King III September 2009 Anton van Wyk

King III @ September 2009 (Anton van Wyk – anton.b.van.wyk@za.pwc.com – 011 797 5338)
King III – Apply or Explain
PwC

Global “Governance events” over the centuries
[Timeline figure, 1600s to 1800s. Recoverable event labels: Tulip Mania (Holland, 1637); Mississippi Company Bubble (France, 1720); South Sea Bubble (UK, 1720); Depression of 1780s; Panic of 1825; Panic of 1837; Railroads Bubble (UK, 1846); Panic of 1857; Panic of 1873; Victorian Land Boom (Australia, 1890); Panic of 1893.]
King III PricewaterhouseCoopers September 2009 Slide 2

[Timeline figure, 1900 to 2100. Event labels as recovered:]
• Panic of 1901 first NYSE crash
• Banker’s Panic Knickerbocker Trust run 1907
• Ponzi’s Scheme 1919 - 20
• Florida Building Bubble 1926
• The Great Crash & Depression 1929 - 39
• Latin American Debt Crisis 1982
• Nokia Bubble Sweden, Norway, Finland 1985 - 89
• Japanese Asset Price Bubble 1985 - 89
• S&L Crisis 1986 – 95
• Stock Market Crash 1987
• Gulf War Oil Spike 1990 - 91
• Nordic Banking Crisis Sweden, Norway, Finland 1990 - 92
• British Banking Crisis UK 1990 – 92
• ERM Exchange Rate Crisis Sweden, Norway, Finland, UK, Spain, Italy 1992 – 93
• Asian Financial Crisis Indonesia, Malaysia, South Korea, Thailand 1992 - 97
• King I 1994
• Mexican Peso Crisis 1994
• Dot.Com Bubble 1995 - 2001
• Masterbond 1997
• Ruble Crisis Russia 1998
• Long-Term Capital Management hedge fund collapse 1998
• Brazilian Real Crisis 1999
• Leisurnet 2000
• Regal Treasury 2001
• Argentine Peso Crisis 2001
• 9/11 attack and global recession 2001 - 02
• King II 2002
• Housing Bubble And Subprime Crisis 2003 -
• Housing Bubble UK, Ireland, Spain 2006 -
• Mortgage Liquidity Crisis 2008
• Credit Crisis 2008
• International banking crisis 2008 –
• Announcement of International Stimulus Packages 2008
• King III 2009

Recent trends
• BC – AD
• Again, huge failings in the last 2 years
• Pressures emerging to sharpen risk assessment focus
• Business durability, collaboration, balance & connectivity
• Information required to predict the future
• Internal Financial control assurance
• Searching for the “right” resources
• “One view – one risk aggregation” – Combined Assurance
• ‘Cost of compliance’
• Searching for assurance value
• People/stakeholders/investors thinking differently
• Perverse incentive / bonus payments – rewarding failure.

Recent events
• Globe unprepared for the scale, speed & severity of recent crisis
• Many things happening simultaneously
• Existing risk models and internal audit functionality couldn’t cope with the complexity of factors impacting the chaos
• Risk Governance not linking strategy, risk management & risk bearing capacity
• The weak were eliminated – at huge cost
• The resilient will (mostly) prevail – cash is King
• Well capitalised banks survived
• Stock markets worked
• The future will still offer less predictable outcomes – there will be more crises, will we be better prepared.
• We have though, once again shown we are one of the most resilient countries (and people) on earth.

Applicability of the Code

Applicability
- King III: Applies to all entities, regardless of their nature, size or form of incorporation
- King II: Listed companies; Financial institutions; Public sector enterprises

Positive statement of compliance
- King III: Similar requirements to King II
- King II: The directors should report in the annual report that the Code has been adhered to. Reasons should be given for non-compliance

Governance framework
- King III: “Apply or explain” as opposed to “comply or else”
- King II: “Comply or explain” as opposed to “comply or else”

Implications for companies, boards of directors and audit committees
• Scope of corporate governance framework in South Africa widened
• Entities encouraged to tailor the Code’s principles as appropriate to the size, nature and complexity of their businesses
• The board or those charged with governance should explain to stakeholders where a specific principle or recommendation has not been applied

King III chapters
• Chapter 1: Ethical Leadership and Corporate Citizenship
• Chapter 2: Boards and Directors
• Chapter 3: Audit committees
• Chapter 4: The Governance of Risk
• Chapter 5: The Governance of Information, Communication and Technology (ICT)
• Chapter 6: Compliance with laws, rules and standards
• Chapter 7: Internal Audit
• Chapter 8: Governing stakeholder relationships
• Chapter 9: Integrated Reporting and Disclosure

Big Tickets from ‘King’s Counsel’
• Integrated Reporting
  - Assurance over the final report
• Sustainability
  - Content assurance
  - The role of Internal Audit?
• Combined assurance
  - Key integration by Internal Audit.
• Strategically focussed Internal Audit
  - A Transformed Approach
• Informing the Audit Committee
  - Creating better relationships
• Internal Financial Control
  - Testing and maintenance
  - Internal audit’s assessment statement
• Governance of Risk
  - Correlation of Risk Appetite and Risk Tolerance
  - Resilience
  - Fraud risk
• IT Governance
  - Knowing this space

Chapter 4 The governance of risk
• Absolute board leadership
• Risk embedded within Strategy and Business Processes
• Balancing Risk and Reward – taking calculated ‘smart’ risks
• Assessment of cost of risk, including lost opportunities
• CEO as Risk Champion
• Determine the levels of risk tolerance
• The risk committee or audit committee should assist the board in carrying out its risk responsibilities

Chapter 4 The governance of risk
• Management has the responsibility to design, implement and monitor the risk management plan
• Risk assessments are performed on a continuous basis
• Framework and methodologies are implemented to increase the possibility of anticipating unpredictable risks
• Management considers and implements appropriate risk responses
• Continuous risk monitoring by management
• The board should receive combined assurance regarding the effectiveness of the risk management process
• 10 Minutes on Managing Risk. . Riskpwc-10 minutes-managing-risk. pdf

Forces of globalisation cross the spectrum of risk
Risks:
• Economic & financial / Energy costs, price volatility, currency fall, asset price collapse
• Environmental / Climate change, weather, water, catastrophe
• Geopolitical / Globalisation retrenchment, risk governance, war, terrorism, crime
• Societal / Diseases
• Technological / Critical system failure or attack, nanotechnologies
[Diagram of globalisation factors; the remaining labels are not recoverable.]

Key questions for management – Risk
• Do we understand how risk appetite and tolerance is applied in our organisation?
• How do we know that the biggest risk exposures to our organisation are being adequately managed?
• When last did we participate in a risk assessment activity?
• How often have we considered the same risk-related issue in the various management and governance meetings?
• Is ICT risk actively considered in our risk management process?
• Do we specifically consider compliance risk and, if so, how satisfied are we that it is effectively covered?

Key questions for management – Risk
• Are risks prioritised and ranked to focus the responses and interventions on those risks outside the board’s risk tolerance limits?
• Do we have an approved annual risk management plan?
• Who assures non financial risks, such as plant availability, staff capacity and competency, the impact of legislative changes on the business/organisation etc? And to which management or board committee is the assurance provided? Are we satisfied that this assurance is reliable?
• Do we have a fraud risk plan to consider our fraud exposure and prevention?
• Does our disclosure on the effectiveness of risk management reflect the actual position of our business/organisation?

“A strategically positioned, competent and independent internal audit function is required to provide a written assessment of the company’s system of internal control, after having conducted a risk based internal audit. This function must have direct relationships with the audit, corporate governance and risk committees and must be strategically positioned.”

© 2009 PricewaterhouseCoopers Inc. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent PricewaterhouseCoopers legal entity. PricewaterhouseCoopers Inc is an authorised financial services provider.

Chapter 7 Internal Audit
• There is an effective risk based internal audit
  - Evaluating the company’s governance processes
  - Objective assessment of the effectiveness of risk management and the internal control framework
  - Analysing and evaluating business process and associated controls
  - Adhere to the IIA Standards and Code of ethics
• Should follow a risk based approach to its plan
  - Informed by the strategy and risks of the company
  - Assess the company’s risks and opportunities

Internal Audit - continues
• Provide a written assessment of the effectiveness of the company’s system of internal controls and risk management
  - An integral part of the combined assurance model as internal assurance provider
  - Internal controls should be established not only over financial matters, but also operational, compliance and sustainability issues
  - Internal audit should provide a written assessment of internal controls and risk management to the board
  - Written assessment of internal financial controls to the audit committee
• The audit committee should be responsible for the oversight of internal audit
  - Subjected to an independent quality review
• Should be strategically positioned to achieve its objectives
  - The CAE should have standing invitation to attend executive committee meetings
  - Internal audit function should be appropriately resourced and have sufficient budget allocated to the function
  - Skilled and resourced as is appropriate for the complexity and volume of risk and assurance needs
  - The CAE should develop and maintain a quality assurance and improvement programme
  - Written assessment of internal financial controls made available to the audit committee

Here are highlights of what the respondents to the PwC ‘State of the Profession’ 2009 survey had to say about internal audit budgets and resources:
• 19% reported budget reductions in 2008 compared with 10% in 2007.
• 49% expect budgets to remain flat and 36% expect a decrease in the coming year, compared with projections of 49% and 14%, respectively, in the prior year’s survey.
• 51% of Fortune 500 respondents believe that there is a medium-to-high risk of the economic downturn causing an unexpected reduction in the internal audit budget during 2009.

Risk based Internal Audit
[Diagram: two approaches leading to the Audit plan.]

Value Based Approach: “Top-down” approach where coverage is driven by issues that directly impact stakeholder value, with clear and explicit linkage to strategic issues of the organisation.
- Identify Stakeholder Value Creating Activities
- Understanding Enterprise Risks (Strategic, Financial, Operations, Compliance)
- Evaluate Impact to Stakeholder Value

Traditional Approach: Traditional “bottom-up” approach based on stakeholder interviews and analysis. Focus is on coverage of identified risk areas, geography and business operations.
- Evaluate Impact of Risks within Audit Universe
- Identify Risks (Financial Operations, Compliance)
- Define Audit Universe (e.g., geography, business unit, etc.)

Composition of auditing activities
(a) Percentage of internal audit departments that contribute 25% or more of their resources to key categories of risks
(b) Percentage of internal audit departments that increased coverage in each area during 2008
• Financial: (a) 57%, (b) 21%
• Operational: (a) 53%, (b) 34%
• Compliance: (a) 33%, (b) 30%
• Information Technology: (a) 31%, (b) 36%
• Strategic / Business: (a) 13%, (b) 38%
• Consulting: (a) 9%, (b) 28%

Stakeholders’ perspectives on the future of Internal Audit
• Internal Audit focus should evolve to align with emerging/changing risks
• Internal Audit should balance its focus on all key elements in the risk domain
• The portfolio of stakeholders will expand to include business unit management and other key executives, as well as other committees of the Board
• Internal Audit should enhance its understanding of (and focus on) risk management in general and ERM in particular. Internal Audit should become a key source of insight on the risks facing the organisation.
• Internal Audit needs to enhance its communications with management and the Board. Communications need to become more impactful and timely.
• Internal Audit management and staff need to develop greater business knowledge and enhance IT skills
• A heightened focus on the cost of IA versus the value added
• IA will be expected to deliver a written assessment on the adequacy of the entire system of internal control
• IA will be expected to become a strategic partner to the Board

Risk-based internal audit
Implications for companies, boards of directors and audit committees
• Internal audit planning and approach should be risk-based rather than compliance-based
• A CAE of appropriate stature, who has the respect and cooperation of the board and management, should be appointed
• Internal audit reporting lines to be evaluated – internal audit should report at a level in the company that allows it to remain independent and objective to ensure it fully achieves its responsibilities
• CAE invited to attend company’s executive committee

Key questions for management – Internal Audit
• Is internal audit aligned to strategy and does its plan focus on areas that are most likely to impact stakeholder value?
• Is internal audit effective and frequent enough in its communications with the audit committee and us?
• When last was an objective assessment as to whether internal audit has the appropriate level of technical and analytical skills required to address the industry risk and risk requirements of your business?
• Is our internal audit function poised to lead a combined assurance initiative?
• Is there sufficient assurance of our ethics and risk management programmes?
• Does internal audit utilise technology in its processes and use existing systems and data effectively in the performance of its work?
• What were our most recent loss events and what comfort did internal audit provide us with on these?
• How does our internal audit function compare against its peers in benchmark studies?
• Is our Chief Audit Executive subjected to a robust annual assessment based on key attributes relevant to our business?
• What is our true absorbed cost of internal audit?
• Is our internal audit agile enough to address emerging business issues?

The practical application of King III ‘Exotics’
‘Boards and directors, acting in the best interests of the company, form the focal point of corporate governance’

Observation on the Impact of Internal Financial Control
It is worth noting that Sarbanes-Oxley legislation established a new paradigm for corporate accountability. Responsibilities of the audit committee, CEO and CFO were clearly established at higher levels than in the past. It created a new standard for companies regarding the reporting of internal control effectiveness and has raised the bar for the design, documentation, and operation of financial internal control.
Good internal control will ensure sustained business development!

Typical Internal Financial Control Project Approach
[Process diagram. Labels: Continuous Improvement; Management; Initiate Project And Assess Risk; Document and Evaluate Control Design; Remediate; Internal Auditor; Test Operating Effectiveness; Prepare Report on Internal Control and embed through Training & accountability; Monitor and Report; Project Management Support.]

Audit committee expectations of internal audit function
• Internal audit required to
  - Identify risks to financial reporting
  - Evaluate whether financial controls exist to address the risks identified
  - Evaluate design, implementation and operation of identified controls
  - Document the review in a comprehensive manner to support its conclusions
• Adequate skilled resources in internal audit function
• The changing role of the audit committee

Cost Benefit Analysis
Benefits
• Increased executive management and audit committee confidence
• Enhanced control environment, awareness and discipline
• Improved Audit Committee oversight
• Increased knowledge of internal business processes
• Identification of improvement opportunities in both controls and processes
• Fewer control failure embarrassments
• Increased comfort for senior management
• Better quality audits (internal and external)
• Formalisation of processes and controls
• Increased awareness of internal controls at various levels within the business
• End to end process ownership and accountability

Key questions for management – Internal Financial Control
• Is there a control framework (e.g. COSO) governing financial reporting in the organisation?
• Have we identified and documented all probable risks to fair presentation in the financial statements and disclosures? (Fair presentation implies that the numbers and disclosures are not materially misstated).
• Are there controls in place to address these risks and are they adequately designed to prevent or detect material misstatements in the financial statements and disclosures?
• Do the controls identified operate as they are supposed to and are they appropriately evidenced?
• Have we examined or tested the controls identified above to ensure that our report to the audit committee is accurate and complete?
• Have we appropriately evidenced our assessment?
• Is a process in place to ensure that the framework remains relevant over time?

Combined assurance
What is combined assurance?
A coordinated approach to all assurance activities to ensure that assurance provided by
- management;
- internal assurance providers (such as internal audit); and
- external assurance providers (such as external audit or sustainability assurance providers)
adequately addresses significant risks facing the company and that suitable controls exist to mitigate and reduce these risks

“Integrating and aligning assurance processes in an organisation to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the Audit and Risk Committee, considering the organisation’s risk appetite”

Combined assurance (continued)
What is combined assurance?
[Diagram labels: Management; Internal assurance providers; External assurance providers; Combined assurance.]

Combined assurance
Implications for audit committees
• Audit committees are able to assess significant risks facing the company with information to hand
• Assessment to be made of in-house skills and qualifications and track record of external service providers
• Audit committees to coordinate the utilisation of appropriate assurance providers in the assurance model (management, internal or external assurance providers) to provide assurance on the identified risks
• May result in the increased utilisation of external assurance providers

Corporate Governance Framework
Internal Audit’s journey
[Framework diagram; labels as extracted:] RISK MANAGEMENT COMBINED ASSURANCE SOCIAL & ETHICAL FINANCIAL INTEGRATED REPORT ACCOUNTABILITY OPERATIONS ETHICS INTERNAL CONTROLS ENVIRONMENTAL LEGAL CORPORATE CULTURE COMPLIANCE REQUIREMENTS CONDUCT PEOPLE SYSTEMS PROCESS POLICY STRUCTURE REGULATORY AUTHORITIES STRATEGY PURPOSE VALUES GOALS PERFORMANCE MEASUREMENT