” answer options. Companies are prompted to indicate if they complied with a particular section during the previous calendar year. The questionnaire does not allow respondents an opportunity to explain their responses. The CIPC has indicated that further correspondence regarding particular answers may be e-mailed to COR135.1complaints@cipc.co.za. (The CoR135.1 form is prescribed when reporting an alleged contravention of the Companies Act, but we understand that an e-mail submitted to the proposed address will reach the correct recipients at the CIPC)

Companies will be required to complete the Compliance Checklist, prior to submitting their annual returns.

Who is responsible?

The Companies Act states that the business and affairs of a company must be managed by or under the direction of the board and the directors take responsibility for compliance with the Companies Act. Directors need to ensure that they are aware of their compliance obligations as the questionnaire only refers to sections of the Companies Act with no further detail or guidance provided on what the compliance requirement(s) in the relevant section is.

When completing the questionnaire companies are reminded that in terms of section 215(2)(e) a person commits an offence if they knowingly provide false information to the Commission and that if a person is convicted on an offence they could be liable to a fine, imprisonment not exceeding 12 months or both a fine and imprisonment in terms of section 216(b).


Questions that have been raised by Saica members and associates include concerns such as what the CIPC will do with the information provided and how differences in interpretation of the Companies Act will be dealt with. Saica members are also concerned about the potential increase in costs to be incurred by clients.

The CIPC has indicated that it will use the checklist to monitor compliance with the Companies Act and that it will reach out to companies that submit information that is in contradiction with the annual financial statements or the Companies Act.

With regards to difference of interpretation, Saica recommends that directors and accountants document their interpretations and subsequent answers to the questions.

As an example, the first question of the Compliance Checklist is: “Does the company comply with section 4 of the Companies Act?”. However, section 4, in Saica’s view, does not per se contain a compliance obligation. Rather, section 4 explains how the solvency and liquidity test should be applied, where this test is mentioned in other sections of the Companies Act, such as sections 45 or 46.

Another example is section 86. Section 86 lists a number of compliance obligations, including section 86(4) that deals with the appointment of a company secretary. Section 86(4) requires that a vacancy of the company secretary position must be filled within 60 days after the vacancy arose. If the Compliance Checklist is, however, completed during the 60-day period in which the vacancy must be filled (but has not yet been filled), the respondent may be hesitant to affirm compliance with section 86. The fact that the Compliance Checklist does not indicate which sub-sections of section 86 it refers to and does not provide an opportunity to explain the particular facts of a situation, makes the appropriate completion of the Compliance Checklist very difficult.

Most sections of the Companies Act have a number of compliance obligations grouped into subsections. Section 15, for example, deals with the content of the Memorandum of Incorporation. The section further deals with company rules and provides that the rules must not be inconsistent with the Act. Should the shareholders have a shareholders’ agreement then it should also be consistent with the Act’s requirements. In Saica’s view, section 15 includes too many requirements for compliance to be affirmed in one question. A question with sub questions would probably achieve a more focused and valuable answer to the CIPC for it to achieve its objective in monitoring compliance.

Calendar year

The Checklist requires a response in respect of the past calendar year. Calendar year is not defined in the Companies Act and the annual return must be filed within 30 business days after the anniversary date of the company’s date of incorporation. It is therefore not clear to which period the Checklist refers. The annual financial statements submitted with the annual return normally represents the financial position of the previous financial year. This could lead to a mismatch in financial and compliance reporting periods.


Company’s year-end is 30 June 2019 and its anniversary date is 1 September 2019.
Annual return to be submitted by 1 October 2020 with the annual financial statements for the year ended 30 June 2019 and compliance checklist for the calendar year 1 January to 31 December 2019

Way forward

Saica advocates compliance with laws and regulations. Saica supports CIPC in its endeavors to ensure and monitor compliance with the Companies Act. The current format of the Compliance Checklist is however both onerous and vague. Saica encourages the CIPC to focus the questions in the questionnaire and to provide a reasonable opportunity for explanations for areas of non-compliance or interpretation. At the very least, more guidance is required.

Saica has advised its members and associates to engage with their clients with regards to the completion of the Compliance Checklist. Members should specifically agree the accountants’ responsibility when completing the Checklist on behalf of clients. These matters should ideally be incorporated in an engagement letter. Saica members should be mindful of the restrictions in the Legal Practices Act and agree with clients on the treatment of potential interpretational differences of the Companies Act, for example where a client believes that it is in compliance with the Companies Act while the accountant or registered auditor has a different view. Saica members and associates are also reminded of their responsibility under the Saica Code of Professional Conduct (Revised 2018) when they become aware of non-compliance of legislation.

The CIPC has indicated that questions, corrections and interpretation guidance can be requested by submitting an email to COR135.1complaints@cipc.co.za

CIPC Compliance Checklist questions:

  • Did the company comply with section 4 (solvency and liquidity test) during the previous calendar year?
  • Did the company comply with section 15 (Memorandum of Incorporation, shareholders’ agreement and rules of the company) during the previous calendar year?
  • Did the company comply with section 26 (Access to company records) during the previous calendar year?
  • Did the company comply with section 27 (Financial year of company) during the previous calendar year?
  • Did the company comply with section 28 (Accounting records) during the previous calendar year?
  • Did the company comply with section 29 (Financial statements) during the previous calendar year?
  • Did the company comply with section 30 (Annual financial statements) during the previous calendar year?
  • Did the company comply with section 32 (Use of company name and registration number) during the previous calendar year?
  • Did the company comply with section 33 (Annual return) during the previous calendar year?
  • Did the company comply with section 44 (Financial assistance for subscriptions of securities) during the previous calendar year?
  • Did the company comply with section 45 (Loans of other financial assistance to directors) during the previous calendar year?
  • Did the company comply with section 50 (Securities register and numbering) during the previous calendar year?
  • Did the company comply with section 61 (Shareholders meeting) during the previous calendar year?
  • Did the company comply with section 66 (Board, directors and prescribed officers) during the previous calendar year?
  • Did the company comply with section 69 (Ineligibility and disqualification of persons to be director or prescribed officer) during the previous calendar year?
  • Did the company comply with section 70 (Vacancies on board) during the previous calendar year?
  • Did the company comply with section 72 (Board committees) during the previous calendar year?
    Did the company comply with section 86 (Mandatory appointment of company secretary) during the previous calendar year?
  • Did the company comply with section 90 (Appointment of auditor) during the previous calendar year?
  • Did the company comply with section 92 (Rotation of auditor) during the previous calendar year?
  • Did the company comply with section 94 (Audit committee) during the previous calendar year?
  • Did the company comply with regulation 21 (Registered office of the company) during the previous calendar year?
  • Did the company comply with regulation 43 (Social and Ethics Committee) during the previous calendar year?
  • Did the company comply with schedule 1 (Provisions concerning Non-Profit Companies) during the previous calendar year?

It’s comply or die for SA’s SMEs

By Tracy Bolton, director: General Business at SAP Africa

On 25 May this year, a new piece of legislation came into effect in Europe that could have severe consequences for non-compliant South African businesses. The General Data Protection Regulation – or GDPR for short – is a regulation under European Union law that aims to give control over personal data back to EU citizens.

The regulation applies to any organisation that collects or processes data from EU citizens, even when that citizen or organisation is based outside the EU. The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life”. This includes names, home addresses, photos, email addresses, bank details, social media posts, medical information, or even a computer’s IP address.

The fines for non-compliance are severe and could spell the end of a business practically overnight: the maximum fine is as much as €20-million, or nearly R300-million. What’s more, the regulation is far-reaching: any company with an EU citizen among its workforce, or a customer based in the EU, or even if only one of the subscribers to a company newsletter is based in the EU, that company can be held liable under GDPR. Few if any mid-sized South African firms could afford such a steep sanction, and legacy issues compound problems around compliance, increasing their risk and potential liability.

In response, technology firms are taking unprecedented steps to ensure they and their customers remain within the confines of the new regulation, especially considering the volume of trade and collaboration between African countries and their European counterparts.

Legacy processes add complexity to compliance
Most mid-sized firms have deliberately or inadvertently built up internal siloes related to how customer, business and other operational data is stored. For example, in a typical retailer’s marketing department, the data storage systems that processes newsletter subscriptions via email may be entirely removed from and non-integrated to the WhatsApp number where much of the customer communication takes place. This means a customer that unsubscribes to a newsletter via WhatsApp may still receive the newsletter until such a time as the retailer can integrate the two sets of data.

As GDPR comes into effect, companies will not only stand liable for fines should the above scenario play out, but they need to be able to provide customers with complete clarity on how their data is stored and managed at any point in time. Any costs incurred in the process of showing how customer data is stored is also for the company’s own account, which adds not only complexity to standard business processes but also potentially additional costs.
Considering the prevailing trust deficit between consumers and brands, the potential of being exposed for treating confidential customer data poorly is immense. Once trust is breached, affected customers are unlikely to engage with the brand again, and will leave a searchable and public trail of comments on social media for all to see. The recent case of Facebook – which now faces a fine of as much as $2-trillion – has brought this to the forefront of consumer consciousness, but other examples of poor customer data management abound.

On the basis of consent
For South African businesses, however, new technology tools could play an invaluable role in mitigating risks associated with GDPR and its South African counterpart, POPI. A recent investment by SAP into Consent is simplifying the business processes associates with creating trusted digital experiences within the limitations of GDPR and POPI compliance.

Part of the SAP Hybris suite of applications, Consent enables SMEs to centrally manage customer preferences and consent settings throughout their full lifecycle, while putting them in control of their own data. Consent enables companies to be transparent, gain loyal customers and protect their business from costly fines as well as potentially disruptive business processes related to proving to customers how their data is being stored and managed.
In line with modern business demands, Consent is also provided in the cloud, making it quick to implement and easy to prove ROI. Every time a policy changes, customers can receive an automated notification that they actively accept, with a record of such forms of consent stored centrally to allow SMEs to quickly and accurately prove responsible customer data management.

Whether you run an online retailer with customers around the world, or a news website where a European citizen may occasionally offer a comment on an article, GDPR holds inherent risks to your business. But with the correct technology tool, a potential R300m liability can be transformed into a competitive business advantage that furthers the cause of trusted and trustworthy digital customer experiences.
Seems an easy choice, no?

Are you a victim of fake POPI news?

Since the Information Regulator South Africa – IRSA – came into office in December 2016, the pace has been picking up in the market for Protection of Personal Information Act (POPIA) products and services.

This has had a spill-over effect on the Promotion of Access to Information Act (PAIA), which also forms part of the responsibilities of the IRSA.

Unfortunately not only has the pace picked up but there has been some confusion sown through what might best be described as questionable marketing practices and erroneous reporting. One contact of mine recently received an email which included the following statement “The Promulgation of POPI, (The Protection Of Personal Information Act) in the Gazette on 26 November 2013 now means you are required to update your PAIA Manual to incorporate the POPI.”

This is misleading, since the Government Gazette did not include the commencement of the POPI Act or even the commencement of the transition period. The same marketing email continued with the statement “ALL information users now must have strict chain-of-custody processes in place.” This is far from the case, as the POPI Act makes no reference to a “strict chain-of-custody”. In similar vein the email stated “Businesses or persons who use/hold/verify or even request your Personal Information MUST now conform to the Act.” Not true.

This will only be so under certain conditions once the POPIA transition period has ended and right now it has not even started.

The same email then offers to help with the appointment of a “Compliance Officer”. No such individual is mentioned or required in terms of either POPIA or PAIA. What is required is an Information Officer, possibly supported by one or more deputies depending on the needs of each organisation. In September the IRSA issued a set of draft regulations which included specific reference to the role and duties of the Information Officer, more about which is available at the IRSA web site.

Perhaps of greatest concern is the statement that “at (name withheld) we made it very easy for you to get compliant in a simple and completely tax deductible manner. It takes you about 10 minutes to complete this process on our website.” Given the duties outlined in the IRSA draft regulations this statement should at least be seen as misleading.

This and other marketing emails that I have seen also push organisations to create or update a manual to comply with PAIA. In truth there are numerous exemptions to that requirement. To check whether you need to publish a PAIA manual please refer to the notice that appeared in the Government Gazette on 11 December 2015, signed by the then Minister of Justice and Correctional Services. For a free copy of the notice visit www.gpwonline.co.za and search for edition 39504.

Not only commercial organisations are guilty of mis-stating the facts. The Star newspaper ran an article in the Saturday Star Personal Finance column during September 2017 which contained the statement “The 12-month grace period to comply with the PoPI Act has expired, and the legislation is being applied in the public and private sectors.” That is factually incorrect and I wrote to the author of the article twice in an attempt to have this incorrect statement corrected.

One of my letters (in part) appeared in the Personal Finance column on Saturday 30 September 2017 under the heading “Incorrect correction about PoPI Act”. The explanation of the true state of affairs was published along with an apology to me personally from the editor.

I repeat those contents below for completeness:
“On September 23 2017 on page 21 in the Personal Finance section an item appeared titled “Correction to article on PoPI Act”. Unfortunately the correction itself is incorrect. To state that the “12 month grace period for market compliance is now in force” is factually incorrect. The only sections of the PoPI Act that have commenced refer to the definitions of the Act and those provisions allowing the establishment of the Information Regulator South Africa (IRSA). These appeared in the Government Gazette in April 2014.”

In summary, be sure you are dealing with reputable sources when seeking advice on how and when to comply with new legislation in general and POPIA and PAIA in particular.

By Dr Peter Tobin

The South African Revenue Service (SARS) has done over 100 inspections of “cash and carry” businesses in Gauteng in the past month, it said in a recent statement.

About half of the businesses inspected did not comply with SARS’ rules regarding registration, filing or payment.

“SARS is closing in on those who under declare on their tax liability, both individuals and companies. We encourage all taxpayers to ensure their affairs are in order and they are contributing their fair share towards the cost of running the country,” says commissioner Tom Moyane.

The inspections of cash and carry businesses had seen several audit cases concluded, raising tax assessments for the past financial year by more than R600-million.

“There is a significant risk of under declaration due to poor record keeping and high volumes of cash transactions in this sector,” SARS says.

Registrations were now being conducted, with follow-ups on outstanding returns, collection of outstanding debt and further risk profiling for full audits where there was evidence of under declaration and collection of outstanding debt.

Negotiating payroll compliance

Compliance in any facet of business management is critical, but specifically when it comes to finances – hence the focus on accuracy and efficiency in payroll administration.

While payroll administration has always been demanding and has to be run by skilled practitioners with meticulous attention to detail and a heightened sense of responsibility, HCM and HR experts agree it has become complicated.

Businesses are compelled to be registered with various industry bodies, for example Department of Labour (UIF, Employment Equity, etc.), Commissioner of Occupational Injuries and Diseases (COID, FEM, RMA), SARS (PAYE, SDL, UIF), Bargaining Council and so on.

This level of industry compliance means that there are a number of common pitfalls that typify payroll administration.

Some of these pitfalls include incorrect calculation of statutory deductions, failure to submit statutory submissions for example Department of Labour (UIF19, EEA2, EEA4 etc.), Commissioner of Occupational Injuries and Diseases (COID, FEM, RMA), SARS (EMP501, EMP201) and so on.

“The financial penalties for being non-compliant are very harsh,” says Ian McAlister, GM of CRS Technologies.

“And there are minimum requirements to be factored in, stipulated by the various Acts. There are several levels to compliance and this can be tricky for many businesses to handle – especially small-to-medium businesses that may not have the available capital to invest more in their payroll/HR capacity.”

According to HR and HCM solutions and services provider CRS Technologies an automated payroll for a small business generally starts at about R15 per employee, per month if run in-house.

“Outsourced payroll in the region of R100 per payslip per month. A competent payroll administrator would earn about R30k per month,” says McAlister.

Going forward, the likelihood is that as payroll administration calls for more specific skills sets, legislation will be passed that will make it an offence to not run payroll on a recognised payroll system.

The company believes that it is next to impossible to run a compliant payroll on a spreadsheet.

Follow us on social media: 


View our magazine archives: 


My Office News Ⓒ 2017 - Designed by A Collective