Reporting irregularities: protect your SA business in 2026
Executive Summary
- South African SMEs are subject to strict reporting laws for unlawful acts causing financial or public harm.
- Proper reporting, recordkeeping, and compliance culture are essential to avoid penalties and business closure.
- Continuous, disciplined financial management and expert support can reduce the risk of irregularities and investigations.
Most South African SME owners assume financial irregularities are a problem for listed companies and large corporations. The reality is sharply different. Regulators like SARS, CIPC, and IRBA actively monitor businesses of all sizes, and the consequences of missing a reporting obligation can be severe. Whether you are dealing with suspected fraud, a bookkeeping error that crossed a legal line, or unprofessional conduct by an accountant, knowing your duties is not optional. This guide walks you through what counts as a reportable irregularity, how to report it correctly, and how to build the kind of compliance culture that keeps your business protected.
Table of Contents
- Understanding reportable irregularities in South Africa
- The process: How to report irregularities
- Compliance essentials for SMEs: Recordkeeping and audit triggers
- What happens after you report: Outcomes, resolutions, and risks
- The uncomfortable truth about reporting irregularities in South Africa
- Easier compliance and reporting: How Ready Accounting can help
- Frequently asked questions
Key Takeaways
| Point | Details |
|---|---|
| Know what’s reportable | Understanding the definition of reportable irregularities helps prevent costly mistakes for your business. |
| Follow the right process | Use official channels like CIPC or SARS and keep thorough records when reporting any misconduct or irregularity. |
| Prioritise compliance | Staying audit-ready with strong recordkeeping reduces risk and helps you avoid heavy penalties. |
| Act decisively | Address irregularities early to limit legal, financial, and reputational harm for your business. |
Understanding reportable irregularities in South Africa
A reportable irregularity (RI) is not just any financial mistake. Under Regulation 29 of the Companies Regulations, an RI is a specific unlawful act or omission by a person responsible for managing a company’s affairs. It must involve a material risk of financial loss to stakeholders, harm to the public, or a serious breach of key legislation.
“A reportable irregularity is any unlawful act or omission by a person responsible for the management of a company that has caused or is likely to cause material financial loss to the company or its stakeholders, or that represents a threat to the public interest.”
For SME owners, this definition is broader than most people expect. Common examples include:
- Misappropriation of company funds by a director or employee
- Fraudulent invoicing or expense claims
- Failure to pay PAYE or VAT to SARS
- Material misstatements in annual financial statements
- Deliberate falsification of financial statement basics records
The legal duty to report does not fall only on auditors. Directors, prescribed officers, and in some cases business owners themselves carry obligations depending on the company’s structure and size. Registered auditors are specifically required by law to report RIs to the Companies and Intellectual Property Commission (CIPC) and, where relevant, to the Independent Regulatory Board for Auditors (IRBA).
It is important to understand the difference between reporting channels. CIPC handles company law breaches and RI notifications. IRBA handles complaints about registered auditors or accountants. SARS handles tax-related misconduct and fraud. Sending a report to the wrong body delays resolution and can expose you to further risk.
| Issue type | Reporting body | Relevant legislation |
|---|---|---|
| Company fraud or mismanagement | CIPC | Companies Act 71 of 2008 |
| Auditor or accountant misconduct | IRBA | Auditing Profession Act |
| Tax fraud or underreporting | SARS | Tax Administration Act |
| Unprofessional conduct by tax practitioner | SARS | Tax Administration Act |
Understanding the company law handbook framework helps you act quickly and correctly when something goes wrong.
The process: How to report irregularities
Knowing what to report is only half the battle. The other half is knowing how to do it correctly, and in the right sequence. Missteps here can complicate investigations and even expose you to liability.
Here is a practical step-by-step process for SMEs:
- Identify the issue clearly. Determine whether what you are dealing with is an internal dispute, a compliance gap, or a genuine irregularity as defined by law. Not every mistake is reportable.
- Gather your evidence. Collect all relevant documents, emails, bank statements, and records before making any report. You will need these if an audit follows.
- Notify the correct body. Use CIPC for company law issues, IRBA for auditor conduct, and SARS for tax-related misconduct.
- Complete the correct form. For unprofessional conduct involving a tax practitioner, SARS uses the RUC001 form for formal complaints. Tax crime can also be reported directly through the SARS reporting portal.
- Follow up on acknowledgement. After submission, confirm receipt. Keep a copy of everything you submitted.
- Cooperate with investigators. If CIPC or SARS initiates a review, respond promptly and provide requested documents.
For auditors specifically, the notification to CIPC must happen within three business days of identifying an RI. A second report follows within 30 days if the irregularity has not been resolved.
| Scenario | Reporting channel | Form or method |
|---|---|---|
| Suspected employee fraud | CIPC | Written notification |
| Tax practitioner misconduct | SARS | RUC001 form |
| Suspected tax evasion | SARS | Online fraud reporting tool |
| Auditor misconduct | IRBA | Formal complaint submission |
For SMEs managing their own auditing financial records, keeping a clear paper trail before, during, and after any report is critical. Refer to the SARS reporting guide for the most current forms and contact details.
Pro Tip: Create a dedicated compliance folder, physical or digital, where you store all records related to any suspected irregularity. Date every entry. If an audit happens, this folder is your best defence.
Compliance essentials for SMEs: Recordkeeping and audit triggers
Prevention is always better than reporting. The most effective way to avoid triggering a formal investigation is to maintain clean, consistent records and meet every filing deadline without exception.
SARS requires businesses to retain records for at least 5 years from the date of submission of a return. CIPC, on the other hand, requires 7 years of financial records for companies that must file annual returns and financial statements, depending on their Public Interest Score (PIS). The PIS is a number calculated from factors like your turnover, number of employees, and third-party liabilities.
Common audit triggers SARS watches for include:
- Late or missing returns: VAT, PAYE, or income tax returns filed late consistently
- Cash-heavy operations: Businesses with high cash turnover and low declared income
- Expense anomalies: Large or unusual expense claims relative to revenue
- Mismatched figures: Discrepancies between VAT returns and income tax returns
- Rapid revenue changes: Sudden drops or spikes in declared income without explanation
- Industry benchmarks: Figures that fall outside the normal range for your sector
The numbers are sobering. Over 11,200 SME audits were conducted in a recent reporting period, with understatement penalties reaching up to 200% of the tax shortfall and interest charges exceeding 11% per year. These are not minor inconveniences. They can cripple a small business.
For a full breakdown of what you must keep and for how long, the record-keeping rules from SARS are a useful starting point. You should also review financial statement examples to understand what compliant records actually look like. If you are unsure whether your current setup meets the standard, a review of tax compliance for SMBs will clarify the gaps.
The SARS tax guide for small businesses also outlines sector-specific obligations worth reviewing annually.
Pro Tip: Use cloud-based accounting software that automatically timestamps transactions and flags missing records. This alone can dramatically reduce your audit risk by keeping your books current and consistent.
What happens after you report: Outcomes, resolutions, and risks
Filing a report does not mean the problem disappears. It triggers a formal process with defined stages, and understanding what comes next helps you respond appropriately rather than panic.
Here is what typically happens after a report is submitted:
- Acknowledgement: The receiving body (CIPC, IRBA, or SARS) confirms receipt of your report or complaint.
- Preliminary review: Investigators assess whether the report meets the threshold for formal investigation.
- Formal investigation: If the threshold is met, a case is opened. You may be asked to provide additional documents or attend interviews.
- Findings issued: The body issues a finding, which may include a directive to remediate, a penalty, or referral to prosecution.
- Closure or escalation: Cases are either closed with a resolution or escalated to the National Prosecuting Authority (NPA) for criminal action.
The consequences of being on the wrong side of this process are serious. Penalties, deregistration, and enforcement action are all on the table depending on the severity of the irregularity. For CIPC, non-compliance with annual returns can result in deregistration, which effectively ends your company’s legal existence.
“Deterrence, not just correction, is a primary driver of compliance. The cost of penalties and reputational harm far outweighs the cost of getting your records right from the start.”
For SME owners, the practical response after a report is to fix the root cause. Review your internal controls, address any bookkeeping mistakes that contributed to the problem, and implement a regular internal review cycle. Waiting for an external trigger to force change is always more expensive than acting early.
The uncomfortable truth about reporting irregularities in South Africa
Here is something most compliance guides will not tell you: the majority of South African SMEs that end up in trouble with SARS or CIPC did not intend to break any rules. They simply did not know what the rules were, or they assumed that small errors would go unnoticed.
That assumption is increasingly dangerous. SARS has invested heavily in data analytics and cross-referencing systems. A mismatch between your VAT return and your income tax return is now flagged automatically. The system does not care about intent.
What we have seen working consistently for SMEs is a shift in mindset. Stop thinking about compliance as a once-a-year tax season exercise. Start treating it as an ongoing operational discipline, the same way you manage stock or customer payments. Build a culture of transparency inside your business where financial records are reviewed monthly, not annually.
The burden of mandatory reporting can feel harsh, especially for small teams wearing multiple hats. But ignoring it is always riskier. Focusing on financial management best practices as a daily habit is what separates businesses that survive regulatory scrutiny from those that do not.
Easier compliance and reporting: How Ready Accounting can help
Staying on top of reporting obligations, recordkeeping requirements, and audit risks is a full-time job on its own. That is where Ready Accounting comes in. We help South African SMEs build proactive accounting systems that reduce the risk of irregularities before they become costly problems. From cloud accounting benefits that keep your records current and accessible, to expert guidance on cloud accounting for SMBs that scales with your business, we provide practical tools and personalised support. Need help understanding your SARS record-keeping guide obligations? Our team is ready to help you get compliant and stay that way.
Frequently asked questions
What qualifies as a reportable irregularity for South African SMEs?
A reportable irregularity includes any unlawful act or omission by management causing financial loss, public harm, or major non-compliance with key Acts. It is not limited to large companies.
What are common audit triggers for SMEs in South Africa?
Late returns, cash-heavy operations, poor records, and large expense swings often trigger SARS audits for SMEs. Mismatched figures between VAT and income tax returns are a particularly common flag.
What are the consequences if I do not report or fix irregularities?
Ignoring irregularities risks heavy fines, deregistration, and reputational damage. Non-compliance consequences can include the legal closure of your business by CIPC.
How long must South African SMEs keep financial records?
You must keep SARS records for 5 years and CIPC records for 7 years to meet your legal obligations under South African law.
Can any person report unprofessional or fraudulent conduct to SARS?
Yes, any individual can report tax practitioner misconduct or suspected fraud to SARS using the RUC001 form or the online fraud reporting tool.