380 likes | 1.47k Views
www.pwc.com/za. King III, IT Governance, Sustainability Reporting – The role of Internal Audit. Shirley Machaba – IIASA President and Partner – National Enterprise Risk and Internal Audit Leader – PwC IMFO conference 13 September 2011. Changing environment.
E N D
www.pwc.com/za King III, IT Governance, Sustainability Reporting– The role of Internal Audit Shirley Machaba – IIASA President and Partner – National Enterprise Risk and Internal Audit Leader – PwC IMFO conference 13 September 2011
Changing environment • Global pressure to sharpen risk focus • Revolutionary transparency • Collaboration & connectivity • Climate change • Governance no longer mindless compliance • Population growth • Information required to predict the future • Internal Financial Control assurance • “One view – one risk aggregation” – Combined Assurance • Managing the cost of compliance • Not prepared for the scale, speed & severity of recent crisis • Many risks happened simultaneously • Risk models and internal audit functionality did not cope with the complexity of factors impacting the chaos • Stakeholder expectations and needs – e.g. civil society • Risk Governance did not link strategy, risk management & risk bearing capacity IMFO Conference
Corporate Governance - Context • New RSA constitution • Legislation of public interest • Employment Equity • Access to information • Skills development • BBBEE • Companies Act, May 2011 • Focus on corporate citizenship • Corporate scandals/failures • Fraud and Corruption • Financial related Acts ( PFMA, MFMA, Treasury Regulations, Systems Act, Structures Act etc ) • Preference for self regulation • King III/Batho Pele • Departmental policies IMFO Conference
Big Tickets from ‘King’s Counsel’ King III drafted using Companies Act, 2008 as a baseline • ‘More’ information to the Audit Committee • Assuring Sustainability • Governing Risk • Integrating assurance • IT Governance • Transforming Internal Audit’s approach • Designing, implementing, testing and maintaining Internal Financial Control • Assurance over Integrated Reporting IMFO Conference 13 September 2011 PwC 4
Implications for organisations, boards of directors and audit committees • Scope of corporate governance framework in South Africa widened • Organisations are encouraged to tailor the Code principles as appropriate to the size, nature and complexity of their businesses • The board or those charged with governance should explain to stakeholders where a specific principle or recommendation has not been applied • Municipalities will be required to dedicate time and resources to the preparation of the annual report • The responsibility of audit committee has been extended beyond financial reporting to include sustainability reporting • The expansion of responsibilities of board, other committees, management and internal audit has a direct impact on the required skill set IMFO Conference 13 September 2011 PwC 5
Chapter 2Board of Directors • The focal point for and custodian of corporate governance • Strategy, risk, performance and sustainability are inseparable • The organisation has an effective and independent audit committee • Responsible for the governance of risk • Responsible for IT governance • An effective risk-based internal audit • Ensure the integrity of the organisation’s integrated report • Commence business rescue proceedings as soon as the organisation is financially distressed • Chairman of the board who is an independent non executive director. The CEO of the organisation should not be chairman of the board • The speaker is designated chairperson of Council in terms of Section 36 (1) of the Municipal Structures Act and is elected by the Councillors IMFO Conference 13 September 2011 PwC 6
Chapter 2Board of Directors and impact on Council (cont.) • The board should comprise a balance of executives and non-executive directors, with a majority of non-executive directors • Directors should be appointed through a formal process • The evaluation of the board, its committees and the individual directors should be performed annually • A governance framework should be agreed between the group and its subsidiary boards • Organisations should remunerate directors and executives fairly and responsibly • The number of councillors is determined in line with Section 20 of the Municipal Structures Act and may not be fewer than three or more than 270 • The board should meet at least four times a year and Section 18(2) of Municipal structures Act requires councils to meet at least quarterly IMFO Conference 13 September 2011 PwC 7
Chapter 2Board and Directors and impact on Council (cont.) • A programme ensuring staggered rotation of non-executive directors should be put in place • Rotation of board members should be structured so as to retain valuable skills, to have continuity of knowledge and experience and to introduce persons with new ideas and expertise • At least one of third of non-executive directors should retire by rotation at the organisation’s AGM or other general meetings. The retiring board members may be re-elected, provided they are eligible • Councillors are elected for a term of not more than four years according to Section 159 of the Constitution of South Africa • The memorandum of incorporation of the organisation should allow the board to remove any director from the board, including executive directors, without shareholder approval being necessary IMFO Conference 13 September 2011 PwC 8
Chapter 3Audit Committees • The organisation has an effective and independent audit committee • Audit committee members should be suitably skilled and experienced independent non-executive directors – one to have performance management expertise – regulations 14 (2) (b) of local government • Chaired by an independent non-executive director • The audit committee should oversee integrated reporting • A combined assurance model should be applied to provide a coordinated approach to all assurance activities • Responsible for the oversight of internal audit • An integral part of the risk management process • Report to the board and shareholders on how it has discharged its duties • Audit committee to meet as frequently as is necessary – at least twice, Section 166 (4) (b) of the MFMA require audit committee to meet at least quarterly IMFO Conference 13 September 2011 PwC 9
Chapter 3Sustainability reporting • King II did not address: • Oversight; or • Assurance of sustainability reporting • King III requirements for audit committee: • Review sustainability reporting for reliability and consistency with financial information • Recommend the need to engage an external assurance provider • No longer “Made in”, but “Made how” • How has the organisation made its money? - labour practice, sustainable produces and services, recycling • Sustainability reporting is a competitive advantage • Whatever organisations do should be a fit for purpose • Should be part of organisations long term thinking • Stakeholders including regulators must see if organisation is sustainable or adding to crisis IMFO Conference 13 September 2011 PwC 10
Skills required of audit committee • Audit committee collectively have understanding of: • Permitted to consult with specialists • The AC and performance AC may be combined as provided in Regulations 14 (2) (c) of performance management Regulations, 2001 Integrated reporting Risk management Internal financial controls Sustainability reporting Internal and external audit process IT Governance relating to integrated reporting Applicable legislation Governance processes IMFO Conference 13 September 2011 PwC 11
Chapter 4The governance of risk • Determine the levels of risk tolerance • The risk committee or audit committee should assist the board in carrying out its risk responsibilities • Management has the responsibility to design, implement and monitor the risk management plan • Risk assessments and risk management is a continuous cycle • Framework and methodologies are implemented to increase the probability of anticipating unpredictable risks • Management considered and implements appropriate risk responses • Continuous risk monitoring by management and the Board • The board should receive combined assurance regarding the effectiveness of the risk management process • RISK IS THE CORNERSTONE OF GOVERNANCE • The IIA’s new certification is Risk Management Assurance (CRMA) • Apply for the CRMA through the Professional Experience Recognition Provision (October 2011 – January 2012) • Launching in 2013 IMFO Conference 13 September 2011 PwC 12
King III IT Governance – Chapter 57 Principles, 48 Recommendations • 5.1 The board should be responsible for IT governance • 5.2 IT should be aligned with the performance and sustainability objectives of the organisation • 5.3 The board should delegate to management the responsibility for the implementation of an IT governance framework • 5.4 The board should monitor and evaluate significant IT investments and expenditure • Recommendation analysis: The board responsible for: • Implement an IT Governance Framework • IT Governance framework to include: • Reporting structures • Roles and responsibilities • Accountability clearly assigned • Decision making structures and processes defined • IT policies and standards defined • IT Strategy defined and aligned with business strategy + authorised by board • Value delivery of IT measured and reported • IT aligned with sustainability objectives organisation • Appointment CIO (with a business focus) • IT to report to board on the performance of IT • Independent assurance on functioning of IT • Measure value delivery of IT and ROI • Information and IP in Systems protected • Governance on acquisition and disposal IT assets • Project management • Independent assurance outsourced functions and big projects IMFO Conference 13 September 2011 PwC 13
King III IT Governance 7 Principles, 48 Recommendations • 5.5 IT should form an integral part of the organisation’s risk management • 5.6 The board should ensure that information assets are managed effectively • 5.7 A risk committee and audit committee should assist the board in carrying out its IT responsibilities • Recommendation analysis: • IT risk management part of overall risk management • IT risk management includes: • Disaster Recovery Planning • IT legal risks • Compliance to laws, rules, codes, standards • IT to be used for risk management & compliance • Implementation formal information security management system • Identification of personal and sensitive information • IT risks identified by risk management and processes developed to manage these • The audit committee is responsible for IT as it relates to financial reporting IMFO Conference 13 September 2011 PwC 14
Role of internal audit on IT Governance • Perform an assessment of the current IT governance arrangements against King III and other generally accepted practices such as ISO38500, ISO 27001/2, ValIT etc • Provide independent assurance over the effectiveness over the IT internal control framework e.g. CobiT, ITIL etc • Provide independent assurance over the IT governance controls supporting outsourced third party service providers • Provide independent assurance over the IT governance framework • Provide independent assurance over IT governance processes such as IT risk management, IT compliance, disaster recovery, IT sustainability, IT project management, IT value delivery and performance management, information security etc • Provide consulting and benchmarking services on IT Governance.
“A strategically positioned, competent and independent internal audit function is required to provide a written assessment of the organisation’s system of internal control, after having conducted a risk based internal audit. This function must have direct relationships with the audit, corporate governance and risk committees and must be strategically positioned.”
Internal Audit • There is an effective risk based internal audit – in line with Section 165 (2)(a) of the MFMA • Evaluating the organisation’s governance processes • Objective assessment of the effectiveness of risk management and the internal control framework • Analysing and evaluating business process and associated controls • Adhere to the IIA Standards and Code of ethics • Written assessment of internal financial controls to the audit committee • Should follow a risk based approach to its plan • Informed by the strategy and risks of the organisation – IDP and SDBIP • Assess the organisation’s risks and opportunities IMFO Conference 13 September 2011 PwC 17
Chapter 7Internal Audit (cont.) • The audit committee should be responsible for the oversight of internal audit – Section 165 (2) (b) of the MFMA • Should be strategically positioned to achieve its objectives • The CAE should have standing invitation to attend executive committee council or other meetings of a strategic nature • Skilled and resourced as is appropriate for the complexity and volume of risk and assurance needs • The CAE should develop and maintain a quality assurance and improvement programme • The CAE must have attributes such as Chameleon, leadership skills, communicator, strategic mindset, networker, quality deliverer, value enhancer, emotional intelligent, Ability to understand risk management concepts and business analyst IMFO Conference 13 September 2011 PwC 18
Stakeholder Value Based Approach “Top-down” approach where coverage is driven by issues that directly impact stakeholder value, with clear and explicit linkage to strategic issues of the organisation. Identify Stakeholder Value Creating Activities Understanding Enterprise Risks (Strategic, Financial, Operations, Compliance) Evaluate Impact to Stakeholder Value Audit plan Traditional Approach Traditional “bottom-up” approach based on stakeholder interviews and analysis. Focus is on coverage of identified risk areas, geography and business operations. Evaluate Impact of Risks within Audit Universe Identify Risks (Financial Operations, Compliance) Define Audit Universe (e.g., geography, business unit, etc.) Risk based Internal Audit IMFO Conference 13 September 2011 PwC 19
Examples of internal audit department balanced performance dashboard metrics Internal Audit Customer Service Key metrics based on results of auditee satisfaction questionnaires Measurement of enhanced shareholder value through cost reductions, reduced revenue leakage, increased working capital, and/or enhanced cash flow Percentage of audit activities and resources allocated to addressing key business risks Number of meetings with senior management to discuss business objectives, goals, and risks Number of best practices identified and communicated within the organisation by the internal audit department Status of internal audit recommendations implemented by management Number of special requests from management received and completed Number of personnel transferred out of internal audit into other departments or business units Reliance on internal audit work by external audit Chapter 7 King III
Chapter 8 Governing stakeholder relationships • Appreciate how stakeholder’s perceptions affect a company’s reputation • Management to proactively deal with stakeholder relationships • Strive to achieve the appropriate balance between its various stakeholders groupings in the best interests of the organisation • Equitable treatment of shareholders • Transparent and effective communication with stakeholders • Disputes are resolved as effectively and expeditiously as possible IMFO Conference
Chapter 7 Stakeholders’ perspectives on the future of Internal Audit (cont.) • A heightened focus on the cost of IA versus the value added • IA will be expected to deliver a written assessment on the adequacy of the entire system of internal control and internal financial control • IA will be expected to become a strategic partner to the Board IMFO Conference Slide 22
Statement on effectiveness of internal financial controls by the board of directors • Board responsible for the integrity of financial reporting systems • Board to make a statement in the integrated report on the effectiveness of internal controls • Audit committee should report to the board on effectiveness of internal financial controls annually • Management (or internal audit) to conduct a formal documented review of design, implementation and effectiveness of internal financial controls on an annual basis – Sections 62 (1) (b) and (c) of MFMA – MM accountable • King III does not require external audit attestation on IFC IMFO Conference 13 September 2011 PwC 23
Managementt External assurance providers Internal Assurance providers Combined assurance Combined assurance IMFO Conference 13 September 2011 PwC 24
Combined Assurance • Combined Assurance is about assurance providers working more closely together to ensure: • the right amount of assurance • in the right areas • from people with the best and most relevant skills • as cost effectively as possible • Provides comfort to the Board that they have made an informed decision on the optimal assurance model for the business, identifying: • Gaps in the existing assurance framework • Areas of duplication/overlap • Opportunity to adopt best practice • Implementing a combined assurance model should provide an overall assurance framework which is more efficient, comprehensive, appropriately focused and effective. IMFO Conference 13 September 2011 PwC 25
INTERNAL FINANCIAL CONTROL ACCOUNTABILITY CORPORATE CULTURE COMPLIANCE REQUIREMENTS ETHICS LEGAL CONDUCT REGULATORY Corporate Governance FrameworkINTEGRATING YOUR REPORT STRATEGY COMBINED ASSURANCE OPERATIONS RISK MANAGEMENT FINANCIAL PURPOSE PEOPLE VALUE SYSTEMS SOCIAL & ETHICAL ENVIRON- MENTAL PROCESS GOALS INTERNAL CONTROLS POLICY AUTHORITIES PERFORMANCE MEASUREMENT STRUCTURE IMFO Conference 13 September 2011 PwC 26
King III @ September 2011 (Shirley Machaba – shirley.machaba@za.pwc.com – 012 429 0037) “Every day you may make progress. Every step may be fruitful. Yet there will stretch out before you an ever-lengthening, ever-ascending, ever-improving path. You know you will never get to the end of the journey. But this, so far from discouraging, only adds to the joy and glory of the climb.” Sir Winston Churchill © 2009 PricewaterhouseCoopers Inc. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. PricewaterhouseCoopers Inc is an authorised financial services provider.