kingiiiexecutive guide to

Upload: andy-wilby

Post on 04-Apr-2018


  • 7/31/2019 KINGIIIExecutive Guide To

    1/96

    Understanding and unlocking the benefits of sound corporate governance

    *connectedthinking

    Corporate governance

    Executive guide to King III

    King's Counsel*


    2 September 2009

    A code of principles can only ever be as good as one's ability to put it into practice. It is from this standpoint that PricewaterhouseCoopers is committed to engaging the recommendations of the King Report on Governance for South Africa 2009 and practically supporting our clients in implementing and applying them.

    This guide embodies our thought leadership on key elements of the Report at the time of publication and we envisage that it will be revised and updated as our thinking, knowledge and capabilities around corporate governance continue to advance.

    We trust that it will assist in providing practical advice and guidance to our clients and all business stakeholders in South Africa.

    Suresh Kana

    Chief Executive Officer

    PricewaterhouseCoopers Southern Africa


    Table of contents

    Introduction

    Chapters of the Code

    1. Ethical leadership and corporate citizenship

    2. Boards and directors

    3. Audit committees

    4. The governance of risk

    5. The governance of information technology

    6. Compliance with laws, rules, codes and standards

    7. Internal audit

    8. Governing stakeholder relationships

    9. Integrated reporting and disclosure

    Our view on specific issues raised in the Code

    10. Business rescue

    11. Alternative dispute resolution

    12. Internal financial control

    13. Solvency and liquidity tests

    14. Remuneration of directors and senior executives


    A note on terminology

    For the purposes of this guide:

    The third King Report on Governance for South Africa 2009 is referred to as 'the Report'.

    The provisions of the Report are based on principles enshrined in the Code of Governance Principles for South Africa 2009, referred to as 'the Code'.

    The Report and the Code are collectively referred to as 'King III'.

    The Companies Bill, 2008 (which constitutes a revision of the Companies Act, 1973) had not been enacted at the time of the release of King III. Nevertheless, it is referred to as 'the Act' both in King III and here.

    King III applies to all entities regardless of the manner and form of their incorporation or establishment. The use of the terms 'organisation', 'company' and 'business' should be interpreted accordingly.

    Although the terms 'company', 'boards' and 'directors' are used, King III refers to the functional responsibility of those charged with governance in any entity.


    Introduction

    The release of King III on 1 September 2009 represents a significant milestone in the evolution of corporate governance in South Africa and brings with it significant opportunities for organisations that embrace its principles.

    At PricewaterhouseCoopers (PwC), we believe that free enterprise prospers in an environment of good and balanced corporate governance. While we understand that achieving good governance is a complex task, we believe that sound governance practices offer numerous practical benefits and that organisations should integrate such practices into their operational processes.


    The need for King III

    King III became necessary because of the anticipated new Companies Act and changing trends in international governance. As with King I and King II, the King Committee endeavoured to be at the forefront of governance internationally and this has again been achieved by focusing on the importance of reporting annually on how a company has both positively and negatively affected the economic life of the community in which it operated during the year under review. In addition, emphasis has been placed on the requirement to report on how the company intends to enhance those positive aspects and eradicate or ameliorate any possible negative impacts on the economic life of the community in which it will operate in the year ahead.

    The benefits of self-regulation

    In addressing the link between governance principles and law, the introduction to the Report observes:

    'The ultimate compliance officer is the company's stakeholders who will let the board know by their continued support of the company if they accept the departure from a recommended practice and the reasons furnished for doing so.'

    It can be convincingly argued that self-regulation, in which an organisation voluntarily monitors its own adherence to legal and ethical standards, is far preferable to having an outside agency such as government monitor and enforce those standards. This approach allows organisations to maintain control over the standards to which they are held by successfully self-policing themselves. Apart from the bureaucratic burden that would be imposed by external enforcement, the cost of setting up such a mechanism is also avoided.

    Key principles of King III

    King III has broadened the scope of corporate governance in South Africa with its core philosophy revolving around leadership, sustainability and corporate citizenship.

    These key principles are given prominence:

    Good governance is essentially about effective leadership. Leaders need to define strategy, provide direction and establish the ethics and values that will influence and guide practices and behaviour with regard to sustainability performance.

    Sustainability is now the primary moral and economic imperative and it is one of the most important sources of both opportunities and risks for businesses. Nature, society, and business are interconnected in complex ways that need to be understood by decision makers. Incremental changes towards sustainability are not sufficient - we need a fundamental shift in the way companies and directors act and organise themselves.

    Innovation, fairness, and collaboration are key aspects of any transition to sustainability - innovation provides new ways of doing things, including profitable responses to sustainability. Fairness is vital because social injustice is unsustainable and collaboration is often a prerequisite for large-scale change.

    Social transformation and redress is important and needs to be integrated within the broader transition to sustainability. Integrating sustainability and social transformation in a strategic and coherent manner will give rise to greater opportunities, efficiencies, and benefits, for both the company and society.

    King II required companies to implement sustainability reporting as a core aspect of corporate governance. Since 2002, sustainability reporting has become a widely accepted practice and South Africa is an emerging market leader in the field. However, sustainability reporting is in need of renewal in order to respond to:

    The lingering trust deficit among civil society of the intentions and practices of big business

    Concerns among business decision makers that sustainability reporting is not fulfilling their expectations in a cost-effective manner.


    Governance framework

    King III has opted for an 'apply or explain' governance framework. Where the board believes it to be in the best interests of the company, it can adopt a practice different from that recommended in King III, but must explain it. Explaining the different practice adopted and an acceptable reason for it, results in consistency with King III principles.

    The framework recommended by King III is principles-based and there is no 'one size fits all' solution. Entities are encouraged to tailor the principles of the Code as appropriate to the size, nature and complexity of their organisation. This is good news for companies in South Africa as it avoids some of the pitfalls seen in the United States where a 'one size fits all' approach was initially adopted.

    Application of the Code

    In contrast to King I and King II, King III applies to all entities regardless of the manner and form of incorporation or establishment. Principles are drafted on the basis that, if they are adhered to, any entity would have practiced good governance.

    It is recommended that all entities disclose which principles and/or practices they have decided not to apply or explain. This level of disclosure will allow stakeholders to comment on and challenge the board to improve the level of governance within an organisation.

    'The philosophy of the Report revolves around leadership, sustainability and corporate citizenship'

    Mervyn King

    New requirements

    Some of the requirements introduced by King III include:

    The need for an annual integrated report that focuses on the impact of the organisation in the economic, environmental and social spheres

    A statement by the audit committee to the board and shareholders on the effectiveness of internal financial controls to be included in the integrated report

    The consideration of the strategic role of IT and its importance from a governance perspective

    The positioning of internal audit as a strategic function that conducts a risk-based internal audit and provides a written assessment of the company's system of internal control, including internal financial controls

    The governance of risk through formal risk management processes.

    Our involvement in the King Committee

    Suresh Kana, PwC's Chief Executive Officer, and Anton van Wyk, our Global Internal Audit Leader, served as members of the King Committee and also chaired the Accounting and Auditing and Internal Audit subcommittees respectively. As a result of our involvement, PricewaterhouseCoopers has deep insight into the recommendations of the King Committee and is well placed to offer practical guidance and encourage debate around implementation to enable the real benefits of good governance to be realised.

    Competitive advantage is increasingly being conferred on businesses that create and maintain a culture of integrity-driven performance. However, managing the shift to a higher level of principled business practice raises a number of new challenges. PricewaterhouseCoopers has made a considerable investment in compliance solutions on a global and local scale to help our clients meet these challenges. Our experience and know-how ensures that our investment can be practically applied for the benefit of our clients.


    1. Ethical leadership and corporate citizenship

    Overview

    Responsible corporate citizenship implies an ethical relationship between the company and the society in which it operates.

    The notion of corporate citizenship is not new, but King III gives it more credence and concrete expression than ever before, while continually highlighting the unbroken chain that links ethical leadership, company strategy and sustainability.


    Governance element | Principle/s | Summary recommendation/s | Difference to King II

    Chapter 1. Ethical leadership and corporate citizenship

    Leadership

    1.2. The board should ensure that the company is and is seen to be a responsible corporate citizen

    The board should:

    1.2.1. consider not only financial performance but also the impact of the company's operations on society and the environment

    1.2.2. protect, enhance and invest in the wellbeing of the economy, society and the environment

    1.2.3. ensure that the company's performance and interaction with its stakeholders is guided by the Constitution and the Bill of Rights

    1.2.4. ensure that collaborative efforts with stakeholders are embarked upon to promote ethical conduct and good corporate citizenship

    1.2.5. ensure that measurable corporate citizenship programmes are implemented

    1.2.6. ensure that management develops corporate citizenship policies

    Similar to King II


    Implications

    The leadership of an organisation, including its directors, boards and committees, will have to review the corporate values that drive their behaviour to ensure that they and the organisation reflect societal norms and accepted governance guidelines. To this end, leaders are expected to support and understand the full implications of the stakeholder inclusive model put forward in the previous King reports and again emphasised in King III.

    Leaders will also have to give due consideration to the full range of material economic, social and environmental dimensions and impacts that the company and its processes have on the community in which it operates, when developing corporate strategy.

    Expert opinion

    Entities cannot operate in a vacuum. A licence to operate afforded by a multitude of stakeholders is based on trust, integrity and a solid track record of taking into account a balanced approach to legitimate stakeholder issues.

    Corporate citizenship is an ethical concept, which finds expression in sustainable development across the economic, social and environmental aspects of the business.

    Key questions directors should be asking

    1. Corporate citizenship, sustainability and stakeholder inclusivity requires judgement, balance and compromise. Does the board have the right composition, skills and reliable data to make these types of judgement calls?

    2. Have we assessed the moral and economic imperatives of corporate citizenship? Have we taken this into account when reviewing our corporate strategy?

    3. Citizenship and sustainability risks may be obscure or indirect. How do we identify and manage these risks as well as opportunities?

    4. Do we have policies in place that will guide every level of the business in terms of expected behaviours and practices and with reference to our interaction with all material stakeholders?

    5. Do we measure the impact or lack thereof, of our corporate citizenship initiatives?

    How we can help you

    Successful businesses are sustainable businesses. As a cornerstone of sustainability, sound ethics and leadership are increasingly proving their worth as drivers of competitive advantage. We offer a range of services to assist organisations to achieve their corporate objectives:

    Review of corporate values

    Development of values, business principles and key performance indicators

    Sustainable development strategy formulation

    Development of codes and policies in support of ethics, corporate citizenship and sustainability

    Board evaluation to assess composition, skills and other key criteria

    Socioeconomic impact assessments.

    Contacts

    Alison Ramsden
    Director
    Tel: +27 11 797 4658
    E-mail: [email protected]

    Alan Witherden
    Senior Manager
    Tel: +27 11 797 5590
    E-mail: [email protected]

    Yvette Lange
    Manager
    Tel: +27 11 797 4430
    E-mail: [email protected]


    2. Boards and directors

    Overview

    Boards and directors, acting in the best interests of the company, form the focal point of corporate governance with responsibilities extending to shareholders and other stakeholders: 'Companies should be headed by a board that should direct, govern and be in effective control of the company.'

    The chapter discusses key governance responsibilities that directors are expected to consider, including:

    The role and function of the board and its committees

    The composition and performance evaluation of the board and its committees

    The board appointment process

    Director development

    Remuneration of directors, senior executives, group boards and company secretaries.


    Governance element | Principle/s | Summary recommendation/s | Difference to King II

    Chapter 2. Boards and directors

    Role and function of the board

    2.1. The board should act as the focal point for and custodian of corporate governance

    The board is responsible for ensuring the continued success of the company and is guided by its charter. It is the link between management and stakeholders and should meet at least four times per year.

    Similar to King II

    2.2. The board should appreciate that strategy, risk, performance and sustainability are inseparable

    The board should inform and approve the company's strategy and satisfy itself that business plans are not encumbered by unexamined risks. In doing so it identifies key performance and risk areas. The board also ensures that the strategy will result in sustainable outcomes and considers sustainability to be a business opportunity.

    Greater emphasis on opportunity as opposed to only risk.

    2.3. The board should provide effective leadership based on an ethical foundation

    Explained in chapter 1

    Refer to chapter 1

    2.4. The board should ensure that the company is and is seen to be a responsible corporate citizen

    Explained in chapter 1

    Refer to chapter 1

    2.5. The board should ensure that the company's ethics are managed effectively

    Explained in chapter 1

    Refer to chapter 1


    2.6. The board should ensure that the company has an effective and independent audit committee

    Explained in chapter 3

    Refer to chapter 3

    2.7. The board should be responsible for the governance of risk

    Explained in chapter 4

    Refer to chapter 4

    2.8. The board should be responsible for information technology (IT) governance

    Explained in chapter 5

    Refer to chapter 5

    2.9. The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards

    Explained in chapter 6

    Refer to chapter 6

    2.10. The board should ensure that there is an effective risk-based internal audit

    Explained in chapter 7

    Refer to chapter 7

    2.11. The board should appreciate that stakeholders' perceptions affect the company's reputation

    Explained in chapter 8

    Refer to chapter 8

    2.12. The board should ensure the integrity of the company's integrated report

    Explained in chapter 9

    Refer to chapter 9

    2.13. The board should report on the effectiveness of the company's system of internal controls

    Explained in section on internal financial controls

    Refer to section on internal financial controls


    2.14. The board and its directors should act in the best interests of the company

    Directors act in the best interests of the company by, amongst other actions, disclosing conflicts where they exist, dealing in securities only as allowed by internal policies and by adhering to legal standards of conduct. Where required, they should be permitted to take independent advice.

    Similar to King II

    2.15. The board should consider business rescue proceedings or other turnaround mechanisms as soon as the company is financially distressed as defined in the Act

    Explained in chapter 10

    Refer to chapter 10

    2.16. The board should elect a chairman of the board who is an independent non-executive director. The CEO of the company should not also fulfil the role of chairman of the board

    Where the guidelines in the principle are not applied, a lead independent director should be appointed and disclosure provided in the integrated report. The role of the chairman should be formalised and assessed annually and a succession plan put in place. The chairman should consider the number of chairmanships held.

    King II did not contain a requirement that the CEO should not become the chairman until three years has elapsed.

    Lead independent director concept already introduced in King II and refined in King III.


    2.17. The board should appoint the chief executive officer and establish a framework for the delegation of authority

    The board ensures that the role of the CEO is formalised and his performance evaluated against specified criteria. It also makes recommendations regarding senior management appointments and its own assessment of materiality for the company.

    Similar to King II

    2.18. The board should comprise a balance of power, with a majority of non-executive directors. The majority of non-executive directors should be independent

    The majority of non-executive directors should be independent, with independence assessed annually.

    As a minimum, the CEO and director responsible for finance should be appointed to the board. The section also deals with the re-appointment, rotation and removal of directors.

    King II did not contain a requirement that the CEO and directors responsible for finance be appointed to the board.

    2.19. Directors should be appointed through a formal process

    The director appointment process should be transparent and include background and reference checks. It is the responsibility of the nomination committee to identify suitable members.

    King II required the board to comprise a balance of executive and non-executive directors, preferably with a majority of non-executive directors of which sufficient should be independent of management.

    King II did not suggest that the memorandum of incorporation of the company should allow the board to remove any director from the board, including executives, without shareholder approval.


    2.20. The induction of and ongoing training and development of directors should be conducted through formal processes

    New and inexperienced directors should be suitably trained through formal induction and mentorship programmes. Directors should be kept up to date through regular briefings and continuing professional development programmes.

    Similar to King II

    2.21. The board should be assisted by a competent, suitably qualified and experienced company secretary

    The board appoints and removes the company secretary. The requirements of the Companies Act in relation to the company secretary apply to listed and state-owned companies. King III further elaborates on the duties of the company secretary.

    King II did not contain the same level of detail regarding the responsibility of the company secretary.

    2.22. The evaluation of the board, its committees and the individual directors should be performed every year

    Annual evaluations of the board, its committees and directors (including evaluations of the chairman, CEO and other executive directors) should be performed by the chairman or an independent service provider. The overview of the process should be disclosed in the integrated report. The performance evaluation of directors assists in identifying their training needs and should be a requisite before reappointment.

    King III requires the board to consider whether the evaluation of performance should be done by the chairman or independently by professional service providers.


    2.23. The board should delegate certain functions to well-structured committees but without abdicating its own responsibilities

    Committees should be appropriately constituted and should formulate terms of reference that are reviewed annually. The need for audit, risk, nomination and remuneration committees is also discussed. Committees (with the exception of the risk committee) should comprise a majority of non-executive directors of which the majority should be independent.

    King II required that, at a minimum, companies have an audit and remuneration committee.

    2.24. A governance framework should be agreed between the group and its subsidiary boards

    Governance matters related to listed subsidiaries, the nomination of directors to the boards of subsidiaries and the disclosures coupled thereto required in the integrated report, are discussed.

    King II did not address interaction with subsidiaries.

    2.25. Companies should remunerate directors and executives fairly and responsibly

    Refer to section on remuneration

    Refer to section on remuneration

    2.26. Companies should disclose the remuneration of each individual director and certain senior executives

    Refer to the section on remuneration

    Refer to section on remuneration

    2.27. Shareholders should approve the company's remuneration policy

    Refer to the section on remuneration

    Refer to section on remuneration


    Implications

    The board and its committees must have clear terms of reference in place. These need to be reviewed annually to ensure that there are no gaps or overlaps.

    The composition of the board and its committees will need to be reassessed to cover both financial and sustainability roles and responsibilities.

    Performance evaluations of executive and non-executive directors are key, not only to assess efficiency and competence, but also to appraise reappointment and training needs.

    A formal process for the appointment of directors must be in place and this should be disclosed in the integrated report.

    Obtaining sufficiently skilled directors who are non-executive and independent as suggested by King III will require careful recruitment.

    Expert opinion

    The role of the board as the focal point of governance is vital to the success of any organisation. As a result, the board must have the appropriate balance of skills and experience within its ranks to fulfil its mandate. The composition and performance of the board and its committees are key factors that will determine the success of the organisation.

    In order to maximise the benefit that the company obtains from the board, regular performance evaluations need to be conducted and areas of improvement identified. This is essential not only to improve the efficiency and effectiveness of the board, but also to develop individual directors to enable them to better add value.

    The principle that governance, strategy and sustainability are inseparable is one of the fundamental tenets of King III. The interplay between these elements and the manner in which the company incorporates them into its processes will be keenly watched.

    Key questions directors should be asking

    1. Do we have the right people in place to lead and manage all aspects of our business?

    2. Is the board sufficiently independent of management?

    3. Do we need to get external expert advice?

    4. Will we get greater value from board and committee evaluations if we employ an independent service provider?

    5. Are we comfortable that we have satisfied our overarching responsibilities adequately where we have delegated functions to subcommittees?

    6. Are we spending our time efficiently in meetings and dealing only with material issues?

    7. Is there a need to revise our board and committee charters?

    8. In which committee should we deal with sustainability issues?

    9. Are the current roles and structures of our subsidiary boards adding value?

    10. How do we incorporate strategy, risk, performance and sustainability into our decision making philosophy?


    How we can help you

    The Sustainable Business Solutions group within PwC offers a range of integrated solutions to assist boards and directors to meet the demands and expectations of their stakeholders. Tailored and relevant to your needs, these embrace:

    Independent, comprehensive board and committee evaluations

    Thorough independent individual evaluations of office bearers including directors, CEOs, CFOs, chairmen and company secretaries

    Review and development of board and committee documentation

    Review and development of board and committee systems and processes

    Governance and director training.

    Contacts

    Alison Ramsden
    Director
    Tel: +27 11 797 4658
    E-mail: [email protected]

    Alan Witherden
    Senior Manager
    Tel: +27 11 797 5590
    E-mail: [email protected]

    Yvette Lange
    Manager
    Tel: +27 11 797 4430
    E-mail: [email protected]

    Shirley-Ann Bauristhene
    Director
    Tel: +27 31 271 2007
    E-mail: [email protected]


    3. Audit committees

    Overview

    An independent audit committee fulfils a vital role in corporate governance. The audit committee is vital to, among other things, ensure the integrity of integrated reporting and internal financial controls and identify and manage financial risks.

    In order to carry out their mandate to the full extent, audit committees should be suitably skilled and qualified to deal with their responsibilities of overseeing integrated reporting and co-ordinating the activities of the various assurance providers.


    Governance element | Principle/s | Summary recommendation/s | Difference to King II

    Chapter 3. Audit committees

    3.1. The board should ensure that the company has an effective and independent audit committee

    While listed and state-owned companies are required by law to establish audit committees, all other companies should also establish this committee and define its composition, purpose and duties in the memorandum of incorporation. The terms of reference of the committee should be approved by the board.

    The audit committee should meet as often as is necessary, but at least twice a year, and meet with internal and external auditors at least once a year without management being present.

    King II required affected companies to establish audit committees.

    King II did not address the frequency of meetings nor discussions with internal audit without management being present.


    Principle: 3.2. Audit committee members should be suitably skilled and experienced independent non-executive directors

    Summary recommendation/s: The audit committee should consist of at least three members, all of whom should be independent non-executive directors. It should not be chaired by, nor have as a member, the chairman of the board. The committee as a whole should have sufficient qualifications and experience to fulfil its duties, with members keeping up-to-date with developments. An agreed process should be in place to allow the committee to consult with specialists. Should vacancies arise, these should be filled by the board.

    Difference to King II: King II did not address the minimum number of members required for the audit committee and required that only the majority of members should be independent non-executive directors.

    Audit committees at subsidiary level were not addressed in King II.

    King III specifies minimum areas over which audit committees should have sufficient expertise, while King II only required the majority of members to be financially literate.

    Principle: 3.3. The audit committee should be chaired by an independent non-executive director

    Summary recommendation/s: The board should elect the chairman of the audit committee. The chairman of the audit committee should participate in and agree the agenda of the committee and should be present at the AGM.

    Difference to King II: King II required the audit committee to elect the chairman of the audit committee.


    Principle: 3.4. The audit committee should oversee integrated reporting

    Summary recommendation/s: The audit committee should review the financial statements included in the integrated report and should have regard to all factors and risks that may impact on the integrity of the integrated report. It should also review the disclosure of sustainability issues in the integrated report to ensure that it does not conflict with the financial information. Where there are material sustainability issues, it should recommend to the board whether to engage an external assurance provider.

    The audit committee should consider the need for summarised information and engage external auditors to provide assurance on the summarised results.

    Difference to King II: King II did not discuss the audit committee's responsibility for sustainability in the detail that King III does.

    King II did not address summarised sustainability information.

    Principle: 3.5. The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities

    Summary recommendation/s: The audit committee should monitor the relationship between the external assurance providers and the company and should ensure that combined assurance is given to address all the significant risks facing the company.

    Difference to King II: Combined assurance was not discussed in King II in the level of detail contained in King III.

    Principle: 3.6. The audit committee should satisfy itself of the expertise, resources and experience of the company's finance function

    Summary recommendation/s: The review of the finance function should be performed annually and the results thereof disclosed in the integrated report.

    Difference to King II: King II did not require a review of the finance function.


    Principle: 3.7. The audit committee should be responsible for overseeing of internal audit

    Summary recommendation/s: The audit committee should be responsible for the performance management of the chief audit officer, approve the internal audit plan and ensure the internal audit function is subject to an independent quality review as and when the committee deems appropriate.

    Difference to King II: King III did not address an independent quality review of the internal audit function.

    Principle: 3.8. The audit committee should be an integral component of the risk management process

    Summary recommendation/s: Guided by its charter, which should set out its responsibilities regarding risk management, the audit committee should specifically have oversight of financial reporting risks and internal financial controls as well as fraud and IT risks as they relate to financial reporting.

    Difference to King II: Responsibilities defined in the new Companies Act have been incorporated into King III.

    King II did not specifically assign oversight of IT risk as it relates to financial reporting to the audit committee.


    Principle: 3.9. The audit committee is responsible for recommending the appointment of the external auditor and overseeing the external audit process

    Summary recommendation/s: The audit committee:

    3.9.1. must nominate the external auditor for appointment

    3.9.2. must approve the terms of engagement and remuneration for the external audit engagement

    3.9.3. must monitor and report on the independence of the external auditor

    3.9.4. must define a policy for non-audit services provided by the external auditor and must approve the contracts for non-audit services

    3.9.5. should be informed of any Reportable Irregularities identified and reported by the external auditor

    3.9.6. should review the quality and effectiveness of the external audit process.

    Difference to King II: King II did not address reportable irregularities.


    Principle: 3.10. The audit committee should report to the board and shareholders on how it has discharged its duties

    Summary recommendation/s: The audit committee should report internally to the board on its statutory duties and duties assigned to it by the board.

    The audit committee must report to the shareholders on its compliance with its statutory duties, the independence of the external auditor; its view on the financial statements and the accounting practices; and whether the internal financial controls are effective.

    It should also recommend the integrated report for approval by the board and provide details of its role, composition, number of meetings and activities.

    Difference to King II: King II did not contain reporting responsibilities to shareholders for the audit committee.

    King II did not assign responsibility for recommending sustainability reporting for approval by the board to the audit committee.


    Implications

    The board and management of any company, regardless of size, should be fully committed to the goal of supporting and maintaining an effective audit committee:

    - Responsibility of the audit committee has been extended beyond financial reporting to include sustainability reporting
    - The constitution, size and sufficiency and appropriateness of the skills set of the audit committee may need to be reconsidered by the board
    - An assessment of in-house skills and the qualifications/track record of external assurance providers should be performed
    - Audit committees are to coordinate the utilisation of appropriate assurance providers in the assurance model to provide assurance on the identified risks
    - Increased time and resource commitments are needed for audit committees, management and internal audit to adequately review internal financial controls.

    Expert opinion

    The need for summarised information, the assessment of internal financial controls and effectiveness and the assessment of the integrated report will all be areas where the audit committee will be required to apply its mind in arriving at the most efficient and effective governance solution. This will be unique to every company and audit committees will need to ensure that they have the appropriate blend of skills and experience in order to discharge their responsibilities.

    The audit committee takes primary responsibility for and has the ultimate decision-making ability regarding its statutory responsibilities in terms of the Companies Act. This may result in conflicts with the board should differences of opinion arise regarding these matters. The board should devise a mechanism for resolving such differences of opinion.

    Key questions directors should be asking

    1. Does the audit committee have the appropriate blend of skills to discharge its responsibilities, specifically the skills required to oversee integrated reporting?
    2. Has a process been approved by the board to allow the audit committee to consult with specialists or consultants to assist the audit committee with the performance of its functions?
    3. Is there effective communication and coordination of the board's oversight activities to ensure that the audit committee is informed of all significant actual or potential financial and non-financial risks?
    4. Does the internal audit function have appropriate skills and resources to deliver on expectations regarding the review of internal financial controls?
    5. Does a mechanism exist for resolving differences of opinion between the audit committee and the board regarding the audit committee's statutory responsibilities should such differences arise?


    How we can help you

    A primary function of the audit committee will be to oversee the integrity of the organisation's integrated report and to assess its continuing ability to operate as a going concern, assumptions and conclusions relating to which should be formally recorded. It should also ensure that there is sufficient cooperation between the organisation's various assurance providers, including the external auditor, the internal audit function, the risk officer and compliance officer. The internal audit function should annually review the organisation's internal control system and should specifically report its findings on internal financial controls to the audit committee. It should place particular emphasis on internal financial control and the effect that information technology has on processes and internal controls. The audit committee should ensure that all pertinent risks are covered by audit activities and, specifically, should monitor the effectiveness of the internal audit function. PwC has specialists in all these areas and we offer specific expertise in:

    - External audit
    - Internal audit
    - Risk management
    - Internal financial control
    - Forensics
    - Embedded compliance
    - Audit committee structures and charters.

    Contacts

    Anton van Wyk, Director, Tel: +27 11 797 5338, E-mail: [email protected]

    Rob Newsome, Director, Tel: +27 11 797 5560, E-mail: [email protected]

    Alison Ramsden, Director, Tel: +27 11 797 4658, E-mail: [email protected]

    Zubair Wadee, Director, Tel: +27 11 797 5875, E-mail: [email protected]

    Nicholas Ganz, Director, Tel: +27 11 797 5568, E-mail: [email protected]

    Shirley-Ann Bauristhene, Director, Tel: +27 31 271 2007, E-mail: [email protected]

    Annerie Pretorius, Associate Director, Tel: +27 11 797 4199, E-mail: [email protected]

    Rob Louw, Senior Manager, Tel: +27 11 797 4657, E-mail: [email protected]


    4. The governance of risk

    Overview

    The essential focus of the Code is that the board should exercise leadership to prevent risk management from becoming a series of activities that are detached from the realities of the company's business. In this context, risk is positioned as a cornerstone of corporate governance and risk governance is substantially different to the requirement to implement risk management. Greater emphasis is placed on the board to ensure that it is satisfied with the management of risk.


    Governance element | Principle/s | Summary recommendation/s | Difference to King II

    Chapter 4. The governance of risk

    Governance element: The board's responsibility for risk governance

    Principle: 4.1. The board should be responsible for the governance of risk

    Summary recommendation/s: This responsibility must be demonstrated.

    Difference to King II: No difference

    Principle: 4.2. The board should determine the levels of risk tolerance

    Summary recommendation/s: The board should understand the risk levels that it has the ability to tolerate versus the risk that it is willing to take (risk appetite).

    Difference to King II: No requirement to articulate risk appetite/tolerance

    Principle: 4.3. The risk committee or audit committee should assist the board in carrying out its risk responsibilities

    Summary recommendation/s: The board can delegate the responsibility to a committee of the board.

    Difference to King II: No difference

    Governance element: Management's responsibility for risk management

    Principle: 4.4. The board should delegate to management the responsibility to design, implement and monitor the risk management plan

    Summary recommendation/s: The risk management plan requires specific activities to be completed.

    Difference to King II: No requirement in respect of a risk management plan

    Governance element: Risk assessment

    Principle: 4.5. The board should ensure that risk assessments are performed on a continual basis

    Summary recommendation/s: The board should ensure that risk assessments are performed on a continuous basis (minimum annually) using a top-down approach.

    Difference to King II: Minimum of annual assessment

    Principle: 4.6. The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks

    Summary recommendation/s: Risks should be prioritised and ranked to focus the responses and interventions on those risks outside the board's risk tolerance limits.

    Difference to King II: No explicit requirement on the adoption of frameworks and methodologies

    Governance element: Risk response

    Principle: 4.7. The board should ensure that management considers and implements appropriate risk responses

    Summary recommendation/s: Annual risk management plan approval, implementation and monitoring.

    Difference to King II: No requirement in respect of a risk management plan


    Governance element: Risk monitoring

    Principle: 4.8. The board should ensure continuous risk monitoring by management

    Summary recommendation/s: Annual risk management plan approval, implementation and monitoring.

    Difference to King II: No requirement in respect of a risk management plan

    Governance element: Risk assurance

    Principle: 4.9. The board should receive assurance regarding the effectiveness of the risk management process

    Summary recommendation/s: Combined assurance requires active consideration of the assurance the board receives on the risks to which the organisation is exposed.

    Difference to King II: No requirement

    Governance element: Risk disclosure

    Principle: 4.10. The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders

    Summary recommendation/s: The board should disclose how it has satisfied itself that risk assessments, responses and interventions are effective as well as any undue, unexpected or unusual risks and any material losses.

    Difference to King II: Disclosure only on how risk management is applied


    Implications

    The requirement to disclose how the board has satisfied itself that risk assessments, responses and interventions are effective will need to be effectively evidenced. Due care and diligence will need to be exercised and disclosed.

    This due care and diligence is achieved through:

    - The structures of governance (risk/audit committee)
    - Adoption and implementation of an annual risk management plan
    - Effective risk management practices through the application of recognised frameworks, methodologies, continuous assessments and monitoring
    - Applying risk considerations into the decision-making frameworks (appetite and tolerance) and on specific decisions
    - Ensuring that the board receives adequate assurance on the effectiveness of the risk management process and on the management of specific risks
    - Disclosing how the board is satisfied with the effectiveness of risk management.

    Expert opinion

    Corporate governance requires active consideration of risk management. This should be the last reason for applying risk management into a business or organisation. The future is uncertain and risk management deals explicitly with uncertainty. Effective risk management is a fundamental requirement for businesses and organisations to succeed and survive.

    There are now a significant number of authoritative globally relevant guidelines (e.g. ISO 31000, COSO and rating agency ERM criteria) on how effective risk management can be applied. While King III sets out the principles, the challenge is to make the principles real and practical through reference to these global guidelines.

    Combined assurance should be based on identified risks and how assurance is achieved and reported to the board. This will be one of the biggest challenges facing businesses and organisations in adopting King III. However, it offers tangible benefits that extend well beyond proving compliance, including:

    - Coordinated and relevant assurance efforts focussing on key risk exposures
    - Minimised business/operational disruptions
    - Comprehensive and prioritised tracking of remedial action on identified improvement opportunities/weaknesses
    - Improved reporting to the board and committees, including reducing the repetition of reports being reviewed by the different committees
    - Possible reduced assurance costs.

    Key questions directors should be asking

    1. Do we understand how risk appetite and tolerance is applied in our organisation?
    2. How do we know that the biggest risk exposures to our organisation are being adequately managed?
    3. When last did we participate in a risk assessment activity?
    4. How often have we considered the same risk-related issue in the various management and governance meetings?
    5. Is ICT risk actively considered in our risk management process?
    6. Do we specifically consider compliance risk and, if so, how satisfied are we that it is effectively covered?
    7. Are risks prioritised and ranked to focus the responses and interventions on those risks outside the board's risk tolerance limits?


    8. Do we have an approved annual risk management plan?
    9. Who assures non-financial risks, such as plant availability, staff capacity and competency, the impact of legislative changes on the business/organisation etc? And to which management or board committee is the assurance provided? Are we satisfied that this assurance is reliable?
    10. Do we have a fraud risk plan to consider our fraud exposure and prevention?
    11. Does our disclosure on the effectiveness of risk management reflect the actual position of our business/organisation?

    How we can help you

    PricewaterhouseCoopers has invested substantially in risk management solutions both locally and globally. Our experience and hands-on expertise ensure that this investment can be practically applied for our clients' benefit and in a number of ways:

    - Advising on risk governance and risk management plans
    - Articulating risk appetite and tolerance
    - Linking performance and risk management
    - Developing effective risk management frameworks and methodologies
    - Facilitating risk assessments
    - Benchmarking risk and risk mitigation activities
    - Addressing ICT risk management
    - Advising and providing solutions on compliance risk
    - Assisting in embedding risk management
    - Assessing the effectiveness of risk management
    - Assessing current assurance providers' existence and effectiveness
    - Developing a combined assurance profile and risk governance reporting framework
    - Creating a fraud risk response plan together with management.

    Contacts

    Rob Newsome, Director, Tel: +27 11 797 5560, E-mail: [email protected]

    Peter Goss, Director, Tel: +27 12 429 0331, E-mail: [email protected]

    Naeem Laher, Director, Tel: +27 11 797 4048, E-mail: [email protected]

    Dalene Rohde, Associate Director, Tel: +27 12 429 0066, E-mail: [email protected]

    Steve Roberts, Director, Tel: +27 21 529 2009, E-mail: [email protected]

    Shirley-Ann Bauristhene, Director, Tel: +27 31 271 2007, E-mail: [email protected]


    5. The governance of information technology

    Overview

    King III recognises that information technology (IT) has become an integral part of doing business today, as it is fundamental to the support, sustainability and growth of organisations. IT cuts across all aspects, components and processes in business and is therefore not only an operational enabler for a company, but an important strategic asset which can be leveraged to create opportunities and to gain competitive advantage.

    As well as being a strategic asset to the company, IT also presents organisations with significant risks. The strategic asset of IT and its related risks and constraints should be well governed and controlled to ensure that IT supports the strategic objectives of the organisation.

    King III stipulates that in exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken with respect to IT governance.


    Governance element | Principle/s | Summary recommendation/s | Difference to King II

    Chapter 5. The governance of information technology

    Principle: 5.1. The board should be responsible for information technology (IT) governance

    Summary recommendation/s: IT has an important role to play in many organisations and should be directed and controlled effectively by the board through the establishment of an IT governance framework.

    The IT governance framework supports effective and efficient management and decision making around the utilisation of IT resources to facilitate the achievement of the company's objectives and the management of IT-related risk. It includes a charter, policies, decision-making structures, accountability framework, IT reporting and an IT internal control framework.

    Difference to King II: Was not part of King II

    Principle: 5.2. IT should be aligned with the performance and sustainability objectives of the company

    Summary recommendation/s: IT should be exploited in a way that most effectively supports and enables the business strategy, delivers value and improves performance. The board should ensure that the IT strategy is integrated into the company's strategic and business processes and that IT adds value.

    Difference to King II: Was not part of King II


    Principle: 5.3. The board should delegate to management the responsibility for the implementation of an IT governance framework

    Summary recommendation/s: Responsibility for the implementation of IT governance should be assigned to the CIO, as appointed by the CEO.

    The CIO should act as an intermediary between the board and management on IT-related issues and should be the bridge between IT and business. IT should report to the board on the performance of the IT function.

    Difference to King II: Was not part of King II

    Principle: 5.4. The board should monitor and evaluate significant IT investments and expenditure

    Summary recommendation/s: Value delivery and return on investment of IT should be monitored by the board.

    The board should ensure that the information and intellectual property contained in the information systems are protected.

    The board should require independent assurance over IT governance controls supporting outsourced IT services.

    The board is responsible for ensuring good governance principles are in place for the acquisition and disposal of IT goods and services.

    IT management should ensure good project management principles are applied.

    Difference to King II: Was not part of King II


    Principle: 5.5. IT should form an integral part of the company's risk management

    Summary recommendation/s: The board should ensure that IT risk is considered as part of the company's risk management activities.

    IT risk management should include disaster recovery planning, IT legal risks, compliance to laws, rules, codes and standards.

    The board should evaluate how IT can be used to aid the company in managing its risk and compliance requirements.

    Difference to King II: Was not part of King II

    Principle: 5.6. The board should ensure that information assets are managed effectively

    Summary recommendation/s: The board should ensure that processes have been established to ensure a formal information security management system is in place to ensure:

    - The confidentiality, integrity and availability of information
    - That company information is adequately protected
    - That personal and sensitive information has been identified and is protected according to relevant laws and regulations.

    Difference to King II: Was not part of King II


    Principle: 5.7. A risk committee and audit committee should assist the board in carrying out its IT responsibilities

    Summary recommendation/s: The risk committee should measure and understand the company's overall exposure to IT risks and ensure proper processes are in place to manage these.

    IT as it relates to financial reporting and the status of the company as a going concern should be the responsibility of the audit committee.

    Difference to King II: Was not part of King II


    Implications

    The requirement to disclose how the board has satisfied itself that IT governance is effective will need to be positively evidenced. Due care and diligence will need to be exercised and disclosed.

    This due care and diligence is achieved through:

    - An IT governance framework, which includes:
      - Decision structures for IT decisions
      - Accountability structures for IT
      - IT governance processes
      - IT reporting structures
      - IT policies and standards
      - IT compliance
      - IT controls and risk mitigation
      - Information security management practices
      - Business and disaster recovery
      - Information technology strategy as part of the strategic business planning process
      - Project management practices
      - IT benefits realisation processes
      - IT value and performance measurement processes
      - IT acquisition and disposal processes
      - IT strategy
    - Understanding the current state of IT governance and determining improvements required in an IT governance plan
    - Effective IT governance practices through the application of recognised frameworks, methodologies, continuous assessments and monitoring
    - Reporting on the state and initiatives of IT governance and IT in general to the board
    - Ensuring that the board receives adequate assurance on the efficiency and effectiveness of the IT and IT governance processes and on the management of specific IT-related issues
    - Disclosing how satisfied the board is with the effectiveness of IT governance.

    Expert opinion

    Corporate governance now requires active consideration of IT governance. Due to the critical nature of IT in enabling business processes, and the intellectual property and other information resources that are exposed through technology channels, IT governance is an essential component in ensuring the efficient and secure operation of the business.

    While King III sets out principles, the challenge is to implement them in a practical way. A combination of the most relevant best practices can be utilised to achieve this and a significant number of authoritative and globally relevant guidelines is already available.

    Any well-run and formalised IT environment should already have such practices in place. The task will now be to report on these and make them understandable to the board.

    It is recommended that organisations start by performing a current state assessment against King III and determining areas for improvement. This should be translated into an improvement programme, which should be presented and approved by the board. Subsequent progress against it should be on the board's agenda, in addition to reporting on the general state of IT and IT governance.

    While King III may appear daunting to some, it offers tangible benefits that extend well beyond proving compliance. These include:

    - Clarified decision-making and accountability
    - Improved understanding of overall IT costs and their input to ROI cases
    - Improved risk management, security, efficiency and effectiveness of IT and making this visible (i.e. IT will deliver value)


    - Enhancement and protection of reputation and image
    - Positioning of IT as a business partner and clarifying IT's role in the business
    - Improved and more professional relationships with key IT partners (vendors and suppliers)
    - Improved responsiveness to market challenges and opportunities
    - Clear identification of whether an IT service or project supports business as usual or is intended to provide future added value
    - A focus on performance improvement that will lead to the attainment of best practices
    - Avoidance of unnecessary expenditure as spending can be demonstrably matched to business goals
    - Enabling an integrated approach to meeting external legal and regulatory requirements.

    Key questions directors should be asking

    1. Do we understand how IT decisions are taken and who is accountable?
    2. Do we have an IT governance framework in place which defines and supports decision models, governance structures, accountability and governance processes?
    3. Is IT involved in strategic business decisions and planning?
    4. Is the investment in IT understood?
    5. Is our intellectual property, company and client information properly protected?
    6. How do we ensure compliance of IT with laws, rules, codes, standards and regulations?
    7. How is the value delivered by IT measured?
    8. Is the approach towards IT risks facing the organisation clear? (Risk avoidance vs. risk taking)
    9. Is the board regularly briefed on IT risks to which the enterprise is exposed?
    10. Is IT a regular item on the agenda of the board and is it addressed in a structured manner?
    11. Does the board have a clear view on the major IT investments from a risk and return perspective?
    12. Does the board obtain regular progress reports on major IT projects?
    13. Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks?

    How we can help you

    PwC has invested substantially in IT governance solutions both locally and globally. Our methodologies, experience and hands-on expertise ensure that we can accelerate and reduce the cost of your King III IT governance programme.

    PwC can support you by:

    Providing an assessment of your current IT governance arrangements against King III and other best practices such as ITIL, CobiT, ISO 38500, ISO 17799, Val IT

    Supporting you in determining the King III principles to apply within your organisation

    Developing an IT governance implementation programme aligned to King III requirements and implementing the required IT governance improvements

    Supporting the implementation of improvements in IT governance by utilising PwC's proprietary ICT governance framework and methodologies.

    Contacts

    Angeli Hoekstra, Director
    Tel: +27 11 797 4162
    E-mail: [email protected]

    Binesh Rajkaran, Director
    Tel: +27 31 271 2016
    E-mail: [email protected]

    Rudolph Laubscher, Associate Director
    Tel: +27 51 503 4100
    E-mail: [email protected]

    Francois le Roux, Senior Manager
    Tel: +27 21 529 2014
    E-mail: [email protected]

    Chris Knox, Assistant Manager
    Tel: +27 43 707 9600
    E-mail: [email protected]

    6. Compliance with laws, rules, codes and standards

    Overview

    Companies must comply with all applicable laws. Laws should be understood not only in terms of the obligations that they create, but also for the rights and protection that they afford. The board is responsible for the company's compliance with applicable laws and with those non-binding rules, codes and standards with which the company has elected to comply. One of the most important responsibilities of the board is to monitor the company's compliance with all applicable laws, rules, codes and standards.

    Chapter 6. Compliance with laws, rules, codes and standards

    Principle: 6.1. The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards
    Summary recommendation/s: A strongly linked ethical responsibility that must be demonstrated and disclosed including the extent of adoption of non-binding rules and standards.
    Difference to King II: The board is now to ensure legal and regulatory compliance as part of its risk management and internal control activities.

    Principle: 6.2. The board and each individual director should have a working understanding of the effect of the applicable laws, rules, codes and standards on the company and its business
    Summary recommendation/s: The board must ensure that the applicable laws (and changes thereto) are identified and understood.
    Difference to King II: As above

    Principle: 6.3. Compliance should form an integral part of the company's risk management process
    Summary recommendation/s: A systematic risk management approach to compliance is recommended, understanding that compliance is compulsory.
    Difference to King II: As above

    Principle: 6.4. The board should delegate to management the implementation of an effective compliance framework and processes
    Summary recommendation/s:
      A legal compliance policy should be established and monitored.
      Compliance should be achieved through integration with business/organisational processes, ethics and culture.
      Disclosure is required as to how effectively compliance has been achieved and of significant fines and penalties paid.
      A delegated compliance function/officer is recommended.
    Difference to King II: As above

    Implications

    The compliance with laws, rules, codes and standards has always been an explicit statutory/legal requirement. King III now provides recommended principles and practices to adopt to ensure that compliance is achieved.

    Compliance can be achieved by:

    Identifying the laws and regulatory obligations that are applicable, including the non-binding rules and standards to which an entity/organisation wishes to comply

    Ensuring that the board and board members understand the requirements and are updated on the changes. This can be part of the board's continuing education programme

    Implementing a comprehensive compliance policy and regularly monitoring compliance to the policy through the governance structures and inclusion on the board agenda

    Managing compliance risk through the risk management process adopted

    Embedding compliance in the operations and process, ethical conduct and culture of the business/organisation

    Appointing a compliance officer or establishing a compliance function to assist in the management of compliance

    Disclosing how effective compliance has been achieved and any significant fines and penalties paid.

    Expert opinion

    Legal and regulatory compliance is a statutory obligation and an accepted corporate governance requirement. King III has devoted a chapter to this to emphasise the importance of compliance and how, by applying the principles, the board can demonstrate that it has achieved effective compliance.

    The key aspects of King III are that it recommends proactive consideration of compliance, how the compliance risk is managed and how it is integrated into an organisation's operations. There are many organisations that only consider compliance when there is a breach with specific consequences such as fines paid for contraventions of the competition laws.

    Highly regulated organisations, such as banks, have very mature compliance approaches and have been proactively managing compliance for years.

    King III has raised the level of awareness of the importance of being able to demonstrate compliance. This can be achieved through:

    Regularly (annually) reviewing the compliance universe and determining which laws, regulations and non-binding rules and standards apply to the business/organisation

    Assessing the basis of how compliance is achieved to these laws and regulations

    Receiving assurance through the risk management and assurance processes that compliance is achieved

    Designing specific compliance activities to evidence the actions taken to ensure compliance, for example annual declarations, records of compliance-related training completed and monitoring of remedial action where compliance breakdowns have or could potentially occur

    Embedding compliance activities into the operational processes where applicable, for example controls required to be evidenced when opening an account in terms of the National Credit Act.

    Key questions directors should be asking

    1. What are the key statutory and regulatory obligations to which our organisation needs to comply?

    2. Are we in compliance with these requirements? If so, how have we received this assurance and are we satisfied that the assurance is credible?

    3. When last did we consider compliance at the board?

    4. Are we aware that many Acts, such as the National Credit Act, can impact our organisation even though we are not a financial institution?

    5. How are we apprised of changes in the legal and regulatory landscape?

    6. Do we have sufficient evidence to defend our organisation in court or to prove to a regulator that we have complied with a specific act?

    7. Does our disclosure on the effectiveness of compliance reflect the actual position in our business/organisation?

    How we can help you

    Regulatory compliance and reporting should be a natural extension of the governance duties shouldered by boards and directors. The exercise of good governance can ensure that compliance is aligned with the company's business objectives and risk management strategies. In this way compliance can add real value and not just be a cost to the organisation.

    PricewaterhouseCoopers has made a considerable investment in compliance solutions on a global and local scale. Our people can help you at the strategic level to maximise competitive advantage from regulation and at the operational level to minimise costs and disruptions to your business.

    Our range of compliance services includes:

    Advising on what laws and regulations are applicable

    Recommending approaches on how to achieve effective compliance

    Benchmarking the compliance responses to specific acts/regulations nationally and globally

    Developing specific compliance databases to evidence compliance

    Hosting of compliance databases through our Enterprise Compliance Portal (ECP); PwC uses this to manage its own global compliance

    Facilitating compliance risk assessments

    Assisting in embedding specific compliance requirements into the business and operational processes

    Assuring the effectiveness of compliance achieved

    Providing a gap analysis of compliance to specific laws and regulations.

    Contacts

    Rob Newsome, Director
    Tel: +27 11 797 5560
    E-mail: [email protected]

    Feroz Khan, Director
    Tel: +27 11 797 5480
    E-mail: [email protected]

    Hentus Honiball, Associate Director
    Tel: +27 11 797 4458
    E-mail: [email protected]

    7. Internal audit

    Overview

    King II effectively dispensed with the notion of compliance-based, cyclical auditing and embraced risk-based auditing. As this approach has matured over time, the imperative to appropriately position risk-based auditing is a central focus of King III. The repositioned risk-based approach directs internal audit to address strategic, operational, financial and sustainability issues in its quest to deliver value to the organisation. Value is now seen to vest in the relevance of a function. As such, the head of internal audit needs to understand the organisation's strategy and to direct the function accordingly.

    Governance is underpinned by an acceptance of accountability and responsibility for action. Accordingly, the chief audit executive is required to provide an annual assessment of an organisation's control environment. This reflects the congruence of introspection from the internal audit fraternity and the call for improved governance in general, highlighting calls for internal audit to rise and deliver on its contribution to effective governance!

    Chapter 7. Internal audit

    Governance element: The need for and role of internal audit
    Principle: 7.1. The board should ensure that there is an effective risk-based internal audit
    Summary recommendation/s:
      The board should demonstrate how adequate assurance was obtained on an effective governance, risk management and internal control environment; in the event of the absence of an internal audit function.
      Evaluation of governance processes, including ethics, especially tone at the top.
      A senior or executive or director to be responsible for internal audit where internal audit is fully outsourced.
    Difference to King II:
      Board to demonstrate how effective internal control, processes and systems assurance were obtained
      Ethics not specifically mentioned
      No mention of custodian function in an outsourced scenario

    Governance element: Internal audit's approach and plan
    Principle: 7.2. Internal audit should follow a risk-based approach to its plan
    Summary recommendation/s:
      Internal audit planning should be informed by the strategy of the organisation.
      The chief audit executive should discuss the adequacy and resources of skills available to address risk identified with the audit committee.
    Difference to King II:
      Not a requirement in King II
      Not a requirement in King II

    Principle: 7.3. Internal audit should provide a written assessment of the effectiveness of the company's system of internal controls and risk management
    Summary recommendation/s:
      Internal audit should form an integral part of the combined assurance model and should provide a written assessment of the effectiveness of the company's system of internal control and risk management.
    Difference to King II:
      Not a requirement in King II

    Principle: 7.4. The audit committee should be responsible for overseeing internal audit
    Summary recommendation/s:
      Internal audit pay, bonus and benefits to be determined separately to process undertaken for the rest of the business to ensure appropriate independence.
      Internal audit to perform the pivotal role of effecting combined assurance.
    Difference to King II:
      Not a requirement in King II
      Only mention of the avoidance of duplication of assurance effort in King II

    Governance element: Internal audit's status in the company
    Principle: 7.5. Internal audit should be strategically positioned to achieve its objectives
    Summary recommendation/s:
      The chief audit executive to have a standing invitation to attend EXCO as an invitee to protect independence.
      Internal audit to report functionally to the chairman of the audit committee.
      Internal audit should establish and maintain a quality assurance and improvement programme.
    Difference to King II:
      Not a requirement of King II
      Internal audit should report to an appropriate level in the organisation
      Not a requirement of King II

    Implications

    The challenge that the board faces is how it concludes that an effective internal audit function was operational for the period covered by the integrated report. While the execution of a risk-based plan would have been sufficient for this purpose in the past, King III requires a more holistic approach that is related to other areas as well. Practically, this means a challenging of the norms and exploration of concepts that will move internal audit in the direction of real progress. These include:

    Annual report disclosure in the event that an effective internal audit function was not maintained

    An organisational custodian function in situations where internal audit is outsourced

    Reviewing organisational ethics

    Cost optimisation and the prevention of assurance fatigue

    An assessment of the control environment

    The relationship between internal audit and audit committees

    The role and attributes of a chief audit executive

    The implementation of an internal audit quality assurance and improvement programme

    The interdependency between internal audit and other assurance providers such as risk management

    Expert opinion

    Adequacy of suitable skills and an understanding of the true absorbed cost of internal audit will be instrumental in the assessment of the potential of internal audit to deliver value to organisations as envisaged in King III. In this environment, diligent audit committees will ask the difficult questions and more assurance than in a compliance-based quality review will be required to provide committees with a reasonable level of comfort.

    The maturity of other functions such as ethics and risk management with which internal audit is expected to interact may be cause for some concern. Immature functions that form part of a combined assurance view are likely to complicate assessments of control environments, even where internal audit has been effective.

    Leadership, strategic inquisitiveness and other attributes will need to drive the expectations of the chief audit executive. This, coupled with strong analytical skills and the ability to interact at the highest levels of the organisation, is fundamental to internal audit using the opportunities it is afforded in King III to reach a level that populists conclude is internal audit's rightful place. Appropriate technology leverage in the performance of internal audit becomes non-negotiable.

    Ultimately, internal audit will have to make combined assurance work and help organisations realise the benefits of cost optimisation, prevention of assurance fatigue and a business partner relationship that adds real value by sifting through the irrelevant and focusing on the critical.

    Key questions directors should be asking

    1. Is internal audit aligned to strategy and does its plan focus on areas that are most likely to impact stakeholder value?

    2. Is internal audit effective and frequent enough in its communications with the audit committee and us?

    3. When last was an objective assessment done to ascertain whether internal audit has the appropriate level of technical and analytical skills required to address the industry risk and risk requirements of our business?

    4. Is our internal audit function poised to lead a combined assurance initiative?

    5. Is there sufficient assurance of our ethics and risk management programmes?

    6. Does internal audit utilise technology in its processes and use existing systems and data effectively in the performance of its work?

    7. What were our most recent loss events and what comfort did internal audit provide us with on these?

    8. How does our internal audit function compare against its peers in benchmark studies?

    9. Is our chief audit executive subjected to a robust annual assessment based on key attributes relevant to our business?

    10. What is our true absorbed cost of internal audit?

    11. Is our internal audit agile enough to address emerging business issues?

    12. Does the internal audit function have the necessary and diverse skills required to give assurance to the audit committee on internal financial control?

    How we can help you

    We have a team of professionals that are ready and able to assist you with the implementation of the requirements of King III in all its aspects. These include:

    Strategic assurance reviews that go beyond a quality assurance checklist and align to your organisational strategy

    Assistance in the formulation of a control environment assessment

    Assistance in the implementation of a combined assurance model

    Assessment of internal audit technology leverage

    Development of appropriate performance metrics for your internal audit function

    Benchmarking your internal audit function against a community of peers (industry, headcount and revenues)

    Awareness and training

    Conducting an effective audit of an ethics function

    Formulation of governance frameworks, including reporting protocols

    Optimising the form and content of internal audit communications.

    Contacts

    Anton van Wyk, Director
    Tel: +27 11 797 5338
    E-mail: [email protected]

    Avendth Tilakdari, Director
    Tel: +27 11 797 4480
    E-mail: [email protected]

    Shirley Machaba, Director
    Tel: +27 12 429 0037
    E-mail: [email protected]

    Rob Newsome, Director
    Tel: +27 11 797 5560
    E-mail: [email protected]

    Shirley-Ann Bauristhene, Director
    Tel: +27 31 271 2007
    E-mail: [email protected]

    Steve Roberts, Director
    Tel: +27 21 529 2009
    E-mail: [email protected]

    Jacques Eybers, Director
    Tel: +27 43 707 9600
    E-mail: [email protected]

    Connie Hertzog, Director
    Tel: +27 51 503 4100
    E-mail: [email protected]

    Glory Khumalo, Director
    Tel: +27 15 291 0100
    E-mail: [email protected]

    8. Governing stakeholder relationships

    Overview

    The stakeholder-inclusive approach to corporate governance is not a new concept in the King reports and effective stakeholder engagement is recognised as essential to good corporate governance. The days when boards could merely pay lip service to concerns such as corporate responsibility, ethical business practices and sustainability are over.

    Stakeholder relationships provide a platform for the board to take into account the concerns and objectives of the company's stakeholders in its decision making, which is fundamental to the process of integrated reporting.

    King III provides guidance and recommendations on how stakeholder relationships should be dealt with.

    Chapter 8. Governing stakeholder relationships

    Principle: 8.1. The board should appreciate that stakeholders' perceptions affect a company's reputation
    Summary recommendation/s:
      8.1.1. The gap between stakeholder perceptions and the performance of the company should be managed and measured to enhance or protect the company's reputation
      8.1.2. The company's reputation and its linkage with stakeholder relationships should be a regular board agenda item
      8.1.3. The board should identify important stakeholder groupings
    Difference to King II: Similar to King II

    Principle: 8.2. The board should delegate to management to proactively deal with stakeholder relationships
    Summary recommendation/s:
      8.2.1. Management should develop a strategy and formulate policies for the management of relationships with each stakeholder grouping
      8.2.2. The board should consider whether it is appropriate to publish its stakeholder policies
      8.2.3. The board should oversee the establishment of mechanisms and processes that support stakeholders in constructive engagement with the company
      8.2.4. The board should encourage shareholders to attend AGMs
      8.2.5. The board should consider not only formal, but also informal, processes for interaction with the company's stakeholders
      8.2.6. The board should disclose in its integrated report the nature of the company's dealings with stakeholders and the outcomes of these dealings
    Difference to King II: Similar to King II
