Post on 13-Aug-2015
I A ADVISERAPRIL/MAY 2015
STRATEGIES FOR INTERNAL AUDITORS TO NEGATE INTIMIDATION AND VICTIMISATION THE GREY MATTERS ON ETHICSQUESTIONS THE AUDIT COMMITTEE SHOULD ASK ABOUT IT
LEADERS FORUM8 June 2015 I Emperors Palace
The IIA SA will be hosting the Leaders Forum, exclusively for Heads of Internal Audit (CAEs).
This unique forum is an opportunity for like-minded, progressive CAEs to meet, maintain and enhance their networks, listen to high-profile speakers and be exposed to new trends. In addition, pertinent issues affecting the profession will be discussed.
Please visit the IIA SA website: www.iiasa.org.za for more information and to register.
100
IA ADVISER April/May 2015 | 3
BOARD OF DIRECTORS e-mail: directors@iiasa.org.zaChairman: Riaan Thiart CIAVice Chairman: Vonani Chauke CIADirectors: Faith Burn Paresh Lalla Paresh Lalla CIA Oupa Mbokodo CIA Tshepo Mofokeng Rudzani Nemaangani CIA Rob Newsome CIA Molefi Nkhabu Jan Opperman Dion Poole CIA Kameetha Singh Arno VorsterChief Executive Officer: Dr Claudelle von Eck Past President: Shirley MachabaPast Past President: Justine K Mazzocco
REGIONAL GOVERNORSCentral Region: Refilwe Mocwaledi Eastern Cape - Border Kei: Norman TrimaleyEastern Cape - Port Elizabeth: Veronique ReddyGauteng - Johannesburg: Bukkie Adewuyi Gauteng - Pretoria: Muthelo MadzivhandilaKwaZulu Natal: Alexander WinterbachLimpopo: Moloto MokweleMpumalanga: Tony MancosNorth West: Sikhuthali Nyangintsimbi Northern Cape: Johannes van Tonder Western Cape: James Gourrah CIALesotho: Liteboho MokuenaNamibia: Julian BeukesSwaziland: Wesley Mndzebele
23
26
Contents
MessAGe FRoM tHe CHieF exeCutive oFFiCeR 5
WelCoMe to neW MeMbeRs 8
stRAteGies FoR inteRnAl AuditoRs to neGAte
intiMidAtion And viCtiMisAtion 10
list oF oCCupAtions in HiGH deMAnd: 2014 12
MiCRoFinAnCinG: innovAtion oR CuRse 14
tHe GReY MAtteRs on etHiCs 19
Questions tHe Audit CoMMittee sHould AsK About it 23
CoRpoRAte sA is still FAilinG to inClude WoMen 26
FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe 28
booK RevieWs 34
IA ADVISER April/May 2015 | 5
Institute of Internal Auditors South AfricaUnit 2, Bedfordview Office ParkBedfordview , 2008
P O Box 2290, Bedfordview, 2008
Telephone: +27 11 450 1040Facsimile: +27 11 450 1070
IIA SA Website: www.iiasa.org.zaIIA Global Website: www.globaliia.org
Business Hours: Mon - Thurs: 08h30 - 17h00 Friday: 08h30 - 16h00
Accounts / Finance: Warren Elbournee-mail: warren@iiasa.org.zafax: 086 685 0163
Bookstore: Xolisile Vuyiswa Mngwevue-mail: bookstore@iiasa.org.za fax: 086 685 0164
Certification: Tina Wolmaranse-mail: certification@iiasa.org.zafax: 086 685 0162
Communications and Business Development: Val Brazaoe-mail: val@iiasa.org.za
CPD: Jenine Dresse e-mail: seminars@iiasa.org.zafax: 086 685 0161
Learnerships:Lawrence Chetty: e-mail: lawrence@iiasa.org.za
Membership: Stephanie Erasmus e-mail: membership@iiasa.org.zafax: 086 685 0160
Regions: Nazlie Ismaile-mail: regions@iiasa.org.zafax: 086 572 4301
Technical: Charles Nel CIAe-mail: charles@iiasa.org.zafax: 086 685 0165
Advertising For advertising enquiries contact Queen Sithole: modjadji@iiasa.org.za
If you need to change your details please e-mail membership@iiasa.org.za
Editorial / Article SubmissionVal Brazao: val@iiasa.org.za Charles Nel: charles@iiasa.org.zaTo submit an article e-mail: dorah@iiasa.org.za
ISSN 2079-729X
Published by the Institute of Internal Auditors South Africa and supplied gratis to members. The IIA SA does not accept responsibility for any opinions expressed by the contributors or correspondents, nor for the ac-curacy of any information contained in contributions, advertisements or correspondence in this publication. All material submitted for consideration is subject to the discretion of the Editor and the Editorial Team. The Editor reserves the right to edit all material. Advertise-ments do not constitute an endorsement.
Although I have some really important Insti-
tute related news to share with you, it would
be remiss of me to not first pause and say a
few words around recent events that have
rocked our country and cast us in a very
bad light. The recent spate of xenophobic
attacks should probably not have come as a
surprise to us. Many of us have been warn-
ing for a while now that we are sitting on a
time bomb as the gap between the haves
and have-nots continuous to widen. While
most of us have preferred to only comment
from afar, we have now received a wake-up
call. This affects all of us and none of us can
distance ourselves from what has been fes-
tering within. It is going to take a collective
effort as South Africans and SA institutions
to combat what has become an embarrass-
ing exposure of the rot that is building up.
It is important that we send a clear message
to the world that South Africans will not al-
low a minority to define who we are as a
people. In this context the IIA SA says NO to
xenophobia and NO to violence against our
fellow human beings.
Now, having said that, let me turn to the is-
sues directly affecting the Institute. My in-
tention is to only focus on news not already
covered in our Integrated Report which is
accessible to all on our website. I am really
proud of our Integrated Report, which this
year now appears in both PDF and Flash
with video clips. I encourage you to read
the IR as it is filled with information on what
is happening in the land of the IIA SA.
Firstly, you should be aware of a significant
shift in the South African qualifications
landscape which has seen the establish-
ment of the Quality Council for Trades and
Occupations (QCTO) under the South Afri-
can Qualifications Authority (SAQA). As is
implicit in its name, SAQA is the custodian
of qualifications in South Africa. You will
start to hear more and more about SAQA,
especially in the light of the fact that we
have seen so many high profile cases of in-
dividuals falsifying their qualifications in re-
cent times. The Skills Development Act has
made provision for quality councils under
SAQA to oversee the establishment, regis-
tration and maintenance of qualifications.
These councils oversee the registration of
qualifications in the three main spheres of
education and training. While the coun-
cils for the schooling (Amalusi) and higher
education (CHE) sectors have long been
established, the council overseeing trades
and occupations has only recently been es-
tablished. As a result, professional qualifica-
tions had in the past been registered direct-
ly with SAQA. With the establishment of the
QCTO, all professional qualifications must
MessAGe FRoM tHe CHieF exeCutive oFFiCeR
6 | IA ADVISER April/May 2015
MessAGe FRoM CHieF exeCutive oFFiCeR
now be registered with the QCTO as their direct registration with
SAQA is expiring this year. This basically means that the IIA SA has
to re-register its current learnerships under the QCTO. The Institute
has therefore now kick-started the registration of the national inter-
nal audit qualifications. We have had our first scoping meeting with
the QCTO and various stakeholders and I am pleased to announce
that the IIA SA has been appointed the Development Quality Part-
ner for the registration of the internal audit qualifications. What does
this mean for our learnerships? These qualifications essentially will
be our current learnerships now recognised as national qualifications
under the QCTO and will underpin our designations IAT and PIA. This
is good news for the profession. Those currently in our programs will
not be affected, but once the national qualifications are registered,
new entrants will go through the new process. You will not feel the
difference as the process will remain much the same.
Another important piece of news that I need to share with you is the
outcome of the AGM which was held on 22nd April 2015. Beside the
election of the directors, members also voted on changes to the By-
laws and the establishment of a subsidiary under the Institute to sat-
isfy the QCTO requirements for the new national qualifications. Both
the changes to the Bylaws and the establishment of the Academy
(subsidiary) were approved by an overwhelming majority of those
who voted.
Your new Board now consists of:
Chairman Riaan Thiart Newly elected in this position
Vice Chairman Vonani Chauke Newly elected in this position
Director Rob Newsome Re-elected
Director Molefi Nkhabu Re-elected
Director Arno Vorster Re-elected
Past Chairman Shirley Machaba Vacated Chairman’s seat
Past Past Chairman Justine Mazzocco Vacated Past Chairman’s seat
CEO Claudelle von Eck Still in office. Appointed by the Board
Director Dion Poole Term end in 2016
Director Oupa Mbokodo Term end in 2016
Director Paresh Lalla Term end in 2016
Director Rudzani Nemaangani Term end in 2016
Director Jan Opperman Newly elected
Director Kameetha Singh Newly elected
Director Faith Burn Newly elected
Director Tshepo Mofokeng Newly elected
We congratulate all of those who were elected to serve on the Board.
With a professional body that has a lot of complexity to deal with, the
Board is kept very busy and is often confronted with tough decisions
to make. These are the people who make decisions on behalf of your
Institute and have a significant impact on the direction the profes-
sion takes in the local context. This is a significant burden. Exercising
leadership is not always an easy thing to do. In actual fact, more often
than not it is difficult as one has to be brave while taking people to
a new reality at a pace that the majority can absorb. It is therefore
imperative that we give the Board our support.
I do want to spend a minute talking to our members about the es-
tablishment of the Academy as it is important that you fully under-
stand the rationale for it. Currently the Institute is responsible for the
roll-out of the learnerships as well as the assessment process. Under
the QCTO’s procedures, provision is made for two functions for the
occupational qualifications. The one is the Skills Development Part-
ner (SDP) and the other the Assessment Quality Partner (AQP). The
former is responsible for offering the training that accompanies the
qualification and the latter the assessment that ascertains compe-
tence at the end of the training process. Under the QCTO these two
roles cannot be played by the same organisation. In other words, you
cannot be both player and referee on the field. It has therefore be-
come necessary for us to accelerate the establishment of a separate
entity to create a clear separation between the player and referee
aspects. In this context the Institute is applying to be AQP and the
Academy will play the role of SDP.
Thus, we are dealing with some really exciting (albeit a little scary
when one thinks of all the work involved) projects at the moment.
This is all in the name of professionalising internal audit. This profes-
sion is such an important pillar of governance in South Africa that we
cannot ignore the fact that we must ensure that internal auditors are
adequately prepared for the increasing expectations from the mar-
ket. I believe that we are on the right path. Key questions to you: Is
your internal audit function aligned to the efforts to professionalise
internal audit and are you ready to take the quantum leap with us?
Claudelle von Eck, CEO: IIA SA
IA ADVISER April/May 2015 | 7
Progress Through Sharing
IIA Membership
The Institute of Internal Auditors South Africa is the leading professional body representing the interests of Internal
Auditors in South Africa. As part of an international network, the IIA SA upholds and supports the fundamental tenets
of the profession - the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing.
The IIA SA supports the profession by providing a wide range of services dedicated to the education and advancement
of internal auditors and dynamically promoting and developing the profession in South Africa.
We serve internal auditors in South Africa by offering Technical Guidance, Professional Training Programs, Certification
Programs, Continuing Professional Development Opportunities, Conferences
and Networking Opportunities.
For more information contact the Membership Administrator on
Telephone: (011) 450 1040 or e-mail: membership@iiasa.org.za
IIA SA website: www.iiasa.org.za
8 | IA ADVISER April/May 2015
boRdeR Kei
Alfred NZO District Municipality Aviwe MtakasiDepartment of Economic Development & Environmental Affairs - Eastern Cape Neliswa NyosanaDepartment of Local Government & Trad Affairs - EC Andile MakhabeniDepartment of Roads & Public Works - Eastern Cape Sibulelo Mbam Zikhona SagwityiDepartment of Sports Recreation Arts & Culture (Eastern Cape) Nokuzola MahanjanaDepartment of Transport (Eastern Cape) Lulama Mpandana Ntikhoyo Mene Nosisa Mahlutshana Bonginkosi NyongoEastern Cape Development Corporation Sisamkele NgxawuInkwanca Municipality Asanda MkonqoLukhanji Local Municipality Ayanda Doko Asanda MagqazaLumoka Chartered Accountants Nosiphiwo Magubeni Matseliso Mfanta Mandisi MsongelwaMnquma Local Municipality Phelela Mdladlamba Xolisa MjakujoNkonkobe Local Municipality Luyolo MapitizaNyandeni Local Municipality Sinovuyo MadoloOffice of The Auditor General South Africa ( Eastern Cape) Pumza GolimpiRakoma & Associates Incorporated Tembelani TshabaneSouth African Post Office (SAPO) Leon de Vos
FRee-stAte
Central University of Technology (Student) Maite LetsoaloEthekwini Municipality Sifiso NtozakheNorthern Cape Provincial Treasury Tau PitsoProvincial Treasury - Northern Cape Tumelo GaarekweSouth African Post Office (SAPO) Lawrence PitsoUniversity of the Free State Nandi Lubbe
joHAnnesbuRG
ABSA Bank Ltd Phathiswa Nqini Charlene Chung Dingaan KhozaABSA Bank Ltd (Internal Audit) Sonia ManilalAlexander Forbes Financial Services (Pty) Ltd Ludwe MqengqeniAuditor General of South Africa (AGSA) - Pretoria Sibusisiwe NkuthaAuditor General South Africa (AGSA) Lindelihle KuneneBorwa Financial Services (Pty) Ltd Christinah ZebedielaC N Corporate Partners SA cc Cease NyamasokaDepartment of Justice Mareka TebakangDepartment of Mineral Resources Nhlonipho KhozaDepartment of Social Development Malemane KgananaDepartment of Tourism (National) Lebogang MtshaliDevelopment Bank of Southern Africa Tebogo Manakana Nakasani MurongaDiscovery Ltd Arlene AlvesEdison Group Miguel Dos SantosEskom Holdings SOC Ltd Liaqat AzamFinancial Services Board Bertha KhoeleGroup 5 Limited Mputluki MokonyaneGroup Five Construction Mosidi KomaneImperial Truck Rental Surette VorsterLand & Agricultural Bank of SA Sydney NkunaLiberty Group Limited Oupa Mokgoantle Anthon Booysen
Liberty Group Limited Mohummed AreffLloyd Viljoen Lindsey BordMNB Chartered Accountants Rhangani Mbhalati Rivalani NtuliMogale City Local Municipality Boingotlo BantaotseMRL Incorporated CA ( SA ) Molefe MorifeNational Treasury Keneiloe KgoroeadiraNetcare Management (Pty) Ltd Silindile SibiyaNexia SAB&T Lethabo MongaloNgubane & Company Ephraem SibandaNkonki Incorporated Sindi Zilwa Mahendrin Moodley Morne Kermis Varsha Chetty Khomotso Legote Mzimtsha Nkonki Tererai Dzirekwa Nomcebo Mlambo Thuto Masasa Zakhele NkosiPandell Consulting Simbarashe MlamboSAA Technical Michael MpanzaSizweNtsalubaGobodo Serame MothupiSouth African Post Office (SAPO) Stephen Masango Jeremia Mosieleng Willem FourieSouth African Reserve Bank Kavershnie MoodleyStandard Bank South Africa Phumzile Gebashe Kealeboga Mabe Lerato Dlamini Olebogeng Siko Mandisi Mzinyati Miliswa Mgavu Shoki Maditsi Oneilwe Methikge Berko Danso Fhatuwani MufamadiStateway Switchboards Nkosingiphile DokoTollserve cc Ntsoaki MokoenaTransnet Freight Rail Nthabiseng TlalangUmgeni Water Godfrey NgwenyaWatermark Auditors Inc Nyasha Kaliyati
KWAzulu nAtAl
Durban University of Technology Mohammed KharwaDurban University of Technology Student Busisiwe DhladhlaHealth System Trust Blessing MncwabeHTB Consulting Nobuhle KhuzwayoKwaDukuza Municipality Zama BekwaKZN Gaming and Betting Board Nontobeko HlengwaKZN Provincial Treasury Thobeka BasiMichaelmas College (Pty) Ltd Thembeka MngqithiNewcastle Municipality Khulakahle PoultenNexia SAB&T Pirogan MudalyNtshidi & Associates Buza BenguOMA Professional Advisory Group (KZN) Suveen Dabeepersadh Muhammad SheikProvincial Treasury - KZN Lipworth Mbonambi Duduzile DitlhaleRoad Accident Fund Mbali KhubisaSA Post Office PIA Ian BarnesSizweNtsalubaGobodo Don SaundersSumitomo Rubber South Africa (Pty) Ltd Nduduzo ChalaUmgeni Water Ronica Mhlabane
WelCoMe to neW MeMbeRs
IA ADVISER April/May 2015 | 9
liMpopo
Department of Roads & Transport - Limpopo Lindiwe NgwenyaGreater Tubatse Municipality Mahlatse MononyaneMetcash Africa Jan PietersePricewaterhouseCoopers - Polokwane Aneela MoodleySML Projects (Pty) Ltd Maano Seokotsa
MpuMAlAnGA
Finbond Mutual Bank Sicelo SitholeLekwa Local Municipality Vukile DladlaMbombela Local Municipality Nkululeko SifundaMpumalanga Provincial Legislature Rodney Zwane Nolwazi MlimiSteve Tshwete Housing Association Nomthandazo Skhosana
nAMibiA
Erongo Regional Electricity Distributor Company Karin AndimaMinistry of Finance Namibia Amutenya JacobsPricewaterhouseCoopers - Namibia Charles Matundu
noRtHeRn CApe
Mier Municipality Abigael OrangeOffice of The Auditor General South Africa Mxolisi PhalisoOrange River Cellars Wentzel Engelbrecht
noRtH West
Johannesburg Fresh Produce Market Kobeli MotsieloaMVI Group Mokaedi MabinaNgaka Modiri Molema District Municipality Goitseone MakgoloNWK Limited Beracah SehlohoRatlou Local Municipality Kgalalelo LetsapaSizweNtsalubaGobodo Kizito Aidoo Gaongalelwe ModiseSouth African Police Services Ofentse Kgope
poRt elizAbetH
Coega Development Corporation Msimelelo BoltinaCoega Development Corporation (Pty) Ltd Siphokazi MazombaDepartment of Economic Development & Enviromental Affairs - Eastern Cape Aphelele KalipaDepartment of Human Settlement (Eastern Cape) Chumani Ntlebi Sibusiso Komnga Veliswa MalasheErnst & Young Natalie Goedhals Gavin FlanaganKPMG (Port Elizabeth) Maxesibandile MbalaneKPMG (Pty) Ltd Andre De WetMkululi Mbali Financial Advisory Services cc Mkululi MbaliOffice of the Auditor General (EL) Cwayita GanaOffice Of the Premier - Eastern Cape Malungisa LujalajalaSovereign Foods Veronique Reddy
pRetoRiA
Business Innovation Group (Pty) Ltd Evasen ArcharyCompanies and Intellectual Property Commission (CIPC) Francis ManickumDepartment of Home Affairs Vincent KgwaleDepartment of Justice and Constitutional Development Lesego RamakutanaDepartment of Public Enterprises Samuel Sebola
Department of Social Development (National) Caroline DitintiDepartment of Tourism (Pretoria) Sharon BiyaFinbond Mutual Bank Petrus SelzerGrant Thornton PS Advisory Services (Pty) Ltd Karel SteenkampHernic Ferrochrome (Pty) Ltd Morné FraserHuman Sciences Research Council Tshegofatso ModibaJDG Trading (Pty) Ltd Mmantomi SeemaMasilonyana Local Municipality Motlalepula Motaung Thabo KareebosMedscheme Holdings (Pty) Ltd Mosima KwebuNexia SAB&T Vinolia Makgoba Mmakgabo Motadi Refilwe Maimela Setilo Maabane Keneilwe Pholoma Mmarungoane Manchidi Maripa Moabelo Mphoke Senamela Mashoto Mogowe Tlou SelahlaNorthwest Transport Investment Tshidi MabuselaOMA Chartered Accountants Inc Saheed FasasiPricewaterhouseCoopers - Polokwane Vusi Ntuli Morepuo KemboPricewaterhouseCoopers (Pretoria) Noluthando VilakaziRenaissance Chartered Accountants Tshianeo MadadzheSekelaXabiso Consulting Masabata ElephantSouth African Bank of Athens Monica PattichidesSouth African National Defence Force Orebotse MothokoSouth African Police Services (SAPS) Jacobus Roos Emmanuel RapholoSouth African Post Office (SAPO) Thabo Doyoyo James Ndlovu Frik SticklingTollserve cc Martha Molekoa Wiseman MfayelaUniversity of South Africa Steven Moloi
sWAzilAnd
Swazi MTN Limited Ncamsile MhlangaRoyal Swaziland Sugar Association Phinda MngomezuluRoyal Swaziland Sugar Corporation Winile Dlamini George Croucamp Philile Gumbi Nozipho MsibiSwaziland Electricity Company Sakhile DludluUniversity of Swaziland Bongani Msibi
WesteRn CApe
Cape Peninsula University of Technology (Student) Zwelithini MatsosoDepartment of The Premier - Western Cape Shane SoekoeGrant Thornton CT Kudzayi MatsangaKuhumelela Registered Accountants and Auditors Lenin NdzibaMaboya Capital (Pty) Ltd Lwazi MagayanaOakhurst Insurance Company Ltd Stephanus LouwPrescient Profile David JarmanSouth African Post Office (SAPO) Daniel Germishuys Joseph Sidonie Donald Valentyn Hendrick VolschenkThe Foschini Retail Group Nicole Andrews Radha Heera
10 | IA ADVISER April/May 2015
stRAteGies FoR inteRnAl AuditoRs to neGAte intiMidAtion And viCtiMisAtion
With internal auditors facing increasing in-
timidation, victimisation and malicious re-
porting within both the public and private
sectors, the need for internal audit profes-
sionals to find and employ effective psycho-
logical and behavioural strategies to negate
these extremely detrimental practices can-
not be overstated.
To this end, Dr. Graham du Plessis (PhD),
lecturer in the Department of Psychology at
the University of Johannesburg, and a prac-
ticing clinical psychologist who counsels a
number of internal auditors in both a thera-
peutic and consulting context, outlines a
number of such strategies which internal
auditors can develop and utilize.
“To begin with, I have observed that inter-
nal auditors often operate within a rather
stressful and complex environment where
strong people skills are very necessary.
While each case is certainly different and
requires a degree of tailoring, in the context
of threatening interactions there are a num-
ber of important principles to keep in mind,”
he explains.
First and foremost, he says, it is important in
such situations to look beyond the threat-
ening behavior in order to discern its func-
tion for the person who is doing the threat-
ening, and that to do this, it is necessary to
check our emotional reaction and to look at
the facts at hand.
“Often people threaten others as part of
a negotiation. In essence, the idea of the
threat is to elicit emotion in someone with
the intent of getting them to act in a certain
manner. Therefore, internal auditors faced
with threats need to remember that they
should see the threat as a form of negotia-
tion, and that by practicing checking their
emotional reactions of fear, shock and an-
ger, they can most effectively focus on the
task at hand.”
He continues that while there is no ‘silver
bullet’ for formulating and implementing
this strategy as each situation needs to be
specifically managed and strategized par-
ticular to the parties and context involved,
he has found two ideas to be extremely
popular, and effective, with the people and
companies he has worked with.
tHe FiRst oF tHese is boundARY settinG.
“Setting boundaries is crucial in both our
personal and work relationships, particularly
so in instances where overt and tacit threats
occur. This is because boundaries define the
line between what I am responsible for, and
what others are responsible for.”
He expounds that in order to set a bound-
ary, a person must follow three steps.
“Firstly, they should acknowledge the need
of the other person. For example, ‘you
would like for me to delete X information
from your report, and replace it with Y in-
formation.’ While this is often as simple as
repeating to that person their request or
statement, or your understanding thereof,
it does require practice to perfect.”
tHe seCond step is to set tHe boundARY.
“In this case, the person communicates the
line of responsibility clearly and without
deviation. For example, ‘I cannot remove
information from my report.’”
The final step involves offering an alternative.
“In this step, the person setting the bound-
ary gives another option to the person with
whom the boundary is being set. An ex-
ample may be, ‘…but I am willing to add in
an extra section or addendum to the report
that explains your concerns and position
regarding information Y.’ It is vital to remem-
ber all three steps in boundary setting.”
Du Plessis continues that the second popu-
lar idea is that in any communication there
are a number of levels to consider.
“We communicate through what we say
and how we say it. The content of the
words we use is only a small part of what
is being communicated. Our tone, inflec-
tion and body language while we are say-
ing something also convey a great deal of
information. When the content of what we
say matches how we say it, we are commu-
nicating in a manner that is highly authentic
and which often is most effective at making
others comfortable and in getting the best
out of relationships.”
He elaborates that when there is disagree-
ment between what is being said and how it
is being said, there is a problem in the com-
munication, and that this is often the case
in the context of threats, or when there is
some other form of relational breakdown.
“Therefore, when communicating our-
selves, it is advisable to be as congruent
in what we say and how we say it as pos-
sible. When dealing with others who are
being dissonant in their communication,
the rule of thumb is to focus on the ac-
tual content of the words, and to ignore
the non-verbal communications. The fun-
damental idea of this strategy is to com-
pel the person who is communicating in
a discordant manner to verbalize with
words the other, non-verbal message of
his or her communication.”
IA ADVISER April/May 2015 | 11
stRAteGies FoR inteRnAl AuditoRs to neGAte intiMidAtion And viCtiMisAtion
Often, threats are made through implicit
communications where the words are not
necessarily threatening but the manner in
which the non-verbals are employed com-
municates a clear implicit message, which
often is a threat.
“In these situations, emphasizing boundary
setting in relation only to the actual content
of the words is an effective strategy for han-
dling threats. It is one of the most effective
means of dealing with threats in the busi-
ness environment.”
Du Plessis maintains that another good
psychological principle to apply in regards
to people being aggressive, unfriendly or
threatening is as follows:
“As a rule you cannot cure unkindness with
kindness, and this also applies to threats. If,
when you are threatened, you accept the
threat and are very nice about it, the person
who has threatened you is simply going to
learn that this is an acceptable way to in-
teract with you in future. I certainly do not
advocate fighting back aggressively; rather
I have found that effective boundary set-
ting is a very useful manner in which to as-
sertively and implicitly communicate to the
‘threaten-er’ that this type of interaction will
not work with you.”
And he stresses that these same principles
apply after a threat has actually been car-
ried out, and to many other aspects of an in-
ternal auditors’ job, such as communicating
sensitive information, and obtaining their
stakeholders’ buy-in to implement their rec-
ommendations.
“Congruence is crucial when it comes to
communicating sensitive information. It is
also crucial, although often forgotten, to
remember that all communication is a two
way street. When communicating informa-
tion to others, and especially sensitive infor-
mation, it is of absolute importance to listen
to what the other has to say.”
Yet his clients are often surprised by this
idea, saying, “I have something that my
stakeholders need to hear. I don’t really
need information from them.”
“On a logical level they are often correct,”
says du Plessis. “However, on a psychologi-
cal level they are forgetting that in order for
other people to hear us, actually hear us, we
need to listen to them as well. It is not logi-
cal so much as psychological, which, when
working with others, is only logical.”
As for obtaining stakeholder buy-in to im-
plement their recommendations, du Plessis
asserts that as a guiding rule he would en-
courage internal auditors to make sure that
they are communicating in a very congru-
ent manner.
“Again, what you say and how you say it
should all line up into an authentic communi-
cation. The other golden rule of ‘buy-in’ is that
you need to listen carefully to others’ opinions.
I would encourage internal auditors to take
time to really listen to what their stakeholders
have to say. As a consultant clinical psycholo-
gist I have often come across the opinion that
‘because it has to be this way, there is really
no point in discussing it with the stakehold-
ers any further’. On a purely logical level this
position makes sense, but on a psychological
level it can be disastrous.”
And tHis tAKes us bACK to boundARY settinG.
“Boundary setting underscores two crucial
aspects of human nature. The first is that we
want and need to be listened to and heard,
even if our requests are not necessarily met.
What is key here is to remember that being
listened to is a practical human request.
While on the surface it may appear to have
very little to do with the work at hand, in
practice is it the most fundamental requi-
site as it lays the relational foundation for all
other work and ‘buy-in’. The second is that
we don’t like to be ‘boxed-in’. All people
have a basic need to direct their lives and
business in some way. Therefore it is crucial
to buy-in to make sure that stakeholders
have some say in what they do. This ‘say’
does not necessarily have to be around core
issues that can’t be changed, but it does
have to be there.”
Thus, in pursuing buy-in it is important for
internal auditors to remember that when
they allow stakeholders some freedom to
act, even if it is in regards to a non-core or
seemingly irrelevant aspect of implemen-
tation, they are far more likely to lay a solid
foundation for effective implementation.
In addition to these psychological and be-
havioural strategies, Du Plessis points out
that because internal auditors often work in
stressful and complex environments, they
are generally in a position where ‘self-care’
is vital.
“Broadly, this means that internal audi-
tors need to look after themselves prop-
erly. This involves paying attention to
the human sides of life, such as investing
time and energy in their personal rela-
tionships, their health, and in occasion-
ally taking some mental ‘time off ’. Most
important of all is spending time on life
works that are personally meaningful and
fun,” he concludes.
Steven Chiaberta for The Wisdom Keys Group (WKG) on behalf of the Institute of Internal Auditors South Africa (IIASA)
12 | IA ADVISER April/May 2015
intRoduCtion
Given that Internal Audit has once again appeared in the latest version of the commonly known scarce skills list under OFO code 242211 (DHET.2014/22), an introductory document was thought necessary to provide a brief overview of the aforementioned list and its origins.
bACKGRound
Aiming to influence, amongst other things: qualifications’ development; supply side planning; student fund allocation; skills development for special government projects; career guidance; and global human resource attraction strategies; 100 scarce skills in the country were identified and shared with the public on 23 May 2015 (Government Gazette No. 37678). Feedback, however, revealed the need to and desire to incorporate more skills and as such the original intent of confining the list to 100 could not be met. The commonly understood term of scarce skills was, thus, replaced by that of ‘occupations in high demand’, as published by the Department of Higher Education and Training (DHET) in the
National Government Gazette (No. 38174).
tHe developMent oF tHe list
The development of this list was based on the appeal for such information captured in several public source documents, including, amongst others, JIPSA, IPAP 2 and the NDP etc. The process started with agreeing on the terms of reference and establishing an advisory committee to guide the project. Thereafter, research was conducted and a draft list was compiled. The results of this research were supported by an interview sample of employer associations. The findings were then presented to the Advisory panel and thereafter revised according to their feedback. The revised document was then gazetted for public comment based upon which the final list was drafted and published
KeY FindinGs
The Joint Initiative on Priority Skills Acquisition (JIPSA) source documents indicated that immediate attention needs to be given to developing world class engineers for industries focused on
transport, communications, and water and energy. In addition, they emphasised the need for city, urban and regional planning and engineering skills as well as artisanal and technical skills, especially those directed towards infrastructure development, and housing and energy. Management and planning skills in education and health was also a concern as well as mathematics, science and language competence in public schooling. In addition, JIPSA made proposals to prioritise skills initiatives in the fields of tourism, information and communication technology, business process outsourcing and bio-fuels.
The Industrial Policy Action Plan (IPAP) 2 identified the following 3 areas as in need of market growth and the associated upgrading of supply capacity and capability: green industry; agro-processing; and fabrication, capital and transport equipment.
The National Development Plan (NDP) 2010-2030 suggested the need for skills in the areas of: Public service delivery; Sustainable Livelihoods; Education and Training; Research and Development; Public
list oF oCCupAtions in HiGH deMAnd: 2014
INTERNAL AUDIT
Imag
e co
urte
sy o
f ww
w.fr
eegr
eatp
ictu
re.c
om/
IA ADVISER April/May 2015 | 13
list oF oCCupAtions in HiGH deMAnd: 2014
infrastructure; and Health professionals.
The National Growth Path (NGP) identified the following disciplines in need of employment creation and growth:• Engineers: Target at least 30 000
additional engineers by 2014, changing subsidy formulae for universities as appropriate;
• Artisans:Targetatleast50000additionalartisans by 2015, with annual targets for state owned enterprises;
• Workplaceskills:Improveskillsineveryjob and target 1, 2 million workers for certified on the-job skills improvement programmes annually from 2013;
• Further education and training (FET)colleges: Colleges have a central role in providing important middle-level skills for young people; and
• Information and communicationstechnology (ICT) skills: The departments of education should ensure that computer skills are taught in all secondary schools and form part of the standard adult basic education and training (ABET) curriculum by 2015. All public servants should also receive ICT training.
The Government Strategic Infrastructure Projects (SIPs) note a dire shortage across
the disciplines with regards to engineers, technologists, technicians, and artisans.
The Job Opportunities and Unemployment Report (JOUR) noted that the high number of vacancies in the country included managers, senior public sector officials, engineers, technicians, artisans, Information Technology professionals; and maths and science teachers.The Human Resources Development Council (HRDC) report on the Production of Professionals (2013) highlights the need for the production of professionals in engineering, mining, health care and, the built environment.
The Salary and Wage Analysis (2013/2014) indicated wage growth was strong for engineers, project managers, medical personnel, artisans, and IT professionals. (DHET.2014/13-16).
sCoRinG oF oCCupAtions
The methodology used to identify occupations in high demand involved the use of a scoring system to determine eligibility for the list. The following steps were followed in scoring occupations:• Occupations were selected if source
documents identified them as “in need” or “scarce”.
• Pointswereallocatedtoeachoccupationbased on a 100-point rating scale
• The top 100 occupations in demandwere identified based on those that scored the highest
• Additionaloccupationswereincorporatedinto list based on public comments.
• Some source documents (such asthe NDP and IPAP 2) refer to clusters of occupations rather than actual occupations upon which occupations were inferred and lower scores allocated to reduce researcher bias.
• Owing to its infrastructure focus, SIPsprojects were allocated 10 points also to reduce bias.
• Occupations listed in the SectorEducation Training Authority (SETA) Pivotal Skills Lists were allocated 20 points given that they were based on recent studies (DHET.2013)
• In addition those occupations withprofessional designations (such as engineers, quantity surveyors, doctors and teachers) received higher scores due to global high demand for such professions.
Rakal Govender, Senior Research Analyst: Private Sector, IIA SA
ReFeRenCes
1. Department of Economic Development (2010). The New Growth
Path: agenda. Pretoria: EDD.
2. Department of Higher Education and Training (2013a). White
Paper for Post-School Education and Training. Pretoria: DHET.
3. Department of Higher Education and Training (2013b). Learning
pathways for SIPs scarce skills. Pretoria: DHET.
4. Department of Higher Education and Training. (2013c).
Compilation of SETA Scarce and Pivotal Skills Lists (2013/2014).
Pretoria: DHET.
5. Department of Higher Education and Training. 2014. List of
Occupations in High Demand: 2014.Pretoria: DHET
6. Department of Labour. (2013). Job Opportunities and
Unemployment in the South African Labour Market 2011-2012.
Pretoria: DoL.
7. Department of Trade and Industry 2011/12 - 2013/14. (2012).
Industrial Policy Action Plan 2. Pretoria: DTI.
8. Human Resource Development Council of SA. (2010). Human
Resource Development Strategy for South Africa (2010 - 2030) .
HRDCSA: Pretoria.
9. Human Resource Development Council of SA. (2012). Key issues
in improving the quantity and quality of professionals in South
Africa. HRDCSA: Pretoria.
10. National Planning Commission. (2012). National Development
Plan 2030. Pretoria: NPC.
11. The Presidency. (2010). Joint Initiative on Priority Skills Acquisition,
March. Pretoria: The Presidency.
14 | IA ADVISER April/May 2015
MiCRoFinAnCinG: innovAtion oR CuRse
bACKGRound
The idea of micro finance is quite simple:
to provide financial services to the poor.
It is an instrument for alleviating poverty
and providing the poor access to financial
services. It makes a range of financial ser-
vices products accessible to the lower in-
come segments of the population who do
not meet the requirements of traditional
financing.
Micro lending in developing countries is
not banking as usual. It is a unique process
that relies on social relationships in order
to overcome moral hazard, monitoring
and enforcement problems. Micro lending
has historically served customers in low-
growth, informal economies with weak
property rights and tight social control.
These individuals have limited experience
with access to capital, capital accumulation
and its effective deployment. Hence, the
business of micro lending are tying their
fortunes to a fundamentally different kind
of banking customer where the customer’s
income is smaller, irregular and unpredict-
able. As a result, a deep understanding of
the customers is a fundamental step for
successful entry into such markets. Focus-
sing purely on repayment rates, a common
practice, obscures the more complex reali-
ties of micro lending. To understand micro
lending, one needs to start with the cus-
tomer and their social environments. In mi-
cro lending the individual is the key to suc-
cess. The mission of a typical micro lender
is centred on providing access of credit for
the underprivileged. The success of mi-
cro credit programs has largely depended
upon the process of “character-based” lend-
ing which essentially means reliance on
social pressures or peer-monitoring when
extending loans.
More vulnerable households in develop-
ing countries are more concerned with
ensuring housing and securing food than
less vulnerable households. A thorough
understanding of importance of various
risks and the role household assets and
available coping mechanisms play in miti-
gating them is a milestone in designing
relevant micro finance services that will
assist households in increasing their se-
curity of priority household needs. To be
successful micro lenders should use more
household information in the screening
and portfolio segmentation process. Client
retention should be of utmost importance
as compared to further client growth. Mi-
cro finance entities should improve their
services by further adapting their products
and services to specific target groups.
Financial education plays a key role in en-
couraging responsible financial behaviour.
Borrowers default if their net equity falls
below a certain threshold or if they can-
not make their monthly payments due to
credit constraints. Non-payment behaviour
is common amongst middle and low in-
come earners. Individuals have recognised
that the causes of financial difficulties lie
primarily in their inability to manage mon-
ey and decisions regarding spending and
indebtedness. Lack of borrower education
programs was one of key reasons to high
defaults.
RisKY business
A micro finance institutions’ success and
penetration is largely influenced by both
socio-political factors as well as operational
subtleties. The business of micro finance in-
stitutions should be a constant balance be-
tween outreach (reaching large numbers of
poor clients), financial sustainability (gen-
erating sufficient revenues to cover costs)
and impact (showing a positive effect on
client’s quality of life). Factors affecting the
sustainability of micro financing institutions
is broadly divided between institutional
and environmental variables. Institutional
variables are those factors that are specific
to the institution, while environmental are
those economic settings of the country in
which the institution operates. Programs
with high operating costs are less viable
than those with lower costs. Micro finance
institutions tend to be more sustainable by
increasing the size of their operations. Sus-
tainability is a necessary long term goal for
almost all micro finance institutions.
Many risks are common to micro lenders.
Typically they are broken into 3 categories
each focussing on different perspectives of
the micro lending risk environment. Below
is a list of common risk areas with corre-
sponding approaches in managing the risk.
Although not exhaustive, it clearly gives in-
sight into the common risks:
Imag
e co
urte
sy o
f ww
w.fr
eegr
eatp
ictu
re.c
om/
IA ADVISER April/May 2015 | 15
MiCRoFinAnCinG: innovAtion oR CuRse
1. FinAnCiAl RisKs
a. Credit risk
o Risk to earnings as a result of bor-
rowers’ late or non-payment of loan
obligationsEffective approaches to managing risk
o Well-designed borrower screening,
careful loan structuring, close moni-
toring, clear collection procedures
and active oversight by management
o Good portfolio reporting that accu-
rately reflects the status and month-
ly trends in delinquency, including
a portfolio-at-risk aging schedule
and reports per loan product
o Routine comparing of credit risk
with adequacy of loan loss reserves
b. Liquidity risk
o Risk that micro finance institution
cannot meet its obligations on
timely basisEffective approaches to managing risk
o Maintaining detailed estimates of
projected cash inflows and out-
flows
o Maintaining investment accounts
that can easily be liquidated into
cash
o Anticipating the potential cash re-
quirements of new product intro-
ductions
c. Interest rate risk
o Risk of financial loss from changes
in market interest ratesEffective approaches to managing risk
o Reduce the mismatch between
short-term variable rate liabilities
and long-term fixed rate loans
d. Foreign exchange risk
o Risk for loss of earnings as a result
of fluctuations in currency values
Effective approaches to managing risk
o Avoid funding the loan portfolio
with foreign currency if it cannot
match foreign liabilities with for-
eign assets
o Use of interest rate swaps or futures
contracts to “lock-in” a certain ex-
change rate
e. Investment portfolio risk
o Risk referring to longer term invest-
ment decisions rather than short
term liquidity or cash management
decisions
Effective approaches to managing risk
o Staggering investment maturities
o Policies establishing parameters for
acceptable investment decisions in
investment portfolio
2. opeRAtionAl RisKs
a. Transaction risk
o Risk that arises daily as transactions
are processed
Effective approaches to managing risk
o Simple, standardized and consis-
tent procedures for cash transac-
tions
o Effective internal controls to reduce
human error and fraud
o Strong internal audit activity to test
and verify accuracy of information
and compliance
o Limiting manual data capturing
b. Fraud risk
o Risk of loss of earnings as a result of
intentional deception by employ-
ees or client
Effective approaches to managing risk
o Use of preventive measures to re-
duce fraud by having education
campaigns, standardize loan poli-
cies and procedures, enforce hu-
man resource policies
o Client visits to verify information
3. stRAteGiC RisKs
a. Governance risk
o Risk of having an inadequate struc-
ture to make effective decisions
Effective approaches to managing risk
o Board comprise of the right mix of
skills and experience
o Clear lines of authority for board
members and management
o Clearly communicate performance
expectations and lines of account-
ability
b. Reputation risk
o Risk to earnings as a result of from
negative public opinion
Effective approaches to managing risk
o Building relationships with clients,
funders or investors and regulators
c. External business risk
o Inherent risks as result of the exter-
nal business environment
Effective approaches to managing risk
o Contingency plans for anticipation
and possible external events that
can impact the business
d. Regulatory and compliance risk
o Risk of non-compliance with laws,
rules, regulations or ethical stan-
dards
Effective approaches to managing risk
o Establishing good working rela-
tions with regulatory authorities
Granting microloans to borrowers not only
result into credit risk but also in liquidity
risk due to the refinancing process, interest
rate risk, foreign exchange risk if applicable
and operational risk due to staff fraud. Mac-
roeconomic factors such as unemployment
and inflation is regarded as being signifi-
cant to micro finance institutions. Micro fi-
nance challenges are further compounded
by over emphasis on collateral and ignor-
ing the debtor’s willingness or ability to pay
and poor culture of repayment. The micro
finance technologies of service delivery,
screening, and monitoring significantly dif-
fer from those in the formal banking sector.
Research suggest that micro finance insti-
tutions do not always do better, and some-
times do substantially worse where institu-
tions are more advanced.
FuRtHeR ReseARCH insiGHts• Larger micro finance loans result in a
lower yield on gross portfolio. Even
though larger loans reduce operating
costs, the gains in costs is off-set by the
16 | IA ADVISER April/May 2015
MiCRoFinAnCinG: innovAtion oR CuRse
increased difficulty in finding good bor-
rowers willing to take out bigger loans.
• Stronger profit orientation leads to
higher interest rates but is also associ-
ated with higher costs.
• Micro finance institutions offering
smaller loans tend to be more efficient
than those offering larger loans. Mi-
cro finance institutions offering larger
loans do not benefit in terms of effi-
ciency from raising interest rates as a
result of competition.
• Themostefficientmicrofinancinginsti-
tutions are the ones offering small but
expensive loans. Moving towards better
off clients in an attempt to reap the ben-
efits of economies of scale, lower risk and
profit oriented investments lead to an
inefficient use of resources. Micro financ-
ing institutions that stick to the poorer
clients tend to be the most efficient.
• Micro financing institutions should be
highly discouraged from allowing bor-
rowers to enter into multiple debt con-
tracts considering that micro finance
institutions cannot improve their perfor-
mance by indiscriminately lending more
as over-lending reduces efficiencies.
iMpACt oF A FinAnCiAl CRisis And ReCession on MiCRo FinAnCinG in-stitutions
The impact of a financial crisis on both mi-
cro financing institutions and their clients
depend on several characteristics includ-
ing: the macroeconomic environment, the
level of integration of the country to the
global economy, cost and funding struc-
tures and the ability of management to
deal with the crisis.
Components of a financial crisis that are
most relevant to the micro financing indus-
try are listed below:
• Liquidity and credit crunch – defined
as the contraction of the availability of
funding.
o This creates an environment where
less funding is available as capital
streams dry up due to the lack of
confidence in the repayment ca-
pacity of counterparts.
o Cost of funds increase as percep-
tion of risk change
o Funders tend to prefer short term trans-
actions as they are less sure of getting
their outstanding credits back.
• High inflationepisodes – Inflation risk
is a common risk for micro finance insti-
tutions especially for those operating in
countries with weak monetary policies
or unsustainable economic regimes.
o Changes in food and fuel prices can
feed back into inflationary spirals
• High currency devaluation – currency
devaluations can contain serious con-
sequences for the asset- liability man-
agement of micro finance institutions.
• Global recession – This refers to mul-
tiple events associated with worldwide
economic downturn. The most relevant
of these events include:
o Higher unemployment and lower
domestic demand for goods and
services
o Lower remittances
o Increase demand for consumption-
smoothing purposes
• Foodandfuelpriceshocks–increases
in this without comparable increase in
income, forces borrowers to allocate
higher promotions of income to those
expenses and directly affect the ability
to repay loans.
Potential effects of a financial crisis on the
micro finance institution include:
o Reduction in borrower repayment
capacity as a result of inflation, dif-
ficulty in dealing with higher inter-
est rates, reduction in remittances,
increases in fuel and food prices
o Higher costs and potentially higher
interest rates for borrowers
o Reduced growth due to liquid-
ity crunch, economic recession and
food and fuel crisis
o Increased foreign exchange losses
due to currency devaluation, if ap-
plicable
o Deterioration of microcredit repay-
ment culture as a result of increase
in defaults and arrears in the rest of
financial system, political interven-
tion and competition from new fi-
nancial institutions
FindinGs in tHe soutH AFRiCAn Mi-CRo FinAnCinG industRY
The below findings are based on research
that was performed where a comparison
was made between micro financing man-
agement perceptions as compared to the
analysis of quantitative customer data. The
following key findings are noted:
Biggest Risks
Whereas management sees fraud, over
indebtedness and bad debts as the big-
gest risks, client data suggest that the big-
gest risks are bigger loan amounts, longer
term loans and loans to younger clients.
The different views and analysis are how-
ever overlapping as indebtedness possi-
bly results into bigger, longer term loans
to clients that cannot meet the necessary
obligations. According to the research the
average good micro finance client in South
Africa is a client that meets obligations of a
6 month loan and a loan amount of R3450
as per affordability calculation.
Finding Balance between Too Little and
Too Much Risk
According to management within micro
finance institutions the best way to acceler-
ate micro finance business in South Africa
is to extend the term and the amount of
loans to attract a bigger market. However,
client data indicates that the longer loan
terms and bigger loan amounts drastically
increases the possibility of non-payment.
IA ADVISER April/May 2015 | 17
MiCRoFinAnCinG: innovAtion oR CuRse
Proactively Managing Risk in Micro Fi-
nance Environment
Customer data suggest that a credit scor-
ing model is the best way of managing risk.
This is followed closely by building a cus-
tomer relationship with shorter term prod-
ucts and staff training. On the other hand,
management suggests that the best way of
optimising client service is through a real
time debtor management system.
Increasing the Success of Predicting the
Outcome of Micro Finance Credit Trans-
actions
According to management the biggest
predictor of non-payment of new clients is
the level of the client’s disposable income
after living expenses and loan instalments.
Management also suggest that the num-
ber of loans and number of judgements
are also predictors of the outcome of credit
transactions. However, client data totally
contradicts management in the sense that
the number of loans and judgements do
not materially influence the outcome pre-
dictions of credit transactions. Client analy-
sis suggest that smaller loan amounts on
shorter terms hold much less risk than loans
with bigger amounts over longer terms.
The average good micro finance client in
South Africa has the following characteristics:
• Averageageof42
• AverageloanamountofR3450
• Averageloantermof6months
• Averagenumberof25loansoverape-
riod of 5 years
• Hasabout2.34openloansatanystage
• Has an average credit exposure of
about R50 000 over a period of 5 years
The average bad micro finance client in South
Africa has the following characteristics:
• Averageageof36
• AverageloanamountofR6300
• Averageloantermof14months
• Averageofnumberof12 loansovera
period of 5 years
• Hasabout1.81openloansatanystage
• Has an average credit exposure of
about R20 000 over a period of 5 years
Other findings include:
• Intermsofrisktools,creditgrantingpol-
icies and customer affordability calcula-
tions together with internal controls and
debt collecting is rated as being more
important than credit scoring models
• Respondentsarenottotallyconvinced
that traditional banking tools can be
applied to the micro financing industry
• Arealtime,effectiveloanmanagement
system is seen as being the most ef-
ficient way to optimise client service
and reduce risk as compared to decen-
tralised credit decisions, cash disburse-
ments to clients, a call centre function
and centralised credit decisions
• External fraud is a much bigger risk
than internal fraud
• Atageof38theprobabilitythatclient
will be good or bad is equal
• Theprobabilityofdebtorsgoingbadas
a result of death is less than 1%
• Theprobabilityofclientsgoingfordebt
counselling after they became bad pay-
ers is less than 10%
Key Recommendations to Consider
Micro finance institutions in South Africa
need to eliminate the risk of fraud, both in-
ternal and external, as far as possible. This
can be done by investing in staff training,
real time loan management systems and
effective internal controls. The level of cli-
ent disposable income needs to also be
more accurately assessed in terms of af-
fordability. A credit scoring model is crucial
to match the correct product with a specific
client, based on the client’s risk profile. The
term of the loan is the main outcome of a
credit scoring model and a good predictor
of non-payment. As smaller loan amounts
over shorter periods reduces microfinance
risks drastically, it should be more actively
marketed.
A Value Add Role by Internal Audit in Mi-
cro Finance Environment
With so much risk within the micro finance
environment, internal audit would be in
the best position to provide Management
with the needed assurance in an indepen-
dent and objective manner by evaluating
the controls around the key risks. The fol-
lowing value adding comments should be
noted by Internal Audit.
Internal controls assist in promoting and
providing reasonable assurance of the fol-
lowing:
• Profitabilityandsustainability
• Adherencetomanagementpolicies
• Safeguarding of assets both physical
and non-physical
• Preventionanddetectionoffraudand
error
• Accuracyandcompletenessofaccount-
ing records
• Timelypreparationofreliablefinancial
information
• Dischargeofstatutoryresponsibilities
A weak internal control system has the fol-
lowing evident
• Lackofsegregationofduties
• Lack of supervisory or internal audit
monitoring
• Lack of independent verification of
work performed
• Lackofgoodinformationsystems
• Lackofseniormanagementtointernal
controls
The 3 most critical aspects of micro financ-
ing operations include:
• Humanresources
• Policiesandprocedures
• Informationsystems
18 | IA ADVISER April/May 2015
MiCRoFinAnCinG: innovAtion oR CuRse
Wayne Poggenpoel CIA, CCSA, CGAP, Technical Committee: IIA SA
Fraud is often detected by the increase in
delinquencies, accounting irregularities
and employee tip-offs.
From a Micro Finance Perspective, Internal
Auditors should “FOLLOW THE MONEY”.
They need to understand the flow of cash in
and out of the institution according to the
different cycles i.e. revenue cycle, expendi-
ture cycle and treasury or finance cycle.
Key Indications of Problems in Micro Fi-
nance Sector
• Over-indebtedness and Regulatory
Pressure
• Diversifying away from its core client
base
• Toostronggrowth,under-provisioning
and mispricing risk
Areas of Internal Audit Interest
FRAUD DETECTION SIGNALS
Danger Signals Examples of Problems that may Result
Employee exceeds scope of
responsibilities
Individual negotiates contracts and
assumes responsibility for approving
invoices in order to get kickbacks
Unusual reduction in or loss of regular
customer business
Key employee has silent partnership in
new competitor
Loan officer also approves a loan Financial information inflated and loans
given in order for kickbacks
Employee living beyond his/her means Employee embezzling to support lifestyle
CCSA
Lelane Brits
Chanelle Da Silva
Umaira Gani
Nkosazana Joko
Tebogo Maidi
Fortune Mkhabela
Nokukhanya Mlanduli
Sibongile Motloung
Mareda Mphaphuli
Sylishna Naidoo
Lungile Ngcobo
Ritesh Patel
Subhadra Ragubeer
Thakane Rampai
Samuel Ramuhashi
Jeremy Samuel Mark
Solomons
Willie Swart
Mlulasi Zenani
CGAPJean-Pierre Rossouw
Ritesh Patel
CFSAThembakazi Tina
Marco van der Merwe
Theo Kruger
Ramoshie Mahapa
Karen Louw
Jeremy Sanderson
CRMAAngelique Adams
Kevin Chivere
Cynthia Cornelius
Junior Dube
Elias Dlamini Elias
Gary Leong Gary
Heinrich Joodt Heinrich
Unathi Kondlo
Cecile Louw
Tuliswa Makoba
Thapelo Matsapola
Bongani Wilberforce
Mbewu
Thokozile Mthembu
Mamogobalale Phala
Willem Pieters
Kgomotso Ragoleka
Itumeleng Ramoganyaka
Thakane Rampai
Zubair Sader
Sisanda Mahlasela
Fannie Sithole
Thomas Swanepoel
Jacobus van der Westhuizen
Jacques van Zyl
Nazir Vanker
John Varga
Nicolene Waso
Thembisile P Zwane
Congratulations to CCSA, CFSA, CGAP and CRMA candidates
IA ADVISER April/May 2015 | 19
tHe etHiCs CHAllenGe
At some time or other in their lives most internal audit professionals have attended a lecture on the subject of ethics. This lecture did not necessarily entail the science of debits or credits or an intricate understanding of financial concepts but referred rather to a behavioural attribute that is expected of someone pursuing a career in internal auditing.
Today, the moral ethical bar has been raised; there is an expectation that, as an internal auditor, your ethical conduct has to be beyond reproach. Although such moral discussions centre on simple qualities such as integrity and honesty, they nevertheless provoke contentious opinions.
What is integrity? This question elicits a variety of responses, yet the meaning is simple: “Doing the right thing even when no one sees you.”
This response has had a profound influence on me, and I have realised that a career as an internal auditor requires a certain level of introspection.
The challenge in this regard relates to the fact that a person’s values and belief system have to be aligned in some way or other with the ethical requirements of the profession. It is not about role playing or separating one’s own values and beliefs from those required by the job.
By its actions and its words the internal audit activity must be seen both to be setting an example of strong ethics and actively promoting them (Verschoor, 2007, p. 20).Personal values can differ widely as they are influenced by a variety of factors including upbringing and culture. It is therefore critical to understand that they can differ from the organisational values as well. It then becomes appropriate, indeed essential, that the organisation espouses a set of values that
reflects what is acceptable in the workplace.
That having been said, there is hardly an issue of a newspaper or a business publication that does not include at least one story about a new or ongoing ethical scandal. One does not need to look far to find such scandals on the international landscape. Think about the corporate failures such as Enron, HealthSouth, MF Global, WorldCom, Parmalat, Qwest Communications and Tyco International and the Ponzi scheme masterminded by Bernard Madoff.
In a recent case in the South African context, a Pinnacle Holdings executive was allegedly involved in bribing a police officer to secure a tender. The executive was accused of offering a R5 million bribe to a member of the South African Police Service to secure a multimillion rand contract. Subsequent to the scandal the company’s share price dropped by more than 40 per cent (Eye Witness News, 2014).
Another scandal involves Aveng, one of several companies in the construction sector accused of engaging in anti- competitiveness practices by the Competition Commission. The cartel of which it had formed part had apparently engaged in various collusive practices such as holding meetings to divide markets and to agree on margins and plan collusion among firms to create the illusion of competition (IIA SA, 2013).
Bribery and corruption continue to occupy a predominant position today in our society, ranging from petty bribes to traffic officials to significant amounts of money paid as commission to secure tenders. Whilst amounts may differ the actions do not, as all such acts fundamentally amount to corruption (Schoeman, 2014, p. 17).
The incident that has captured the imagination of South Africans countrywide and has kept everyone talking is the Nkandla saga, which involves costs that
tHe GReY MAtteRs on etHiCs
20 | IA ADVISER April/May 2015
AdviseRtHe GReY MAtteRs on etHiCs
have been conservatively estimated to be in the region of R246 million for upgrading the President’s homestead. Although the Public Protector has highlighted a number of irregularities in the project, what lies at the core of this debacle is the improper ethical conduct by various stakeholders.
Consistent with the view expressed by the Public Protector, the City Press newspaper (Du Plessis, 2014) reports, “Zuma and his ministers should have acted when the Mail & Guardian blew the whistle in 2009 on the R65 million the project cost at the time, but the spending increased after that. Zuma violated the Executive Ethics Code by failing to contain state spending and benefiting from it. He wore two hats.”
Referring to the high levels of corruption in the public sector, the Public Protector asserted that “the corruption in this country has reached crisis proportions there is no two ways about it” (Madonsela, 2013)
Organisations all over the world, regardless of size, are at some time or other faced with unethical business practices. Business ethics are compromised by upper and lower management alike and, owing to the prevalence of the problem, the need for organisations to deal with ethical issues has become a global priority.
Ethical behaviour lies at the roots of the corporate scandals we read about daily. However, despite the immense efforts made by corporations to distinguish between what is acceptable and unacceptable, right and wrong there are often practices that enter the grey areas.
Very often management is faced with choices that require them to make decisions that have no clear cut resolution and are extremely problematic. Consequently, they are likely to find themselves confronted with ethical dilemmas (Ehrich, Cranston, & Kimber, 2003, p. 4).
Despite the mammoth ethical challenges faced by organisations, ethics issues are not given the platform they deserve; as a result they are often addressed reactively after the incident has taken place. At times, but unfortunately not always, perpetrators have to face the costs and consequences of their misconduct (Schoeman, 2011, p. 10)
Having said this, one does not need to occupy the CEO’s chair to realise that there is a problem with ethics in general and, to assume that the public sector alone is corrupt to the exclusion of the private sector, would be inaccurate.
Ethical issues occur in both the public and the private sector in South Africa, although it some areas they are perceived to be subtle and more pervasive. Whatever the case, the extent of the problem cannot be denied; news reports of corporate scandals and fraud are testament to the pervasive nature of the problem in both sectors.
Identifying the problem is only the first step, however equally important is to critically analyse the root causes of this problem and to identify the influencing factors. potentiAl CAuses oF tHe etHiCs dileMMA
Hofstee (2009, p. 162) points out that when proposing a sound argument, related questions often arise and it is in this way that new research is developed.What one needs to ask here, perhaps, is whether organisations are creating an environment that is conducive to an ethical culture and whether business is essentially a crucial element of the problem. To be more precise, one should ask whether the board and management have instilled the right ethical culture.
The following are some of the common reasons why employees breach ethical standards: • Lackofethicalstandards–Somepeople
make unethical choices because they are not certain about what really is the right thing to do. Often, ethical problems are complicated, and the proper choice may be far from obvious.
• Inadequate recruitmentprocess –Hiringof employees should be based on rigorous selection processes including background and reference checks. The feedback received from this process is fundamental to identifying the kind of candidate an organisation is looking to hire.
• Tone at the top – The effects of badleadership cannot be over-emphasised. Employees look up to their leaders and when they model a wrong ethical behaviour sooner or later employees inevitably begin to drop their ethical standards and model the unethical behaviour being projected by leaders.
• Pressure to perform/succeed in orderto be incentivised notwithstanding the ethical challenges–Abonus/incentive-driven culture may also impact on how ethically individuals perform their work. Are businesses setting realistic targets or are they setting targets that are not easily achievable?
• Unrealistictargets–Thereisaperceptionthat once employees perceive the targets set to be unrealistic or unattainable, the default behaviour is that employees begin to breach ethical boundaries to somehow reach targets in order to be incentivised.
• Self-interest/personal gain – Somepeople do not just do something wrong in a weak moment or because they are not sure about what the right thing to do is. Self-interest and personal gain is just two of the reasons for a great deal of the unethical activity in business.
• Lack of or poor consequence manage-ment –This plays a role in raising theethical bar or dropping it. Failure by management to act decisively and hold employees accountable for their un-ethical conduct projects an incorrect message.
IA ADVISER April/May 2015 | 21
AdviseRtHe GReY MAtteRs on etHiCs
tHe Role oF inteRnAl AuditoRs in CReAtinG An etHiCAl CultuRe
Edmund Burke, the Irish political philosopher, once said “All that is necessary for the triumph of evil is that good men do nothing.”
Therefore, having identified the extent of the ethical challenge and its influencing factors it is perhaps also prudent to ask what value internal audit can provide in ensuring that organisations have the right ethos.
In an attempt to answer this question, Elmore (2013, p. 51) points out that ethics influences everything else, such that while an audit finding may have nothing to do with fraud or illegal behaviour, the audit may still have a positive effect on the organisation’s ethical culture. Elmore further argues that ethics is not an isolated issue which is exclusive of other things. Just the mere fact that employees see their management implementing recommendations from internal audit can influence their behaviour.
Internal audit can therefore assume a number of roles as a champion for ethics. These roles include ethics officers, members of the internal ethics council or assessors of the organisation’s ethical climate.
It is thus necessary to understand that internal audit as a profession has a crucial role to play in ethics. A number of surveys conducted by internal auditors have found that companies focus little attention on the issue of ethics, which has been a fundamental contributor to some of the recent corporate scandals.
According the IIA 2010 Global Internal Audit Survey, in response to this challenge internal auditors are now required to focus less on internal controls, operations and compliance and to place greater emphasis on corporate governance, risk management and ethics audits (Boyle, Hermanson, & Wilkins, 2011, p. 3).
Accordingly, internal auditors are required to play an active role in support of an organisation’s ethical culture, in the main because they possess high levels of trust and integrity in the organisation and have the skills required to be effective advocates of ethical conduct (Verschoor, 2007, p. 20).
Moreover, there are sound arguments to support the idea that internal auditors are uniquely qualified to play a critical role in performing ethics audits, as they are well positioned within the organisation to maintain independence and objectivity (Boyle et al., 2011, p. 3).
Taking all the above factors into consideration, internal auditors have the competence, capacity and independence necessary as well as being positioned to appeal to enterprise leaders, managers and other employees to comply with legal and ethical responsibilities.
WHAt is An etHiCs Audit And WHY is it iMpoRtAnt?
Unlike a number of audits performed by internal audit, ethics audits are somewhat different and more complex. The challenge is that the actual test is not based on common controls and providing management with an idea of how effective they are, but rather such audits involve an assessment of much “softer” controls which are rooted in intangible yet critical things such as integrity and ethics that steer people in the right direction.
An ethics audit primarily assesses an organisation’s ethical climate, which includes the tone at the top and the effectiveness of the organisation in achieving the desired level of legal and ethical conduct (Boyle et al., 2011, p. 4).
Verschoor (2007, p. 21) points out that at the very least the internal audit activity should periodically assess the state of the ethical climate by reviewing the effectiveness of the strategies, processes and communications
that are geared to achieving the right level of ethical compliance.
Making an equally valid point, Schoeman (2012) argues that in order to make an impact ethics needs to extend beyond a mere “tick box” compliance aiming only to meet the minimum requirements; instead an organisation should strive to build genuine commitment to doing the right thing.
In support of the ethics efforts being undertaken by organisations, Verschoor (2007, p. 21) highlights that internal audit should evaluate the effectiveness of the following features which are indicative of a highly effective ethical culture:
• A formal code that is clear andunderstandable
• Frequent communication anddemonstrations of expected ethical attitudes and behaviours by leaders
• Explicit strategies to support anenhanced ethical culture with regular programmes to update and renew commitment to an ethical culture
• Several easily accessible ways forpeople to report allegations relating to the ethical code, policies and acts of misconduct confidentially
• Regular declaration by employees,suppliers and customers that they are aware of the ethical requirements
• Clear delegation of responsibilities toensure that ethical consequences are evaluated, confidential counselling provided, allegations of misconduct investigated and case findings properly reported
• Easy access to learning opportunitiesto enable all employees to be ethics advocates
• Positive personnel practices thatencourage employees to contribute towards the ethical climate
• Regularsurveysofemployees,suppliersand customers to determine the state of the ethical culture
• Regularreviewsofformalandinformalprocesses that could potentially create
22 | IA ADVISER April/May 2015
AdviseRtHe GReY MAtteRs on etHiCs
pressure and bias that could undermine the ethical culture
• Regular reference and backgroundchecks as part of hiring procedures
In addition to the Verschoor’s views, Boyle et al. (2011, p. 5) highlight seven practical steps for complete an ethics audit:
Step 1 –Educatetopmanagement,aswellas the board and audit committee on the value of an ethics audit and obtain their support. Though there may be some level of resistance it is important that senior management be informed throughout the process to ensure they are comfortable and supportive.Step 2–Interviewtheseniormanagement,board and audit committee to determine the ethical values desired by the organisation. Internal Audit should be mindful that some of these values may be contained in the organisation’s code of conduct. Step 3 – Identifyandassess theorganisa-tion’s risk associated with non-compliance
with the desired ethical values.Step 4 – Plan the ethics using a risk-based approach consistent with the COSO Enterprise Risk management framework.Step 5 – Conduct a structured entitylevel interview or entity-wide surveys to evaluate and assess whether values set by top management align with the views of employees at all levels of the organisation.Step 6 – Report the results to theappropriate accountable parties.Step 7–Monitoractionsandplansputinplace to address areas of improvement/remediation.
ConClusion
It would be naïve to conclude that the ethics problem is not pervasive. It is furthermore undeniable that the world at large is facing many ethical challenges. The ethical scandals highlighted in this article are just some examples attesting to the extent of the problem globally. However, although the challenge is immense, the
internal audit function is well positioned to partner with organisations on this journey.
Winston Churchill said “To each there comes in their lifetime a special moment when they are figuratively tapped on the shoulder and offered the chance to do a very special thing, unique to them and fitted to their talents. What a tragedy if that moment finds them unprepared or unqualified for that which could have been their finest hour”.
In light of these words, it is worth mentioning that internal auditors are the gatekeepers of ethics. They are the moral compass of an organisation and very often they are presented with a rare opportunity not granted to many; that is, to have the right audience and be provided with a platform to raise critical ethical concerns – failure toseize thismomentwouldbeatragedy.
Thapelo Modisagae CIA, CRMA, CCSA
Boyle, D. M., Hermanson, D. R., & Wilkins, A. (2011, November/December). Ethics sudits: Implications for internal audits. Internal Auditing,pp.3–8.
Du Plessis, C. (2014, March 19). City Press. Retrieved May 5, 2014, from www.citypress.co.za: http://www.citypress.co.za/politics/10-things-worth-knowing-madonselas-nkandla-report/
Ehrich, L., Cranston, N., & Kimber, M. (2003). Griffins University. Retrieved March 25, 2014, from www.gu.edu.au: http://eprints.qut.edu.au/1388/1/1388_2.pdf
Elmore, T. P. (2013). The role of internal auditors in creating an ethical culture.TheJournalofGovernmentFinancialManagement,49–53.
Eye Witness News. (2014, March 27). Eye Witness News. (C. Wynn, Editor) Retrieved March 28, 2014, from www.ewn.co.za: http://ewn.co.za/2014/03/27/Pinnacle-CEO-says-bribe-claims-a-surprise
Hofstee, E. (2009). Constructing a good dissertation: A practical guide to finishing a master’s, MBA or PhD on schedule. Sandton: EPE.
IIA SA. (2013, November 11). www.iiasa.org.za. Retrieved April 23, 2014, from Institure of Internal Auditors South Africa: http://www.iiasa.org.za/?page=Opinion_pieces
Madonsela, T. (2013, October 14). ENCA. Retrieved March 26, 2014, from www.enca.com: http://www.enca.com/south-africa/madonsela-warns-sa-corruption-crisis-levels
Schoeman, C. (2011, October-November). Recovering from ethical failure.Directorship,pp.10–11.
Schoeman, C. (2012, June). Ethics Monitor. Retrieved August 29, 2014, from www.ethicsmonitor.co.za: http://www.ethicsmonitor.co.za/Articles/saying-and-doing.pdf
Schoeman, C. (2014, February/March). Why corruption costs? Business Brief, p. 17.
Verschoor, C. C. (2007). Ethics and compliance: Challenges for internal auditing. Florida: The Institute of Internal Auditors Research Foundation.
ReFeRenCes
IA ADVISER April/May 2015 | 23
Questions tHe Audit CoMMittee sHould AsK About it
Gary Hardy is the owner of IT Winners, an IT
company that is based in Cape Town. Gary
has got over 30 years of experience in the IT
industry, is recognised globally as a thought
leader and expert in business and IT perfor-
mance improvement. He is a long standing
and past board member of ISACA, is one of
the originators of the COBIT® framework
and has been a contributor to COBIT since
its inception in 1992. He is a lead developer
of COBIT 5. Gary started off the presenta-
tion by explaining the pervasiveness of
IT as it is part of every strategic objective,
critical to support business operations and
integral to all business activities. IT extends
beyond the enterprise to stakeholders and
business partners.
He shared his observation that most peo-
ple wonder how success can be achieved
with IT demands resulting from changes in
culture and mind-set. This is the case with
even executive and senior management,
they employ consultant to carry out IT
technicalities and just hope that those con-
sultants know what they are doing. He cau-
tioned that this approach is not correct as it
compromises the quality of oversight that
the audit committee ought to provide. He
put emphasis on the necessity to change
the attitude that ‘IT is enterprise-wide and
not just for the IT function or just for IT Au-
dit’. Explaining about the pervasiveness of
IT, he shared insight on how the informa-
tion systems are not only being used as
enablers to business but are built into the
strategy of the business. The relevant ques-
tions to be asked at this level in order to en-
able management and/or audit committee
make informed decisions are as follows:
• WhoisaccountableforbusinessandIT
alignment?
• Howflexibleandreliablearetheinforma-
tion systems in enabling the organisation
reacts timely to new opportunities?
• Istheservicelevelsacceptable(quality,
reliability and availability)?
• Isthenetworksecurityadequatelypro-
tected?
• Is the organisation compliant to the
POPI Act?
• Is theorganisationcompliant toother
Regulations?
• Istheorganisationmakingefficientuse
of the resources (budgets, information
systems)?
• Istheorganisationmakingtherightde-
cisions and generating a ROI?
In the 21st century, it is really about time
that IT is not done at the level of scratch-
ing the surface but to the deepest level.
This can only be achieved if IT is collectively
embraced by auditors, management and
the IT department. Findings must be scru-
tinised, unpacking the root causes and not
just symptoms. Real causes of the findings
that auditors raise must be analysed, ac-
countability for addressing the root cause
must be allocated; the real business impact
of the finding must be quantified and/or
illustrated. It is pointless to raise findings
that do not serve stakeholders or just low
level impact on business objectives. When
IT audits are conducted, the recommenda-
tions must be practical and solution-driven
to the buyer of the solution (audit clients).
Imag
e co
urte
sy o
f ww
w.fr
eegr
eatp
ictu
re.c
om/
24 | IA ADVISER April/May 2015
AdviseRQuestions tHe Audit CoMMittee sHould AsK About it
ACCountAbilitY FoR it
The business should take ownership for IT-
related decisions and key role players for
strategic IT decisions should be known and
accountable. King III places IT governance
in the hands of the board of directors. This
makes sense as this is where the strategy,
investments, architecture, service levels
are managed. It also shows how much of
a strategic partner IT should be. Decisions
should be made on whether the CIO and
IT management team may make decisions
by default. The adequacy of governance
structures should also be evaluated. There
should be adequate governance of IT struc-
tures in place; these include committees,
policies, frameworks, processes and proce-
dures. The governance structure should be
effective as well; this means that the Board
and Exco must have IT on their agenda.
The organisation must also implement a
certain framework when it comes to IT gov-
ernance. The adoption of the COBIT5 has
been noted in the past few years by many
organisations. However, adopting COBIT
framework is not all; the organisational
leadership should ensure that IT risks are
understood in an organisation. IT-related
risks must be recorded in the business risk
register and be expressed as business risks.
The risk committee must monitor IT-related
business risks the same way it manages
other business risks and understand likely
IT risk scenarios. It has been noted in the
past that IT is treated as a special area and
management often shy away from asking
questions that are IT related. This should
not be happening at this time as most busi-
ness processes are being automated. IT
risks are just a subset of a business risks and
are becoming more and more relevant as
the technology is being the centre of busi-
ness. There should be adequate IT financial
controls, acquired in a cost-transparent
manner.
IT resources must be sourced cost-effec-
tively, the most effective and efficient
sourcing options should be identified and
as such; the IT operational budget must be
challenged and optimised. Establishing the
frequency and extent to which IT-related
projects go over budget. The amount of IT
effort that goes to firefighting rather than
enabling business improvements must be
quantified and substantiated. Businesses
need to learn to get more value from IT for
less cost “more for less” through simplifica-
tion, standardisation and maturity. It is not
incorrect to state that one of the greatest
advantages of IT is cost reduction and in-
creased agility.
it opeRAtions - ReliAble And seCuRe
Even when one is not an IT expert, there are
some factors that can be looked at to assess
IT Operations for reliability and security.
Firstly, the robustness of the IT operational
processes, how well reliable the infrastruc-
ture is and whether the organisation has
got an old legacy systems. It is not good to
hang on to old systems even when there
are better ways to maximise efficiencies.
It is also not particularly good to always
acquire new systems for the sake of early
adoption. The IT systems are very expen-
sive and should be changed when it is ben-
eficial to do so. There sometimes is heavy
reliance on modified systems such as SAP
and vendors; this too should be managed
as there could be a downfall to it. The or-
ganisation should have adequate technical
skills in order to support and maintain the
IT systems. Each year the business depends
more and more on IT, yet many enterprises
under invest in maintenance, processes,
knowledge management and training;
leading to dependency on other businesses
for these critical processes. When IT invest-
ment is being made, all aspects must be
carefully analysed. Businesses can acquire
the best system but if there is inadequate
training of IT specialists, there is not much
support that the IT function may provide to
the organisation. The same goes for main-
tenance, the IT systems do need ongoing
maintenance which includes removing
program and design errors, updating docu-
mentation and test data and updating user
support. This is particularly important as it
allows the IT function to adapt the IT system
to suit the functional needs. The leadership
must understand IT otherwise tracking IT
performance becomes overwhelming. The
IT performance report must also be under-
standable to the business, to enable EXCO
to monitor IT performance. IT strategy
must be linked to the strategic objectives
of the business. IT performance should be
monitored through service levels, invest-
ment returns, incidents and costs that have
been saved. The CIO must be able to act as
a bridge to business management and not
be a barrier to business understanding.
MAnAGinG supplieR oR tHiRd pARtY RisK?
The audit committee must scrutinise the
balance in dependence on external IT ser-
vice providers (Black Box Management). IT
outsourcing agreements should be man-
aged well, just like any other contractual ar-
rangement; ensuring that the organisation
obtains assurance over the performance
of the external IT service provider. The
provider’s operations should be tested for
security and reliability as the organisation
still has to comply with applicable rules
and regulations. Questions about security,
privacy and reliability of the IT processes
of the business partners should also be
raised; these have the potential to expose
risks on business transaction and compro-
mise integrity and confidentiality state of
information. It is quite shocking to hear in-
cidents where the service provider’s system
was down and that business could not be
carried out. The contractual terms should
mention system availability as basic; it does
not make any business sense to pay for ser-
vices that are not able to support the conti-
nuity of the main business.
IA ADVISER April/May 2015 | 25
AdviseR
Risks
trust
Costs
benefits
Failures
Roi
transparency
incidents
WHAt it is All About
Questions tHe Audit CoMMittee sHould AsK About it
He concluded by remarking that IT Audit
should delivering value and must be evident
that it is yielding positive ROI. There must be
business improvements as a result of IT audits;
these may be defined IT Audit performance
goals and metrics that are used as perfor-
mance measures. IT Audit procedures must
also be integrated into general or business
audits. Communicating audit reports must
be done using the business language and
the findings must be evident that auditors
are measuring the right things. Repeating the
same findings every year serves no purpose
when the same IT issues are reported on but
are not being measured.
do You HAve A FeW Minutes to spARe?The IIA SA has created a presence on various social media
platforms where members can engage with each other, view
current articles, and information on IIA SA news
and networking events.
We encourage you to join in on discussions; share your thoughts
and comment on various topics, articles and photo albums.
Click the buttons below to join the conversation.
Please note that to access these profiles, you need to have an existing Twitter / Facebook / LinkedIn personal profiles.
26 | IA ADVISER April/May 2015
Country is woefully slow to transform its corporate boards and is not taking into consideration research that shows that when you have women on boards, deci-sion-making improves
Activists campaigning for the greater par-ticipation of women on the boards of listed companies have lowered their sights and are now fighting for 30% female represen-tation in South Africa.
This month, Germany became the latest Eu-ropean country to pass legislation requir-ing major companies to allot 30% of seats on nonexecutive boards to women.
Germany joined countries such as Norway, France and Spain in introducing the quota system.
According to a report released by Grant Thornton this month, when it comes to rep-resentation at board level in South Africa, only 15% of directors in listed companies are women.
The representation of women in senior management roles is at 27%, while only 7%
of CEO and managing director positions are occupied by women.
Ahigherpercentage–21%–ofwomenarefound in the positions of chief financial of-ficer, while 26% of human resource execu-tive jobs are occupied by women.
The report also showed that 23% of listed companies have no women in senior man-agement positions, up from 21% in last year’s report.
Shannon Smith, director of advisory ser-vices at Grant Thornton KZN, said there was room for improvement in South Africa.
“The percentage of women in senior management roles in South Africa is inad-equate.
“The gender bias is subtle at the beginning of a career, but it causes a clear separation of career paths between men and women. South Africa has a fine tradition of strong women in business and female political leaders, but there is still much room for im-provement,” she said.
The empowerment movement gained im-petus under previous minister of women, children and people with disabilities, Lulu Xingwana, when she introduced the Wom-en Empowerment and Gender Equality Bill.
The bill annoyed many, especially those in business, who called it impractical and costly.
The bill lapsed when Xingwana left and was replaced by former minister of mineral resources Susan Shabangu.
Parmi Natesan, an executive at the Insti-tute of Directors in Southern Africa, said there were a number of things that could be done to improve gender diversity on boards.
“We need to get the word out to boards and shareholders about the benefit of hav-ing women on boards, and not just as a check list exercise.
“Research has shown that when you have women on boards, decision-making im-proves,” said Natesan.
A 2013 report by research firm Catalyst made a business case for having more women in senior positions and on boards. Among the benefits were improved finan-cial performance and better corporate governance for companies that had more women.
“If an economy is only using half of its most talented people, then it immediately cuts its growth potential,” said Smith.
“Women also control a large portion of consumer spending globally. So they have an understanding of what consumers want and so should have a representation on these boards,” added Natesan.
CoRpoRAte sA is still FAilinG to inClude WoMen
Imag
e co
urte
sy o
f sup
haki
t73
at F
reeD
igita
lPho
tos.n
et
IA ADVISER April/May 2015 | 27
CoRpoRAte sA is still FAilinG to inClude WoMen
But she also cautioned that women should not sit back and wait for opportunities.
“If you [as a woman] think you can add value to a board, get governance training and network.”
Meanwhile, women in business have also started a lobbying effort in the form of the 30% Club. Its objective is to provide best practices for gender mainstreaming in the South African private sector.
The organisation also wants to ensure 30% female representation in senior manage-ment by 2018.
The 30% Club concept came about as a result of a conversation between Helena Morrissey, CEO of Newton Investment Man-agement in London, and member of the UK Labour Party Mary Goudie about how few women were making it into top positions.
South Africa started its own 30% Club chapter in September 2013 and it has been endorsed by Business Unity SA (Busa).
“We agree that the level of transformation is not satisfactory, particularly for black women and women with disabilities,” said Vanessa Phala, executive director at Busa.
“What is needed to drive workplace gen-der transformation are real organisational transformation interventions that move away from numbers and percentages, but emphasise real transformation.
“This includes making sure companies have proper plans to build their pipeline of young women, supporting capacity-build-ing initiatives and most importantly, creat-ing spaces and an enabling environment for women to take over senior and execu-tive positions.”
The Grant Thornton report also showed that among the South African companies that were sampled, only 48% would sup-port the introduction of quotas for the number of women on executive boards of large listed companies, a big drop from 60% in 2013.
Although City Press tried to contact Sha-bangu, she was unavailable for comment as she was in New York. However, in a re-cent speech, she said 30% female represen-tation was not ambitious enough and 50% was what women should be aiming for.
“If you look at countries that have a sig-nificant proportion of female representa-tion on boards it is those countries that have quotas already,” said Natesan. But she added that the use of quotas did rep-resent a unique challenge. “If we don’t have quotas, we might not come right. “However, the risk of quotas is that it will be about ticking a box and men saying women were chosen based on their gen-der and not merit, similar to some of the effects of BEE.” Phala said: “The Employ-ment Equity Act provides clear penalties for noncompliance with measures aimed at achieving affirmative action; it’s not our view that additional penalties will im-prove compliance.
“What would improve compliance is the commitment from business leadership to embrace and champion transformation.” Shabangu also said her department was planning to convene national and provin-cial dialogues between now and June to discuss steps towards the attainment of female empowerment and gender equal-ity in the country. This will contribute to the development of a report on the sta-tus of women that will be released on Na-tional Women’s Day on August 9.
Proportion of senior management roles held by women
Source: Grant Thornton International Business Report Graphics24
This article was first published on City_Press, 23 March 2015 7:00 by Mamello Masote
28 | IA ADVISER April/May 2015
FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe
dAY 1 - MondAY, 11 AuGust 2014
Nene confirms a “season of great hope and promise for Africa”.
Finance Minister Nonhlanhla Nene was the
keynote speaker at the IIA SA national confer-
ence in August 2014, addressing the topic of
Africa’s rightful place in the leadership area.
In a detailed and informative talk, the Minis-
ter explained why he agreed with President
Jacob Zuma that “it is truly a season of great
hope and promise for Africa”. The President
had conveyed that sentiment the previous
week in his address to the national press club
in Washington DC.
Minister Nene focussed at length on the state
of the domestic economy and government’s
plans to improve the country’s economic per-
formance. In his honest talk, he frankly paint-
ed a somewhat bleak picture of the economy
and the challenges faced by government in
attempting to improve the situation.
Minister Nene pointed out that the global
economy continues to strengthen, albeit that
uneven and downside risks still remain. Very
recently, the IMF revised its global forecast for
economic growth from 3.7 to 3.4% for 2014.
Unfortunately, many economies are perform-
ing below their potential. This depresses de-
mand for local exports, and is adversely af-
fecting SA’s ability to grow. The United States’
so-called ‘tapering’ policies will most likely
increase the cost of borrowing for emerging
economies such as South Africa. Compound-
ing the situation, is the slower growth and
expansion in emerging markets which has
negatively affected the international price of
our export commodities, thereby leading to a
deterioration of our terms of trade.
The Minister acknowledged however that the
greatest challenges to economic growth are
largely domestic. It is well known that “supply
side disruptions” (read labour unrest) have
plagued the economy over the last few years,
weakening confidence and lowering levels of
investment and household consumption.
Nene admitted that current economic growth
is simply not enough to address the chal-
lenges of poverty and unemployment, which
has increased to 25.5%. Moreover, despite
low economic growth, consumer inflation is
rising and is currently at 6.6% (well above the
Reserve Bank’s target range of 3.26%).
Faced with a sluggish economy, higher infla-
tion, loss of business confidence, and persis-
tent labour strikes, Nene says that govern-
ment continues to work hard “to improve
business conditions by releasing supply side
constraints, improving policy alignment and
policy certainty”. He cited government’s plans
to improve the socio-economic conditions in
mining towns as one such intervention.
Minister Nene again reminded the audi-
ence that the National Develop Plan is gov-
ernment’s blueprint to address pressing
socio-economic challenges. In this regard,
government has adopted the Medium Term
Strategic Framework (MTSF) in order to align
the work of government at national, provin-
cial and local government behind a single
coherent program. The MTSF is essentially
government’s implementing program for
the first five years of the NDP. The focus of the
MTSF is not so much on new programs, but
rather on improving the implementation of
existing policies.
Shifting focus to Africa, Minister Nene noted
that over the past 20 years SA’s economy has
become inextricably intertwined with that of
the rest of the continent. “Macroeconomic
stability, political reform, favourable demo-
graphics and stronger institutions” he said,
The conference featured several prominent speakers and experts in the fields of internal auditing, governance, risk management and business. A brief summary of selected topics follows.
AFRiCA’s RiGHtFul seAt in tHe GlobAl leAdeRsHip ARenAMinister Nhlanhla Musa Nene, Minister of Finance of South Africa
IA ADVISER April/May 2015 | 29
FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe
have transformed Africa into a rapidly grow-
ing region that is attracting more investment.
Economic growth in Sub-Saharan Africa is
expected to accelerate to 5.5% in 2014. High
growth sectors such as technology, telecom-
munications, financial services and retail are
showing even more pronounced growth,
leading Nene to affirm that “Africa is indeed
rising!”
Africa’s share of FDI is also rising and SA in-
vestment into other parts of the continent
had double to around R30 billion by 2012.
All these trends point to a ‘virtuous cycle’ of
increased investment and economic growth
supported by growing consumer demand
for goods and services. In contrast, wages
and consumption has stagnated in Europe
and America. According to Nene the SA gov-
ernment is committed to supporting the ex-
pansion of South African firms into the rest
of Africa. This would be mutually beneficial
in terms of long-term growth prospects and
providing tax revenues, profits and dividends
to the receiving country as well as SA.
On a global scale, Nene believes that the ini-
tiative by the five BRICS (Brazil, Russia, India,
China and South Africa) countries to launch
the New Development Bank will benefit SA
and the rest of the continent. As a potential
borrower, SA can use the bank as an alter-
native source to fund its local infrastructure
programs, as well as regional integration proj-
ects. The New Development Bank could very
well solve Sub Saharan’s funding gaps, which
limit its growth potential. It is therefore help-
ful that the Bank’s regional centre will be lo-
cated in Johannesburg, as many of its clients
will be from the region. There are a number
of potential infrastructure projects on the
continent that have not been realised due to
the lack of project preparation funding. The
New Development Bank’s operating model
will include a project preparation facility, and
will place special focus on regional cross bor-
der projects in energy, transport and logistics.
These infrastructure projects, he says, will
“boostintra-Africantradeandunleashthepo-
tential of the continent to grow even faster”.
According to Nene, SA’s membership of
BRICS, and the country’s ascension to the
group of Finance Ministers and Central Bank
Governors of the G20 are amongst the most
important achievement of the post-apartheid
era. These developments have affirmed that
while SA may not be one of the biggest eco-
nomic powers in the world, we are neverthe-
less a ‘significant player’ in the global system
of financial and economic governance. As
such, SA will continue “to amplify the African
voice”.
dAY 1 - MondAY, 11 AuGust 2014
What do people say about you when you leave the room?
In a lively and engaging talk, Nicola Rimmer
informed internal auditors at the IIA SA annu-
al national conference in August, why it is im-
portant for them to build their own personal
brands. Rimmer, who is Vice President of Bar-
clays Internal Audit, as well as the President
of the IIA UK, drew upon her own personal
experience as the leader of a large team of
internal auditors in the United Kingdom.
She explained that personal branding has
become more desirable now that so much
more is expected of internal audit. Gone
are the days of internal auditors being mere
bean counters. These days they are increas-
ingly seen as trusted advisors with business
acumen that management can rely upon.
The credibility of internal audit is always
at stake when interacting with key stake-
holders. Beyond that, the internal auditor’s
personal brand also determines his or her
credibility amongst their peers. Therefore
how auditors present themselves and how
they are seen matters.
As with leading brands, a great personal
brand is sure to impact positively on stake-
holders and clients. Using well-known
brands such as Intercontinental and Nan-
dos as examples, Rimmer said that the first
thing to do is to clarify what your personal
brand stands for, and then to show the
world what that brand represents through
everyday interactions.
Rimmer’s favourite definition of a personal
brand is “what people say about you when
you leave the room”. For better or worse, we
YouR bRAnd, YouR CRedibilitYNicola Rimmer, Vice President: Barclays Internal Audit and President of the IIA UK
30 | IA ADVISER April/May 2015
FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe
all have a personal brand - often by default
rather than by design. The way we speak, act
and otherwise engage with the world creates
an impression in the minds of others. Person-
al branding is simply the intention to mould
that impression in a more deliberate way.
According to Rimmer an internal auditor’s
personal brand should have two layers, so
to speak. The first layer is the internal audit
brand itself, based on common characteris-
tics or values associated with the profession
such as independence, integrity, objectivity
etc. Overlaid upon those brand attributes, are
the individual’s own personal top qualities or
beliefs. Using herself as an example, Rimmer
says that she positions herself as a great com-
municator. She communicates clearly what
she sees as the risks an organisation faces, and
then she also communicates clearly the solu-
tions she proposes. And thus she is known for
being a pragmatist and a great communica-
tor. She would not, however, present herself
as a technical expert because that is not her
major strength. It follows therefore that the
internal auditor should base his brand on
core strengths and key values, and then act in
accordance with those qualities.
Equally important is the first impression that
is created. Internal auditors would do well to
remember that their stakeholders and clients
may already have preconceived views about
them based on their stereotypes about the
profession. They may think for instance, that
internal auditors are ‘dry as a stick without any
real relevance’! The manner in which an audi-
tor dresses, greets, speaks and acts can im-
mediately debunk any negative stereotypes.
Confidence is the key to being respected and
trusted. Real confidence is usually based on
knowledge, experience and insight. Where
that is lacking, especially with junior internal
auditors, Rimmer suggests that they “fake it
till you make it!” By acting as if you already
are mature, insightful and knowledgeable, a
young internal auditor is more likely to get a
positive reception.
One trick that Rimmer shared with the au-
dience to fake confidence is to engage in
‘power posing’ just before a big meeting.
This practice involves tricking the body
into secreting more hormones such a tes-
tosterone to boost confidence. By striking
universal poses that innately represent
confidence–suchasarmsoutstretchedin
the ‘Yes!’ or ‘victory’ pose, one immediately
feels more positive and confident. Rimmer
urged the audience to watch Amy Cuddy’s
TED talk on Your body language shapes
who you are to learn more about power
posing.
Once a personal brand has been developed,
it is critical that there is congruence between
the brand’s promise, that is, what you say you
are and what you do. It is vital to deliver on
your promises, be they overt or implied as
your brand could be tarnished by inconsis-
tent behaviour. A reputation can also be de-
stroyed by a social media profile that conveys
a contradictory image to that of the internal
auditor as a professional. Once credibility has
been lost, it is extremely difficult to restore it,
and all the work done in building a personal
brand will come undone.
dAY 2 - tHuRsdAY, 12 AuGust 2014
Coming from a security consulting company
specialising in offensive security via simu-
lated attacks and penetration testing (i.e. at-
tempted application and network break-ins),
Sensepost’s senior specialist, Willem Mouton
addressed hactivism and cyber espionage at
the 17th Southern African Internal Audit Con-
ference. Acknowledging that security and risk,
in terms of IT infrastructure, were initially not
considered to be a priority, he has noticed that
that thinking has rapidly been changing over
the years. Now quite a hot topic, hactivism and
cyber espionage have become real and preva-
lent issues; however, often going undetected.
A means of propagating one’s message
(whether a political/religious view etc) via
computers, digital media, and networks,
the presenter explained how hactivism can
be used to promote civil disobedience or
even personal gripes against a company. He
stressed, though, that not all hacking is bad,
indicating how a lot of countries have come
to the realisation that hackers can be benefi-
cial to their companies. Citing Google and Mi-
crosoft as examples, he described how some
companies have bounty programmes that
pay people to look for bugs in them. This is
not surprising given how many vulnerabili-
ties exist as evident via the recent hackings
that took place on Facebook and Twitter.
He continued that the main motivation be-
hind hactivism is typically the desire to drive
one’s point across. Hence, this would not be
done under the cover of darkness, as anyone
wanting to do this is going to want to make it
as public as possible. It can be as simple and
straightforward as defacing a webpage or
more extreme such as a case of information
leakage. The point that people are trying to
bring across with hactivism is that they can
cause public embarrassment, and essentially,
data breaches. Thus, the risks involved with
companies are firstly reputational because
though it may not necessarily affect a com-
HACKtivists And CYbeR espionAGeWillem Mouton, Senior Analyst: Sensepost
IA ADVISER April/May 2015 | 31
FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe
pany’s ability to function (typically data is not
compromised because that data is hosted
somewhere else), it can still impact customer
perception by portraying the company as
one that is vulnerable to sabotage.
Normally, except if they are attacking a spe-
cific company, hactivists don’t have a particu-
lar target in mind; they will basically scour the
internet for whatever they can hack which is
as easy as doing a Google search for specific
components, frameworks, or exposed port-
lets and then using some common vulner-
abilities, misconfigurations or known applica-
tion flaws to gain access.
Bringing in the other side to this coin, the
presenter then talked to the topic of cyber
espionage, describing it as the simple act of
spying. As soon as people started competing
with each other, the ability to know what the
other was doing became key and lately this
has become a lot more pronounced. Cyber
espionage is exactly the opposite of hactivism
where with the latter one wants to publically
humiliate or embarrass a target, with cyber es-
pionage, stealth is key; one does not want to
be detected so to remain on a network as long
as possible. The driving force behind cyber
espionage is the same as it has always been:
Knowledge is power. Competitors would give
anything to know what their opponent’s next
move is, whether it is in acquisitions, mergers,
or project launches etc. In terms of govern-
ment, for example, if one knows what his com-
petitor is doing with regards to military and
strategic planning, a response can be tailor
made to combat that move.
Competitive edge has been seen a lot lately
especially with big corporates going after
one another. At a vehicle tracking company,
recently, he realised that that some of the
competitors were gaining access to the cus-
tomer base which is an inside information
risk. The presenter stressed that this is one
thing that people need to understand; that
the biggest threat is not usually the anony-
mous threat from the outside but typically
the people working in the inside.
In modern boardrooms today there is typi-
cally some sort of computer system, audio vi-
sual presentations, or webcams which are all
easy to take control over. As soon as anyone
plugs into a network they can be anyone they
want to. People think hacking is like a mission
impossible scenario but it’s really as simple as
using a memory stick. People spend millions
on implementing data loss prevention (DLP)
systems but hackers can just break data into
tiny bits via DNS requests and reassemble it
on the other side, which DLP can’t catch. The
more advanced the defenders get, the more
creative the hackers get.
The presenter described another recent expe-
rience where during an internal assessment
for a mining company he had asked the risk
manager if there was any sensitive informa-
tion that the company wouldn’t want in the
public eye to which the manager didn’t be-
lieve that there was any, stating that this was
a public company and all their information
is made available. After some digging, how-
ever, the presenter discovered an email chain
talking to strike action discussion which indi-
cated how far the company was willing to go
in terms of increase, as well as dates and de-
tails of what they would do after the strikes;
all information they would likely not want in
the hands of the unions. How much would
unions pay for that information? Hackers can
make a lot of money selling such information
to the competitors wanting to have the up-
per hand on their opponent.
In conclusion, the presenter emphasised that
treats are real. He added that risks are hard to
define but it is also a matter of perception, as
what may seem useless today might be gold
tomorrow. Security is not a destination that
you arrive at; it is actually a constantly evolv-
ing process. Attackers have it easy, defenders
have it hard as they have to be lucky every
time, hackers only have to get lucky once.
dAY 3 - WednesdAY, 13 AuGust 2014
South Africa has the best whistle-blower leg-
islation in the world, yet individuals are too
afraid to blow the whistle on wrongdoing.
Speaking at the IIA SA annual national confer-
ence in August, Prof Deon Rossouw cited the
DLA Piper Whistleblowing Report 2013 which
rates South Africa’s Protected Disclosures Act
as the best of its kind globally. Prof. Rossouw,
CEO of the Ethics Institute of South Africa,
Role oF oveRsiGHt bodies in pRoteCtinG WHistlebloWeRsProf Deon Rossouw, CEO: Ethics Institute of South Africa
32 | IA ADVISER April/May 2015
FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe
also cited his organisation’s own research
study (SA Business Ethics survey 2013), which
looked at the ethical culture in JSE listed
companies. The following results show the
reasons why employees do not report cor-
ruption and other impropriety:
Thought someone else would
report it30%
Don’t want to report a colleague 35%
Nothing will happen if it goes to
court36%
Think the report will not remain
anonymous48%
Fear retaliation 65%
Think company will not take
corrective action66%
It is clear that having relatively robust whis-
tle-blowing laws is not necessarily enough
to encourage whistle-blowing. Much more is
required to assure potential whistle-blowers
that it is safe ‘to do the right thing’. As the re-
search shows, people will continue to doubt
the effectiveness of whistle-blowing mecha-
nisms as long as they fear retaliation or hav-
ing their identities exposed.
The Protected Disclosures Act sets out the re-
quirements for safe and effective disclosures,
but only protects employees against occu-
pational detriment, and not any other kind
of harm. Occupational detriment refers to
discrimination in the workplace related to job
security such as unfair dismissal. The Compa-
nies Act extends these protections somewhat
for employees and other categories of persons
that have dealings with companies. What
should be noted is to whom disclosures can be
made. Section 159 (3) of the Act states that:
“A disclosure is protected if:
It is made in good faith to the Commission, the
Companies Tribunal, the Panel, a regulatory
authority, an exchange, a legal adviser, a di-
rector, a prescribed officer, company secretary,
auditor, board or committee of the company
concerned”
The Companies Act [S 159 (7)] further stipu-
lates that:
A public company and state owned company
mustdirectlyorindirectly–
(a) Establish and maintain a system to re-
ceive disclosures […] confidentially and
actonthem;and;–
(b) routinely publicise the availability of
that system
The Act makes it clear that an individual di-
rector, the board or a board committee may
be the recipient of a protected disclosure. As
such, these individuals or bodies are obliged
to deal with whistle-blower disclosures in the
correct manner. Subsection 7 quoted above,
also places a positive obligation on boards
to maintain an effective system of whistle-
blowing in the company, ensuring that em-
ployees are made aware of the system and
encouraged to use it. Given the board’s clear
responsibility to ensure that whistle-blowing
measures and mechanisms are in place, the
question arises as to which committees
within the organisation should play a role in
assisting the board in this regard.
The Social and Ethics Committee (SEC)
All publicly listed companies or state owned
companies are legally required to establish
Social and Ethics Committees as per the Com-
panies Amendment Act (Act No. 3 of 2011) .
The SEC is therefore a mandatory, statutory
board committee.
The SEC’s mandate is to monitor and report
to the board on a company’s social perfor-
mance, with due regard to the organisation’s
social and economic development, good cor-
porate citizenship, environment, health and
safety issues, consumer relations, labour and
employment issues.
The mandate of this committee is focused
primarily on social rather than ethical issues,
and it would be quite a stretch to imagine
that oversight of whistle-blowing practices
are also included in its mandate. According
to Rossouw, it has nevertheless become best
practice amongst most JSE listed companies
to voluntarily expand the SEC’s terms of ref-
erence to include a governance/ethics man-
date that typically includes the following
kinds of statements:
• ethical standards are articulated in a
code of ethics and supporting policies
• structures, systems and processes are
in place to ensure that the board, em-
ployees, and supply chains are familiar
with and adhere to the company’s ethi-
cal standards
• ethics performance is included in the
scope of internal audit and reported on in
the company’s integrated annual report
Under an enhanced mandate, whistle-blow-
ing may be included within the scope of the
committee since it supports the ethics policy;
and any mechanisms introduced to encour-
age whistle-blowing would fall under the
“structures, systems and process” required to
foster an ethical corporate culture. It would
then be up to the SEC to ensure that a proper,
credible and trustworthy whistle-blowing
system is in place. Such a system must ensure
the confidentiality of reports, the anonym-
ity of the whistle-blower and provide clarity
about what happens after a report has been
made.
Rossouw advises that the SEC should assess
reports regularly, noting the number received,
how they are being handled and what trends
there are in issues reporting. Such informa-
tion would be useful to management and the
board. It is important that management acts
decisively when required to do after proper
investigation of a complaint.
Audit Committee
IA ADVISER April/May 2015 | 33
FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe
National Conference Feedback is prepared by:Rakal Govender, Senior Research Analyst: Private Sector, IIA SA and Zisanda Jalavu CIA, Senior Research Analyst: Private Sector, IIA SA
As part of its duty to review the ethics man-
agement system of the company, internal au-
dit should also include the whistle-blowing
system. The audit committee should ensure
that this task is included in the audit plan, as it
is important to provide assurance over the in-
tegrity of the whistle-blowing measures and
mechanisms. Internal audit will be required
to make an assessment of the adequacy and
effectiveness of internal system, establishing
whether they work and are being used as in-
tended.
Where whistle-blowing systems are out-
sourced, internal audit should determine
whether the mechanisms are secure, confi-
dential, anonymous, trusted, credible and ro-
bust. They should therefore check the integri-
ty of systems and the people operating them,
and assess if they are independent, highlight-
ing any potential conflicts of interest. Based
on such information, the audit committee
would be in a better position to gauge the ef-
fectiveness of the whistle-blowing system.
Board of Directors
King III in Principle 1.1 states that the “board
should provide effective leadership based
on an ethical foundation”. In order to ensure
that it receives robust information regarding
ethical matters, the board may delegate ad-
ditional responsibilities to the Social and Eth-
ics Committee, as is often the case. Rossouw
points out that directors have five ethical du-
ties relating to conscience, inclusivity, compe-
tence, commitment and courage. The latter
may be the most difficult of all to fulfil. Never-
theless, since the buck stops with board, it is
up to the directors to find the moral courage
to act with integrity when making tough de-
cisions. Those decisions should also include
the ways in which whistle-blowers are pro-
tected within the organisation. If this is done
effectively, within in a strong ethical culture,
then employees may feel less afraid to blow
the whistle on corruption.
Delphine Bagwire
Abdul Bellim
Daniel Jacobus Brand
Priyanka Bugwandeen
David Chuene
Christoffel Coetzer
Vinolia Coopsamy
James Cronje
Chanelle da Silva
Nelette De La Rey
Elmarie de Waal
Nicole Erasmus
Danielle Erasmus
Charne Fourie
Umaira Gani
Odwa Goso
Sharon Govender
Eugene Greyling
Julius Gurure
Linda Harris
Jothie Hemraj
Zisanda Beatrice Jalavu
Hendrik Jordaan
Mohammed Kader
Anna Kadisov
Simphiwe Khumalo
Johannes Lambrechts
Tsholofelo Leballo
Brenda-Lee Lodder
Karen Louw
Zwakele Majola
Wandile Malinga
Babalwa Mapisa
Ilse Marais
Sipho Masumpa
Asanda Mdlulwa
Dzorai Meke
Fortune Mkhabela
Selby Mochochoko
Debbie Modisane
Mamadimo Mogano
Fatinyana Molala
Phatedi Monyebodi
Lorato Moyo
Kwazi Msiza
Mavis Mthimunye
Mxolisi Mtshali
Sharlene Murugan
Jerod Naidoo
Chermaine Naidoo
Lungile Ignatia Ngcobo
Alois Nyazema
Ritesh Patel
Charlene Pillay
Kubendran Pillay
Chantel Poovan
Marthinus Prinsloo
Mankwana Ragolane
Subhadra Ragubeer
Deepa Rama
Kotlane Sekgota
Dondeguy Sibanda
Stephens Sikhondo
Pieter Smith
Muhammad Solomons
Vukosi Sondlane
Sidiso Vincent Sotshede
Adriaan Steenekamp
Rabith Sukhari
Muhammed Tayob
Cuthbert Tinavapi
Zaheer Titus
Shamil Ukabhai
Karen van der Westhuizen
Cecilia van der Westhuizen
Daniel van Niekerk
Johannes van Tonder
Francois Viljoen
Robyn Wheatley
Robin Bruce Williams
George Woodworth
Lin Ye
Congratulations to CIA candidates
34 | IA ADVISER April/May 2015
This marks the sixth edition of Sawyer’s Internal Auditing, and introduces format and content changes since the previous version was published in 2005. The most notable format change is that the guide has now been split into 3 separate volumes based on content: 1) Internal Audit Es-sentials, 2) Internal Audit Processes and Methods, and 3) Governance, Risk Man-agement, and Compliance Essentials. In terms of content, Information Technology (IT) related topics and guidance have been interwoven throughout the guides, rather than segregated into separate chapters, in order to present a more holistic view of the practice and methodology of internal auditing. The previous series of multiple choice questions per chapter has been excluded from the new edition; however, the glossary of audit related terminology has been substantially expanded and in-cluded at the end of each volume in the series. Finally, new information has been included throughout all three volumes to reflect environmental, social and economic changes and corresponding responses and advances in internal audit techniques. This information relates in particular to IT, com-municating results, governance, risk man-agement, compliance and corporate social responsibility.1 This book review aims to provide unfamil-iar readers with an overview of what the guides have to offer an internal audit pro-fessional, and for those readers who are familiar with Sawyer’s previous manuals, what fresh perspectives and guidance have been presented.
The first volume, Internal Audit Essentials, includes minor updates to sections pro-viding an introduction to the history and evolution of modern internal auditing, in-cluding the current Professional Practices Framework, audit process management and administration, and stakeholder rela-
tionships. Significant expansion of guid-ance and information has been made to the sections relating to Control and Risk Models, and a new chapter relating to As-surance and Consulting Services has been introduced.
As with previous editions, Volume 1 con-tains helpful exhibits to assist the reader in illustrating certain concepts and reinforce best practice application of the guidance. Several of the new additions in this round include:
1.2 – Internal Audit Rules of Conduct (from the IPPF, 2011): Offers a summary of the four categories comprising the IPPF’s Rules of Conduct, including Integrity, Ob-jectivity, Confidentiality and Competency.
2.1 – Relationships between Risk Man-agement Principles, Framework and Processes (from ISO 31000:2009): Provides information on what principles should exist to manage risk, presents a generic frame-work for managing risk and a standard pro-cess for managing risk.
3.2 – Key Differences between Assurance and Consulting Standards: Describes the key differences between the two types of assurance work that Internal Audit can perform.
4.3 – Internal Auditor Competency Framework (from the IIA Global frame-work, 2013): Summarises the four elements of the framework, including interpersonal skills, tools and techniques, Internal Audit standards, theory and methodology, and knowledge areas.
5.2–Key Components of Effective Inter-viewing (from IIA Research Foundation, 2009): Includes elements such as interview-ing objectives and process, common barri-ers to effective interviews and critical suc-cess factors.
5.3–Audit Approach Comparisons: Pres-ents the differences between a traditional and participative audit approach.
The second volume, Internal Audit Pro-cesses and Methods, focuses on technical and tactical guidance for the application of internal audit, with specific focus on cli-ent and stakeholder relationship manage-ment, audit planning, assignment execu-tion, and communication and reporting of results. Minor updates have been made to chapters relating to planning assurance en-gagements from high-level risk assessment to opening meeting, and communicating results during the engagement through to Board reporting. Significant enhance-ments have been made to the content and presentation of chapters relating to defin-ing the audit and risk universes, evaluating the design of controls, testing effective-ness of controls, additional risk manage-ment techniques, and audit documenta-tion. New chapters have been introduced relating to entity-wide risk assessment and entity-wide assurance projects, as well as a full chapter on consulting activities.
As with Volume 1, some of the new addi-tions to the best practice and guidance ex-hibits for this edition of Volume 2 include:
7.1–Alignment of the Identified Risks to the IT Environment: Details an example of the alignment of business objectives to business risks, to business processes, and ultimately to IT Assets.
10.2–Possible Risk Response and Audi-tor Action: Provides guidance on the pos-sible risk response and subsequent audit response depending on the impact and likelihood rating of a particular risk.
10.3–Sample Flowchart: An updated ex-ample of a vertical flowchart for an ‘order-ing and receiving’ process.
booK RevieWs
sAWYeR’s Guide FoR inteRnAl AuditoRs, 6tH edition, 2014
1 Page viii, Volume 1: Internal Audit Essentials
IA ADVISER April/May 2015 | 35
booK RevieWs
11.2–Steps of an Application Control Au-dit (from ISACA Journal, volume 5, 2002): Presents a step by step overview of how to complete an application control audit.
13.2 – Root Cause Analysis Techniques: Summarises three techniques, “Five Why Analysis”,” Change Analysis” and” Ishikawa / Fish-bone Diagram,” for determining the root cause of control breakdowns / audit issues.
13.19–Reviewing Versus Editing: Presents the advantages and disadvantages of re-view versus editing of audit reports.
14.1 – Comparison of Self-Assessment Techniques: Three self-assessment tech-niques, facilitated workshops, surveys and structured interviews, are summarised ac-cording to their relative advantages and disadvantages.
The third volume, Governance, Risk Man-agement, and Compliance Essentials, focuses on providing an integrated view of governance, risk management and compli-ance. This entire volume has been substan-tially updated and re-organised to present a holistic view, although many elements were touched upon in the previous version. New chapters have been introduced relating to internal audit responsibility regarding fraud, ethics and people risk, and the role internal audit plays in corporate social responsibility and sustainability.
Some of the new additions to the best practice and guidance exhibits for this edi-tion of Volume 3 include:
15.1–Definition of GRC (from Gartner Re-search website, 2011): Provides a common-ly referenced definition of “governance,” “risk,” and “compliance.”
15.5–Comparison of Standards and Prac-tices for Financial Reporting and GRC Re-porting: Explains the differences in standards and practices for financial reporting versus governance, risk and compliance reporting.
15.16–Internal Audit Maturity / Capabil-ity Assessment (from theiia.org website): Depicts the five levels of maturity / capa-bility of internal audit functions (Initial, In-frastructure, Integrated, Managed, and Op-timising), across 6 core competency areas (Services and Roles of IA, People Manage-ment, Professional Practices, Performance Management and Accountability, Organi-sational Relationships and Culture, and Governance Structure).
15.17 – Data Elements Diagram (from Thomson Reuters, 2009): Details the core user requirements and proposed data sets required to support governance, risk and compliance implementation within an or-ganisation.
17.3 –Role of Internal Auditing in ERM (from the IIA Position Paper, 2009): Presents a list of potential assurance activities which internal audit activities that comply with the International Standards for the Profes-sional Practice of Internal Auditing should provide.
19.4–Fraud Risk Management Principles (from the IIA, AICPA and ACFE, 2012): Intro-duces five key principles for proactive and effective management of organisational fraud risk.
20.1 – Corporate Social Responsibility Definition (from ISO26000:2010): provides the definition of Corporate Social Responsi-bility as per ISO 26000.
20.2–Definition of Corporate Social Re-sponsibility (from the IIA, 2011): provides the definition of Corporate Social Respon-sibility as per the IIA Practice Guide.
All in all, this 6th edition of Sawyer’s Guide for Internal Auditors offers a wealth of cut-ting edge information and guidance, pre-sented in a concise and easily understand-able manner, and would be a powerful tool and valuable addition to any internal audi-tor’s personal or professional library.
UPDATE YOUR DETAILS
AND ENJOY THE
BENEFITS OF BEING AN
IIA SA MEMBER
A key objective of the Institute of
Internal Auditors South Africa is to
provide our members with access
to world-class information and
development. Ensure that your skills
and competencies remain relevant
and up to date.
It is imperative that the Institute of
Internal Auditors
South Africa has your correct details.
Please visit our website:
www.iiasa.org.za
to update your details.
36 | IA ADVISER April/May 2015
booK RevieWs
In the author’s own words:
“Purposeof thebook– toprovidea clearunderstanding of risk assessment charac-teristics so you can confidently plan and conduct your own risk assessment. This book also will help you to make sure that your risk assessment adds value to your or-ganisation because they will be based on the needs of your stakeholders.“
The book starts with establishing the key points of understanding risk assessment and then explains step- by step- how to conduct a risk assessment.
While the main focus of this book is risk as-sessment methodologies to develop the audit plan, there are three chapters specific for engagement risk assessment, fraud risk assessment and IT risk assessment.
The last chapters of the book provide com-mon mistakes and challenges throughout the risk assessment journey.
Lastly a set of 10 risk assessment examples that include excel spreadsheets and work document that you can customise to meet the needs in your oganisation is included. The templates are divided in two groups:- Group 1: Audit Universe Risk Assess-
ments- Group 2: Audit Engagement Risk As-
sessments
A brief overview of the book. The book is divided in five sections explaining specific concepts and each section consist of chap-ters elaborating this concept for each read-er to make it their own.
Section1:UnderstandingtheNatureofRisk
“The first part of this book provides an intel-lectual basis for risk assessment. It sets the
stage for how to think about risks, which ultimately will influence how you identify, measure, and prioritize risk. The premise is that you must first understand how risk behaves and manifests itself in order to understand how to build a structure for ex-ecuting a value-adding risk assessment.”
The theory of risk therefore the definitions, fundamentals, nature or characteristics of risk, risks internal and external drivers and how changing environments make risk dynamic and ever changing are explained. The book highlights the fact that these def-initions present risk in the context of uncer-tainty and consequences, but do not depict it in terms of negative outcomes.
A short history briefing leads to a discussion of some contemporary ideas and trends about modern risk assessment. The author also highlights the importance to under-stand stakeholder perspectives in risk and governance, which are at the core of the value proposition for internal auditors.
From a risk assessment standpoint – it isimportant for internal auditors to recog-nize their organisations’s capabilities when managing change so they can understand how environmental changes will impact certain types of risk to the organisation. Section2ChoosingtheBestRiskAssessmentApproach for your organisation
The second section provides you with consideration when choosing your risk as-sessment approach. The IIA Standards set minimum requirements for internal audit’s risk assessment exercise, but are stakehold-ers satisfied with minimum standards? Stakeholders’ expectations are changing in regard to audit’s coverage of strategic risk and governance areas so it is important to understand your stakeholder’s viewpoints
on these topics and how that might influ-ence your approach. Besides stakeholders, it is important to know your organisation’s risk profile and key vulnerabilities.
Goingbeyondtheminimum–Internalau-dit leadership should be vigilant in seek-ing out those practices that are expected of their stakeholders above and beyond minimum requirements. To be effective at risk assessment, it is critical that you under-stand your stakeholders – bothwho theyare and what concerns them. This will help shape decisions on the types of risk upon which to focus.
The risk and control maturity of the organi-sation where you work will have a direct im-pact on how you approach your risk assess-ment. The author also discusses how the internal audit function’s capability maturity and risk competencies will help shape the risk assessment approach.
The three important areas you should con-sider for selecting the risk assessment ap-proach is:1. Riskandcontrolmaturity–Istheinter-
nal audit function more control-centric or risk-centric?
2. Organisational vulnerabilities – Whatare the risks that matter most to your particular rganisation?
3. Internal audit capabilities. Is your inter-nal audit function equipped to address the needs of the organisation?
In addition the author also provides five key principles to follow to assist in seeking the right approach to risk assessment for your organisation. 1. Conform with and align your method-
ology to IIA Standards.2. Understand your stakeholder needs
and expectations3. Understand the changing environment
inteRnAl AuditoR’s Guide to RisK AssessMent - (RiCK A. WRiGHt jR; CiA)
IA ADVISER April/May 2015 | 37
booK RevieWs
4. Know your rganisation’s risk focus and primary vulnerabilities.
5. Assess your internal audit function’s ca-pability maturity and risk competencies.
Section3:Toolsforconductingyouroganisa-tion’sRiskAssessment
This section highlights practical ways for building a process for executing a risk as-sessment. Developing a comprehensive audit universe is the first task. The audit universe serves as the risk assessment start-ing point as it identifies the possible audit-able units that will eventually comprise the audit plan. When assessing audit universe risks. Start by identifying business objectives and then tackle risk identification, risk measurement, and risk prioritisation as centerpieces of a well-constructed risk assessment frame-work. Several examples and varying ap-proaches are included to provide a variety of perspectives for what risk assessment can be. Frequency of risk assessment activ-ities and alignment of the risk assessment with business strategy and ERM are also discussed in this section.
Practical advice from the author when aligning with ERM and strategic objectives first, ensure your audit universe includes auditable units of strategic nature. These may include strategic planning processes, the ERM program, corporate governance activities, sustainability programs, crisis management, and reputation manage-ment to name a few. An audit universe that includes areas of strategic concern ensures there will be a focus on strategic risks dur-ing audit planning and that audit resources will be assigned to these areas, where ap-propriate.
Some common mistakes to avoid when identifying risks are also highlighted:1. Confusing risk with the consequences
of risk.2. Focusing on controls instead of risk.
“Ensuring your audit universe is complete?” This for me is the most important question to ask when conducting a risk assessment for the annual audit plan.
The author provides insight to this ques-tion.
“Every organisation audit universe is unique. Some questions, to reflect that the audit uni-verse has been thoughtfully vetted.
• What environments have changedsince the last audit universe update?
• Have there been any changes to thestrategic goals of the organisation?
• Havetherebeenanychangesinleader-ship at key positions?
• Have there been any key personnelchanges (loss of institutional knowl-edge, headcount reductions)?
• Are there any new systems that havebeen implemented?
• Arethereanynewsystemdevelopmentprojects?
• Have any new programs been imple-mented?
• Aretherenewproductslinesorlinesofbusiness?
• Hastheorganisationacquiredanynewbusinesses or entered into any new partnerships?
• Hastheorganisationdivestedanybusi-ness or terminated any partnerships?
• Doestheorganisationdobusinesswithany new strategic suppliers or ven-dors?
• Havetherebeenanychangesintheca-pabilities of strategic suppliers or ven-dors.?
• Arethereplansforsignificantbusinessgrowth or declines?
• Are there new customers beingserved?
• Have new legislative or regulatory ac-tions impacted the business?
• Are there new industry standards orpolicy changes that have been imple-mented?
• Are there any new internal stakehold-ers, or have existing stakeholder needs
changed?• Haveanyfraudorethicsviolationsbeen
detected?• Havetherebeenanyreportedinstances
of competitors or any similar organisa-tions experiencing new opportunities or threats to their business?
• Are the new external opportunities/threats to the organisation?
• Are there new internal opportunities/threats to the organization?”
The completion of the audit universe is a journey. Audit universe requires periodic maintenance.
Section4:SpecialtypesofRiskAssessment
Risk assessment come in various forms and are used for many purposes. In section 4, three variations of risk assessment are presented for specialised uses relating to internal audit engagement planning, fraud considerations, and IT-related risk assess-ments.
Engagement Risk Assessment
This is done on a micro level relating to specific process-level business objectives. “Engagement risk assessment – Amicro -level assessment of an auditable unit’s risk with the objectives of creating an engage-ment plan that focuses efforts toward the key risks that would keep the auditable unit form achieving its objectives. “
Fraud risk Assessment
Std 2120.A2 from IPPF
“The internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk. IIA developed practice guide – “InternalAuditingandFraud”–Thisguidelists5keysteps common to most fraud risk assess-ments:1. Identify relevant fraud risk factors2. Identify potential fraud schemes and
38 | IA ADVISER April/May 2015
booK RevieWs
priorities them based on risk3. Map existing controls to potential fraud
schemes and identify gaps4. Test operating effectiveness of fraud
prevention and detection controls.5. Document and report the fraud risk as-
sessment.
IT Risk Assessment
The author stresses to the reader the impor-tance of the distinction between risks that are business related (and therefore not IT specific) versus those that are truly related to the existence of an IT strategy within the organisation, when assessing IT risk.
Section5:IdentifyingRiskAppetiteandsolv-ing common challenges
In this section the author delve into strate-
gic risk, alignment with ERM programs, and risk appetite as key value drivers and fron-tiers for innovation.
In addition three common mistakes to avoid relating to risk assessments are dis-cussed:1. Equating complexity with value2. Assigning the wrong staff3. Inadequate Data-gathering tools
Further three common challenges to antici-pate during the process of risk assessment are reviewed:1. Inconsistent risk measurement results. 2. Inadequate resources3. Lack of management engagement
The summary and conclusion of the book is the eleven main principles that are address in this book:
1. “Risk creates opportunities and threats. 2. Stakeholders expects internal audit to
assess strategic risk3. Change creates risk4. Identify stakeholder expectations5. Always start with objectives6. Identify, measure, prioritize7. Stay flexible8. Align with ERM9. Be aware of other types of risk assess-
ments. 10. Consider risk appetite11. Don’t go it alone”
Inmyviewthisbookiseasytoread–itpro-vide clear definitions and guidance for the first time risk assessment conductor, how-ever the content of the book is also valu-able for the experienced risk assessment conductor to ensure that their method is still vetted.
Apply now to enter our Internal Audit Technician or
Professional Internal Auditor program. These are a pre-
requisite for entering the CIA program. Alternatively apply
to go through our Recognition of Prior Learning process
if you have the requisite qualification and experience and
obtain our prestigious designations.
For more information contact :
Lawrence Chetty, Deputy Head:
Certifications and Accreditation
Tel: (011) 450 1040
e-mail: learnerships@iiasa.org.za
OBTAIN AN IIA SA PROFESSIONAL DESIGNATION
Sarah Tucker, Technical Committee: IIA SA
IA ADVISER April/May 2015 | 39
AdviseR