7/31/2019 KINGIIIExecutive Guide To
Understanding and unlocking the benefits of sound corporate governance
*connectedthinking
Corporate governance
Executive guide to King III
King's Counsel*
2 September 2009
A code of principles can only ever be as good as one's ability to put it into practice. It is from this
standpoint that PricewaterhouseCoopers is committed to engaging the recommendations of the
King Report on Governance for South Africa 2009 and practically supporting our clients in implementing
and applying them.
This guide embodies our thought leadership on key elements of the Report at the time of publication
and we envisage that it will be revised and updated as our thinking, knowledge and capabilities around
corporate governance continue to advance.
We trust that it will assist in providing practical advice and guidance to our clients and all business
stakeholders in South Africa.
Suresh Kana
Chief Executive Officer
PricewaterhouseCoopers Southern Africa
Table of contents
Introduction
Chapters of the Code
1. Ethical leadership and corporate citizenship
2. Boards and directors
3. Audit committees
4. The governance of risk
5. The governance of information technology
6. Compliance with laws, rules, codes and standards
7. Internal audit
8. Governing stakeholder relationships
9. Integrated reporting and disclosure
Our view on specific issues raised in the Code
10. Business rescue
11. Alternative dispute resolution
12. Internal financial control
13. Solvency and liquidity tests
14. Remuneration of directors and senior executives
A note on terminology
For the purposes of this guide:
The third King Report on Governance for South Africa 2009 is referred to as "the Report".
The provisions of the Report are based on principles enshrined in the Code of Governance Principles for South Africa 2009, referred to as "the Code".
The Report and the Code are collectively referred to as "King III".
The Companies Bill, 2008 (which constitutes a revision of the Companies Act, 1973) had not been enacted at the time
of the release of King III. Nevertheless, it is referred to as "the Act" both in King III and here.
King III applies to all entities regardless of the manner and form of their incorporation or establishment. The use of the
terms "organisation", "company" and "business" should be interpreted accordingly.
Although the terms "company", "boards" and "directors" are used, King III refers to the functional responsibility of those charged with governance in any entity.
Introduction
The release of King III on 1 September 2009 represents a significant milestone in the evolution of corporate
governance in South Africa and brings with it significant opportunities for organisations that embrace its
principles.
At PricewaterhouseCoopers (PwC), we believe that free enterprise prospers in an environment of good
and balanced corporate governance. While we understand that achieving good governance is a complex
task, we believe that sound governance practices offer numerous practical benefits and that organisations
should integrate such practices into their operational processes.
The need for King III
King III became necessary because of the anticipated new Companies Act and changing trends in international governance. As with King I and King II, the King Committee endeavoured to be at the forefront of governance internationally and this has again been achieved by focusing on the importance of reporting annually on how a company has both positively and negatively affected the economic life of the community in which it operated during the year under review. In addition, emphasis has been placed on the requirement to report on how the company intends to enhance those positive aspects and eradicate or ameliorate any possible negative impacts on the economic life of the community in which it will operate in the year ahead.
The benefits of self-regulation
In addressing the link between governance principles and law, the introduction to the Report observes:
"The ultimate compliance officer is the company's stakeholders who will let the board know by their continued support of the company if they accept the departure from a recommended practice and the reasons furnished for doing so."
It can be convincingly argued that self-regulation, in which an organisation voluntarily monitors its own adherence to legal and ethical standards, is far preferable to having an outside agency such as government monitor and enforce those standards. This approach allows organisations to maintain control over the standards to which they are held by successfully self-policing themselves. Apart from the bureaucratic burden that would be imposed by external enforcement, the cost of setting up such a mechanism is also avoided.
Key principles of King III
King III has broadened the scope of corporate governance in South Africa with its core philosophy revolving around leadership, sustainability and corporate citizenship.
These key principles are given prominence:
Good governance is essentially about effective leadership. Leaders need to define strategy, provide direction and establish the ethics and values that will influence and guide practices and behaviour with regard to sustainability performance.
Sustainability is now the primary moral and economic imperative and it is one of the most important sources of both opportunities and risks for businesses. Nature, society, and business are interconnected in complex ways that need to be understood by decision makers. Incremental changes towards sustainability are not sufficient; we need a fundamental shift in the way companies and directors act and organise themselves.
Innovation, fairness, and collaboration are key aspects of any transition to sustainability: innovation provides new ways of doing things, including profitable responses to sustainability. Fairness is vital because social injustice is unsustainable and collaboration is often a prerequisite for large-scale change.
Social transformation and redress is important and needs to be integrated within the broader transition to sustainability. Integrating sustainability and social transformation in a strategic and coherent manner will give rise to greater opportunities, efficiencies, and benefits, for both the company and society.
King II required companies to implement sustainability reporting as a core aspect of corporate governance. Since 2002, sustainability reporting has become a widely accepted practice and South Africa is an emerging market leader in the field. However, sustainability reporting is in need of renewal in order to respond to:
The lingering trust deficit among civil society of the intentions and practices of big business
Concerns among business decision makers that sustainability reporting is not fulfilling their expectations in a cost-effective manner.
Governance framework
King III has opted for an "apply or explain" governance framework. Where the board believes it to be in the best interests of the company, it can adopt a practice different from that recommended in King III, but must explain it. Explaining the different practice adopted and an acceptable reason for it, results in consistency with King III principles.
The framework recommended by King III is principles-based and there is no "one size fits all" solution. Entities are encouraged to tailor the principles of the Code as appropriate to the size, nature and complexity of their organisation. This is good news for companies in South Africa as it avoids some of the pitfalls seen in the United States where a "one size fits all" approach was initially adopted.
Application of the Code
In contrast to King I and King II, King III applies to all entities regardless of the manner and form of incorporation or establishment. Principles are drafted on the basis that, if they are adhered to, any entity would have practiced good governance.
It is recommended that all entities disclose which principles and/or practices they have decided not to apply or explain. This level of disclosure will allow stakeholders to comment on and challenge the board to improve the level of governance within an organisation.
"The philosophy of the Report revolves around leadership, sustainability and corporate citizenship"
Mervyn King
New requirements
Some of the requirements introduced by King III include:
The need for an annual integrated report that focuses on the impact of the organisation in the economic, environmental and social spheres
A statement by the audit committee to the board and shareholders on the effectiveness of internal financial controls to be included in the integrated report
The consideration of the strategic role of IT and its importance from a governance perspective
The positioning of internal audit as a strategic function that conducts a risk-based internal audit and provides a written assessment of the company's system of internal control, including internal financial controls
The governance of risk through formal risk management processes.
Our involvement in the King Committee
Suresh Kana, PwC's Chief Executive Officer, and Anton van Wyk, our Global Internal Audit Leader, served as members of the King Committee and also chaired the Accounting and Auditing and Internal Audit subcommittees respectively. As a result of our involvement, PricewaterhouseCoopers has deep insight into the recommendations of the King Committee and is well placed to offer practical guidance and encourage debate around implementation to enable the real benefits of good governance to be realised.
Competitive advantage is increasingly being conferred on businesses that create and maintain a culture of integrity-driven performance. However, managing the shift to a higher level of principled business practice raises a number of new challenges. PricewaterhouseCoopers has made a considerable investment in compliance solutions on a global and local scale to help our clients meet these challenges. Our experience and know-how ensures that our investment can be practically applied for the benefit of our clients.
1. Ethical leadership and corporate citizenship
Overview
Responsible corporate citizenship implies an ethical relationship between the company and the society in
which it operates.
The notion of corporate citizenship is not new, but King III gives it more credence and concrete expression
than ever before, while continually highlighting the unbroken chain that links ethical leadership, company
strategy and sustainability.
Chapter 1. Ethical leadership and corporate citizenship
Governance element: Leadership
Principle: 1.2. The board should ensure that the company is and is seen to be a responsible corporate citizen
Summary recommendation: The board should:
1.2.1. consider not only financial performance but also the impact of the company's operations on society and the environment
1.2.2. protect, enhance and invest in the wellbeing of the economy, society and the environment
1.2.3. ensure that the company's performance and interaction with its stakeholders is guided by the Constitution and the Bill of Rights
1.2.4. ensure that collaborative efforts with stakeholders are embarked upon to promote ethical conduct and good corporate citizenship
1.2.5. ensure that measurable corporate citizenship programmes are implemented
1.2.6. ensure that management develops corporate citizenship policies
Difference to King II: Similar to King II
Implications
The leadership of an organisation, including its directors, boards and committees, will have to review the corporate values that drive their behaviour to ensure that they and the organisation reflect societal norms and accepted governance guidelines. To this end, leaders are expected to support and understand the full implications of the stakeholder inclusive model put forward in the previous King reports and again emphasised in King III.
Leaders will also have to give due consideration to the full range of material economic, social and environmental dimensions and impacts that the company and its processes have on the community in which it operates, when developing corporate strategy.
Expert opinion
Entities cannot operate in a vacuum. A licence to operate afforded by a multitude of stakeholders is based on trust, integrity and a solid track record of taking into account a balanced approach to legitimate stakeholder issues.
Corporate citizenship is an ethical concept, which finds expression in sustainable development across the economic, social and environmental aspects of the business.
Key questions directors should be asking
1. Corporate citizenship, sustainability and stakeholder inclusivity requires judgement, balance and compromise. Does the board have the right composition, skills and reliable data to make these types of judgement calls?
2. Have we assessed the moral and economic imperatives of corporate citizenship? Have we taken this into account when reviewing our corporate strategy?
3. Citizenship and sustainability risks may be obscure or indirect. How do we identify and manage these risks as well as opportunities?
4. Do we have policies in place that will guide every level of the business in terms of expected behaviours and practices and with reference to our interaction with all material stakeholders?
5. Do we measure the impact or lack thereof, of our corporate citizenship initiatives?
How we can help you
Successful businesses are sustainable businesses. As a cornerstone of sustainability, sound ethics and leadership are increasingly proving their worth as drivers of competitive advantage. We offer a range of services to assist organisations to achieve their corporate objectives:
Review of corporate values
Development of values, business principles and key performance indicators
Sustainable development strategy formulation
Development of codes and policies in support of ethics, corporate citizenship and sustainability
Board evaluation to assess composition, skills and other key criteria
Socioeconomic impact assessments.
Contacts
Alison Ramsden
Director
Tel: +27 11 797 4658
E-mail: [email protected]
Alan Witherden
Senior Manager
Tel: +27 11 797 5590
E-mail: [email protected]
Yvette Lange
Manager
Tel: +27 11 797 4430
E-mail: [email protected]
2. Boards and directors
Overview
Boards and directors, acting in the best interests of the company, form the focal point of corporate
governance with responsibilities extending to shareholders and other stakeholders: Companies should be
headed by a board that should direct, govern and be in effective control of the company.
The chapter discusses key governance responsibilities that directors are expected to consider, including:
The role and function of the board and its committees
The composition and performance evaluation of the board and its committees
The board appointment process
Director development
Remuneration of directors, senior executives, group boards and company secretaries.
Chapter 2. Boards and directors
Governance element: Role and function of the board
Principle: 2.1. The board should act as the focal point for and custodian of corporate governance
Summary recommendation: The board is responsible for ensuring the continued success of the company and is guided by its charter. It is the link between management and stakeholders and should meet at least four times per year.
Difference to King II: Similar to King II
Principle: 2.2. The board should appreciate that strategy, risk, performance and sustainability are inseparable
Summary recommendation: The board should inform and approve the company's strategy and satisfy itself that business plans are not encumbered by unexamined risks. In doing so it identifies key performance and risk areas. The board also ensures that the strategy will result in sustainable outcomes and considers sustainability to be a business opportunity.
Difference to King II: Greater emphasis on opportunity as opposed to only risk.
Principle: 2.3. The board should provide effective leadership based on an ethical foundation
Summary recommendation: Explained in chapter 1
Difference to King II: Refer to chapter 1
Principle: 2.4. The board should ensure that the company is and is seen to be a responsible corporate citizen
Summary recommendation: Explained in chapter 1
Difference to King II: Refer to chapter 1
Principle: 2.5. The board should ensure that the company's ethics are managed effectively
Summary recommendation: Explained in chapter 1
Difference to King II: Refer to chapter 1
Principle: 2.6. The board should ensure that the company has an effective and independent audit committee
Summary recommendation: Explained in chapter 3
Difference to King II: Refer to chapter 3
Principle: 2.7. The board should be responsible for the governance of risk
Summary recommendation: Explained in chapter 4
Difference to King II: Refer to chapter 4
Principle: 2.8. The board should be responsible for information technology (IT) governance
Summary recommendation: Explained in chapter 5
Difference to King II: Refer to chapter 5
Principle: 2.9. The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards
Summary recommendation: Explained in chapter 6
Difference to King II: Refer to chapter 6
Principle: 2.10. The board should ensure that there is an effective risk-based internal audit
Summary recommendation: Explained in chapter 7
Difference to King II: Refer to chapter 7
Principle: 2.11. The board should appreciate that stakeholders' perceptions affect the company's reputation
Summary recommendation: Explained in chapter 8
Difference to King II: Refer to chapter 8
Principle: 2.12. The board should ensure the integrity of the company's integrated report
Summary recommendation: Explained in chapter 9
Difference to King II: Refer to chapter 9
Principle: 2.13. The board should report on the effectiveness of the company's system of internal controls
Summary recommendation: Explained in section on internal financial controls
Difference to King II: Refer to section on internal financial controls
Principle: 2.14. The board and its directors should act in the best interests of the company
Summary recommendation: Directors act in the best interests of the company by, amongst other actions, disclosing conflicts where they exist, dealing in securities only as allowed by internal policies and by adhering to legal standards of conduct. Where required, they should be permitted to take independent advice.
Difference to King II: Similar to King II
Principle: 2.15. The board should consider business rescue proceedings or other turnaround mechanisms as soon as the company is financially distressed as defined in the Act
Summary recommendation: Explained in chapter 10
Difference to King II: Refer to chapter 10
Principle: 2.16. The board should elect a chairman of the board who is an independent non-executive director. The CEO of the company should not also fulfil the role of chairman of the board
Summary recommendation: Where the guidelines in the principle are not applied, a lead independent director should be appointed and disclosure provided in the integrated report. The role of the chairman should be formalised and assessed annually and a succession plan put in place. The chairman should consider the number of chairmanships held.
Difference to King II: King II did not contain a requirement that the CEO should not become the chairman until three years has elapsed. Lead independent director concept already introduced in King II and refined in King III.
Principle: 2.17. The board should appoint the chief executive officer and establish a framework for the delegation of authority
Summary recommendation: The board ensures that the role of the CEO is formalised and his performance evaluated against specified criteria. It also makes recommendations regarding senior management appointments and its own assessment of materiality for the company.
Difference to King II: Similar to King II
Principle: 2.18. The board should comprise a balance of power, with a majority of non-executive directors. The majority of non-executive directors should be independent
Summary recommendation: The majority of non-executive directors should be independent, with independence assessed annually. As a minimum, the CEO and director responsible for finance should be appointed to the board. The section also deals with the re-appointment, rotation and removal of directors.
Difference to King II: King II did not contain a requirement that the CEO and directors responsible for finance be appointed to the board.
Principle: 2.19. Directors should be appointed through a formal process
Summary recommendation: The director appointment process should be transparent and include background and reference checks. It is the responsibility of the nomination committee to identify suitable members.
Difference to King II: King II required the board to comprise a balance of executive and non-executive directors, preferably with a majority of non-executive directors of which sufficient should be independent of management. King II did not suggest that the memorandum of incorporation of the company should allow the board to remove any director from the board, including executives, without shareholder approval.
Principle: 2.20. The induction of and ongoing training and development of directors should be conducted through formal processes
Summary recommendation: New and inexperienced directors should be suitably trained through formal induction and mentorship programmes. Directors should be kept up to date through regular briefings and continuing professional development programmes.
Difference to King II: Similar to King II
Principle: 2.21. The board should be assisted by a competent, suitably qualified and experienced company secretary
Summary recommendation: The board appoints and removes the company secretary. The requirements of the Companies Act in relation to the company secretary apply to listed and state-owned companies. King III further elaborates on the duties of the company secretary.
Difference to King II: King II did not contain the same level of detail regarding the responsibility of the company secretary.
Principle: 2.22. The evaluation of the board, its committees and the individual directors should be performed every year
Summary recommendation: Annual evaluations of the board, its committees and directors (including evaluations of the chairman, CEO and other executive directors) should be performed by the chairman or an independent service provider. The overview of the process should be disclosed in the integrated report. The performance evaluation of directors assists in identifying their training needs and should be a requisite before reappointment.
Difference to King II: King III requires the board to consider whether the evaluation of performance should be done by the chairman or independently by professional service providers.
Principle: 2.23. The board should delegate certain functions to well-structured committees but without abdicating its own responsibilities
Summary recommendation: Committees should be appropriately constituted and should formulate terms of references that are reviewed annually. The need for audit, risk, nomination and remuneration committees is also discussed. Committees (with the exception of the risk committee) should comprise a majority of non-executive directors of which the majority should be independent.
Difference to King II: King II required that, at a minimum, companies have an audit and remuneration committee.
Principle: 2.24. A governance framework should be agreed between the group and its subsidiary boards
Summary recommendation: Governance matters related to listed subsidiaries, the nomination of directors to the boards of subsidiaries and the disclosures coupled thereto required in the integrated report, are discussed.
Difference to King II: King II did not address interaction with subsidiaries.
Principle: 2.25. Companies should remunerate directors and executives fairly and responsibly
Summary recommendation: Refer to section on remuneration
Difference to King II: Refer to section on remuneration
Principle: 2.26. Companies should disclose the remuneration of each individual director and certain senior executives
Summary recommendation: Refer to the section on remuneration
Difference to King II: Refer to section on remuneration
Principle: 2.27. Shareholders should approve the company's remuneration policy
Summary recommendation: Refer to the section on remuneration
Difference to King II: Refer to section on remuneration
Implications
The board and its committees must have clear terms of reference in place. These need to be reviewed annually to ensure that there are no gaps or overlaps.
The composition of the board and its committees will need to be reassessed to cover both financial and sustainability roles and responsibilities.
Performance evaluations of executive and non-executive directors are key, not only to assess efficiency and competence, but also to appraise reappointment and training needs.
A formal process for the appointment of directors must be in place and this should be disclosed in the integrated report.
Obtaining sufficiently skilled directors who are non-executive and independent as suggested by King III will require careful recruitment.
Expert opinion
The role of the board as the focal point of governance is vital to the success of any organisation. As a result, the board must have the appropriate balance of skills and experience within its ranks to fulfil its mandate. The composition and performance of the board and its committees are key factors that will determine the success of the organisation.
In order to maximise the benefit that the company obtains from the board, regular performance evaluations need to be conducted and areas of improvement identified. This is essential not only to improve the efficiency and effectiveness of the board, but also to develop individual directors to enable them to better add value.
The principle that governance, strategy and sustainability are inseparable is one of the fundamental tenets of King III. The interplay between these elements and the manner in which the company incorporates them into its processes will be keenly watched.
Key questions directors should be asking
1. Do we have the right people in place to lead and manage all aspects of our business?
2. Is the board sufficiently independent of management?
3. Do we need to get external expert advice?
4. Will we get greater value from board and committee evaluations if we employ an independent service provider?
5. Are we comfortable that we have satisfied our overarching responsibilities adequately where we have delegated functions to subcommittees?
6. Are we spending our time efficiently in meetings and dealing only with material issues?
7. Is there a need to revise our board and committee charters?
8. In which committee should we deal with sustainability issues?
9. Are the current roles and structures of our subsidiary boards adding value?
10. How do we incorporate strategy, risk, performance and sustainability into our decision making philosophy?
How we can help you
The Sustainable Business Solutions group within PwC offers a range of integrated solutions to assist boards and directors to meet the demands and expectations of their stakeholders. Tailored and relevant to your needs, these embrace:
Independent, comprehensive board and committee evaluations
Thorough independent individual evaluations of office bearers including directors, CEOs, CFOs, chairmen and company secretaries
Review and development of board and committee documentation
Review and development of board and committee systems and processes
Governance and director training.
Contacts
Alison Ramsden
Director
Tel: +27 11 797 4658
E-mail: [email protected]
Alan Witherden
Senior Manager
Tel: +27 11 797 5590
E-mail: [email protected]
Yvette Lange
Manager
Tel: +27 11 797 4430
E-mail: [email protected]
Shirley-Ann Bauristhene
Director
Tel: +27 31 271 2007
E-mail: [email protected]
3. Audit committees
Overview
An independent audit committee fulfils a vital role in corporate governance. The audit committee is vital to,
among other things, ensure the integrity of integrated reporting and internal financial controls and identify
and manage financial risks.
In order to carry out their mandate to the full extent, audit committees should be suitably skilled and
qualified to deal with their responsibilities of overseeing integrated reporting and co-ordinating the activities of the various assurance providers.
Chapter 3. Audit committees
Principle: 3.1. The board should ensure that the company has an effective and independent audit committee
Summary recommendation: While listed and state-owned companies are required by law to establish audit committees, all other companies should also establish this committee and define its composition, purpose and duties in the memorandum of incorporation. The terms of reference of the committee should be approved by the board. The audit committee should meet as often as is necessary, but at least twice a year, and meet with internal and external auditors at least once a year without management being present.
Difference to King II: King II required affected companies to establish audit committees. King II did not address the frequency of meetings nor discussions with internal audit without management being present.
Principle: 3.2. Audit committee members should be suitably skilled and experienced independent non-executive directors
Summary recommendation: The audit committee should consist of at least three members, all of whom should be independent non-executive directors. It should not be chaired by, nor have as a member, the chairman of the board. The committee as a whole should have sufficient qualifications and experience to fulfil its duties, with members keeping up-to-date with developments. An agreed process should be in place to allow the committee to consult with specialists. Should vacancies arise, these should be filled by the board.
Difference to King II: King II did not address the minimum number of members required for the audit committee and required that only the majority of members should be independent non-executive directors. Audit committees at subsidiary level were not addressed in King II. King III specifies minimum areas over which audit committees should have sufficient expertise, while King II only required the majority of members to be financially literate.
Principle: 3.3. The audit committee should be chaired by an independent non-executive director
Summary recommendation: The board should elect the chairman of the audit committee. The chairman of the audit committee should participate in and agree the agenda of the committee and should be present at the AGM.
Difference to King II: King II required the audit committee to elect the chairman of the audit committee.
Principle: 3.4. The audit committee should oversee integrated reporting
Summary recommendation: The audit committee should review the financial statements included in the integrated report and should have regard to all factors and risks that may impact on the integrity of the integrated report. It should also review the disclosure of sustainability issues in the integrated report to ensure that it does not conflict with the financial information. Where there are material sustainability issues, it should recommend to the board whether to engage an external assurance provider. The audit committee should consider the need for summarised information and engage external auditors to provide assurance on the summarised results.
Difference to King II: King II did not discuss the audit committee's responsibility for sustainability in the detail that King III does. King II did not address summarised sustainability information.
Principle: 3.5. The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities
Summary recommendation: The audit committee should monitor the relationship between the external assurance providers and the company and should ensure that combined assurance is given to address all the significant risks facing the company.
Difference to King II: Combined assurance was not discussed in King II in the level of detail contained in King III.
Principle: 3.6. The audit committee should satisfy itself of the expertise, resources and experience of the company's finance function
Summary recommendation: The review of the finance function should be performed annually and the results thereof disclosed in the integrated report.
Difference to King II: King II did not require a review of the finance function.
3.7. The audit committee should be responsible for overseeing of internal audit
The audit committee should be responsible for the performance management of the chief audit officer, approve the internal audit plan and ensure the internal audit function is subject to an independent quality review as and when the committee deems appropriate.
King III did not address an independent quality review of the internal audit function.
3.8. The audit committee should be an integral component of the risk management process
Guided by its charter, which should set out its responsibilities regarding risk management, the audit committee should specifically have oversight of financial reporting risks and internal financial controls as well as fraud and IT risks as they relate to financial reporting.
Responsibilities defined in the new Companies Act have been incorporated into King III.
King II did not specifically assign oversight of IT risk as it relates to financial reporting to the audit committee.
3.9. The audit committee is responsible for recommending the appointment of the external auditor and overseeing the external audit process
The audit committee:
3.9.1. must nominate the external auditor for appointment
3.9.2. must approve the terms of engagement and remuneration for the external audit engagement
3.9.3. must monitor and report on the independence of the external auditor
3.9.4. must define a policy for non-audit services provided by the external auditor and must approve the contracts for non-audit services
3.9.5. should be informed of any Reportable Irregularities identified and reported by the external auditor
3.9.6. should review the quality and effectiveness of the external audit process.
King II did not address reportable irregularities.
3.10. The audit committee should report to the board and shareholders on how it has discharged its duties
The audit committee should report internally to the board on its statutory duties and duties assigned to it by the board.
The audit committee must report to the shareholders on its compliance with its statutory duties, the independence of the external auditor; its view on the financial statements and the accounting practices; and whether the internal financial controls are effective.
It should also recommend the integrated report for approval by the board and provide details of its role, composition, number of meetings and activities.
King II did not contain reporting responsibilities to shareholders for the audit committee.
King II did not assign responsibility for recommending sustainability reporting for approval by the board to the audit committee.
Implications
The board and management of any company, regardless of size, should be fully committed to the goal of supporting and maintaining an effective audit committee:
Responsibility of the audit committee has been extended beyond financial reporting to include sustainability reporting
The constitution, size and sufficiency and appropriateness of the skills set of the audit committee may need to be reconsidered by the board
An assessment of in-house skills and the qualifications/track record of external assurance providers should be performed
Audit committees are to coordinate the utilisation of appropriate assurance providers in the assurance model to provide assurance on the identified risks
Increased time and resource commitments are needed for audit committees, management and internal audit to adequately review internal financial controls.
Expert opinion
The need for summarised information, the assessment of internal financial controls and effectiveness and the assessment of the integrated report will all be areas where the audit committee will be required to apply its mind in arriving at the most efficient and effective governance solution. This will be unique to every company and audit committees will need to ensure that they have the appropriate blend of skills and experience in order to discharge their responsibilities.
The audit committee takes primary responsibility for and has the ultimate decision-making ability regarding its statutory responsibilities in terms of the Companies Act. This may result in conflicts with the board should differences of opinion arise regarding these matters. The board should devise a mechanism for resolving such differences of opinion.
Key questions directors should be asking
1. Does the audit committee have the appropriate blend of skills to discharge its responsibilities, specifically the skills required to oversee integrated reporting?
2. Has a process been approved by the board to allow the audit committee to consult with specialists or consultants to assist the audit committee with the performance of its functions?
3. Is there effective communication and coordination of the board's oversight activities to ensure that the audit committee is informed of all significant actual or potential financial and non-financial risks?
4. Does the internal audit function have appropriate skills and resources to deliver on expectations regarding the review of internal financial controls?
5. Does a mechanism exist for resolving differences of opinion between the audit committee and the board regarding the audit committee's statutory responsibilities should such differences arise?
How we can help you
A primary function of the audit committee will be to oversee the integrity of the organisation's integrated report and to assess its continuing ability to operate as a going concern, assumptions and conclusions relating to which should be formally recorded. It should also ensure that there is sufficient cooperation between the organisation's various assurance providers, including the external auditor, the internal audit function, the risk officer and compliance officer. The internal audit function should annually review the organisation's internal control system and should specifically report its findings on internal financial controls to the audit committee. It should place particular emphasis on internal financial control and the effect that information technology has on processes and internal controls. The audit committee should ensure that all pertinent risks are covered by audit activities and, specifically, should monitor the effectiveness of the internal audit function. PwC has specialists in all these areas and we offer specific expertise in:
External audit
Internal audit
Risk management
Internal financial control
Forensics
Embedded compliance
Audit committee structures and charters.
Contacts
Anton van Wyk, Director, Tel: +27 11 797 5338, E-mail: [email protected]
Rob Newsome, Director, Tel: +27 11 797 5560, E-mail: [email protected]
Alison Ramsden, Director, Tel: +27 11 797 4658, E-mail: [email protected]
Zubair Wadee, Director, Tel: +27 11 797 5875, E-mail: [email protected]
Nicholas Ganz, Director, Tel: +27 11 797 5568, E-mail: [email protected]
Shirley-Ann Bauristhene, Director, Tel: +27 31 271 2007, E-mail: [email protected]
Annerie Pretorius, Associate Director, Tel: +27 11 797 4199, E-mail: [email protected]
Rob Louw, Senior Manager, Tel: +27 11 797 4657, E-mail: [email protected]
4. The governance of risk
Overview
The essential focus of the Code is that the board should exercise leadership to prevent risk management from becoming a series of activities that are detached from the realities of the company's business. In this context, risk is positioned as a cornerstone of corporate governance and risk governance is substantially different to the requirement to implement risk management. Greater emphasis is placed on the board to ensure that it is satisfied with the management of risk.
Governance element Principle/s Summary recommendation/s Difference to King II
Chapter 4. The governance of risk
The board's responsibility for risk governance
4.1. The board should be responsible for the governance of risk
This responsibility must be demonstrated.
No difference
4.2. The board should determine the levels of risk tolerance
The board should understand the risk levels that it has the ability to tolerate versus the risk that it is willing to take (risk appetite).
No requirement to articulate risk appetite/tolerance
4.3. The risk committee or audit committee should assist the board in carrying out its risk responsibilities
The board can delegate the responsibility to a committee of the board.
No difference
Management's responsibility for risk management
4.4. The board should delegate to management the responsibility to design, implement and monitor the risk management plan
The risk management plan requires specific activities to be completed.
No requirement in respect of a risk management plan
Risk assessment
4.5. The board should ensure that risk assessments are performed on a continual basis
The board should ensure that risk assessments are performed on a continuous basis (minimum annually) using a top-down approach.
Minimum of annual assessment
4.6. The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
Risks should be prioritised and ranked to focus the responses and interventions on those risks outside the board's risk tolerance limits.
No explicit requirement on the adoption of frameworks and methodologies
Risk response
4.7. The board should ensure that management considers and implements appropriate risk responses
Annual risk management plan approval, implementation and monitoring.
No requirement in respect of a risk management plan
Risk monitoring
4.8. The board should ensure continuous risk monitoring by management
Annual risk management plan approval, implementation and monitoring.
No requirement in respect of a risk management plan
Risk assurance
4.9. The board should receive assurance regarding the effectiveness of the risk management process
Combined assurance requires active consideration of the assurance the board receives on the risks to which the organisation is exposed.
No requirement
Risk disclosure
4.10. The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders
The board should disclose how it has satisfied itself that risk assessments, responses and interventions are effective as well as any undue, unexpected or unusual risks and any material losses.
Disclosure only on how risk management is applied
Implications
The requirement to disclose how the board has satisfied itself that risk assessments, responses and interventions are effective will need to be effectively evidenced. Due care and diligence will need to be exercised and disclosed.
This due care and diligence is achieved through:
The structures of governance risk/audit committee
Adoption and implementation of an annual risk management plan
Effective risk management practices through the application of recognised frameworks, methodologies, continuous assessments and monitoring
Applying risk considerations into the decision-making frameworks (appetite and tolerance) and on specific decisions
Ensuring that the board receives adequate assurance on the effectiveness of the risk management process and on the management of specific risks
Disclosing how the board is satisfied with the effectiveness of risk management.
Expert opinion
Corporate governance requires active consideration of risk management. This should be the last reason for applying risk management into a business or organisation. The future is uncertain and risk management deals explicitly with uncertainty. Effective risk management is a fundamental requirement for businesses and organisations to succeed and survive.
There are now a significant number of authoritative globally relevant guidelines (e.g. ISO 31000, COSO and rating agency ERM criteria) on how effective risk management can be applied. While King III sets out the principles, the challenge is to make the principles real and practical through reference to these global guidelines.
Combined assurance should be based on identified risks and how assurance is achieved and reported to the board. This will be one of the biggest challenges facing businesses and organisations in adopting King III. However, it offers tangible benefits that extend well beyond proving compliance, including:
Coordinated and relevant assurance efforts focussing on key risk exposures
Minimised business/operational disruptions
Comprehensive and prioritised tracking of remedial action on identified improvement opportunities/weaknesses
Improved reporting to the board and committees, including reducing the repetition of reports being reviewed by the different committees
Possible reduced assurance costs.
Key questions directors should be asking
1. Do we understand how risk appetite and tolerance is applied in our organisation?
2. How do we know that the biggest risk exposures to our organisation are being adequately managed?
3. When last did we participate in a risk assessment activity?
4. How often have we considered the same risk-related issue in the various management and governance meetings?
5. Is ICT risk actively considered in our risk management process?
6. Do we specifically consider compliance risk and, if so, how satisfied are we that it is effectively covered?
7. Are risks prioritised and ranked to focus the responses and interventions on those risks outside the board's risk tolerance limits?
8. Do we have an approved annual risk management plan?
9. Who assures non-financial risks, such as plant availability, staff capacity and competency, the impact of legislative changes on the business/organisation etc? And to which management or board committee is the assurance provided? Are we satisfied that this assurance is reliable?
10. Do we have a fraud risk plan to consider our fraud exposure and prevention?
11. Does our disclosure on the effectiveness of risk management reflect the actual position of our business/organisation?
How we can help you
PricewaterhouseCoopers has invested substantially in risk management solutions both locally and globally. Our experience and hands-on expertise ensures that this investment can be practically applied for our clients' benefit and in a number of ways:
Advising on risk governance and risk management plans
Articulating risk appetite and tolerance
Linking performance and risk management
Developing effective risk management frameworks and methodologies
Facilitating risk assessments
Benchmarking risk and risk mitigation activities
Addressing ICT risk management
Advising and providing solutions on compliance risk
Assisting in embedding risk management
Assessing the effectiveness of risk management
Assessing current assurance providers' existence and effectiveness
Developing a combined assurance profile and risk governance reporting framework
Creating a fraud risk response plan together with management.
Contacts
Rob Newsome, Director, Tel: +27 11 797 5560, E-mail: [email protected]
Peter Goss, Director, Tel: +27 12 429 0331, E-mail: [email protected]
Naeem Laher, Director, Tel: +27 11 797 4048, E-mail: [email protected]
Dalene Rohde, Associate Director, Tel: +27 12 429 0066, E-mail: [email protected]
Steve Roberts, Director, Tel: +27 21 529 2009, E-mail: [email protected]
Shirley-Ann Bauristhene, Director, Tel: +27 31 271 2007, E-mail: [email protected]
5. The governance of information technology
Overview
King III recognises that information technology (IT) has become an integral part of doing business today, as it is fundamental to the support, sustainability and growth of organisations. IT cuts across all aspects, components and processes in business and is therefore not only an operational enabler for a company, but an important strategic asset which can be leveraged to create opportunities and to gain competitive advantage.
As well as being a strategic asset to the company, IT also presents organisations with significant risks. The strategic asset of IT and its related risks and constraints should be well governed and controlled to ensure that IT supports the strategic objectives of the organisation.
King III stipulates that in exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken with respect to IT governance.
Governance element Principle/s Summary recommendation/s Difference to King II
Chapter 5. The governance of information technology
5.1. The board should be responsible for information technology (IT) governance
IT has an important role to play in many organisations and should be directed and controlled effectively by the board through the establishment of an IT governance framework.
The IT governance framework supports effective and efficient management and decision making around the utilisation of IT resources to facilitate the achievement of the company's objectives and the management of IT-related risk. It includes a charter, policies, decision-making structures, accountability framework, IT reporting and an IT internal control framework.
Was not part of King II
5.2. IT should be aligned with the performance and sustainability objectives of the company
IT should be exploited in a way that most effectively supports and enables the business strategy, delivers value and improves performance. The board should ensure that the IT strategy is integrated into the company's strategic and business processes and that IT adds value.
Was not part of King II
5.3. The board should delegate to management the responsibility for the implementation of an IT governance framework
Responsibility for the implementation of IT governance should be assigned to the CIO, as appointed by the CEO.
The CIO should act as an intermediary between the board and management on IT-related issues and should be the bridge between IT and business. IT should report to the board on the performance of the IT function.
Was not part of King II
5.4. The board should monitor and evaluate significant IT investments and expenditure
Value delivery and return on investment of IT should be monitored by the board.
The board should ensure that the information and intellectual property contained in the information systems are protected.
The board should require independent assurance over IT governance controls supporting outsourced IT services.
The board is responsible for ensuring good governance principles are in place for the acquisition and disposal of IT goods and services.
IT management should ensure good project management principles are applied.
Was not part of King II
5.5. IT should form an integral part of the company's risk management
The board should ensure that IT risk is considered as part of the company's risk management activities.
IT risk management should include disaster recovery planning, IT legal risks, compliance to laws, rules, codes and standards.
The board should evaluate how IT can be used to aid the company in managing its risk and compliance requirements.
Was not part of King II
5.6. The board should ensure that information assets are managed effectively
The board should ensure that processes have been established to ensure a formal information security management system is in place to ensure:
The confidentiality, integrity and availability of information
That company information is adequately protected
That personal and sensitive information has been identified and is protected according to relevant laws and regulations.
Was not part of King II
5.7. A risk committee and audit committee should assist the board in carrying out its IT responsibilities
The risk committee should measure and understand the company's overall exposure to IT risks and ensure proper processes are in place to manage these.
IT as it relates to financial reporting and the status of the company as a going concern should be the responsibility of the audit committee.
Was not part of King II
Implications
The requirement to disclose how the board has satisfied itself that IT governance is effective will need to be positively evidenced. Due care and diligence will need to be exercised and disclosed.
This due care and diligence is achieved through:
An IT governance framework, which includes:
Decision structures for IT decisions
Accountability structures for IT
IT governance processes
IT reporting structures
IT policies and standards
IT compliance
IT controls and risk mitigation
Information security management practices
Business and disaster recovery
Information technology strategy as part of the strategic business planning process
Project management practices
IT benefits realisation processes
IT value and performance measurement processes
IT acquisition and disposal processes
IT strategy
Understanding the current state of IT governance and determining improvements required in an IT governance plan
Effective IT governance practices through the application of recognised frameworks, methodologies, continuous assessments and monitoring
Reporting on the state and initiatives of IT governance and IT in general to the board
Ensuring that the board receives adequate assurance on the efficiency and effectiveness of the IT and IT governance processes and on the management of specific IT-related issues
Disclosing how satisfied the board is with the effectiveness of IT governance.
Expert opinion
Corporate governance now requires active consideration of IT governance. Due to the critical nature of IT in enabling business processes, and the intellectual property and other information resources that are exposed through technology channels, IT governance is an essential component in ensuring the efficient and secure operation of the business.
While King III sets out principles, the challenge is to implement them in a practical way. A combination of the most relevant best practices can be utilised to achieve this and a significant number of authoritative and globally relevant guidelines is already available.
Any well-run and formalised IT environment should already have such practices in place. The task will now be to report on these and make them understandable to the board.
It is recommended that organisations start by performing a current state assessment against King III and determining areas for improvement. This should be translated into an improvement programme, which should be presented and approved by the board. Subsequent progress against it should be on the board's agenda, in addition to reporting on the general state of IT and IT governance.
While King III may appear daunting to some, it offers tangible benefits that extend well beyond proving compliance. These include:
Clarified decision-making and accountability
Improved understanding of overall IT costs and their input to ROI cases
Improved risk management, security, efficiency and effectiveness of IT and making this visible (i.e. IT will deliver value)
Enhancement and protection of reputation and image
Positioning of IT as a business partner and clarifying IT's role in the business
Improved and more professional relationships with key IT partners (vendors and suppliers)
Improved responsiveness to market challenges and opportunities
Clear identification of whether an IT service or project supports business as usual or is intended to provide future added value
A focus on performance improvement that will lead to the attainment of best practices
Avoidance of unnecessary expenditure as spending can be demonstrably matched to business goals
Enabling an integrated approach to meeting external legal and regulatory requirements.
Key questions directors should be asking
1. Do we understand how IT decisions are taken and who is accountable?
2. Do we have an IT governance framework in place which defines and supports decision models, governance structures, accountability and governance processes?
3. Is IT involved in strategic business decisions and planning?
4. Is the investment in IT understood?
5. Is our intellectual property, company and client information properly protected?
6. How do we ensure compliance of IT with laws, rules, codes, standards and regulations?
7. How is the value delivered by IT measured?
8. Is the approach towards IT risks facing the organisation clear? (Risk avoidance vs. risk taking)
9. Is the board regularly briefed on IT risks to which the enterprise is exposed?
10. Is IT a regular item on the agenda of the board and is it addressed in a structured manner?
11. Does the board have a clear view on the major IT investments from a risk and return perspective?
12. Does the board obtain regular progress reports on major IT projects?
13. Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks?
How we can help you
PwC has invested substantially in IT governance solutions both locally and globally. Our methodologies, experience and hands-on expertise ensure that we can accelerate and reduce the cost of your King III IT governance programme.
PwC can support you by:
Providing an assessment of your current IT governance arrangements against King III and other best practices such as ITIL, CobiT, ISO 38500, ISO 17799, Val IT
Supporting you in determining the King III principles to apply within your organisation
Developing an IT governance implementation programme aligned to King III requirements and implementing the required IT governance improvements
Supporting the implementation of improvements in IT governance by utilising PwC's proprietary ICT governance framework and methodologies.
Contacts
Angeli Hoekstra, Director, Tel: +27 11 797 4162, E-mail: [email protected]
Binesh Rajkaran, Director, Tel: +27 31 271 2016, E-mail: [email protected]
Rudolph Laubscher, Associate Director, Tel: +27 51 503 4100, E-mail: [email protected]
Francois le Roux, Senior Manager, Tel: +27 21 529 2014, E-mail: [email protected]
Chris Knox, Assistant Manager, Tel: +27 43 707 9600, E-mail: [email protected]
6. Compliance with laws, rules, codes and standards
Overview
Companies must comply with all applicable laws. Laws should be understood not only in terms of the obligations that they create, but also for the rights and protection that they afford. The board is responsible for the company's compliance with applicable laws and with those non-binding rules, codes and standards with which the company has elected to comply. One of the most important responsibilities of the board is to monitor the company's compliance with all applicable laws, rules, codes and standards.
Governance element Principle/s Summary recommendation/s Difference to King II
Chapter 6. Compliance with laws, rules, codes and standards
6.1. The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards
A strongly linked ethical responsibility that must be demonstrated and disclosed including the extent of adoption of non-binding rules and standards.
The board is now to ensure legal and regulatory compliance as part of its risk management and internal control activities.
6.2. The board and each individual director should have a working understanding of the effect of the applicable laws, rules, codes and standards on the company and its business
The board must ensure that the applicable laws (and changes thereto) are identified and understood.
As above
6.3. Compliance should form an integral part of the company's risk management process
A systematic risk management approach to compliance is recommended, understanding that compliance is compulsory.
As above
6.4. The board should delegate to management the implementation of an effective compliance framework and processes
A legal compliance policy should be established and monitored.
Compliance should be achieved through integration with business/organisational processes, ethics and culture.
Disclosure is required as to how effectively compliance has been achieved and of significant fines and penalties paid.
A delegated compliance function/officer is recommended.
As above
Implications
The compliance with laws, rules, codes and standards has always been an explicit statutory/legal requirement. King III now provides recommended principles and practices to adopt to ensure that compliance is achieved.
Compliance can be achieved by:
Identifying the laws and regulatory obligations that are applicable, including the non-binding rules and standards to which an entity/organisation wishes to comply
Ensuring that the board and board members understand the requirements and are updated on the changes. This can be part of the board's continuing education programme
Implementing a comprehensive compliance policy and regularly monitoring compliance to the policy through the governance structures and inclusion on the board agenda
Managing compliance risk through the risk management process adopted
Embedding compliance in the operations and process, ethical conduct and culture of the business/organisation
Appointing a compliance officer or establishing a compliance function to assist in the management of compliance
Disclosing how effective compliance has been achieved and any significant fines and penalties paid.
Expert opinion
Legal and regulatory compliance is a statutory obligation and an accepted corporate governance requirement. King III has devoted a chapter to this to emphasise the importance of compliance and how, by applying the principles, the board can demonstrate that it has achieved effective compliance.
The key aspects of King III are that it recommends proactive consideration of compliance, how the compliance risk is managed and how it is integrated into an organisation's operations. There are many organisations that only consider compliance when there is a breach with specific consequences such as fines paid or contraventions of the competition laws.
Highly regulated organisations, such as banks, have very mature compliance approaches and have been proactively managing compliance for years.
King III has raised the level of awareness of the importance of being able to demonstrate compliance. This can be achieved through:
Regularly (annually) reviewing the compliance universe and determining which laws, regulations and non-binding rules and standards apply to the business/organisation
Assessing the basis of how compliance is achieved to these laws and regulations
Receiving assurance through the risk management and assurance processes that compliance is achieved
Designing specific compliance activities to evidence the actions taken to ensure compliance, for example annual declarations, records of compliance-related training completed and monitoring of remedial action where compliance breakdowns have or could potentially occur
Embedding compliance activities into the operational processes where applicable, for example controls required to be evidenced when opening an account in terms of the National Credit Act.
Key questions directors should be asking
1. What are the key statutory and regulatory obligations to which our organisation needs to comply?
2. Are we in compliance with these requirements? If so, how have we received this assurance and are we satisfied that the assurance is credible?
3. When last did we consider compliance at the board?
4. Are we aware that many Acts, such as the National Credit Act, can impact our organisation even though we are not a financial institution?
5. How are we apprised of changes in the legal and regulatory landscape?
6. Do we have sufficient evidence to defend our organisation in court or to prove to a regulator that we have complied with a specific act?
7. Does our disclosure on the effectiveness of compliance reflect the actual position in our business/organisation?
How we can help you
Regulatory compliance and reporting should be a natural extension of the governance duties shouldered by boards and directors. The exercise of good governance can ensure that compliance is aligned with the company's business objectives and risk management strategies. In this way compliance can add real value and not just be a cost to the organisation.
PricewaterhouseCoopers has made a considerable investment in compliance solutions on a global and local scale. Our people can help you at the strategic level to maximise competitive advantage from regulation and at the operational level to minimise costs and disruptions to your business.
Our range of compliance services includes:
Advising on what laws and regulations are applicable
Recommending approaches on how to achieve effective compliance
Benchmarking the compliance responses to specific acts/regulations nationally and globally
Developing specific compliance databases to evidence compliance
Hosting of compliance databases through our Enterprise Compliance Portal (ECP). PwC uses this to manage its own global compliance
Facilitating compliance risk assessments
Assisting in embedding specific compliance requirements into the business and operational processes
Assuring the effectiveness of compliance achieved
Providing a gap analysis of compliance to specific laws and regulations.
Contacts
Rob Newsome, Director, Tel: +27 11 797 5560
Feroz Khan, Director, Tel: +27 11 797 5480
Hentus Honiball, Associate Director, Tel: +27 11 797 4458
7. Internal audit
Overview
King II effectively dispensed with the notion of compliance-based, cyclical auditing and embraced risk-based auditing. As this approach has matured over time, the imperative to appropriately position risk-based auditing is a central focus of King III. The repositioned risk-based approach directs internal audit to address strategic, operational, financial and sustainability issues in its quest to deliver value to the organisation. Value is now seen to vest in the relevance of a function. As such, the head of internal audit needs to understand the organisation's strategy and to direct the function accordingly.
Governance is underpinned by an acceptance of accountability and responsibility for action. Accordingly, the chief audit executive is required to provide an annual assessment of an organisation's control environment. This reflects the congruence of introspection from the internal audit fraternity and the call for improved governance in general, highlighting calls for internal audit to rise and deliver on its contribution to effective governance!
Governance element Principle/s Summary recommendation/s Difference to King II
Chapter 7. Internal audit
The need for and role of internal audit
7.1. The board should ensure that there is an effective risk-based internal audit
The board should demonstrate how adequate assurance was obtained on an effective governance, risk management and internal control environment; in the event of the absence of an internal audit function.
Evaluation of governance processes, including ethics, especially tone at the top.
A senior or executive or director to be responsible for internal audit where internal audit is fully outsourced.
Board to demonstrate how effective internal control, processes and systems assurance were obtained
Ethics not specifically mentioned
No mention of custodian function in an outsourced scenario
Internal audit's approach and plan
7.2. Internal audit should follow a risk-based approach to its plan
Internal audit planning should be informed by the strategy of the organisation.
The chief audit executive should discuss the adequacy and resources of skills available to address risk identified with the audit committee.
Not a requirement in King II
Not a requirement in King II
7.3. Internal audit should provide a written assessment of the effectiveness of the company's system of internal controls and risk management
Internal audit should form an integral part of the combined assurance model and should provide a written assessment of the effectiveness of the company's system of internal control and risk management.
Not a requirement in King II
7.4. The audit committee should be responsible for overseeing internal audit
Internal audit pay, bonus and benefits to be determined separately to process undertaken for the rest of the business to ensure appropriate independence.
Internal audit to perform the pivotal role of effecting combined assurance.
Not a requirement in King II
Only mention of the avoidance of duplication of assurance effort in King II
Internal audit's status in the company
7.5. Internal audit should be strategically positioned to achieve its objectives
The chief audit executive to have a standing invitation to attend EXCO as an invitee to protect independence.
Internal audit to report functionally to the chairman of the audit committee.
Internal audit should establish and maintain a quality assurance and improvement programme.
Not a requirement of King II
Internal audit should report to an appropriate level in the organisation
Not a requirement of King II
Implications
The challenge that the board faces is how it concludes that an effective internal audit function was operational for the period covered by the integrated report. While the execution of a risk-based plan would have been sufficient for this purpose in the past, King III requires a more holistic approach that is related to other areas as well. Practically, this means a challenging of the norms and exploration of concepts that will move internal audit in the direction of real progress. These include:
Annual report disclosure in the event that an effective internal audit function was not maintained
An organisational custodian function in situations where internal audit is outsourced
Reviewing organisational ethics
Cost optimisation and the prevention of assurance fatigue
An assessment of the control environment
The relationship between internal audit and audit committees
The role and attributes of a chief audit executive
The implementation of an internal audit quality assurance and improvement programme
The interdependency between internal audit and other assurance providers such as risk management
Expert opinion
Adequacy of suitable skills and an understanding of the true absorbed cost of internal audit will be instrumental in the assessment of the potential of internal audit to deliver value to organisations as envisaged in King III. In this environment, diligent audit committees will ask the difficult questions and more assurance than in a compliance-based quality review will be required to provide committees with a reasonable level of comfort.
The maturity of other functions such as ethics and risk management with which internal audit is expected to interact may be cause for some concern. Immature functions that form part of a combined assurance view are likely to complicate assessments of control environments, even where internal audit has been effective.
Leadership, strategic inquisitiveness and other attributes will need to drive the expectations of the chief audit executive. This, coupled with strong analytical skills and the ability to interact at the highest levels of the organisation, are fundamental to internal audit using the opportunities it is afforded in King III to reach a level that populists conclude is internal audit's rightful place. Appropriate technology leverage in the performance of internal audit becomes non-negotiable.
Ultimately, internal audit will have to make combined assurance work and help organisations realise the benefits of cost optimisation, prevention of assurance fatigue and a business partner relationship that adds real value by sifting through the irrelevant and focusing on the critical.
Key questions directors should be asking
1. Is internal audit aligned to strategy and does its plan focus on areas that are most likely to impact stakeholder value?
2. Is internal audit effective and frequent enough in its communications with the audit committee and us?
3. When last was an objective assessment done to ascertain whether internal audit has the appropriate level of technical and analytical skills required to address the industry risk and risk requirements of our business?
4. Is our internal audit function poised to lead a combined assurance initiative?
5. Is there sufficient assurance of our ethics and risk management programmes?
6. Does internal audit utilise technology in its processes and use existing systems and data effectively in the performance of its work?
7. What were our most recent loss events and what comfort did internal audit provide us with on these?
8. How does our internal audit function compare against its peers in benchmark studies?
9. Is our chief audit executive subjected to a robust annual assessment based on key attributes relevant to our business?
10. What is our true absorbed cost of internal audit?
11. Is our internal audit agile enough to address emerging business issues?
12. Does the internal audit function have the necessary and diverse skills required to give assurance to the audit committee on internal financial control?
How we can help you
We have a team of professionals that are ready and able to assist you with the implementation of the requirements of King III in all its aspects. These include:
Strategic assurance reviews that go beyond a quality assurance checklist and align to your organisational strategy
Assistance in the formulation of a control environment assessment
Assistance in the implementation of a combined assurance model
Assessment of internal audit technology leverage
Development of appropriate performance metrics for your internal audit function
Benchmarking your internal audit function against a community of peers (industry, headcount and revenues)
Awareness and training
Conducting an effective audit of an ethics function
Formulation of governance frameworks, including reporting protocols
Optimising the form and content of internal audit communications.
Contacts
Anton van Wyk, Director, Tel: +27 11 797 5338
Avendth Tilakdari, Director, Tel: +27 11 797 4480
Shirley Machaba, Director, Tel: +27 12 429 0037
Rob Newsome, Director, Tel: +27 11 797 5560
Shirley-Ann Bauristhene, Director, Tel: +27 31 271 2007
Steve Roberts, Director, Tel: +27 21 529 2009
Jacques Eybers, Director, Tel: +27 43 707 9600
Connie Hertzog, Director, Tel: +27 51 503 4100
Glory Khumalo, Director, Tel: +27 15 291 0100
8. Governing stakeholder relationships
Overview
The stakeholder-inclusive approach to corporate governance is not a new concept in the King reports and effective stakeholder engagement is recognised as essential to good corporate governance. The days when boards could merely pay lip service to concerns such as corporate responsibility, ethical business practices and sustainability are over.
Stakeholder relationships provide a platform for the board to take into account the concerns and objectives of the company's stakeholders in its decision making, which is fundamental to the process of integrated reporting.
King III provides guidance and recommendations on how stakeholder relationships should be dealt with.
Governance element Principle/s Summary recommendation/s Difference to King II
Chapter 8. Governing stakeholder relationships
8.1. The board should appreciate that stakeholders' perceptions affect a company's reputation
8.1.1. The gap between stakeholder perceptions and the performance of the company should be managed and measured to enhance or protect the company's reputation
8.1.2. The company's reputation and its linkage with stakeholder relationships should be a regular board agenda item
8.1.3. The board should identify important stakeholder groupings
Similar to King II
8.2. The board should delegate to management to proactively deal with stakeholder relationships
8.2.1. Management should develop a strategy and formulate policies for the management of relationships with each stakeholder grouping
8.2.2. The board should consider whether it is appropriate to publish its stakeholder policies
8.2.3. The board should oversee the establishment of mechanisms and processes that support stakeholders in constructive engagement with the company
8.2.4. The board should encourage shareholders to attend AGMs
8.2.5. The board should consider not only formal, but also informal, processes for interaction with the company's stakeholders
8.2.6. The board should disclose in its integrated report the nature of the company's dealings with stakeholders and the outcomes of these dealings
Similar to King II