Audit committees and combined assurance

Mariaan Roos
Lecturer: Military Academy Faculty of Military Science, University of Stellenbosch

1. INTRODUCTION

Audit committees and the fulfilment of their roles and responsibilities are receiving increasing attention from a variety of stakeholders including boards of directors, municipal and provincial councils, the Auditor-General South Africa (AGSA), internal auditors, users of financial statements, academics and researchers. These stakeholders consider the audit committee report that is included in the annual report and which, according to the Treasury Regulations, needs to report on the effectiveness of internal control, the quality of in-year management reports and the evaluation of the annual financial statements (National Treasury Republic of South Africa 2005:9), to be a very important source of information not least for review and planning processes.

The scope of the responsibilities and the expectations to be fulfilled by the audit committee members are increasing, and are reflected upon in the next section of this article. The particular focus of this article is the responsibilities of audit committee members as related to the concept of combined assurance.

2. The traditional role of the audit committee

The importance of the role and the extent of the responsibilities of the audit committee has been recognised in various public sector publications in South Africa. Traditionally the roles and responsibilities described in these documents included oversight over adequacy of internal control, financial statement information and the provision of a forum for communication between management and the internal and external auditors. The Protocol on Corporate Governance in the Public Sector states that the audit committee is responsible for improving management reporting by overseeing audit functions, the adequacy of internal controls and the financial reporting process.
The audit committee should help the entity and its directors to comply with their obligations under the Public Finance Management Act, and should disclose appropriate information to the board. The audit committee should also disclose in the annual report whether the audit committee has fulfilled its responsibilities for the year (Department of Public Enterprises 2002: 22-23).

The second King Report on Governance for South Africa, 2002 (King II) formalised the approach that board committees and audit committees were expected to follow in order to competently review financial statements, monitor the corporate risk assessment processes, review the internal control systems (including the internal and external audit reports), and to oversee work performed by internal auditors (KPMG: 42).

The Treasury Regulations issued in terms of the Public Finance Management Act (PFMA), require the audit committee to review the following: the effectiveness of internal control systems; the effectiveness of the internal audit; the operational risk areas being covered in the scope of internal and external audits; any accounting and auditing concerns; compliance with legal and regulatory provisions, and the activities of the internal audit function. Of particular importance for this article is paragraph 3.1.11 of the Treasury Regulations which requires the audit committee to have explicit authority to investigate matters within its powers, as identified in the audit committee’s written terms of reference. The paragraph also states that the audit committee should be provided with the resources it needs to investigate such matters. The Treasury Regulations further require of the audit committee that it reports to the relevant executive authority if the accounting officer is implicated in fraud either by the internal audit function or any other investigation.
Sections 38(1)(a)(i) and 51(1)(a)(i) of the PFMA require the accounting officers/authorities to ensure that their institutions have and maintain effective, efficient and transparent systems of risk management and internal control, and sections 62(1)(c)(i) and 95(c)(i) of the Municipal Finance Management Act (MFMA) require the accounting officers to ensure that their municipalities and municipal entities have and maintain effective, efficient and transparent systems of risk management. National Treasury, in response to the legislative requirements, developed a Public Sector Risk Management Framework (Framework), including guideline documents, templates and implementation tools. An audit committee is described in the National Treasury Public Sector Risk Management Framework as “An independent committee constituted to review the control, governance and risk management within the Institution, established in terms of section 77 of the PFMA, or section 166 of the MFMA.”

In most of these documents reference is made to the need for audit committee members to have the required financial skills. However, the roles and responsibilities and the associated skills set required by audit committee members were considerably expanded with the release of The King Report on Governance for South Africa, 2009 (King III) and this is discussed further in the next section.

3. Expanded role of the audit committee after King III was released

King III recognises the vital role an independent audit committee plays in corporate governance, including its role in ensuring the integrity of integrated reporting and internal financial controls and identifying and managing financial risks. In its recommendations, King III refers to the need for the audit committee as a whole to have sufficient qualifications and experience to fulfil its duties. There should also be an agreed process in terms of which the committee is permitted to consult with specialists (PricewaterhouseCoopers 2010:31).
The King III report also includes additional responsibilities (over and above those mentioned in section 2 above) for the audit committee. These include requirements to: oversee integrated reporting; ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities; satisfy itself as to the expertise, resources and experience of the company’s finance function and to be an integral component of the risk management process. The audit committee report should include reference to compliance with the institution’s statutory duties, the independence of the external audit, the view on the financial statements and the accounting practices, and whether internal financial controls have been effective (PricewaterhouseCoopers 2010:39).

The AGSA, in his evaluation of governance, includes an assessment on whether the audit committee has promoted accountability and service delivery through evaluating and monitoring responses to risks, and whether the committee has provided oversight over the effectiveness of the internal control environment, including financial and performance reporting and compliance with laws and regulations. The responsibility of the audit committee to ensure that a combined assurance model is applied will be further explored next.

4. Meaning of “combined assurance” and the relationship between risk management and combined assurance

National Treasury in its Guide on Risk Management states that assurance refers to the verification of risk mitigation and internal control covered by the tasks of the internal audit, management reviews and specialised audits that test and validate the control environment. The guide further states that the terms “combined assurance” and “integrated assurance” refer to the idea that a planned approach to arranging all of the various assurance providers is adopted. The objectives of combined assurance are to reduce duplications in audit processes and to prevent any risks and key controls from being missed by assurance. King III requires audit committees to ensure that a combined assurance model is applied that will provide a coordinated approach to all assurance activities. King III defines combined assurance as “integrating and aligning assurance processes in a company to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, considering the company’s risk appetite”. All organisations should strive to become more efficient and effective. Assurance functions need to be planned and co-ordinated in such a manner as to contribute to efficiency and effectiveness by eliminating duplication but without compromising the high quality of assurance services.

The description of “combined assurance” by National Treasury demonstrates the essential link between risk management and combined assurance. A planned approach to coordinate the activities of the different assurance providers is needed and the planned approach could be documented in an annual assurance plan, for which National Treasury has developed a template. Risk registers are an important source of information to assist in the design of annual assurance plans.

According to the PricewaterhouseCoopers information paper on combined assurance (PwC 2010), assurance is provided through three lines of defence, the first being management oversight, the second being the formal and effective risk management framework and the third the independent and objective assurance that is the role of the audit committee supported by internal audit, external audit and other credible assurance providers. Assurance is provided primarily by the second and third lines of defence. Different assurance providers could include internal auditors, insurance surveyors, occupational health and safety auditors, environmental auditors, quality auditors, external auditors, forensic auditors, information technology auditors and service providers for significant investigations. These assurance providers each have their own mandates, objectives, scope, responsibilities and legislative requirements and will tend to focus on specific areas of risk within their domains. However, there is also a need to ensure that all strategic risks and identified significant risks are properly mitigated and covered by assurance providers.

5. The responsibilities of the audit committee in the area of combined assurance

The previous section demonstrated the close link between risk management and combined assurance and it is considered necessary to reflect on the functions of the audit committee with respect to risk management next, and then to discuss its functions in terms of combined assurance.

According to the Public Sector Risk Management Framework issued by National Treasury, the audit committee is an independent committee responsible for oversight of the institution’s control, governance and risk management, and should provide an independent and objective view of the institution's risk management effectiveness. Responsibilities should include reviewing and recommending disclosures on risk in the annual report, providing feedback on the adequacy and effectiveness of risk management, including recommendations for improvement, ensuring internal and external plans are aligned to the organisation's risk profile, and satisfying itself that financial reporting risks, internal financial control and information technology risks are appropriately addressed.

Chapter 3 Principle 3.5 of King III states that the audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities, and that it includes as recommended practice the principle that the audit committee should ensure that the combined assurance is appropriate to address all the significant risks facing the company, and furthermore, should monitor the relationship between the external assurance providers and the company.

It should be reiterated that the audit committee’s responsibilities for combined assurance have now been expanded to include all significant risks and are not limited to financial and information technology risks only.

With combined assurance the audit committee will be able to fulfil the oversight function much more effectively and efficiently. Combined assurance can be used to provide the audit committee with the comfort that significant risks, including strategic risks, and the actions to mitigate the risks, have been subjected to assurance procedures.

6. Tools and support available for the implementation of combined assurance

The intention and scope of this article is not to investigate and analyse the different tools available for the implementation of combined assurance. The National Treasury website includes the Framework, and offers guideline documents, templates and implementation tools. The National Treasury website also includes a guideline for a Combined Assurance Plan. The Combined Assurance Plan should link the high risk areas and risk management activities to assurance activities by the identified sources of assurance in order to mitigate the risks to an acceptable level. The Combined Assurance Plan will serve as the measurement and monitoring tool for the audit committee to identify any areas of potential assurance gaps. The guideline provided on Treasury’s website includes a spreadsheet template that links the risks/controls with the validation provided by the different assurance providers, and the recommended frequency of such actions.

PwC has also developed and distributed an information paper on implementing a combined assurance approach. This five-step approach comprises:

Step 1: Establish the business case by getting an overview of the status of the assurance profile. As part of the process strategic and operational processes are mapped and linked to the three lines of defence (management, risk and independent assurance) and categorised as being covered by either extensive, moderate or inadequate assurance. This profile could be used by the audit committee to commission further work on establishing combined assurance because the profile should indicate gaps and duplication.

Step 2: Perform an assurance reality check to assess the actual assurance provided – identify by whom it is provided – and the quality of that assurance. This step can also be used to identify assurance providers that need to be consulted to make combined assurance work in practice. Internal audit can play a key role in this reality check and needs to provide prompt and accurate feedback to the audit committee.

Step 3: Risk mapping – this should indicate what strategic, key operational and business-unit level risks are assured and by whom, and identify the gaps where risks are not being assured. Internal audit should play a key role in this mapping and analysis task.

Step 4: Combined assurance design that will identify an approach designed to address the gaps.

Step 5: Making combined assurance a continuing reality.

Taking the requirements for combined assurance into account, it is necessary to review the minimum steps that need to be taken by the audit committee to fulfil its responsibilities.

7. Minimum steps the audit committee members should take in terms of their responsibilities related to combined assurance

In the absence of clear guidelines to audit committees on their roles and responsibilities relating to combined assurance, the following are some suggested minimum generic steps that audit committees could consider taking:

• Ensure that the responsibilities of the audit committee for combined assurance are appropriately reflected in the audit committee charter.

• Review, provide input and adopt the developed combined assurance framework or the combined assurance plan.

• Review the combined assurance framework/plan and ensure that the framework/plan can be clearly linked to the risk analysis, and that all the high risk areas identified in the risk analysis are covered in the combined assurance plan. This would include ensuring that when the risk profiles change, the combined assurance plan is updated. Risk analysis should include the strategic risks and the significant risks within the different assurance areas, including for example, but not limited to, forensics, legal, AGSA, environmental, occupational health and safety. The combined assurance plan should link the risks to the activities/mitigating actions and the responsible assurance providers, with an indication of the frequency of the actions.

• Where internal audit has been identified in the combined assurance plan as responsible for co-ordinating the inputs received from the different assurance providers on the execution of the plan, the audit committee needs to review quarterly reports from internal audit that reflect actual performance by the different assurance providers and compare this with the combined assurance plan. The audit committee should also review the corrective actions taken where identified risks are not being covered by assurance activities.

• Where internal audit has been identified in the combined assurance plan as one of the assurance providers, the audit committee needs to ensure that the activities allocated to internal audit in terms of the combined assurance plan are included in the scope of coverage and in the internal audit plan.

• Where external audit has been identified in the combined assurance plan as one of the assurance providers, the audit committee needs to confirm with external audit that the work performed by them will warrant such reliance.

• The audit committee should consider the extent to which they were able to fulfil their combined assurance responsibilities and reflect that appropriately in the audit committee report.

8. Conclusion and considerations for audit committees

With the addition of the combined assurance responsibilities, the audit committee’s oversight function is expanded considerably. Audit committees need to investigate to what extent the combined assurance functions and responsibilities are incorporated in the terms of reference or in the audit committee charter.

Serious consideration should also be given to the composition of the audit committee with specific reference to the members' collective skills set. Mere possession of financial skills might not be sufficient to effectively address the expanded role of the audit committee. If the current skills base does not adequately equip the committee to fulfil its responsibilities, the audit committee should consider to what extent they need to make use of their authority in terms of paragraph 3.1.11 of the Treasury Regulations, as endorsed by the King III report, that refers to the need for an agreed process to be put in place that allows the committee to consult with specialists.

Audit committee members should also consider to what extent they can justify making a statement in the audit committee report saying that they are satisfied that their responsibilities for the year have been fulfilled in compliance with the committee's terms of reference.

References

Department National Treasury of South Africa. Example: Combined Assurance Plan. V1.0608.

Department of Public Enterprises. 2002. Protocol on Corporate Governance in the Public Sector. pp 1-54. Government Printers.

Institute of Directors Southern Africa. 2009. King Code of Governance for South Africa 2009.

KPMG. No date. Toolkit for the Company Director. Second Edition. pp 1-241.

National Treasury Republic of South Africa. 2005. Treasury Regulations for departments, trading entities, constitutional institutions and public entities.

PricewaterhouseCoopers. 2010. Corporate Governance. Executive guide to King III in national, provincial and local government. pp 1-116.

PwC. 2010. Combined Assurance. Implementing a combined assurance approach in the era of King III.

Internet source http://oag.treasury.gov.za/RMF/RMF%20Documents/Examples/04.%20Example%20Combined%20Assurance%20Plan.pdf (accessed 5 September 2011).
The Southern African Institute of Government Auditors
…manages various projects to advance accountability…

• SAIGA determines the Common Body of Knowledge and Skills (syllabus) for Registered Government Auditors (RGAs)
• SAIGA sets the practical experience standards for RGAs
• SAIGA formally assesses the technical competence of RGA-candidates through a 12-hour qualifying examination
• SAIGA supervises a system of continued professional development for RGAs
• SAIGA provides financial management training courses for the public sector
• SAIGA advances research in accountability and auditing through its various publications

SAIGA: advancing accountability and auditing

Summer 2011/12