www.pwc.com/za

King III, IT Governance, Sustainability Reporting – The role of Internal Audit

Shirley Machaba – IIASA President and Partner – National Enterprise Risk and Internal Audit Leader – PwC

IMFO conference

13 September 2011

Changing environment
  • Global pressure to sharpen risk focus
  • Revolutionary transparency
  • Collaboration & connectivity
  • Climate change
  • Governance no longer mindless compliance
  • Population growth
  • Information required to predict the future
  • Internal Financial Control assurance
  • “One view – one risk aggregation” – Combined Assurance
  • Managing the cost of compliance
  • Not prepared for the scale, speed & severity of recent crisis
  • Many risks happened simultaneously
  • Risk models and internal audit functionality did not cope with the complexity of factors impacting the chaos
  • Stakeholder expectations and needs – e.g. civil society
  • Risk Governance did not link strategy, risk management & risk bearing capacity


Corporate Governance - Context

  • New RSA constitution
  • Legislation of public interest
    • Employment Equity
    • Access to information
    • Skills development
    • BBBEE
    • Companies Act, May 2011
  • Focus on corporate citizenship
  • Corporate scandals/failures
  • Fraud and Corruption
  • Financial related Acts (PFMA, MFMA, Treasury Regulations, Systems Act, Structures Act etc.)
  • Preference for self regulation
    • King III/Batho Pele
    • Departmental policies

Big Tickets from ‘King’s Counsel’

King III drafted using Companies Act, 2008 as a baseline

  • ‘More’ information to the Audit Committee
  • Assuring Sustainability
  • Governing Risk
  • Integrating assurance
  • IT Governance
  • Transforming Internal Audit’s approach
  • Designing, implementing, testing and maintaining Internal Financial Control
  • Assurance over Integrated Reporting

Implications for organisations, boards of directors and audit committees
  • Scope of corporate governance framework in South Africa widened
  • Organisations are encouraged to tailor the Code principles as appropriate to the size, nature and complexity of their businesses
  • The board or those charged with governance should explain to stakeholders where a specific principle or recommendation has not been applied
  • Municipalities will be required to dedicate time and resources to the preparation of the annual report
  • The responsibility of audit committee has been extended beyond financial reporting to include sustainability reporting
  • The expansion of responsibilities of board, other committees, management and internal audit has a direct impact on the required skill set

Chapter 2: Board of Directors
  • The focal point for and custodian of corporate governance
  • Strategy, risk, performance and sustainability are inseparable
  • The organisation has an effective and independent audit committee
  • Responsible for the governance of risk
  • Responsible for IT governance
  • An effective risk-based internal audit
  • Ensure the integrity of the organisation’s integrated report
  • Commence business rescue proceedings as soon as the organisation is financially distressed
  • Chairman of the board who is an independent non-executive director. The CEO of the organisation should not be chairman of the board
  • The Speaker is designated chairperson of Council in terms of Section 36(1) of the Municipal Structures Act and is elected by the Councillors

Chapter 2: Board of Directors and impact on Council (cont.)
  • The board should comprise a balance of executives and non-executive directors, with a majority of non-executive directors
  • Directors should be appointed through a formal process
  • The evaluation of the board, its committees and the individual directors should be performed annually
  • A governance framework should be agreed between the group and its subsidiary boards
  • Organisations should remunerate directors and executives fairly and responsibly
  • The number of councillors is determined in line with Section 20 of the Municipal Structures Act and may not be fewer than three or more than 270
  • The board should meet at least four times a year, and Section 18(2) of the Municipal Structures Act requires councils to meet at least quarterly

Chapter 2: Board of Directors and impact on Council (cont.)
  • A programme ensuring staggered rotation of non-executive directors should be put in place
  • Rotation of board members should be structured so as to retain valuable skills, to have continuity of knowledge and experience and to introduce persons with new ideas and expertise
  • At least one third of non-executive directors should retire by rotation at the organisation’s AGM or other general meetings. The retiring board members may be re-elected, provided they are eligible
  • Councillors are elected for a term of not more than four years according to Section 159 of the Constitution of South Africa
  • The memorandum of incorporation of the organisation should allow the board to remove any director from the board, including executive directors, without shareholder approval being necessary

Chapter 3: Audit Committees
  • The organisation has an effective and independent audit committee
  • Audit committee members should be suitably skilled and experienced independent non-executive directors – one to have performance management expertise – Regulation 14(2)(b) of the local government performance management regulations
  • Chaired by an independent non-executive director
  • The audit committee should oversee integrated reporting
  • A combined assurance model should be applied to provide a coordinated approach to all assurance activities
  • Responsible for the oversight of internal audit
  • An integral part of the risk management process
  • Report to the board and shareholders on how it has discharged its duties
  • Audit committee to meet as frequently as is necessary – at least twice; Section 166(4)(b) of the MFMA requires the audit committee to meet at least quarterly

Chapter 3: Sustainability reporting
  • King II did not address:
    • Oversight; or
    • Assurance of sustainability reporting
  • King III requirements for audit committee:
    • Review sustainability reporting for reliability and consistency with financial information
    • Recommend the need to engage an external assurance provider
    • No longer “Made in”, but “Made how”
    • How has the organisation made its money? – labour practice, sustainable products and services, recycling
    • Sustainability reporting is a competitive advantage
    • Whatever organisations do should be fit for purpose
    • Should be part of the organisation’s long-term thinking
    • Stakeholders, including regulators, must see whether the organisation is sustainable or adding to the crisis

Skills required of audit committee
  • Audit committee members collectively have an understanding of:
    • Integrated reporting
    • Risk management
    • Internal financial controls
    • Sustainability reporting
    • Internal and external audit process
    • IT Governance relating to integrated reporting
    • Applicable legislation
    • Governance processes
  • Permitted to consult with specialists
  • The AC and performance AC may be combined as provided in Regulation 14(2)(c) of the Performance Management Regulations, 2001

Chapter 4: The governance of risk
  • Determine the levels of risk tolerance
  • The risk committee or audit committee should assist the board in carrying out its risk responsibilities
  • Management has the responsibility to design, implement and monitor the risk management plan
  • Risk assessments and risk management are a continuous cycle
  • Frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
  • Management considers and implements appropriate risk responses
  • Continuous risk monitoring by management and the Board
  • The board should receive combined assurance regarding the effectiveness of the risk management process
  • RISK IS THE CORNERSTONE OF GOVERNANCE
  • The IIA’s new certification is Risk Management Assurance (CRMA)
  • Apply for the CRMA through the Professional Experience Recognition Provision (October 2011 – January 2012)
  • Launching in 2013

King III IT Governance – Chapter 5: 7 Principles, 48 Recommendations
  • 5.1 The board should be responsible for IT governance
  • 5.2 IT should be aligned with the performance and sustainability objectives of the organisation
  • 5.3 The board should delegate to management the responsibility for the implementation of an IT governance framework
  • 5.4 The board should monitor and evaluate significant IT investments and expenditure
  • Recommendation analysis: The board responsible for:
    • Implement an IT Governance Framework
    • IT Governance framework to include:
      • Reporting structures
      • Roles and responsibilities
      • Accountability clearly assigned
      • Decision making structures and processes defined
      • IT policies and standards defined
    • IT strategy defined and aligned with business strategy, and authorised by the board
    • Value delivery of IT measured and reported
    • IT aligned with the sustainability objectives of the organisation
    • Appointment of a CIO (with a business focus)
    • IT to report to the board on the performance of IT
    • Independent assurance on the functioning of IT
    • Measure value delivery of IT and ROI
    • Information and IP in systems protected
    • Governance of the acquisition and disposal of IT assets
    • Project management
    • Independent assurance over outsourced functions and big projects

King III IT Governance – 7 Principles, 48 Recommendations (cont.)
  • 5.5 IT should form an integral part of the organisation’s risk management
  • 5.6 The board should ensure that information assets are managed effectively
  • 5.7 A risk committee and audit committee should assist the board in carrying out its IT responsibilities
  • Recommendation analysis:
    • IT risk management part of overall risk management
    • IT risk management includes:
      • Disaster Recovery Planning
      • IT legal risks
      • Compliance with laws, rules, codes and standards
      • IT to be used for risk management & compliance
    • Implementation of a formal information security management system
    • Identification of personal and sensitive information
    • IT risks identified by risk management and processes developed to manage these
    • The audit committee is responsible for IT as it relates to financial reporting

Role of internal audit on IT Governance
  • Perform an assessment of the current IT governance arrangements against King III and other generally accepted practices such as ISO 38500, ISO 27001/2, Val IT etc.
  • Provide independent assurance over the effectiveness of the IT internal control framework (e.g. COBIT, ITIL)
  • Provide independent assurance over the IT governance controls supporting outsourced third-party service providers
  • Provide independent assurance over the IT governance framework
  • Provide independent assurance over IT governance processes such as IT risk management, IT compliance, disaster recovery, IT sustainability, IT project management, IT value delivery and performance management, information security etc.
  • Provide consulting and benchmarking services on IT Governance.

“A strategically positioned, competent and independent internal audit function is required to provide a written assessment of the organisation’s system of internal control, after having conducted a risk based internal audit. This function must have direct relationships with the audit, corporate governance and risk committees and must be strategically positioned.”

Internal Audit
  • There is an effective risk-based internal audit – in line with Section 165(2)(a) of the MFMA
    • Evaluating the organisation’s governance processes
    • Objective assessment of the effectiveness of risk management and the internal control framework
    • Analysing and evaluating business processes and associated controls
    • Adhere to the IIA Standards and Code of Ethics
    • Written assessment of internal financial controls to the audit committee
  • Should follow a risk based approach to its plan
    • Informed by the strategy and risks of the organisation – IDP and SDBIP
    • Assess the organisation’s risks and opportunities

Chapter 7: Internal Audit (cont.)
  • The audit committee should be responsible for the oversight of internal audit – Section 165 (2) (b) of the MFMA
  • Should be strategically positioned to achieve its objectives
    • The CAE should have a standing invitation to attend executive committee, council or other meetings of a strategic nature
    • Skilled and resourced as is appropriate for the complexity and volume of risk and assurance needs
    • The CAE should develop and maintain a quality assurance and improvement programme
    • The CAE must have attributes such as adaptability (a “chameleon”), leadership skills, communication skills, a strategic mindset, networking, quality delivery, value enhancement, emotional intelligence, the ability to understand risk management concepts, and business analysis skills


Risk-based Internal Audit

Stakeholder Value Based Approach: a “top-down” approach where coverage is driven by issues that directly impact stakeholder value, with clear and explicit linkage to strategic issues of the organisation.
  • Identify stakeholder value creating activities
  • Understand enterprise risks (strategic, financial, operations, compliance)
  • Evaluate impact to stakeholder value
  • Audit plan

Traditional Approach: a traditional “bottom-up” approach based on stakeholder interviews and analysis. Focus is on coverage of identified risk areas, geography and business operations.
  • Define audit universe (e.g., geography, business unit, etc.)
  • Identify risks (financial, operations, compliance)
  • Evaluate impact of risks within audit universe
  • Audit plan

Examples of internal audit department balanced performance dashboard metrics (King III, Chapter 7)
  • Internal Audit Customer Service – key metrics based on results of auditee satisfaction questionnaires
  • Measurement of enhanced shareholder value through cost reductions, reduced revenue leakage, increased working capital, and/or enhanced cash flow
  • Percentage of audit activities and resources allocated to addressing key business risks
  • Number of meetings with senior management to discuss business objectives, goals, and risks
  • Number of best practices identified and communicated within the organisation by the internal audit department
  • Status of internal audit recommendations implemented by management
  • Number of special requests from management received and completed
  • Number of personnel transferred out of internal audit into other departments or business units
  • Reliance on internal audit work by external audit


Chapter 8: Governing stakeholder relationships

  • Appreciate how stakeholders’ perceptions affect a company’s reputation
  • Management to proactively deal with stakeholder relationships
  • Strive to achieve the appropriate balance between its various stakeholder groupings in the best interests of the organisation
  • Equitable treatment of shareholders
  • Transparent and effective communication with stakeholders
  • Disputes are resolved as effectively and expeditiously as possible


Chapter 7: Stakeholders’ perspectives on the future of Internal Audit (cont.)

  • A heightened focus on the cost of IA versus the value added
  • IA will be expected to deliver a written assessment on the adequacy of the entire system of internal control and internal financial control
  • IA will be expected to become a strategic partner to the Board

Statement on effectiveness of internal financial controls by the board of directors
  • Board responsible for the integrity of financial reporting systems
  • Board to make a statement in the integrated report on the effectiveness of internal controls
  • Audit committee should report to the board on effectiveness of internal financial controls annually
  • Management (or internal audit) to conduct a formal documented review of design, implementation and effectiveness of internal financial controls on an annual basis – Sections 62 (1) (b) and (c) of MFMA – MM accountable
  • King III does not require external audit attestation on IFC


Combined assurance

[Diagram: combined assurance brings together three layers of assurance providers – management, internal assurance providers and external assurance providers]

Combined Assurance
  • Combined Assurance is about assurance providers working more closely together to ensure:
    • the right amount of assurance
    • in the right areas
    • from people with the best and most relevant skills
    • as cost effectively as possible
  • Provides comfort to the Board that they have made an informed decision on the optimal assurance model for the business, identifying:
    • Gaps in the existing assurance framework
    • Areas of duplication/overlap
    • Opportunity to adopt best practice
  • Implementing a combined assurance model should provide an overall assurance framework which is more efficient, comprehensive, appropriately focused and effective.


Corporate Governance Framework – Integrating Your Report

[Diagram: the framework links the strategy, operations, financial, social & ethical and environmental dimensions of the organisation with its purpose, people, value, systems, process and goals; the governance elements shown are risk management, combined assurance, internal financial control, internal controls, accountability, corporate culture, ethics, conduct, legal and regulatory compliance requirements, policy, authorities, performance measurement and structure]


King III @ September 2011

(Shirley Machaba – shirley.machaba@za.pwc.com – 012 429 0037)

“Every day you may make progress. Every step may be fruitful. Yet there will stretch out before you an ever-lengthening, ever-ascending, ever-improving path. You know you will never get to the end of the journey. But this, so far from discouraging, only adds to the joy and glory of the climb.”

Sir Winston Churchill

© 2009 PricewaterhouseCoopers Inc. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. PricewaterhouseCoopers Inc is an authorised financial services provider.