April 2014 IIA Adviser

I A ADVISERAPRIL/MAY 2015

STRATEGIES FOR INTERNAL AUDITORS TO NEGATE INTIMIDATION AND VICTIMISATION THE GREY MATTERS ON ETHICSQUESTIONS THE AUDIT COMMITTEE SHOULD ASK ABOUT IT

LEADERS FORUM8 June 2015 I Emperors Palace

The IIA SA will be hosting the Leaders Forum, exclusively for Heads of Internal Audit (CAEs).

This unique forum is an opportunity for like-minded, progressive CAEs to meet, maintain and enhance their networks, listen to high-profile speakers and be exposed to new trends. In addition, pertinent issues affecting the profession will be discussed.

Please visit the IIA SA website: www.iiasa.org.za for more information and to register.

100

IA ADVISER April/May 2015 | 3

BOARD OF DIRECTORS e-mail: [email protected]: Riaan Thiart CIAVice Chairman: Vonani Chauke CIADirectors: Faith Burn Paresh Lalla Paresh Lalla CIA Oupa Mbokodo CIA Tshepo Mofokeng Rudzani Nemaangani CIA Rob Newsome CIA Molefi Nkhabu Jan Opperman Dion Poole CIA Kameetha Singh Arno VorsterChief Executive Officer: Dr Claudelle von Eck Past President: Shirley MachabaPast Past President: Justine K Mazzocco

REGIONAL GOVERNORSCentral Region: Refilwe Mocwaledi Eastern Cape - Border Kei: Norman TrimaleyEastern Cape - Port Elizabeth: Veronique ReddyGauteng - Johannesburg: Bukkie Adewuyi Gauteng - Pretoria: Muthelo MadzivhandilaKwaZulu Natal: Alexander WinterbachLimpopo: Moloto MokweleMpumalanga: Tony MancosNorth West: Sikhuthali Nyangintsimbi Northern Cape: Johannes van Tonder Western Cape: James Gourrah CIALesotho: Liteboho MokuenaNamibia: Julian BeukesSwaziland: Wesley Mndzebele

23

26

Contents

MessAGe FRoM tHe CHieF exeCutive oFFiCeR 5

WelCoMe to neW MeMbeRs 8

stRAteGies FoR inteRnAl AuditoRs to neGAte

intiMidAtion And viCtiMisAtion 10

list oF oCCupAtions in HiGH deMAnd: 2014 12

MiCRoFinAnCinG: innovAtion oR CuRse 14

tHe GReY MAtteRs on etHiCs 19

Questions tHe Audit CoMMittee sHould AsK About it 23

CoRpoRAte sA is still FAilinG to inClude WoMen 26

FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe 28

booK RevieWs 34


Institute of Internal Auditors South AfricaUnit 2, Bedfordview Office ParkBedfordview , 2008

P O Box 2290, Bedfordview, 2008

Telephone: +27 11 450 1040Facsimile: +27 11 450 1070

IIA SA Website: www.iiasa.org.zaIIA Global Website: www.globaliia.org

Business Hours: Mon - Thurs: 08h30 - 17h00 Friday: 08h30 - 16h00

Accounts / Finance: Warren Elbournee-mail: [email protected]: 086 685 0163

Bookstore: Xolisile Vuyiswa Mngwevue-mail: [email protected] fax: 086 685 0164

Certification: Tina Wolmaranse-mail: [email protected]: 086 685 0162

Communications and Business Development: Val Brazaoe-mail: [email protected]

CPD: Jenine Dresse e-mail: [email protected]: 086 685 0161

Learnerships:Lawrence Chetty: e-mail: [email protected]

Membership: Stephanie Erasmus e-mail: [email protected]: 086 685 0160

Regions: Nazlie Ismaile-mail: [email protected]: 086 572 4301

Technical: Charles Nel CIAe-mail: [email protected]: 086 685 0165

Advertising For advertising enquiries contact Queen Sithole: [email protected]

If you need to change your details please e-mail [email protected]

Editorial / Article SubmissionVal Brazao: [email protected] Charles Nel: [email protected] submit an article e-mail: [email protected]

ISSN 2079-729X

Published by the Institute of Internal Auditors South Africa and supplied gratis to members. The IIA SA does not accept responsibility for any opinions expressed by the contributors or correspondents, nor for the ac-curacy of any information contained in contributions, advertisements or correspondence in this publication. All material submitted for consideration is subject to the discretion of the Editor and the Editorial Team. The Editor reserves the right to edit all material. Advertise-ments do not constitute an endorsement.

Although I have some really important Insti-

tute related news to share with you, it would

be remiss of me to not first pause and say a

few words around recent events that have

rocked our country and cast us in a very

bad light. The recent spate of xenophobic

attacks should probably not have come as a

surprise to us. Many of us have been warn-

ing for a while now that we are sitting on a

time bomb as the gap between the haves

and have-nots continuous to widen. While

most of us have preferred to only comment

from afar, we have now received a wake-up

call. This affects all of us and none of us can

distance ourselves from what has been fes-

tering within. It is going to take a collective

effort as South Africans and SA institutions

to combat what has become an embarrass-

ing exposure of the rot that is building up.

It is important that we send a clear message

to the world that South Africans will not al-

low a minority to define who we are as a

people. In this context the IIA SA says NO to

xenophobia and NO to violence against our

fellow human beings.

Now, having said that, let me turn to the is-

sues directly affecting the Institute. My in-

tention is to only focus on news not already

covered in our Integrated Report which is

accessible to all on our website. I am really

proud of our Integrated Report, which this

year now appears in both PDF and Flash

with video clips. I encourage you to read

the IR as it is filled with information on what

is happening in the land of the IIA SA.

Firstly, you should be aware of a significant

shift in the South African qualifications

landscape which has seen the establish-

ment of the Quality Council for Trades and

Occupations (QCTO) under the South Afri-

can Qualifications Authority (SAQA). As is

implicit in its name, SAQA is the custodian

of qualifications in South Africa. You will

start to hear more and more about SAQA,

especially in the light of the fact that we

have seen so many high profile cases of in-

dividuals falsifying their qualifications in re-

cent times. The Skills Development Act has

made provision for quality councils under

SAQA to oversee the establishment, regis-

tration and maintenance of qualifications.

These councils oversee the registration of

qualifications in the three main spheres of

education and training. While the coun-

cils for the schooling (Amalusi) and higher

education (CHE) sectors have long been

established, the council overseeing trades

and occupations has only recently been es-

tablished. As a result, professional qualifica-

tions had in the past been registered direct-

ly with SAQA. With the establishment of the

QCTO, all professional qualifications must

MessAGe FRoM tHe CHieF exeCutive oFFiCeR

6 | IA ADVISER April/May 2015

MessAGe FRoM CHieF exeCutive oFFiCeR

now be registered with the QCTO as their direct registration with

SAQA is expiring this year. This basically means that the IIA SA has

to re-register its current learnerships under the QCTO. The Institute

has therefore now kick-started the registration of the national inter-

nal audit qualifications. We have had our first scoping meeting with

the QCTO and various stakeholders and I am pleased to announce

that the IIA SA has been appointed the Development Quality Part-

ner for the registration of the internal audit qualifications. What does

this mean for our learnerships? These qualifications essentially will

be our current learnerships now recognised as national qualifications

under the QCTO and will underpin our designations IAT and PIA. This

is good news for the profession. Those currently in our programs will

not be affected, but once the national qualifications are registered,

new entrants will go through the new process. You will not feel the

difference as the process will remain much the same.

Another important piece of news that I need to share with you is the

outcome of the AGM which was held on 22nd April 2015. Beside the

election of the directors, members also voted on changes to the By-

laws and the establishment of a subsidiary under the Institute to sat-

isfy the QCTO requirements for the new national qualifications. Both

the changes to the Bylaws and the establishment of the Academy

(subsidiary) were approved by an overwhelming majority of those

who voted.

Your new Board now consists of:

Chairman Riaan Thiart Newly elected in this position

Vice Chairman Vonani Chauke Newly elected in this position

Director Rob Newsome Re-elected

Director Molefi Nkhabu Re-elected

Director Arno Vorster Re-elected

Past Chairman Shirley Machaba Vacated Chairman’s seat

Past Past Chairman Justine Mazzocco Vacated Past Chairman’s seat

CEO Claudelle von Eck Still in office. Appointed by the Board

Director Dion Poole Term end in 2016

Director Oupa Mbokodo Term end in 2016

Director Paresh Lalla Term end in 2016

Director Rudzani Nemaangani Term end in 2016

Director Jan Opperman Newly elected

Director Kameetha Singh Newly elected

Director Faith Burn Newly elected

Director Tshepo Mofokeng Newly elected

We congratulate all of those who were elected to serve on the Board.

With a professional body that has a lot of complexity to deal with, the

Board is kept very busy and is often confronted with tough decisions

to make. These are the people who make decisions on behalf of your

Institute and have a significant impact on the direction the profes-

sion takes in the local context. This is a significant burden. Exercising

leadership is not always an easy thing to do. In actual fact, more often

than not it is difficult as one has to be brave while taking people to

a new reality at a pace that the majority can absorb. It is therefore

imperative that we give the Board our support.

I do want to spend a minute talking to our members about the es-

tablishment of the Academy as it is important that you fully under-

stand the rationale for it. Currently the Institute is responsible for the

roll-out of the learnerships as well as the assessment process. Under

the QCTO’s procedures, provision is made for two functions for the

occupational qualifications. The one is the Skills Development Part-

ner (SDP) and the other the Assessment Quality Partner (AQP). The

former is responsible for offering the training that accompanies the

qualification and the latter the assessment that ascertains compe-

tence at the end of the training process. Under the QCTO these two

roles cannot be played by the same organisation. In other words, you

cannot be both player and referee on the field. It has therefore be-

come necessary for us to accelerate the establishment of a separate

entity to create a clear separation between the player and referee

aspects. In this context the Institute is applying to be AQP and the

Academy will play the role of SDP.

Thus, we are dealing with some really exciting (albeit a little scary

when one thinks of all the work involved) projects at the moment.

This is all in the name of professionalising internal audit. This profes-

sion is such an important pillar of governance in South Africa that we

cannot ignore the fact that we must ensure that internal auditors are

adequately prepared for the increasing expectations from the mar-

ket. I believe that we are on the right path. Key questions to you: Is

your internal audit function aligned to the efforts to professionalise

internal audit and are you ready to take the quantum leap with us?

Claudelle von Eck, CEO: IIA SA


Progress Through Sharing

IIA Membership

The Institute of Internal Auditors South Africa is the leading professional body representing the interests of Internal

Auditors in South Africa. As part of an international network, the IIA SA upholds and supports the fundamental tenets

of the profession - the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing.

The IIA SA supports the profession by providing a wide range of services dedicated to the education and advancement

of internal auditors and dynamically promoting and developing the profession in South Africa.

We serve internal auditors in South Africa by offering Technical Guidance, Professional Training Programs, Certification

Programs, Continuing Professional Development Opportunities, Conferences

and Networking Opportunities.

For more information contact the Membership Administrator on

Telephone: (011) 450 1040 or e-mail: [email protected]

IIA SA website: www.iiasa.org.za


boRdeR Kei

Alfred NZO District Municipality Aviwe MtakasiDepartment of Economic Development & Environmental Affairs - Eastern Cape Neliswa NyosanaDepartment of Local Government & Trad Affairs - EC Andile MakhabeniDepartment of Roads & Public Works - Eastern Cape Sibulelo Mbam Zikhona SagwityiDepartment of Sports Recreation Arts & Culture (Eastern Cape) Nokuzola MahanjanaDepartment of Transport (Eastern Cape) Lulama Mpandana Ntikhoyo Mene Nosisa Mahlutshana Bonginkosi NyongoEastern Cape Development Corporation Sisamkele NgxawuInkwanca Municipality Asanda MkonqoLukhanji Local Municipality Ayanda Doko Asanda MagqazaLumoka Chartered Accountants Nosiphiwo Magubeni Matseliso Mfanta Mandisi MsongelwaMnquma Local Municipality Phelela Mdladlamba Xolisa MjakujoNkonkobe Local Municipality Luyolo MapitizaNyandeni Local Municipality Sinovuyo MadoloOffice of The Auditor General South Africa ( Eastern Cape) Pumza GolimpiRakoma & Associates Incorporated Tembelani TshabaneSouth African Post Office (SAPO) Leon de Vos

FRee-stAte

Central University of Technology (Student) Maite LetsoaloEthekwini Municipality Sifiso NtozakheNorthern Cape Provincial Treasury Tau PitsoProvincial Treasury - Northern Cape Tumelo GaarekweSouth African Post Office (SAPO) Lawrence PitsoUniversity of the Free State Nandi Lubbe

joHAnnesbuRG

ABSA Bank Ltd Phathiswa Nqini Charlene Chung Dingaan KhozaABSA Bank Ltd (Internal Audit) Sonia ManilalAlexander Forbes Financial Services (Pty) Ltd Ludwe MqengqeniAuditor General of South Africa (AGSA) - Pretoria Sibusisiwe NkuthaAuditor General South Africa (AGSA) Lindelihle KuneneBorwa Financial Services (Pty) Ltd Christinah ZebedielaC N Corporate Partners SA cc Cease NyamasokaDepartment of Justice Mareka TebakangDepartment of Mineral Resources Nhlonipho KhozaDepartment of Social Development Malemane KgananaDepartment of Tourism (National) Lebogang MtshaliDevelopment Bank of Southern Africa Tebogo Manakana Nakasani MurongaDiscovery Ltd Arlene AlvesEdison Group Miguel Dos SantosEskom Holdings SOC Ltd Liaqat AzamFinancial Services Board Bertha KhoeleGroup 5 Limited Mputluki MokonyaneGroup Five Construction Mosidi KomaneImperial Truck Rental Surette VorsterLand & Agricultural Bank of SA Sydney NkunaLiberty Group Limited Oupa Mokgoantle Anthon Booysen

Liberty Group Limited Mohummed AreffLloyd Viljoen Lindsey BordMNB Chartered Accountants Rhangani Mbhalati Rivalani NtuliMogale City Local Municipality Boingotlo BantaotseMRL Incorporated CA ( SA ) Molefe MorifeNational Treasury Keneiloe KgoroeadiraNetcare Management (Pty) Ltd Silindile SibiyaNexia SAB&T Lethabo MongaloNgubane & Company Ephraem SibandaNkonki Incorporated Sindi Zilwa Mahendrin Moodley Morne Kermis Varsha Chetty Khomotso Legote Mzimtsha Nkonki Tererai Dzirekwa Nomcebo Mlambo Thuto Masasa Zakhele NkosiPandell Consulting Simbarashe MlamboSAA Technical Michael MpanzaSizweNtsalubaGobodo Serame MothupiSouth African Post Office (SAPO) Stephen Masango Jeremia Mosieleng Willem FourieSouth African Reserve Bank Kavershnie MoodleyStandard Bank South Africa Phumzile Gebashe Kealeboga Mabe Lerato Dlamini Olebogeng Siko Mandisi Mzinyati Miliswa Mgavu Shoki Maditsi Oneilwe Methikge Berko Danso Fhatuwani MufamadiStateway Switchboards Nkosingiphile DokoTollserve cc Ntsoaki MokoenaTransnet Freight Rail Nthabiseng TlalangUmgeni Water Godfrey NgwenyaWatermark Auditors Inc Nyasha Kaliyati

KWAzulu nAtAl

Durban University of Technology Mohammed KharwaDurban University of Technology Student Busisiwe DhladhlaHealth System Trust Blessing MncwabeHTB Consulting Nobuhle KhuzwayoKwaDukuza Municipality Zama BekwaKZN Gaming and Betting Board Nontobeko HlengwaKZN Provincial Treasury Thobeka BasiMichaelmas College (Pty) Ltd Thembeka MngqithiNewcastle Municipality Khulakahle PoultenNexia SAB&T Pirogan MudalyNtshidi & Associates Buza BenguOMA Professional Advisory Group (KZN) Suveen Dabeepersadh Muhammad SheikProvincial Treasury - KZN Lipworth Mbonambi Duduzile DitlhaleRoad Accident Fund Mbali KhubisaSA Post Office PIA Ian BarnesSizweNtsalubaGobodo Don SaundersSumitomo Rubber South Africa (Pty) Ltd Nduduzo ChalaUmgeni Water Ronica Mhlabane

WelCoMe to neW MeMbeRs


liMpopo

Department of Roads & Transport - Limpopo Lindiwe NgwenyaGreater Tubatse Municipality Mahlatse MononyaneMetcash Africa Jan PietersePricewaterhouseCoopers - Polokwane Aneela MoodleySML Projects (Pty) Ltd Maano Seokotsa

MpuMAlAnGA

Finbond Mutual Bank Sicelo SitholeLekwa Local Municipality Vukile DladlaMbombela Local Municipality Nkululeko SifundaMpumalanga Provincial Legislature Rodney Zwane Nolwazi MlimiSteve Tshwete Housing Association Nomthandazo Skhosana

nAMibiA

Erongo Regional Electricity Distributor Company Karin AndimaMinistry of Finance Namibia Amutenya JacobsPricewaterhouseCoopers - Namibia Charles Matundu

noRtHeRn CApe

Mier Municipality Abigael OrangeOffice of The Auditor General South Africa Mxolisi PhalisoOrange River Cellars Wentzel Engelbrecht

noRtH West

Johannesburg Fresh Produce Market Kobeli MotsieloaMVI Group Mokaedi MabinaNgaka Modiri Molema District Municipality Goitseone MakgoloNWK Limited Beracah SehlohoRatlou Local Municipality Kgalalelo LetsapaSizweNtsalubaGobodo Kizito Aidoo Gaongalelwe ModiseSouth African Police Services Ofentse Kgope

poRt elizAbetH

Coega Development Corporation Msimelelo BoltinaCoega Development Corporation (Pty) Ltd Siphokazi MazombaDepartment of Economic Development & Enviromental Affairs - Eastern Cape Aphelele KalipaDepartment of Human Settlement (Eastern Cape) Chumani Ntlebi Sibusiso Komnga Veliswa MalasheErnst & Young Natalie Goedhals Gavin FlanaganKPMG (Port Elizabeth) Maxesibandile MbalaneKPMG (Pty) Ltd Andre De WetMkululi Mbali Financial Advisory Services cc Mkululi MbaliOffice of the Auditor General (EL) Cwayita GanaOffice Of the Premier - Eastern Cape Malungisa LujalajalaSovereign Foods Veronique Reddy

pRetoRiA

Business Innovation Group (Pty) Ltd Evasen ArcharyCompanies and Intellectual Property Commission (CIPC) Francis ManickumDepartment of Home Affairs Vincent KgwaleDepartment of Justice and Constitutional Development Lesego RamakutanaDepartment of Public Enterprises Samuel Sebola

Department of Social Development (National) Caroline DitintiDepartment of Tourism (Pretoria) Sharon BiyaFinbond Mutual Bank Petrus SelzerGrant Thornton PS Advisory Services (Pty) Ltd Karel SteenkampHernic Ferrochrome (Pty) Ltd MornÃ© FraserHuman Sciences Research Council Tshegofatso ModibaJDG Trading (Pty) Ltd Mmantomi SeemaMasilonyana Local Municipality Motlalepula Motaung Thabo KareebosMedscheme Holdings (Pty) Ltd Mosima KwebuNexia SAB&T Vinolia Makgoba Mmakgabo Motadi Refilwe Maimela Setilo Maabane Keneilwe Pholoma Mmarungoane Manchidi Maripa Moabelo Mphoke Senamela Mashoto Mogowe Tlou SelahlaNorthwest Transport Investment Tshidi MabuselaOMA Chartered Accountants Inc Saheed FasasiPricewaterhouseCoopers - Polokwane Vusi Ntuli Morepuo KemboPricewaterhouseCoopers (Pretoria) Noluthando VilakaziRenaissance Chartered Accountants Tshianeo MadadzheSekelaXabiso Consulting Masabata ElephantSouth African Bank of Athens Monica PattichidesSouth African National Defence Force Orebotse MothokoSouth African Police Services (SAPS) Jacobus Roos Emmanuel RapholoSouth African Post Office (SAPO) Thabo Doyoyo James Ndlovu Frik SticklingTollserve cc Martha Molekoa Wiseman MfayelaUniversity of South Africa Steven Moloi

sWAzilAnd

Swazi MTN Limited Ncamsile MhlangaRoyal Swaziland Sugar Association Phinda MngomezuluRoyal Swaziland Sugar Corporation Winile Dlamini George Croucamp Philile Gumbi Nozipho MsibiSwaziland Electricity Company Sakhile DludluUniversity of Swaziland Bongani Msibi

WesteRn CApe

Cape Peninsula University of Technology (Student) Zwelithini MatsosoDepartment of The Premier - Western Cape Shane SoekoeGrant Thornton CT Kudzayi MatsangaKuhumelela Registered Accountants and Auditors Lenin NdzibaMaboya Capital (Pty) Ltd Lwazi MagayanaOakhurst Insurance Company Ltd Stephanus LouwPrescient Profile David JarmanSouth African Post Office (SAPO) Daniel Germishuys Joseph Sidonie Donald Valentyn Hendrick VolschenkThe Foschini Retail Group Nicole Andrews Radha Heera


stRAteGies FoR inteRnAl AuditoRs to neGAte intiMidAtion And viCtiMisAtion

With internal auditors facing increasing in-

timidation, victimisation and malicious re-

porting within both the public and private

sectors, the need for internal audit profes-

sionals to find and employ effective psycho-

logical and behavioural strategies to negate

these extremely detrimental practices can-

not be overstated.

To this end, Dr. Graham du Plessis (PhD),

lecturer in the Department of Psychology at

the University of Johannesburg, and a prac-

ticing clinical psychologist who counsels a

number of internal auditors in both a thera-

peutic and consulting context, outlines a

number of such strategies which internal

auditors can develop and utilize.

“To begin with, I have observed that inter-

nal auditors often operate within a rather

stressful and complex environment where

strong people skills are very necessary.

While each case is certainly different and

requires a degree of tailoring, in the context

of threatening interactions there are a num-

ber of important principles to keep in mind,”

he explains.

First and foremost, he says, it is important in

such situations to look beyond the threat-

ening behavior in order to discern its func-

tion for the person who is doing the threat-

ening, and that to do this, it is necessary to

check our emotional reaction and to look at

the facts at hand.

“Often people threaten others as part of

a negotiation. In essence, the idea of the

threat is to elicit emotion in someone with

the intent of getting them to act in a certain

manner. Therefore, internal auditors faced

with threats need to remember that they

should see the threat as a form of negotia-

tion, and that by practicing checking their

emotional reactions of fear, shock and an-

ger, they can most effectively focus on the

task at hand.”

He continues that while there is no ‘silver

bullet’ for formulating and implementing

this strategy as each situation needs to be

specifically managed and strategized par-

ticular to the parties and context involved,

he has found two ideas to be extremely

popular, and effective, with the people and

companies he has worked with.

tHe FiRst oF tHese is boundARY settinG.

“Setting boundaries is crucial in both our

personal and work relationships, particularly

so in instances where overt and tacit threats

occur. This is because boundaries define the

line between what I am responsible for, and

what others are responsible for.”

He expounds that in order to set a bound-

ary, a person must follow three steps.

“Firstly, they should acknowledge the need

of the other person. For example, ‘you

would like for me to delete X information

from your report, and replace it with Y in-

formation.’ While this is often as simple as

repeating to that person their request or

statement, or your understanding thereof,

it does require practice to perfect.”

tHe seCond step is to set tHe boundARY.

“In this case, the person communicates the

line of responsibility clearly and without

deviation. For example, ‘I cannot remove

information from my report.’”

The final step involves offering an alternative.

“In this step, the person setting the bound-

ary gives another option to the person with

whom the boundary is being set. An ex-

ample may be, ‘…but I am willing to add in

an extra section or addendum to the report

that explains your concerns and position

regarding information Y.’ It is vital to remem-

ber all three steps in boundary setting.”

Du Plessis continues that the second popu-

lar idea is that in any communication there

are a number of levels to consider.

“We communicate through what we say

and how we say it. The content of the

words we use is only a small part of what

is being communicated. Our tone, inflec-

tion and body language while we are say-

ing something also convey a great deal of

information. When the content of what we

say matches how we say it, we are commu-

nicating in a manner that is highly authentic

and which often is most effective at making

others comfortable and in getting the best

out of relationships.”

He elaborates that when there is disagree-

ment between what is being said and how it

is being said, there is a problem in the com-

munication, and that this is often the case

in the context of threats, or when there is

some other form of relational breakdown.

“Therefore, when communicating our-

selves, it is advisable to be as congruent

in what we say and how we say it as pos-

sible. When dealing with others who are

being dissonant in their communication,

the rule of thumb is to focus on the ac-

tual content of the words, and to ignore

the non-verbal communications. The fun-

damental idea of this strategy is to com-

pel the person who is communicating in

a discordant manner to verbalize with

words the other, non-verbal message of

his or her communication.”


stRAteGies FoR inteRnAl AuditoRs to neGAte intiMidAtion And viCtiMisAtion

Often, threats are made through implicit

communications where the words are not

necessarily threatening but the manner in

which the non-verbals are employed com-

municates a clear implicit message, which

often is a threat.

“In these situations, emphasizing boundary

setting in relation only to the actual content

of the words is an effective strategy for han-

dling threats. It is one of the most effective

means of dealing with threats in the busi-

ness environment.”

Du Plessis maintains that another good

psychological principle to apply in regards

to people being aggressive, unfriendly or

threatening is as follows:

“As a rule you cannot cure unkindness with

kindness, and this also applies to threats. If,

when you are threatened, you accept the

threat and are very nice about it, the person

who has threatened you is simply going to

learn that this is an acceptable way to in-

teract with you in future. I certainly do not

advocate fighting back aggressively; rather

I have found that effective boundary set-

ting is a very useful manner in which to as-

sertively and implicitly communicate to the

‘threaten-er’ that this type of interaction will

not work with you.”

And he stresses that these same principles

apply after a threat has actually been car-

ried out, and to many other aspects of an in-

ternal auditors’ job, such as communicating

sensitive information, and obtaining their

stakeholders’ buy-in to implement their rec-

ommendations.

“Congruence is crucial when it comes to

communicating sensitive information. It is

also crucial, although often forgotten, to

remember that all communication is a two

way street. When communicating informa-

tion to others, and especially sensitive infor-

mation, it is of absolute importance to listen

to what the other has to say.”

Yet his clients are often surprised by this

idea, saying, “I have something that my

stakeholders need to hear. I don’t really

need information from them.”

“On a logical level they are often correct,”

says du Plessis. “However, on a psychologi-

cal level they are forgetting that in order for

other people to hear us, actually hear us, we

need to listen to them as well. It is not logi-

cal so much as psychological, which, when

working with others, is only logical.”

As for obtaining stakeholder buy-in to im-

plement their recommendations, du Plessis

asserts that as a guiding rule he would en-

courage internal auditors to make sure that

they are communicating in a very congru-

ent manner.

“Again, what you say and how you say it

should all line up into an authentic communi-

cation. The other golden rule of ‘buy-in’ is that

you need to listen carefully to others’ opinions.

I would encourage internal auditors to take

time to really listen to what their stakeholders

have to say. As a consultant clinical psycholo-

gist I have often come across the opinion that

‘because it has to be this way, there is really

no point in discussing it with the stakehold-

ers any further’. On a purely logical level this

position makes sense, but on a psychological

level it can be disastrous.”

And tHis tAKes us bACK to boundARY settinG.

“Boundary setting underscores two crucial

aspects of human nature. The first is that we

want and need to be listened to and heard,

even if our requests are not necessarily met.

What is key here is to remember that being

listened to is a practical human request.

While on the surface it may appear to have

very little to do with the work at hand, in

practice is it the most fundamental requi-

site as it lays the relational foundation for all

other work and ‘buy-in’. The second is that

we don’t like to be ‘boxed-in’. All people

have a basic need to direct their lives and

business in some way. Therefore it is crucial

to buy-in to make sure that stakeholders

have some say in what they do. This ‘say’

does not necessarily have to be around core

issues that can’t be changed, but it does

have to be there.”

Thus, in pursuing buy-in it is important for

internal auditors to remember that when

they allow stakeholders some freedom to

act, even if it is in regards to a non-core or

seemingly irrelevant aspect of implemen-

tation, they are far more likely to lay a solid

foundation for effective implementation.

In addition to these psychological and be-

havioural strategies, Du Plessis points out

that because internal auditors often work in

stressful and complex environments, they

are generally in a position where ‘self-care’

is vital.

“Broadly, this means that internal audi-

tors need to look after themselves prop-

erly. This involves paying attention to

the human sides of life, such as investing

time and energy in their personal rela-

tionships, their health, and in occasion-

ally taking some mental ‘time off ’. Most

important of all is spending time on life

works that are personally meaningful and

fun,” he concludes.

Steven Chiaberta for The Wisdom Keys Group (WKG) on behalf of the Institute of Internal Auditors South Africa (IIASA)


intRoduCtion

Given that Internal Audit has once again appeared in the latest version of the commonly known scarce skills list under OFO code 242211 (DHET.2014/22), an introductory document was thought necessary to provide a brief overview of the aforementioned list and its origins.

bACKGRound

Aiming to influence, amongst other things: qualifications’ development; supply side planning; student fund allocation; skills development for special government projects; career guidance; and global human resource attraction strategies; 100 scarce skills in the country were identified and shared with the public on 23 May 2015 (Government Gazette No. 37678). Feedback, however, revealed the need to and desire to incorporate more skills and as such the original intent of confining the list to 100 could not be met. The commonly understood term of scarce skills was, thus, replaced by that of ‘occupations in high demand’, as published by the Department of Higher Education and Training (DHET) in the

National Government Gazette (No. 38174).

tHe developMent oF tHe list

The development of this list was based on the appeal for such information captured in several public source documents, including, amongst others, JIPSA, IPAP 2 and the NDP etc. The process started with agreeing on the terms of reference and establishing an advisory committee to guide the project. Thereafter, research was conducted and a draft list was compiled. The results of this research were supported by an interview sample of employer associations. The findings were then presented to the Advisory panel and thereafter revised according to their feedback. The revised document was then gazetted for public comment based upon which the final list was drafted and published

KeY FindinGs

The Joint Initiative on Priority Skills Acquisition (JIPSA) source documents indicated that immediate attention needs to be given to developing world class engineers for industries focused on

transport, communications, and water and energy. In addition, they emphasised the need for city, urban and regional planning and engineering skills as well as artisanal and technical skills, especially those directed towards infrastructure development, and housing and energy. Management and planning skills in education and health was also a concern as well as mathematics, science and language competence in public schooling. In addition, JIPSA made proposals to prioritise skills initiatives in the fields of tourism, information and communication technology, business process outsourcing and bio-fuels.

The Industrial Policy Action Plan (IPAP) 2 identified the following 3 areas as in need of market growth and the associated upgrading of supply capacity and capability: green industry; agro-processing; and fabrication, capital and transport equipment.

The National Development Plan (NDP) 2010-2030 suggested the need for skills in the areas of: Public service delivery; Sustainable Livelihoods; Education and Training; Research and Development; Public

list oF oCCupAtions in HiGH deMAnd: 2014

INTERNAL AUDIT

Imag

e co

urte

sy o

f ww

w.fr

eegr

eatp

ictu

re.c

om/


list oF oCCupAtions in HiGH deMAnd: 2014

infrastructure; and Health professionals.

The National Growth Path (NGP) identified the following disciplines in need of employment creation and growth:• Engineers: Target at least 30 000

additional engineers by 2014, changing subsidy formulae for universities as appropriate;

• Artisans:Targetatleast50000additionalartisans by 2015, with annual targets for state owned enterprises;

• Workplaceskills:Improveskillsineveryjob and target 1, 2 million workers for certified on the-job skills improvement programmes annually from 2013;

• Further education and training (FET)colleges: Colleges have a central role in providing important middle-level skills for young people; and

• Information and communicationstechnology (ICT) skills: The departments of education should ensure that computer skills are taught in all secondary schools and form part of the standard adult basic education and training (ABET) curriculum by 2015. All public servants should also receive ICT training.

The Government Strategic Infrastructure Projects (SIPs) note a dire shortage across

the disciplines with regards to engineers, technologists, technicians, and artisans.

The Job Opportunities and Unemployment Report (JOUR) noted that the high number of vacancies in the country included managers, senior public sector officials, engineers, technicians, artisans, Information Technology professionals; and maths and science teachers.The Human Resources Development Council (HRDC) report on the Production of Professionals (2013) highlights the need for the production of professionals in engineering, mining, health care and, the built environment.

The Salary and Wage Analysis (2013/2014) indicated wage growth was strong for engineers, project managers, medical personnel, artisans, and IT professionals. (DHET.2014/13-16).

sCoRinG oF oCCupAtions

The methodology used to identify occupations in high demand involved the use of a scoring system to determine eligibility for the list. The following steps were followed in scoring occupations:• Occupations were selected if source

documents identified them as “in need” or “scarce”.

• Pointswereallocatedtoeachoccupationbased on a 100-point rating scale

• The top 100 occupations in demandwere identified based on those that scored the highest

• Additionaloccupationswereincorporatedinto list based on public comments.

• Some source documents (such asthe NDP and IPAP 2) refer to clusters of occupations rather than actual occupations upon which occupations were inferred and lower scores allocated to reduce researcher bias.

• Owing to its infrastructure focus, SIPsprojects were allocated 10 points also to reduce bias.

• Occupations listed in the SectorEducation Training Authority (SETA) Pivotal Skills Lists were allocated 20 points given that they were based on recent studies (DHET.2013)

• In addition those occupations withprofessional designations (such as engineers, quantity surveyors, doctors and teachers) received higher scores due to global high demand for such professions.

Rakal Govender, Senior Research Analyst: Private Sector, IIA SA

ReFeRenCes

1. Department of Economic Development (2010). The New Growth

Path: agenda. Pretoria: EDD.

2. Department of Higher Education and Training (2013a). White

Paper for Post-School Education and Training. Pretoria: DHET.

3. Department of Higher Education and Training (2013b). Learning

pathways for SIPs scarce skills. Pretoria: DHET.

4. Department of Higher Education and Training. (2013c).

Compilation of SETA Scarce and Pivotal Skills Lists (2013/2014).

Pretoria: DHET.

5. Department of Higher Education and Training. 2014. List of

Occupations in High Demand: 2014.Pretoria: DHET

6. Department of Labour. (2013). Job Opportunities and

Unemployment in the South African Labour Market 2011-2012.

Pretoria: DoL.

7. Department of Trade and Industry 2011/12 - 2013/14. (2012).

Industrial Policy Action Plan 2. Pretoria: DTI.

8. Human Resource Development Council of SA. (2010). Human

Resource Development Strategy for South Africa (2010 - 2030) .

HRDCSA: Pretoria.

9. Human Resource Development Council of SA. (2012). Key issues

in improving the quantity and quality of professionals in South

Africa. HRDCSA: Pretoria.

10. National Planning Commission. (2012). National Development

Plan 2030. Pretoria: NPC.

11. The Presidency. (2010). Joint Initiative on Priority Skills Acquisition,

March. Pretoria: The Presidency.


MiCRoFinAnCinG: innovAtion oR CuRse

bACKGRound

The idea of micro finance is quite simple:

to provide financial services to the poor.

It is an instrument for alleviating poverty

and providing the poor access to financial

services. It makes a range of financial ser-

vices products accessible to the lower in-

come segments of the population who do

not meet the requirements of traditional

financing.

Micro lending in developing countries is

not banking as usual. It is a unique process

that relies on social relationships in order

to overcome moral hazard, monitoring

and enforcement problems. Micro lending

has historically served customers in low-

growth, informal economies with weak

property rights and tight social control.

These individuals have limited experience

with access to capital, capital accumulation

and its effective deployment. Hence, the

business of micro lending are tying their

fortunes to a fundamentally different kind

of banking customer where the customer’s

income is smaller, irregular and unpredict-

able. As a result, a deep understanding of

the customers is a fundamental step for

successful entry into such markets. Focus-

sing purely on repayment rates, a common

practice, obscures the more complex reali-

ties of micro lending. To understand micro

lending, one needs to start with the cus-

tomer and their social environments. In mi-

cro lending the individual is the key to suc-

cess. The mission of a typical micro lender

is centred on providing access of credit for

the underprivileged. The success of mi-

cro credit programs has largely depended

upon the process of “character-based” lend-

ing which essentially means reliance on

social pressures or peer-monitoring when

extending loans.

More vulnerable households in develop-

ing countries are more concerned with

ensuring housing and securing food than

less vulnerable households. A thorough

understanding of importance of various

risks and the role household assets and

available coping mechanisms play in miti-

gating them is a milestone in designing

relevant micro finance services that will

assist households in increasing their se-

curity of priority household needs. To be

successful micro lenders should use more

household information in the screening

and portfolio segmentation process. Client

retention should be of utmost importance

as compared to further client growth. Mi-

cro finance entities should improve their

services by further adapting their products

and services to specific target groups.

Financial education plays a key role in en-

couraging responsible financial behaviour.

Borrowers default if their net equity falls

below a certain threshold or if they can-

not make their monthly payments due to

credit constraints. Non-payment behaviour

is common amongst middle and low in-

come earners. Individuals have recognised

that the causes of financial difficulties lie

primarily in their inability to manage mon-

ey and decisions regarding spending and

indebtedness. Lack of borrower education

programs was one of key reasons to high

defaults.

RisKY business

A micro finance institutions’ success and

penetration is largely influenced by both

socio-political factors as well as operational

subtleties. The business of micro finance in-

stitutions should be a constant balance be-

tween outreach (reaching large numbers of

poor clients), financial sustainability (gen-

erating sufficient revenues to cover costs)

and impact (showing a positive effect on

client’s quality of life). Factors affecting the

sustainability of micro financing institutions

is broadly divided between institutional

and environmental variables. Institutional

variables are those factors that are specific

to the institution, while environmental are

those economic settings of the country in

which the institution operates. Programs

with high operating costs are less viable

than those with lower costs. Micro finance

institutions tend to be more sustainable by

increasing the size of their operations. Sus-

tainability is a necessary long term goal for

almost all micro finance institutions.

Many risks are common to micro lenders.

Typically they are broken into 3 categories

each focussing on different perspectives of

the micro lending risk environment. Below

is a list of common risk areas with corre-

sponding approaches in managing the risk.

Although not exhaustive, it clearly gives in-

sight into the common risks:

Imag

e co

urte

sy o

f ww

w.fr

eegr

eatp

ictu

re.c

om/



1. FinAnCiAl RisKs

a. Credit risk

o Risk to earnings as a result of bor-

rowers’ late or non-payment of loan

obligationsEffective approaches to managing risk

o Well-designed borrower screening,

careful loan structuring, close moni-

toring, clear collection procedures

and active oversight by management

o Good portfolio reporting that accu-

rately reflects the status and month-

ly trends in delinquency, including

a portfolio-at-risk aging schedule

and reports per loan product

o Routine comparing of credit risk

with adequacy of loan loss reserves

b. Liquidity risk

o Risk that micro finance institution

cannot meet its obligations on

timely basisEffective approaches to managing risk

o Maintaining detailed estimates of

projected cash inflows and out-

flows

o Maintaining investment accounts

that can easily be liquidated into

cash

o Anticipating the potential cash re-

quirements of new product intro-

ductions

c. Interest rate risk

o Risk of financial loss from changes

in market interest ratesEffective approaches to managing risk

o Reduce the mismatch between

short-term variable rate liabilities

and long-term fixed rate loans

d. Foreign exchange risk

o Risk for loss of earnings as a result

of fluctuations in currency values

Effective approaches to managing risk

o Avoid funding the loan portfolio

with foreign currency if it cannot

match foreign liabilities with for-

eign assets

o Use of interest rate swaps or futures

contracts to “lock-in” a certain ex-

change rate

e. Investment portfolio risk

o Risk referring to longer term invest-

ment decisions rather than short

term liquidity or cash management

decisions


o Staggering investment maturities

o Policies establishing parameters for

acceptable investment decisions in

investment portfolio

2. opeRAtionAl RisKs

a. Transaction risk

o Risk that arises daily as transactions

are processed


o Simple, standardized and consis-

tent procedures for cash transac-

tions

o Effective internal controls to reduce

human error and fraud

o Strong internal audit activity to test

and verify accuracy of information

and compliance

o Limiting manual data capturing

b. Fraud risk

o Risk of loss of earnings as a result of

intentional deception by employ-

ees or client


o Use of preventive measures to re-

duce fraud by having education

campaigns, standardize loan poli-

cies and procedures, enforce hu-

man resource policies

o Client visits to verify information

3. stRAteGiC RisKs

a. Governance risk

o Risk of having an inadequate struc-

ture to make effective decisions


o Board comprise of the right mix of

skills and experience

o Clear lines of authority for board

members and management

o Clearly communicate performance

expectations and lines of account-

ability

b. Reputation risk

o Risk to earnings as a result of from

negative public opinion


o Building relationships with clients,

funders or investors and regulators

c. External business risk

o Inherent risks as result of the exter-

nal business environment


o Contingency plans for anticipation

and possible external events that

can impact the business

d. Regulatory and compliance risk

o Risk of non-compliance with laws,

rules, regulations or ethical stan-

dards


o Establishing good working rela-

tions with regulatory authorities

Granting microloans to borrowers not only

result into credit risk but also in liquidity

risk due to the refinancing process, interest

rate risk, foreign exchange risk if applicable

and operational risk due to staff fraud. Mac-

roeconomic factors such as unemployment

and inflation is regarded as being signifi-

cant to micro finance institutions. Micro fi-

nance challenges are further compounded

by over emphasis on collateral and ignor-

ing the debtor’s willingness or ability to pay

and poor culture of repayment. The micro

finance technologies of service delivery,

screening, and monitoring significantly dif-

fer from those in the formal banking sector.

Research suggest that micro finance insti-

tutions do not always do better, and some-

times do substantially worse where institu-

tions are more advanced.

FuRtHeR ReseARCH insiGHts• Larger micro finance loans result in a

lower yield on gross portfolio. Even

though larger loans reduce operating

costs, the gains in costs is off-set by the



increased difficulty in finding good bor-

rowers willing to take out bigger loans.

• Stronger profit orientation leads to

higher interest rates but is also associ-

ated with higher costs.

• Micro finance institutions offering

smaller loans tend to be more efficient

than those offering larger loans. Mi-

cro finance institutions offering larger

loans do not benefit in terms of effi-

ciency from raising interest rates as a

result of competition.

• Themostefficientmicrofinancinginsti-

tutions are the ones offering small but

expensive loans. Moving towards better

off clients in an attempt to reap the ben-

efits of economies of scale, lower risk and

profit oriented investments lead to an

inefficient use of resources. Micro financ-

ing institutions that stick to the poorer

clients tend to be the most efficient.

• Micro financing institutions should be

highly discouraged from allowing bor-

rowers to enter into multiple debt con-

tracts considering that micro finance

institutions cannot improve their perfor-

mance by indiscriminately lending more

as over-lending reduces efficiencies.

iMpACt oF A FinAnCiAl CRisis And ReCession on MiCRo FinAnCinG in-stitutions

The impact of a financial crisis on both mi-

cro financing institutions and their clients

depend on several characteristics includ-

ing: the macroeconomic environment, the

level of integration of the country to the

global economy, cost and funding struc-

tures and the ability of management to

deal with the crisis.

Components of a financial crisis that are

most relevant to the micro financing indus-

try are listed below:

• Liquidity and credit crunch – defined

as the contraction of the availability of

funding.

o This creates an environment where

less funding is available as capital

streams dry up due to the lack of

confidence in the repayment ca-

pacity of counterparts.

o Cost of funds increase as percep-

tion of risk change

o Funders tend to prefer short term trans-

actions as they are less sure of getting

their outstanding credits back.

• High inflationepisodes – Inflation risk

is a common risk for micro finance insti-

tutions especially for those operating in

countries with weak monetary policies

or unsustainable economic regimes.

o Changes in food and fuel prices can

feed back into inflationary spirals

• High currency devaluation – currency

devaluations can contain serious con-

sequences for the asset- liability man-

agement of micro finance institutions.

• Global recession – This refers to mul-

tiple events associated with worldwide

economic downturn. The most relevant

of these events include:

o Higher unemployment and lower

domestic demand for goods and

services

o Lower remittances

o Increase demand for consumption-

smoothing purposes

• Foodandfuelpriceshocks–increases

in this without comparable increase in

income, forces borrowers to allocate

higher promotions of income to those

expenses and directly affect the ability

to repay loans.

Potential effects of a financial crisis on the

micro finance institution include:

o Reduction in borrower repayment

capacity as a result of inflation, dif-

ficulty in dealing with higher inter-

est rates, reduction in remittances,

increases in fuel and food prices

o Higher costs and potentially higher

interest rates for borrowers

o Reduced growth due to liquid-

ity crunch, economic recession and

food and fuel crisis

o Increased foreign exchange losses

due to currency devaluation, if ap-

plicable

o Deterioration of microcredit repay-

ment culture as a result of increase

in defaults and arrears in the rest of

financial system, political interven-

tion and competition from new fi-

nancial institutions

FindinGs in tHe soutH AFRiCAn Mi-CRo FinAnCinG industRY

The below findings are based on research

that was performed where a comparison

was made between micro financing man-

agement perceptions as compared to the

analysis of quantitative customer data. The

following key findings are noted:

Biggest Risks

Whereas management sees fraud, over

indebtedness and bad debts as the big-

gest risks, client data suggest that the big-

gest risks are bigger loan amounts, longer

term loans and loans to younger clients.

The different views and analysis are how-

ever overlapping as indebtedness possi-

bly results into bigger, longer term loans

to clients that cannot meet the necessary

obligations. According to the research the

average good micro finance client in South

Africa is a client that meets obligations of a

6 month loan and a loan amount of R3450

as per affordability calculation.

Finding Balance between Too Little and

Too Much Risk

According to management within micro

finance institutions the best way to acceler-

ate micro finance business in South Africa

is to extend the term and the amount of

loans to attract a bigger market. However,

client data indicates that the longer loan

terms and bigger loan amounts drastically

increases the possibility of non-payment.



Proactively Managing Risk in Micro Fi-

nance Environment

Customer data suggest that a credit scor-

ing model is the best way of managing risk.

This is followed closely by building a cus-

tomer relationship with shorter term prod-

ucts and staff training. On the other hand,

management suggests that the best way of

optimising client service is through a real

time debtor management system.

Increasing the Success of Predicting the

Outcome of Micro Finance Credit Trans-

actions

According to management the biggest

predictor of non-payment of new clients is

the level of the client’s disposable income

after living expenses and loan instalments.

Management also suggest that the num-

ber of loans and number of judgements

are also predictors of the outcome of credit

transactions. However, client data totally

contradicts management in the sense that

the number of loans and judgements do

not materially influence the outcome pre-

dictions of credit transactions. Client analy-

sis suggest that smaller loan amounts on

shorter terms hold much less risk than loans

with bigger amounts over longer terms.

The average good micro finance client in

South Africa has the following characteristics:

• Averageageof42

• AverageloanamountofR3450

• Averageloantermof6months

• Averagenumberof25loansoverape-

riod of 5 years

• Hasabout2.34openloansatanystage

• Has an average credit exposure of

about R50 000 over a period of 5 years

The average bad micro finance client in South

Africa has the following characteristics:

• Averageageof36

• AverageloanamountofR6300

• Averageloantermof14months

• Averageofnumberof12 loansovera

period of 5 years

• Hasabout1.81openloansatanystage

• Has an average credit exposure of

about R20 000 over a period of 5 years

Other findings include:

• Intermsofrisktools,creditgrantingpol-

icies and customer affordability calcula-

tions together with internal controls and

debt collecting is rated as being more

important than credit scoring models

• Respondentsarenottotallyconvinced

that traditional banking tools can be

applied to the micro financing industry

• Arealtime,effectiveloanmanagement

system is seen as being the most ef-

ficient way to optimise client service

and reduce risk as compared to decen-

tralised credit decisions, cash disburse-

ments to clients, a call centre function

and centralised credit decisions

• External fraud is a much bigger risk

than internal fraud

• Atageof38theprobabilitythatclient

will be good or bad is equal

• Theprobabilityofdebtorsgoingbadas

a result of death is less than 1%

• Theprobabilityofclientsgoingfordebt

counselling after they became bad pay-

ers is less than 10%

Key Recommendations to Consider

Micro finance institutions in South Africa

need to eliminate the risk of fraud, both in-

ternal and external, as far as possible. This

can be done by investing in staff training,

real time loan management systems and

effective internal controls. The level of cli-

ent disposable income needs to also be

more accurately assessed in terms of af-

fordability. A credit scoring model is crucial

to match the correct product with a specific

client, based on the client’s risk profile. The

term of the loan is the main outcome of a

credit scoring model and a good predictor

of non-payment. As smaller loan amounts

over shorter periods reduces microfinance

risks drastically, it should be more actively

marketed.

A Value Add Role by Internal Audit in Mi-

cro Finance Environment

With so much risk within the micro finance

environment, internal audit would be in

the best position to provide Management

with the needed assurance in an indepen-

dent and objective manner by evaluating

the controls around the key risks. The fol-

lowing value adding comments should be

noted by Internal Audit.

Internal controls assist in promoting and

providing reasonable assurance of the fol-

lowing:

• Profitabilityandsustainability

• Adherencetomanagementpolicies

• Safeguarding of assets both physical

and non-physical

• Preventionanddetectionoffraudand

error

• Accuracyandcompletenessofaccount-

ing records

• Timelypreparationofreliablefinancial

information

• Dischargeofstatutoryresponsibilities

A weak internal control system has the fol-

lowing evident

• Lackofsegregationofduties

• Lack of supervisory or internal audit

monitoring

• Lack of independent verification of

work performed

• Lackofgoodinformationsystems

• Lackofseniormanagementtointernal

controls

The 3 most critical aspects of micro financ-

ing operations include:

• Humanresources

• Policiesandprocedures

• Informationsystems



Wayne Poggenpoel CIA, CCSA, CGAP, Technical Committee: IIA SA

Fraud is often detected by the increase in

delinquencies, accounting irregularities

and employee tip-offs.

From a Micro Finance Perspective, Internal

Auditors should “FOLLOW THE MONEY”.

They need to understand the flow of cash in

and out of the institution according to the

different cycles i.e. revenue cycle, expendi-

ture cycle and treasury or finance cycle.

Key Indications of Problems in Micro Fi-

nance Sector

• Over-indebtedness and Regulatory

Pressure

• Diversifying away from its core client

base

• Toostronggrowth,under-provisioning

and mispricing risk

Areas of Internal Audit Interest

FRAUD DETECTION SIGNALS

Danger Signals Examples of Problems that may Result

Employee exceeds scope of

responsibilities

Individual negotiates contracts and

assumes responsibility for approving

invoices in order to get kickbacks

Unusual reduction in or loss of regular

customer business

Key employee has silent partnership in

new competitor

Loan officer also approves a loan Financial information inflated and loans

given in order for kickbacks

Employee living beyond his/her means Employee embezzling to support lifestyle

CCSA

Lelane Brits

Chanelle Da Silva

Umaira Gani

Nkosazana Joko

Tebogo Maidi

Fortune Mkhabela

Nokukhanya Mlanduli

Sibongile Motloung

Mareda Mphaphuli

Sylishna Naidoo

Lungile Ngcobo

Ritesh Patel

Subhadra Ragubeer

Thakane Rampai

Samuel Ramuhashi

Jeremy Samuel Mark

Solomons

Willie Swart

Mlulasi Zenani

CGAPJean-Pierre Rossouw

Ritesh Patel

CFSAThembakazi Tina

Marco van der Merwe

Theo Kruger

Ramoshie Mahapa

Karen Louw

Jeremy Sanderson

CRMAAngelique Adams

Kevin Chivere

Cynthia Cornelius

Junior Dube

Elias Dlamini Elias

Gary Leong Gary

Heinrich Joodt Heinrich

Unathi Kondlo

Cecile Louw

Tuliswa Makoba

Thapelo Matsapola

Bongani Wilberforce

Mbewu

Thokozile Mthembu

Mamogobalale Phala

Willem Pieters

Kgomotso Ragoleka

Itumeleng Ramoganyaka

Thakane Rampai

Zubair Sader

Sisanda Mahlasela

Fannie Sithole

Thomas Swanepoel

Jacobus van der Westhuizen

Jacques van Zyl

Nazir Vanker

John Varga

Nicolene Waso

Thembisile P Zwane

Congratulations to CCSA, CFSA, CGAP and CRMA candidates


tHe etHiCs CHAllenGe

At some time or other in their lives most internal audit professionals have attended a lecture on the subject of ethics. This lecture did not necessarily entail the science of debits or credits or an intricate understanding of financial concepts but referred rather to a behavioural attribute that is expected of someone pursuing a career in internal auditing.

Today, the moral ethical bar has been raised; there is an expectation that, as an internal auditor, your ethical conduct has to be beyond reproach. Although such moral discussions centre on simple qualities such as integrity and honesty, they nevertheless provoke contentious opinions.

What is integrity? This question elicits a variety of responses, yet the meaning is simple: “Doing the right thing even when no one sees you.”

This response has had a profound influence on me, and I have realised that a career as an internal auditor requires a certain level of introspection.

The challenge in this regard relates to the fact that a person’s values and belief system have to be aligned in some way or other with the ethical requirements of the profession. It is not about role playing or separating one’s own values and beliefs from those required by the job.

By its actions and its words the internal audit activity must be seen both to be setting an example of strong ethics and actively promoting them (Verschoor, 2007, p. 20).Personal values can differ widely as they are influenced by a variety of factors including upbringing and culture. It is therefore critical to understand that they can differ from the organisational values as well. It then becomes appropriate, indeed essential, that the organisation espouses a set of values that

reflects what is acceptable in the workplace.

That having been said, there is hardly an issue of a newspaper or a business publication that does not include at least one story about a new or ongoing ethical scandal. One does not need to look far to find such scandals on the international landscape. Think about the corporate failures such as Enron, HealthSouth, MF Global, WorldCom, Parmalat, Qwest Communications and Tyco International and the Ponzi scheme masterminded by Bernard Madoff.

In a recent case in the South African context, a Pinnacle Holdings executive was allegedly involved in bribing a police officer to secure a tender. The executive was accused of offering a R5 million bribe to a member of the South African Police Service to secure a multimillion rand contract. Subsequent to the scandal the company’s share price dropped by more than 40 per cent (Eye Witness News, 2014).

Another scandal involves Aveng, one of several companies in the construction sector accused of engaging in anti- competitiveness practices by the Competition Commission. The cartel of which it had formed part had apparently engaged in various collusive practices such as holding meetings to divide markets and to agree on margins and plan collusion among firms to create the illusion of competition (IIA SA, 2013).

Bribery and corruption continue to occupy a predominant position today in our society, ranging from petty bribes to traffic officials to significant amounts of money paid as commission to secure tenders. Whilst amounts may differ the actions do not, as all such acts fundamentally amount to corruption (Schoeman, 2014, p. 17).

The incident that has captured the imagination of South Africans countrywide and has kept everyone talking is the Nkandla saga, which involves costs that

tHe GReY MAtteRs on etHiCs


AdviseRtHe GReY MAtteRs on etHiCs

have been conservatively estimated to be in the region of R246 million for upgrading the President’s homestead. Although the Public Protector has highlighted a number of irregularities in the project, what lies at the core of this debacle is the improper ethical conduct by various stakeholders.

Consistent with the view expressed by the Public Protector, the City Press newspaper (Du Plessis, 2014) reports, “Zuma and his ministers should have acted when the Mail & Guardian blew the whistle in 2009 on the R65 million the project cost at the time, but the spending increased after that. Zuma violated the Executive Ethics Code by failing to contain state spending and benefiting from it. He wore two hats.”

Referring to the high levels of corruption in the public sector, the Public Protector asserted that “the corruption in this country has reached crisis proportions there is no two ways about it” (Madonsela, 2013)

Organisations all over the world, regardless of size, are at some time or other faced with unethical business practices. Business ethics are compromised by upper and lower management alike and, owing to the prevalence of the problem, the need for organisations to deal with ethical issues has become a global priority.

Ethical behaviour lies at the roots of the corporate scandals we read about daily. However, despite the immense efforts made by corporations to distinguish between what is acceptable and unacceptable, right and wrong there are often practices that enter the grey areas.

Very often management is faced with choices that require them to make decisions that have no clear cut resolution and are extremely problematic. Consequently, they are likely to find themselves confronted with ethical dilemmas (Ehrich, Cranston, & Kimber, 2003, p. 4).

Despite the mammoth ethical challenges faced by organisations, ethics issues are not given the platform they deserve; as a result they are often addressed reactively after the incident has taken place. At times, but unfortunately not always, perpetrators have to face the costs and consequences of their misconduct (Schoeman, 2011, p. 10)

Having said this, one does not need to occupy the CEO’s chair to realise that there is a problem with ethics in general and, to assume that the public sector alone is corrupt to the exclusion of the private sector, would be inaccurate.

Ethical issues occur in both the public and the private sector in South Africa, although it some areas they are perceived to be subtle and more pervasive. Whatever the case, the extent of the problem cannot be denied; news reports of corporate scandals and fraud are testament to the pervasive nature of the problem in both sectors.

Identifying the problem is only the first step, however equally important is to critically analyse the root causes of this problem and to identify the influencing factors. potentiAl CAuses oF tHe etHiCs dileMMA

Hofstee (2009, p. 162) points out that when proposing a sound argument, related questions often arise and it is in this way that new research is developed.What one needs to ask here, perhaps, is whether organisations are creating an environment that is conducive to an ethical culture and whether business is essentially a crucial element of the problem. To be more precise, one should ask whether the board and management have instilled the right ethical culture.

The following are some of the common reasons why employees breach ethical standards: • Lackofethicalstandards–Somepeople

make unethical choices because they are not certain about what really is the right thing to do. Often, ethical problems are complicated, and the proper choice may be far from obvious.

• Inadequate recruitmentprocess –Hiringof employees should be based on rigorous selection processes including background and reference checks. The feedback received from this process is fundamental to identifying the kind of candidate an organisation is looking to hire.

• Tone at the top – The effects of badleadership cannot be over-emphasised. Employees look up to their leaders and when they model a wrong ethical behaviour sooner or later employees inevitably begin to drop their ethical standards and model the unethical behaviour being projected by leaders.

• Pressure to perform/succeed in orderto be incentivised notwithstanding the ethical challenges–Abonus/incentive-driven culture may also impact on how ethically individuals perform their work. Are businesses setting realistic targets or are they setting targets that are not easily achievable?

• Unrealistictargets–Thereisaperceptionthat once employees perceive the targets set to be unrealistic or unattainable, the default behaviour is that employees begin to breach ethical boundaries to somehow reach targets in order to be incentivised.

• Self-interest/personal gain – Somepeople do not just do something wrong in a weak moment or because they are not sure about what the right thing to do is. Self-interest and personal gain is just two of the reasons for a great deal of the unethical activity in business.

• Lack of or poor consequence manage-ment –This plays a role in raising theethical bar or dropping it. Failure by management to act decisively and hold employees accountable for their un-ethical conduct projects an incorrect message.



tHe Role oF inteRnAl AuditoRs in CReAtinG An etHiCAl CultuRe

Edmund Burke, the Irish political philosopher, once said “All that is necessary for the triumph of evil is that good men do nothing.”

Therefore, having identified the extent of the ethical challenge and its influencing factors it is perhaps also prudent to ask what value internal audit can provide in ensuring that organisations have the right ethos.

In an attempt to answer this question, Elmore (2013, p. 51) points out that ethics influences everything else, such that while an audit finding may have nothing to do with fraud or illegal behaviour, the audit may still have a positive effect on the organisation’s ethical culture. Elmore further argues that ethics is not an isolated issue which is exclusive of other things. Just the mere fact that employees see their management implementing recommendations from internal audit can influence their behaviour.

Internal audit can therefore assume a number of roles as a champion for ethics. These roles include ethics officers, members of the internal ethics council or assessors of the organisation’s ethical climate.

It is thus necessary to understand that internal audit as a profession has a crucial role to play in ethics. A number of surveys conducted by internal auditors have found that companies focus little attention on the issue of ethics, which has been a fundamental contributor to some of the recent corporate scandals.

According the IIA 2010 Global Internal Audit Survey, in response to this challenge internal auditors are now required to focus less on internal controls, operations and compliance and to place greater emphasis on corporate governance, risk management and ethics audits (Boyle, Hermanson, & Wilkins, 2011, p. 3).

Accordingly, internal auditors are required to play an active role in support of an organisation’s ethical culture, in the main because they possess high levels of trust and integrity in the organisation and have the skills required to be effective advocates of ethical conduct (Verschoor, 2007, p. 20).

Moreover, there are sound arguments to support the idea that internal auditors are uniquely qualified to play a critical role in performing ethics audits, as they are well positioned within the organisation to maintain independence and objectivity (Boyle et al., 2011, p. 3).

Taking all the above factors into consideration, internal auditors have the competence, capacity and independence necessary as well as being positioned to appeal to enterprise leaders, managers and other employees to comply with legal and ethical responsibilities.

WHAt is An etHiCs Audit And WHY is it iMpoRtAnt?

Unlike a number of audits performed by internal audit, ethics audits are somewhat different and more complex. The challenge is that the actual test is not based on common controls and providing management with an idea of how effective they are, but rather such audits involve an assessment of much “softer” controls which are rooted in intangible yet critical things such as integrity and ethics that steer people in the right direction.

An ethics audit primarily assesses an organisation’s ethical climate, which includes the tone at the top and the effectiveness of the organisation in achieving the desired level of legal and ethical conduct (Boyle et al., 2011, p. 4).

Verschoor (2007, p. 21) points out that at the very least the internal audit activity should periodically assess the state of the ethical climate by reviewing the effectiveness of the strategies, processes and communications

that are geared to achieving the right level of ethical compliance.

Making an equally valid point, Schoeman (2012) argues that in order to make an impact ethics needs to extend beyond a mere “tick box” compliance aiming only to meet the minimum requirements; instead an organisation should strive to build genuine commitment to doing the right thing.

In support of the ethics efforts being undertaken by organisations, Verschoor (2007, p. 21) highlights that internal audit should evaluate the effectiveness of the following features which are indicative of a highly effective ethical culture:

• A formal code that is clear andunderstandable

• Frequent communication anddemonstrations of expected ethical attitudes and behaviours by leaders

• Explicit strategies to support anenhanced ethical culture with regular programmes to update and renew commitment to an ethical culture

• Several easily accessible ways forpeople to report allegations relating to the ethical code, policies and acts of misconduct confidentially

• Regular declaration by employees,suppliers and customers that they are aware of the ethical requirements

• Clear delegation of responsibilities toensure that ethical consequences are evaluated, confidential counselling provided, allegations of misconduct investigated and case findings properly reported

• Easy access to learning opportunitiesto enable all employees to be ethics advocates

• Positive personnel practices thatencourage employees to contribute towards the ethical climate

• Regularsurveysofemployees,suppliersand customers to determine the state of the ethical culture

• Regularreviewsofformalandinformalprocesses that could potentially create



pressure and bias that could undermine the ethical culture

• Regular reference and backgroundchecks as part of hiring procedures

In addition to the Verschoor’s views, Boyle et al. (2011, p. 5) highlight seven practical steps for complete an ethics audit:

Step 1 –Educatetopmanagement,aswellas the board and audit committee on the value of an ethics audit and obtain their support. Though there may be some level of resistance it is important that senior management be informed throughout the process to ensure they are comfortable and supportive.Step 2–Interviewtheseniormanagement,board and audit committee to determine the ethical values desired by the organisation. Internal Audit should be mindful that some of these values may be contained in the organisation’s code of conduct. Step 3 – Identifyandassess theorganisa-tion’s risk associated with non-compliance

with the desired ethical values.Step 4 – Plan the ethics using a risk-based approach consistent with the COSO Enterprise Risk management framework.Step 5 – Conduct a structured entitylevel interview or entity-wide surveys to evaluate and assess whether values set by top management align with the views of employees at all levels of the organisation.Step 6 – Report the results to theappropriate accountable parties.Step 7–Monitoractionsandplansputinplace to address areas of improvement/remediation.

ConClusion

It would be naïve to conclude that the ethics problem is not pervasive. It is furthermore undeniable that the world at large is facing many ethical challenges. The ethical scandals highlighted in this article are just some examples attesting to the extent of the problem globally. However, although the challenge is immense, the

internal audit function is well positioned to partner with organisations on this journey.

Winston Churchill said “To each there comes in their lifetime a special moment when they are figuratively tapped on the shoulder and offered the chance to do a very special thing, unique to them and fitted to their talents. What a tragedy if that moment finds them unprepared or unqualified for that which could have been their finest hour”.

In light of these words, it is worth mentioning that internal auditors are the gatekeepers of ethics. They are the moral compass of an organisation and very often they are presented with a rare opportunity not granted to many; that is, to have the right audience and be provided with a platform to raise critical ethical concerns – failure toseize thismomentwouldbeatragedy.

Thapelo Modisagae CIA, CRMA, CCSA

Boyle, D. M., Hermanson, D. R., & Wilkins, A. (2011, November/December). Ethics sudits: Implications for internal audits. Internal Auditing,pp.3–8.

Du Plessis, C. (2014, March 19). City Press. Retrieved May 5, 2014, from www.citypress.co.za: http://www.citypress.co.za/politics/10-things-worth-knowing-madonselas-nkandla-report/

Ehrich, L., Cranston, N., & Kimber, M. (2003). Griffins University. Retrieved March 25, 2014, from www.gu.edu.au: http://eprints.qut.edu.au/1388/1/1388_2.pdf

Elmore, T. P. (2013). The role of internal auditors in creating an ethical culture.TheJournalofGovernmentFinancialManagement,49–53.

Eye Witness News. (2014, March 27). Eye Witness News. (C. Wynn, Editor) Retrieved March 28, 2014, from www.ewn.co.za: http://ewn.co.za/2014/03/27/Pinnacle-CEO-says-bribe-claims-a-surprise

Hofstee, E. (2009). Constructing a good dissertation: A practical guide to finishing a master’s, MBA or PhD on schedule. Sandton: EPE.

IIA SA. (2013, November 11). www.iiasa.org.za. Retrieved April 23, 2014, from Institure of Internal Auditors South Africa: http://www.iiasa.org.za/?page=Opinion_pieces

Madonsela, T. (2013, October 14). ENCA. Retrieved March 26, 2014, from www.enca.com: http://www.enca.com/south-africa/madonsela-warns-sa-corruption-crisis-levels

Schoeman, C. (2011, October-November). Recovering from ethical failure.Directorship,pp.10–11.

Schoeman, C. (2012, June). Ethics Monitor. Retrieved August 29, 2014, from www.ethicsmonitor.co.za: http://www.ethicsmonitor.co.za/Articles/saying-and-doing.pdf

Schoeman, C. (2014, February/March). Why corruption costs? Business Brief, p. 17.

Verschoor, C. C. (2007). Ethics and compliance: Challenges for internal auditing. Florida: The Institute of Internal Auditors Research Foundation.

ReFeRenCes


Questions tHe Audit CoMMittee sHould AsK About it

Gary Hardy is the owner of IT Winners, an IT

company that is based in Cape Town. Gary

has got over 30 years of experience in the IT

industry, is recognised globally as a thought

leader and expert in business and IT perfor-

mance improvement. He is a long standing

and past board member of ISACA, is one of

the originators of the COBIT® framework

and has been a contributor to COBIT since

its inception in 1992. He is a lead developer

of COBIT 5. Gary started off the presenta-

tion by explaining the pervasiveness of

IT as it is part of every strategic objective,

critical to support business operations and

integral to all business activities. IT extends

beyond the enterprise to stakeholders and

business partners.

He shared his observation that most peo-

ple wonder how success can be achieved

with IT demands resulting from changes in

culture and mind-set. This is the case with

even executive and senior management,

they employ consultant to carry out IT

technicalities and just hope that those con-

sultants know what they are doing. He cau-

tioned that this approach is not correct as it

compromises the quality of oversight that

the audit committee ought to provide. He

put emphasis on the necessity to change

the attitude that ‘IT is enterprise-wide and

not just for the IT function or just for IT Au-

dit’. Explaining about the pervasiveness of

IT, he shared insight on how the informa-

tion systems are not only being used as

enablers to business but are built into the

strategy of the business. The relevant ques-

tions to be asked at this level in order to en-

able management and/or audit committee

make informed decisions are as follows:

• WhoisaccountableforbusinessandIT

alignment?

• Howflexibleandreliablearetheinforma-

tion systems in enabling the organisation

reacts timely to new opportunities?

• Istheservicelevelsacceptable(quality,

reliability and availability)?

• Isthenetworksecurityadequatelypro-

tected?

• Is the organisation compliant to the

POPI Act?

• Is theorganisationcompliant toother

Regulations?

• Istheorganisationmakingefficientuse

of the resources (budgets, information

systems)?

• Istheorganisationmakingtherightde-

cisions and generating a ROI?

In the 21st century, it is really about time

that IT is not done at the level of scratch-

ing the surface but to the deepest level.

This can only be achieved if IT is collectively

embraced by auditors, management and

the IT department. Findings must be scru-

tinised, unpacking the root causes and not

just symptoms. Real causes of the findings

that auditors raise must be analysed, ac-

countability for addressing the root cause

must be allocated; the real business impact

of the finding must be quantified and/or

illustrated. It is pointless to raise findings

that do not serve stakeholders or just low

level impact on business objectives. When

IT audits are conducted, the recommenda-

tions must be practical and solution-driven

to the buyer of the solution (audit clients).

Imag

e co

urte

sy o

f ww

w.fr

eegr

eatp

ictu

re.c

om/


AdviseRQuestions tHe Audit CoMMittee sHould AsK About it

ACCountAbilitY FoR it

The business should take ownership for IT-

related decisions and key role players for

strategic IT decisions should be known and

accountable. King III places IT governance

in the hands of the board of directors. This

makes sense as this is where the strategy,

investments, architecture, service levels

are managed. It also shows how much of

a strategic partner IT should be. Decisions

should be made on whether the CIO and

IT management team may make decisions

by default. The adequacy of governance

structures should also be evaluated. There

should be adequate governance of IT struc-

tures in place; these include committees,

policies, frameworks, processes and proce-

dures. The governance structure should be

effective as well; this means that the Board

and Exco must have IT on their agenda.

The organisation must also implement a

certain framework when it comes to IT gov-

ernance. The adoption of the COBIT5 has

been noted in the past few years by many

organisations. However, adopting COBIT

framework is not all; the organisational

leadership should ensure that IT risks are

understood in an organisation. IT-related

risks must be recorded in the business risk

register and be expressed as business risks.

The risk committee must monitor IT-related

business risks the same way it manages

other business risks and understand likely

IT risk scenarios. It has been noted in the

past that IT is treated as a special area and

management often shy away from asking

questions that are IT related. This should

not be happening at this time as most busi-

ness processes are being automated. IT

risks are just a subset of a business risks and

are becoming more and more relevant as

the technology is being the centre of busi-

ness. There should be adequate IT financial

controls, acquired in a cost-transparent

manner.

IT resources must be sourced cost-effec-

tively, the most effective and efficient

sourcing options should be identified and

as such; the IT operational budget must be

challenged and optimised. Establishing the

frequency and extent to which IT-related

projects go over budget. The amount of IT

effort that goes to firefighting rather than

enabling business improvements must be

quantified and substantiated. Businesses

need to learn to get more value from IT for

less cost “more for less” through simplifica-

tion, standardisation and maturity. It is not

incorrect to state that one of the greatest

advantages of IT is cost reduction and in-

creased agility.

it opeRAtions - ReliAble And seCuRe

Even when one is not an IT expert, there are

some factors that can be looked at to assess

IT Operations for reliability and security.

Firstly, the robustness of the IT operational

processes, how well reliable the infrastruc-

ture is and whether the organisation has

got an old legacy systems. It is not good to

hang on to old systems even when there

are better ways to maximise efficiencies.

It is also not particularly good to always

acquire new systems for the sake of early

adoption. The IT systems are very expen-

sive and should be changed when it is ben-

eficial to do so. There sometimes is heavy

reliance on modified systems such as SAP

and vendors; this too should be managed

as there could be a downfall to it. The or-

ganisation should have adequate technical

skills in order to support and maintain the

IT systems. Each year the business depends

more and more on IT, yet many enterprises

under invest in maintenance, processes,

knowledge management and training;

leading to dependency on other businesses

for these critical processes. When IT invest-

ment is being made, all aspects must be

carefully analysed. Businesses can acquire

the best system but if there is inadequate

training of IT specialists, there is not much

support that the IT function may provide to

the organisation. The same goes for main-

tenance, the IT systems do need ongoing

maintenance which includes removing

program and design errors, updating docu-

mentation and test data and updating user

support. This is particularly important as it

allows the IT function to adapt the IT system

to suit the functional needs. The leadership

must understand IT otherwise tracking IT

performance becomes overwhelming. The

IT performance report must also be under-

standable to the business, to enable EXCO

to monitor IT performance. IT strategy

must be linked to the strategic objectives

of the business. IT performance should be

monitored through service levels, invest-

ment returns, incidents and costs that have

been saved. The CIO must be able to act as

a bridge to business management and not

be a barrier to business understanding.

MAnAGinG supplieR oR tHiRd pARtY RisK?

The audit committee must scrutinise the

balance in dependence on external IT ser-

vice providers (Black Box Management). IT

outsourcing agreements should be man-

aged well, just like any other contractual ar-

rangement; ensuring that the organisation

obtains assurance over the performance

of the external IT service provider. The

provider’s operations should be tested for

security and reliability as the organisation

still has to comply with applicable rules

and regulations. Questions about security,

privacy and reliability of the IT processes

of the business partners should also be

raised; these have the potential to expose

risks on business transaction and compro-

mise integrity and confidentiality state of

information. It is quite shocking to hear in-

cidents where the service provider’s system

was down and that business could not be

carried out. The contractual terms should

mention system availability as basic; it does

not make any business sense to pay for ser-

vices that are not able to support the conti-

nuity of the main business.


AdviseR

Risks

trust

Costs

benefits

Failures

Roi

transparency

incidents

WHAt it is All About

Questions tHe Audit CoMMittee sHould AsK About it

He concluded by remarking that IT Audit

should delivering value and must be evident

that it is yielding positive ROI. There must be

business improvements as a result of IT audits;

these may be defined IT Audit performance

goals and metrics that are used as perfor-

mance measures. IT Audit procedures must

also be integrated into general or business

audits. Communicating audit reports must

be done using the business language and

the findings must be evident that auditors

are measuring the right things. Repeating the

same findings every year serves no purpose

when the same IT issues are reported on but

are not being measured.

do You HAve A FeW Minutes to spARe?The IIA SA has created a presence on various social media

platforms where members can engage with each other, view

current articles, and information on IIA SA news

and networking events.

We encourage you to join in on discussions; share your thoughts

and comment on various topics, articles and photo albums.

Click the buttons below to join the conversation.

Please note that to access these profiles, you need to have an existing Twitter / Facebook / LinkedIn personal profiles.

https://www.facebook.com/pages/IIA-SA-The-Institute-of-Internal-Auditors-South-Africa/139016689455370?sk=wall

https://www.linkedin.com/company/the-institute-of-internal-auditors-south-africa

twitter.com/#!/IIASOUTHAFRICA

http://www.auditchannel.tv/


Country is woefully slow to transform its corporate boards and is not taking into consideration research that shows that when you have women on boards, deci-sion-making improves

Activists campaigning for the greater par-ticipation of women on the boards of listed companies have lowered their sights and are now fighting for 30% female represen-tation in South Africa.

This month, Germany became the latest Eu-ropean country to pass legislation requir-ing major companies to allot 30% of seats on nonexecutive boards to women.

Germany joined countries such as Norway, France and Spain in introducing the quota system.

According to a report released by Grant Thornton this month, when it comes to rep-resentation at board level in South Africa, only 15% of directors in listed companies are women.

The representation of women in senior management roles is at 27%, while only 7%

of CEO and managing director positions are occupied by women.

Ahigherpercentage–21%–ofwomenarefound in the positions of chief financial of-ficer, while 26% of human resource execu-tive jobs are occupied by women.

The report also showed that 23% of listed companies have no women in senior man-agement positions, up from 21% in last year’s report.

Shannon Smith, director of advisory ser-vices at Grant Thornton KZN, said there was room for improvement in South Africa.

“The percentage of women in senior management roles in South Africa is inad-equate.

“The gender bias is subtle at the beginning of a career, but it causes a clear separation of career paths between men and women. South Africa has a fine tradition of strong women in business and female political leaders, but there is still much room for im-provement,” she said.

The empowerment movement gained im-petus under previous minister of women, children and people with disabilities, Lulu Xingwana, when she introduced the Wom-en Empowerment and Gender Equality Bill.

The bill annoyed many, especially those in business, who called it impractical and costly.

The bill lapsed when Xingwana left and was replaced by former minister of mineral resources Susan Shabangu.

Parmi Natesan, an executive at the Insti-tute of Directors in Southern Africa, said there were a number of things that could be done to improve gender diversity on boards.

“We need to get the word out to boards and shareholders about the benefit of hav-ing women on boards, and not just as a check list exercise.

“Research has shown that when you have women on boards, decision-making im-proves,” said Natesan.

A 2013 report by research firm Catalyst made a business case for having more women in senior positions and on boards. Among the benefits were improved finan-cial performance and better corporate governance for companies that had more women.

“If an economy is only using half of its most talented people, then it immediately cuts its growth potential,” said Smith.

“Women also control a large portion of consumer spending globally. So they have an understanding of what consumers want and so should have a representation on these boards,” added Natesan.

CoRpoRAte sA is still FAilinG to inClude WoMen

Imag

e co

urte

sy o

f sup

haki

t73

at F

reeD

igita

lPho

tos.n

et


CoRpoRAte sA is still FAilinG to inClude WoMen

But she also cautioned that women should not sit back and wait for opportunities.

“If you [as a woman] think you can add value to a board, get governance training and network.”

Meanwhile, women in business have also started a lobbying effort in the form of the 30% Club. Its objective is to provide best practices for gender mainstreaming in the South African private sector.

The organisation also wants to ensure 30% female representation in senior manage-ment by 2018.

The 30% Club concept came about as a result of a conversation between Helena Morrissey, CEO of Newton Investment Man-agement in London, and member of the UK Labour Party Mary Goudie about how few women were making it into top positions.

South Africa started its own 30% Club chapter in September 2013 and it has been endorsed by Business Unity SA (Busa).

“We agree that the level of transformation is not satisfactory, particularly for black women and women with disabilities,” said Vanessa Phala, executive director at Busa.

“What is needed to drive workplace gen-der transformation are real organisational transformation interventions that move away from numbers and percentages, but emphasise real transformation.

“This includes making sure companies have proper plans to build their pipeline of young women, supporting capacity-build-ing initiatives and most importantly, creat-ing spaces and an enabling environment for women to take over senior and execu-tive positions.”

The Grant Thornton report also showed that among the South African companies that were sampled, only 48% would sup-port the introduction of quotas for the number of women on executive boards of large listed companies, a big drop from 60% in 2013.

Although City Press tried to contact Sha-bangu, she was unavailable for comment as she was in New York. However, in a re-cent speech, she said 30% female represen-tation was not ambitious enough and 50% was what women should be aiming for.

“If you look at countries that have a sig-nificant proportion of female representa-tion on boards it is those countries that have quotas already,” said Natesan. But she added that the use of quotas did rep-resent a unique challenge. “If we don’t have quotas, we might not come right. “However, the risk of quotas is that it will be about ticking a box and men saying women were chosen based on their gen-der and not merit, similar to some of the effects of BEE.” Phala said: “The Employ-ment Equity Act provides clear penalties for noncompliance with measures aimed at achieving affirmative action; it’s not our view that additional penalties will im-prove compliance.

“What would improve compliance is the commitment from business leadership to embrace and champion transformation.” Shabangu also said her department was planning to convene national and provin-cial dialogues between now and June to discuss steps towards the attainment of female empowerment and gender equal-ity in the country. This will contribute to the development of a report on the sta-tus of women that will be released on Na-tional Women’s Day on August 9.

Proportion of senior management roles held by women

Source: Grant Thornton International Business Report Graphics24

This article was first published on City_Press, 23 March 2015 7:00 by Mamello Masote


FeedbACK FRoM tHe 2014 nAtionAl ConFeRenCe

dAY 1 - MondAY, 11 AuGust 2014

Nene confirms a “season of great hope and promise for Africa”.

Finance Minister Nonhlanhla Nene was the

keynote speaker at the IIA SA national confer-

ence in August 2014, addressing the topic of

Africa’s rightful place in the leadership area.

In a detailed and informative talk, the Minis-

ter explained why he agreed with President

Jacob Zuma that “it is truly a season of great

hope and promise for Africa”. The President

had conveyed that sentiment the previous

week in his address to the national press club

in Washington DC.

Minister Nene focussed at length on the state

of the domestic economy and government’s

plans to improve the country’s economic per-

formance. In his honest talk, he frankly paint-

ed a somewhat bleak picture of the economy

and the challenges faced by government in

attempting to improve the situation.

Minister Nene pointed out that the global

economy continues to strengthen, albeit that

uneven and downside risks still remain. Very

recently, the IMF revised its global forecast for

economic growth from 3.7 to 3.4% for 2014.

Unfortunately, many economies are perform-

ing below their potential. This depresses de-

mand for local exports, and is adversely af-

fecting SA’s ability to grow. The United States’

so-called ‘tapering’ policies will most likely

increase the cost of borrowing for emerging

economies such as South Africa. Compound-

ing the situation, is the slower growth and

expansion in emerging markets which has

negatively affected the international price of

our export commodities, thereby leading to a

deterioration of our terms of trade.

The Minister acknowledged however that the

greatest challenges to economic growth are

largely domestic. It is well known that “supply

side disruptions” (read labour unrest) have

plagued the economy over the last few years,

weakening confidence and lowering levels of

investment and household consumption.

Nene admitted that current economic growth

is simply not enough to address the chal-

lenges of poverty and unemployment, which

has increased to 25.5%. Moreover, despite

low economic growth, consumer inflation is

rising and is currently at 6.6% (well above the

Reserve Bank’s target range of 3.26%).

Faced with a sluggish economy, higher infla-

tion, loss of business confidence, and persis-

tent labour strikes, Nene says that govern-

ment continues to work hard “to improve

business conditions by releasing supply side

constraints, improving policy alignment and

policy certainty”. He cited government’s plans

to improve the socio-economic conditions in

mining towns as one such intervention.

Minister Nene again reminded the audi-

ence that the National Develop Plan is gov-

ernment’s blueprint to address pressing

socio-economic challenges. In this regard,

government has adopted the Medium Term

Strategic Framework (MTSF) in order to align

the work of government at national, provin-

cial and local government behind a single

coherent program. The MTSF is essentially

government’s implementing program for

the first five years of the NDP. The focus of the

MTSF is not so much on new programs, but

rather on improving the implementation of

existing policies.

Shifting focus to Africa, Minister Nene noted

that over the past 20 years SA’s economy has

become inextricably intertwined with that of

the rest of the continent. “Macroeconomic

stability, political reform, favourable demo-

graphics and stronger institutions” he said,

The conference featured several prominent speakers and experts in the fields of internal auditing, governance, risk management and business. A brief summary of selected topics follows.

AFRiCA’s RiGHtFul seAt in tHe GlobAl leAdeRsHip ARenAMinister Nhlanhla Musa Nene, Minister of Finance of South Africa



have transformed Africa into a rapidly grow-

ing region that is attracting more investment.

Economic growth in Sub-Saharan Africa is

expected to accelerate to 5.5% in 2014. High

growth sectors such as technology, telecom-

munications, financial services and retail are

showing even more pronounced growth,

leading Nene to affirm that “Africa is indeed

rising!”

Africa’s share of FDI is also rising and SA in-

vestment into other parts of the continent

had double to around R30 billion by 2012.

All these trends point to a ‘virtuous cycle’ of

increased investment and economic growth

supported by growing consumer demand

for goods and services. In contrast, wages

and consumption has stagnated in Europe

and America. According to Nene the SA gov-

ernment is committed to supporting the ex-

pansion of South African firms into the rest

of Africa. This would be mutually beneficial

in terms of long-term growth prospects and

providing tax revenues, profits and dividends

to the receiving country as well as SA.

On a global scale, Nene believes that the ini-

tiative by the five BRICS (Brazil, Russia, India,

China and South Africa) countries to launch

the New Development Bank will benefit SA

and the rest of the continent. As a potential

borrower, SA can use the bank as an alter-

native source to fund its local infrastructure

programs, as well as regional integration proj-

ects. The New Development Bank could very

well solve Sub Saharan’s funding gaps, which

limit its growth potential. It is therefore help-

ful that the Bank’s regional centre will be lo-

cated in Johannesburg, as many of its clients

will be from the region. There are a number

of potential infrastructure projects on the

continent that have not been realised due to

the lack of project preparation funding. The

New Development Bank’s operating model

will include a project preparation facility, and

will place special focus on regional cross bor-

der projects in energy, transport and logistics.

These infrastructure projects, he says, will

“boostintra-Africantradeandunleashthepo-

tential of the continent to grow even faster”.

According to Nene, SA’s membership of

BRICS, and the country’s ascension to the

group of Finance Ministers and Central Bank

Governors of the G20 are amongst the most

important achievement of the post-apartheid

era. These developments have affirmed that

while SA may not be one of the biggest eco-

nomic powers in the world, we are neverthe-

less a ‘significant player’ in the global system

of financial and economic governance. As

such, SA will continue “to amplify the African

voice”.

dAY 1 - MondAY, 11 AuGust 2014

What do people say about you when you leave the room?

In a lively and engaging talk, Nicola Rimmer

informed internal auditors at the IIA SA annu-

al national conference in August, why it is im-

portant for them to build their own personal

brands. Rimmer, who is Vice President of Bar-

clays Internal Audit, as well as the President

of the IIA UK, drew upon her own personal

experience as the leader of a large team of

internal auditors in the United Kingdom.

She explained that personal branding has

become more desirable now that so much

more is expected of internal audit. Gone

are the days of internal auditors being mere

bean counters. These days they are increas-

ingly seen as trusted advisors with business

acumen that management can rely upon.

The credibility of internal audit is always

at stake when interacting with key stake-

holders. Beyond that, the internal auditor’s

personal brand also determines his or her

credibility amongst their peers. Therefore

how auditors present themselves and how

they are seen matters.

As with leading brands, a great personal

brand is sure to impact positively on stake-

holders and clients. Using well-known

brands such as Intercontinental and Nan-

dos as examples, Rimmer said that the first

thing to do is to clarify what your personal

brand stands for, and then to show the

world what that brand represents through

everyday interactions.

Rimmer’s favourite definition of a personal

brand is “what people say about you when

you leave the room”. For better or worse, we

YouR bRAnd, YouR CRedibilitYNicola Rimmer, Vice President: Barclays Internal Audit and President of the IIA UK



all have a personal brand - often by default

rather than by design. The way we speak, act

and otherwise engage with the world creates

an impression in the minds of others. Person-

al branding is simply the intention to mould

that impression in a more deliberate way.

According to Rimmer an internal auditor’s

personal brand should have two layers, so

to speak. The first layer is the internal audit

brand itself, based on common characteris-

tics or values associated with the profession

such as independence, integrity, objectivity

etc. Overlaid upon those brand attributes, are

the individual’s own personal top qualities or

beliefs. Using herself as an example, Rimmer

says that she positions herself as a great com-

municator. She communicates clearly what

she sees as the risks an organisation faces, and

then she also communicates clearly the solu-

tions she proposes. And thus she is known for

being a pragmatist and a great communica-

tor. She would not, however, present herself

as a technical expert because that is not her

major strength. It follows therefore that the

internal auditor should base his brand on

core strengths and key values, and then act in

accordance with those qualities.

Equally important is the first impression that

is created. Internal auditors would do well to

remember that their stakeholders and clients

may already have preconceived views about

them based on their stereotypes about the

profession. They may think for instance, that

internal auditors are ‘dry as a stick without any

real relevance’! The manner in which an audi-

tor dresses, greets, speaks and acts can im-

mediately debunk any negative stereotypes.

Confidence is the key to being respected and

trusted. Real confidence is usually based on

knowledge, experience and insight. Where

that is lacking, especially with junior internal

auditors, Rimmer suggests that they “fake it

till you make it!” By acting as if you already

are mature, insightful and knowledgeable, a

young internal auditor is more likely to get a

positive reception.

One trick that Rimmer shared with the au-

dience to fake confidence is to engage in

‘power posing’ just before a big meeting.

This practice involves tricking the body

into secreting more hormones such a tes-

tosterone to boost confidence. By striking

universal poses that innately represent

confidence–suchasarmsoutstretchedin

the ‘Yes!’ or ‘victory’ pose, one immediately

feels more positive and confident. Rimmer

urged the audience to watch Amy Cuddy’s

TED talk on Your body language shapes

who you are to learn more about power

posing.

Once a personal brand has been developed,

it is critical that there is congruence between

the brand’s promise, that is, what you say you

are and what you do. It is vital to deliver on

your promises, be they overt or implied as

your brand could be tarnished by inconsis-

tent behaviour. A reputation can also be de-

stroyed by a social media profile that conveys

a contradictory image to that of the internal

auditor as a professional. Once credibility has

been lost, it is extremely difficult to restore it,

and all the work done in building a personal

brand will come undone.

dAY 2 - tHuRsdAY, 12 AuGust 2014

Coming from a security consulting company

specialising in offensive security via simu-

lated attacks and penetration testing (i.e. at-

tempted application and network break-ins),

Sensepost’s senior specialist, Willem Mouton

addressed hactivism and cyber espionage at

the 17th Southern African Internal Audit Con-

ference. Acknowledging that security and risk,

in terms of IT infrastructure, were initially not

considered to be a priority, he has noticed that

that thinking has rapidly been changing over

the years. Now quite a hot topic, hactivism and

cyber espionage have become real and preva-

lent issues; however, often going undetected.

A means of propagating one’s message

(whether a political/religious view etc) via

computers, digital media, and networks,

the presenter explained how hactivism can

be used to promote civil disobedience or

even personal gripes against a company. He

stressed, though, that not all hacking is bad,

indicating how a lot of countries have come

to the realisation that hackers can be benefi-

cial to their companies. Citing Google and Mi-

crosoft as examples, he described how some

companies have bounty programmes that

pay people to look for bugs in them. This is

not surprising given how many vulnerabili-

ties exist as evident via the recent hackings

that took place on Facebook and Twitter.

He continued that the main motivation be-

hind hactivism is typically the desire to drive

one’s point across. Hence, this would not be

done under the cover of darkness, as anyone

wanting to do this is going to want to make it

as public as possible. It can be as simple and

straightforward as defacing a webpage or

more extreme such as a case of information

leakage. The point that people are trying to

bring across with hactivism is that they can

cause public embarrassment, and essentially,

data breaches. Thus, the risks involved with

companies are firstly reputational because

though it may not necessarily affect a com-

HACKtivists And CYbeR espionAGeWillem Mouton, Senior Analyst: Sensepost



pany’s ability to function (typically data is not

compromised because that data is hosted

somewhere else), it can still impact customer

perception by portraying the company as

one that is vulnerable to sabotage.

Normally, except if they are attacking a spe-

cific company, hactivists don’t have a particu-

lar target in mind; they will basically scour the

internet for whatever they can hack which is

as easy as doing a Google search for specific

components, frameworks, or exposed port-

lets and then using some common vulner-

abilities, misconfigurations or known applica-

tion flaws to gain access.

Bringing in the other side to this coin, the

presenter then talked to the topic of cyber

espionage, describing it as the simple act of

spying. As soon as people started competing

with each other, the ability to know what the

other was doing became key and lately this

has become a lot more pronounced. Cyber

espionage is exactly the opposite of hactivism

where with the latter one wants to publically

humiliate or embarrass a target, with cyber es-

pionage, stealth is key; one does not want to

be detected so to remain on a network as long

as possible. The driving force behind cyber

espionage is the same as it has always been:

Knowledge is power. Competitors would give

anything to know what their opponent’s next

move is, whether it is in acquisitions, mergers,

or project launches etc. In terms of govern-

ment, for example, if one knows what his com-

petitor is doing with regards to military and

strategic planning, a response can be tailor

made to combat that move.

Competitive edge has been seen a lot lately

especially with big corporates going after

one another. At a vehicle tracking company,

recently, he realised that that some of the

competitors were gaining access to the cus-

tomer base which is an inside information

risk. The presenter stressed that this is one

thing that people need to understand; that

the biggest threat is not usually the anony-

mous threat from the outside but typically

the people working in the inside.

In modern boardrooms today there is typi-

cally some sort of computer system, audio vi-

sual presentations, or webcams which are all

easy to take control over. As soon as anyone

plugs into a network they can be anyone they

want to. People think hacking is like a mission

impossible scenario but it’s really as simple as

using a memory stick. People spend millions

on implementing data loss prevention (DLP)

systems but hackers can just break data into

tiny bits via DNS requests and reassemble it

on the other side, which DLP can’t catch. The

more advanced the defenders get, the more

creative the hackers get.

The presenter described another recent expe-

rience where during an internal assessment

for a mining company he had asked the risk

manager if there was any sensitive informa-

tion that the company wouldn’t want in the

public eye to which the manager didn’t be-

lieve that there was any, stating that this was

a public company and all their information

is made available. After some digging, how-

ever, the presenter discovered an email chain

talking to strike action discussion which indi-

cated how far the company was willing to go

in terms of increase, as well as dates and de-

tails of what they would do after the strikes;

all information they would likely not want in

the hands of the unions. How much would

unions pay for that information? Hackers can

make a lot of money selling such information

to the competitors wanting to have the up-

per hand on their opponent.

In conclusion, the presenter emphasised that

treats are real. He added that risks are hard to

define but it is also a matter of perception, as

what may seem useless today might be gold

tomorrow. Security is not a destination that

you arrive at; it is actually a constantly evolv-

ing process. Attackers have it easy, defenders

have it hard as they have to be lucky every

time, hackers only have to get lucky once.

dAY 3 - WednesdAY, 13 AuGust 2014

South Africa has the best whistle-blower leg-

islation in the world, yet individuals are too

afraid to blow the whistle on wrongdoing.

Speaking at the IIA SA annual national confer-

ence in August, Prof Deon Rossouw cited the

DLA Piper Whistleblowing Report 2013 which

rates South Africa’s Protected Disclosures Act

as the best of its kind globally. Prof. Rossouw,

CEO of the Ethics Institute of South Africa,

Role oF oveRsiGHt bodies in pRoteCtinG WHistlebloWeRsProf Deon Rossouw, CEO: Ethics Institute of South Africa



also cited his organisation’s own research

study (SA Business Ethics survey 2013), which

looked at the ethical culture in JSE listed

companies. The following results show the

reasons why employees do not report cor-

ruption and other impropriety:

Thought someone else would

report it30%

Don’t want to report a colleague 35%

Nothing will happen if it goes to

court36%

Think the report will not remain

anonymous48%

Fear retaliation 65%

Think company will not take

corrective action66%

It is clear that having relatively robust whis-

tle-blowing laws is not necessarily enough

to encourage whistle-blowing. Much more is

required to assure potential whistle-blowers

that it is safe ‘to do the right thing’. As the re-

search shows, people will continue to doubt

the effectiveness of whistle-blowing mecha-

nisms as long as they fear retaliation or hav-

ing their identities exposed.

The Protected Disclosures Act sets out the re-

quirements for safe and effective disclosures,

but only protects employees against occu-

pational detriment, and not any other kind

of harm. Occupational detriment refers to

discrimination in the workplace related to job

security such as unfair dismissal. The Compa-

nies Act extends these protections somewhat

for employees and other categories of persons

that have dealings with companies. What

should be noted is to whom disclosures can be

made. Section 159 (3) of the Act states that:

“A disclosure is protected if:

It is made in good faith to the Commission, the

Companies Tribunal, the Panel, a regulatory

authority, an exchange, a legal adviser, a di-

rector, a prescribed officer, company secretary,

auditor, board or committee of the company

concerned”

The Companies Act [S 159 (7)] further stipu-

lates that:

A public company and state owned company

mustdirectlyorindirectly–

(a) Establish and maintain a system to re-

ceive disclosures […] confidentially and

actonthem;and;–

(b) routinely publicise the availability of

that system

The Act makes it clear that an individual di-

rector, the board or a board committee may

be the recipient of a protected disclosure. As

such, these individuals or bodies are obliged

to deal with whistle-blower disclosures in the

correct manner. Subsection 7 quoted above,

also places a positive obligation on boards

to maintain an effective system of whistle-

blowing in the company, ensuring that em-

ployees are made aware of the system and

encouraged to use it. Given the board’s clear

responsibility to ensure that whistle-blowing

measures and mechanisms are in place, the

question arises as to which committees

within the organisation should play a role in

assisting the board in this regard.

The Social and Ethics Committee (SEC)

All publicly listed companies or state owned

companies are legally required to establish

Social and Ethics Committees as per the Com-

panies Amendment Act (Act No. 3 of 2011) .

The SEC is therefore a mandatory, statutory

board committee.

The SEC’s mandate is to monitor and report

to the board on a company’s social perfor-

mance, with due regard to the organisation’s

social and economic development, good cor-

porate citizenship, environment, health and

safety issues, consumer relations, labour and

employment issues.

The mandate of this committee is focused

primarily on social rather than ethical issues,

and it would be quite a stretch to imagine

that oversight of whistle-blowing practices

are also included in its mandate. According

to Rossouw, it has nevertheless become best

practice amongst most JSE listed companies

to voluntarily expand the SEC’s terms of ref-

erence to include a governance/ethics man-

date that typically includes the following

kinds of statements:

• ethical standards are articulated in a

code of ethics and supporting policies

• structures, systems and processes are

in place to ensure that the board, em-

ployees, and supply chains are familiar

with and adhere to the company’s ethi-

cal standards

• ethics performance is included in the

scope of internal audit and reported on in

the company’s integrated annual report

Under an enhanced mandate, whistle-blow-

ing may be included within the scope of the

committee since it supports the ethics policy;

and any mechanisms introduced to encour-

age whistle-blowing would fall under the

“structures, systems and process” required to

foster an ethical corporate culture. It would

then be up to the SEC to ensure that a proper,

credible and trustworthy whistle-blowing

system is in place. Such a system must ensure

the confidentiality of reports, the anonym-

ity of the whistle-blower and provide clarity

about what happens after a report has been

made.

Rossouw advises that the SEC should assess

reports regularly, noting the number received,

how they are being handled and what trends

there are in issues reporting. Such informa-

tion would be useful to management and the

board. It is important that management acts

decisively when required to do after proper

investigation of a complaint.

Audit Committee



National Conference Feedback is prepared by:Rakal Govender, Senior Research Analyst: Private Sector, IIA SA and Zisanda Jalavu CIA, Senior Research Analyst: Private Sector, IIA SA

As part of its duty to review the ethics man-

agement system of the company, internal au-

dit should also include the whistle-blowing

system. The audit committee should ensure

that this task is included in the audit plan, as it

is important to provide assurance over the in-

tegrity of the whistle-blowing measures and

mechanisms. Internal audit will be required

to make an assessment of the adequacy and

effectiveness of internal system, establishing

whether they work and are being used as in-

tended.

Where whistle-blowing systems are out-

sourced, internal audit should determine

whether the mechanisms are secure, confi-

dential, anonymous, trusted, credible and ro-

bust. They should therefore check the integri-

ty of systems and the people operating them,

and assess if they are independent, highlight-

ing any potential conflicts of interest. Based

on such information, the audit committee

would be in a better position to gauge the ef-

fectiveness of the whistle-blowing system.

Board of Directors

King III in Principle 1.1 states that the “board

should provide effective leadership based

on an ethical foundation”. In order to ensure

that it receives robust information regarding

ethical matters, the board may delegate ad-

ditional responsibilities to the Social and Eth-

ics Committee, as is often the case. Rossouw

points out that directors have five ethical du-

ties relating to conscience, inclusivity, compe-

tence, commitment and courage. The latter

may be the most difficult of all to fulfil. Never-

theless, since the buck stops with board, it is

up to the directors to find the moral courage

to act with integrity when making tough de-

cisions. Those decisions should also include

the ways in which whistle-blowers are pro-

tected within the organisation. If this is done

effectively, within in a strong ethical culture,

then employees may feel less afraid to blow

the whistle on corruption.

Delphine Bagwire

Abdul Bellim

Daniel Jacobus Brand

Priyanka Bugwandeen

David Chuene

Christoffel Coetzer

Vinolia Coopsamy

James Cronje

Chanelle da Silva

Nelette De La Rey

Elmarie de Waal

Nicole Erasmus

Danielle Erasmus

Charne Fourie

Umaira Gani

Odwa Goso

Sharon Govender

Eugene Greyling

Julius Gurure

Linda Harris

Jothie Hemraj

Zisanda Beatrice Jalavu

Hendrik Jordaan

Mohammed Kader

Anna Kadisov

Simphiwe Khumalo

Johannes Lambrechts

Tsholofelo Leballo

Brenda-Lee Lodder

Karen Louw

Zwakele Majola

Wandile Malinga

Babalwa Mapisa

Ilse Marais

Sipho Masumpa

Asanda Mdlulwa

Dzorai Meke

Fortune Mkhabela

Selby Mochochoko

Debbie Modisane

Mamadimo Mogano

Fatinyana Molala

Phatedi Monyebodi

Lorato Moyo

Kwazi Msiza

Mavis Mthimunye

Mxolisi Mtshali

Sharlene Murugan

Jerod Naidoo

Chermaine Naidoo

Lungile Ignatia Ngcobo

Alois Nyazema

Ritesh Patel

Charlene Pillay

Kubendran Pillay

Chantel Poovan

Marthinus Prinsloo

Mankwana Ragolane

Subhadra Ragubeer

Deepa Rama

Kotlane Sekgota

Dondeguy Sibanda

Stephens Sikhondo

Pieter Smith

Muhammad Solomons

Vukosi Sondlane

Sidiso Vincent Sotshede

Adriaan Steenekamp

Rabith Sukhari

Muhammed Tayob

Cuthbert Tinavapi

Zaheer Titus

Shamil Ukabhai

Karen van der Westhuizen

Cecilia van der Westhuizen

Daniel van Niekerk

Johannes van Tonder

Francois Viljoen

Robyn Wheatley

Robin Bruce Williams

George Woodworth

Lin Ye

Congratulations to CIA candidates


This marks the sixth edition of Sawyer’s Internal Auditing, and introduces format and content changes since the previous version was published in 2005. The most notable format change is that the guide has now been split into 3 separate volumes based on content: 1) Internal Audit Es-sentials, 2) Internal Audit Processes and Methods, and 3) Governance, Risk Man-agement, and Compliance Essentials. In terms of content, Information Technology (IT) related topics and guidance have been interwoven throughout the guides, rather than segregated into separate chapters, in order to present a more holistic view of the practice and methodology of internal auditing. The previous series of multiple choice questions per chapter has been excluded from the new edition; however, the glossary of audit related terminology has been substantially expanded and in-cluded at the end of each volume in the series. Finally, new information has been included throughout all three volumes to reflect environmental, social and economic changes and corresponding responses and advances in internal audit techniques. This information relates in particular to IT, com-municating results, governance, risk man-agement, compliance and corporate social responsibility.1 This book review aims to provide unfamil-iar readers with an overview of what the guides have to offer an internal audit pro-fessional, and for those readers who are familiar with Sawyer’s previous manuals, what fresh perspectives and guidance have been presented.

The first volume, Internal Audit Essentials, includes minor updates to sections pro-viding an introduction to the history and evolution of modern internal auditing, in-cluding the current Professional Practices Framework, audit process management and administration, and stakeholder rela-

tionships. Significant expansion of guid-ance and information has been made to the sections relating to Control and Risk Models, and a new chapter relating to As-surance and Consulting Services has been introduced.

As with previous editions, Volume 1 con-tains helpful exhibits to assist the reader in illustrating certain concepts and reinforce best practice application of the guidance. Several of the new additions in this round include:

1.2 – Internal Audit Rules of Conduct (from the IPPF, 2011): Offers a summary of the four categories comprising the IPPF’s Rules of Conduct, including Integrity, Ob-jectivity, Confidentiality and Competency.

2.1 – Relationships between Risk Man-agement Principles, Framework and Processes (from ISO 31000:2009): Provides information on what principles should exist to manage risk, presents a generic frame-work for managing risk and a standard pro-cess for managing risk.

3.2 – Key Differences between Assurance and Consulting Standards: Describes the key differences between the two types of assurance work that Internal Audit can perform.

4.3 – Internal Auditor Competency Framework (from the IIA Global frame-work, 2013): Summarises the four elements of the framework, including interpersonal skills, tools and techniques, Internal Audit standards, theory and methodology, and knowledge areas.

5.2–Key Components of Effective Inter-viewing (from IIA Research Foundation, 2009): Includes elements such as interview-ing objectives and process, common barri-ers to effective interviews and critical suc-cess factors.

5.3–Audit Approach Comparisons: Pres-ents the differences between a traditional and participative audit approach.

The second volume, Internal Audit Pro-cesses and Methods, focuses on technical and tactical guidance for the application of internal audit, with specific focus on cli-ent and stakeholder relationship manage-ment, audit planning, assignment execu-tion, and communication and reporting of results. Minor updates have been made to chapters relating to planning assurance en-gagements from high-level risk assessment to opening meeting, and communicating results during the engagement through to Board reporting. Significant enhance-ments have been made to the content and presentation of chapters relating to defin-ing the audit and risk universes, evaluating the design of controls, testing effective-ness of controls, additional risk manage-ment techniques, and audit documenta-tion. New chapters have been introduced relating to entity-wide risk assessment and entity-wide assurance projects, as well as a full chapter on consulting activities.

As with Volume 1, some of the new addi-tions to the best practice and guidance ex-hibits for this edition of Volume 2 include:

7.1–Alignment of the Identified Risks to the IT Environment: Details an example of the alignment of business objectives to business risks, to business processes, and ultimately to IT Assets.

10.2–Possible Risk Response and Audi-tor Action: Provides guidance on the pos-sible risk response and subsequent audit response depending on the impact and likelihood rating of a particular risk.

10.3–Sample Flowchart: An updated ex-ample of a vertical flowchart for an ‘order-ing and receiving’ process.

booK RevieWs

sAWYeR’s Guide FoR inteRnAl AuditoRs, 6tH edition, 2014

1 Page viii, Volume 1: Internal Audit Essentials


booK RevieWs

11.2–Steps of an Application Control Au-dit (from ISACA Journal, volume 5, 2002): Presents a step by step overview of how to complete an application control audit.

13.2 – Root Cause Analysis Techniques: Summarises three techniques, “Five Why Analysis”,” Change Analysis” and” Ishikawa / Fish-bone Diagram,” for determining the root cause of control breakdowns / audit issues.

13.19–Reviewing Versus Editing: Presents the advantages and disadvantages of re-view versus editing of audit reports.

14.1 – Comparison of Self-Assessment Techniques: Three self-assessment tech-niques, facilitated workshops, surveys and structured interviews, are summarised ac-cording to their relative advantages and disadvantages.

The third volume, Governance, Risk Man-agement, and Compliance Essentials, focuses on providing an integrated view of governance, risk management and compli-ance. This entire volume has been substan-tially updated and re-organised to present a holistic view, although many elements were touched upon in the previous version. New chapters have been introduced relating to internal audit responsibility regarding fraud, ethics and people risk, and the role internal audit plays in corporate social responsibility and sustainability.

Some of the new additions to the best practice and guidance exhibits for this edi-tion of Volume 3 include:

15.1–Definition of GRC (from Gartner Re-search website, 2011): Provides a common-ly referenced definition of “governance,” “risk,” and “compliance.”

15.5–Comparison of Standards and Prac-tices for Financial Reporting and GRC Re-porting: Explains the differences in standards and practices for financial reporting versus governance, risk and compliance reporting.

15.16–Internal Audit Maturity / Capabil-ity Assessment (from theiia.org website): Depicts the five levels of maturity / capa-bility of internal audit functions (Initial, In-frastructure, Integrated, Managed, and Op-timising), across 6 core competency areas (Services and Roles of IA, People Manage-ment, Professional Practices, Performance Management and Accountability, Organi-sational Relationships and Culture, and Governance Structure).

15.17 – Data Elements Diagram (from Thomson Reuters, 2009): Details the core user requirements and proposed data sets required to support governance, risk and compliance implementation within an or-ganisation.

17.3 –Role of Internal Auditing in ERM (from the IIA Position Paper, 2009): Presents a list of potential assurance activities which internal audit activities that comply with the International Standards for the Profes-sional Practice of Internal Auditing should provide.

19.4–Fraud Risk Management Principles (from the IIA, AICPA and ACFE, 2012): Intro-duces five key principles for proactive and effective management of organisational fraud risk.

20.1 – Corporate Social Responsibility Definition (from ISO26000:2010): provides the definition of Corporate Social Responsi-bility as per ISO 26000.

20.2–Definition of Corporate Social Re-sponsibility (from the IIA, 2011): provides the definition of Corporate Social Respon-sibility as per the IIA Practice Guide.

All in all, this 6th edition of Sawyer’s Guide for Internal Auditors offers a wealth of cut-ting edge information and guidance, pre-sented in a concise and easily understand-able manner, and would be a powerful tool and valuable addition to any internal audi-tor’s personal or professional library.

UPDATE YOUR DETAILS

AND ENJOY THE

BENEFITS OF BEING AN

IIA SA MEMBER

A key objective of the Institute of

Internal Auditors South Africa is to

provide our members with access

to world-class information and

development. Ensure that your skills

and competencies remain relevant

and up to date.

It is imperative that the Institute of

Internal Auditors

South Africa has your correct details.

Please visit our website:

www.iiasa.org.za

to update your details.


booK RevieWs

In the author’s own words:

“Purposeof thebook– toprovidea clearunderstanding of risk assessment charac-teristics so you can confidently plan and conduct your own risk assessment. This book also will help you to make sure that your risk assessment adds value to your or-ganisation because they will be based on the needs of your stakeholders.“

The book starts with establishing the key points of understanding risk assessment and then explains step- by step- how to conduct a risk assessment.

While the main focus of this book is risk as-sessment methodologies to develop the audit plan, there are three chapters specific for engagement risk assessment, fraud risk assessment and IT risk assessment.

The last chapters of the book provide com-mon mistakes and challenges throughout the risk assessment journey.

Lastly a set of 10 risk assessment examples that include excel spreadsheets and work document that you can customise to meet the needs in your oganisation is included. The templates are divided in two groups:- Group 1: Audit Universe Risk Assess-

ments- Group 2: Audit Engagement Risk As-

sessments

A brief overview of the book. The book is divided in five sections explaining specific concepts and each section consist of chap-ters elaborating this concept for each read-er to make it their own.

Section1:UnderstandingtheNatureofRisk

“The first part of this book provides an intel-lectual basis for risk assessment. It sets the

stage for how to think about risks, which ultimately will influence how you identify, measure, and prioritize risk. The premise is that you must first understand how risk behaves and manifests itself in order to understand how to build a structure for ex-ecuting a value-adding risk assessment.”

The theory of risk therefore the definitions, fundamentals, nature or characteristics of risk, risks internal and external drivers and how changing environments make risk dynamic and ever changing are explained. The book highlights the fact that these def-initions present risk in the context of uncer-tainty and consequences, but do not depict it in terms of negative outcomes.

A short history briefing leads to a discussion of some contemporary ideas and trends about modern risk assessment. The author also highlights the importance to under-stand stakeholder perspectives in risk and governance, which are at the core of the value proposition for internal auditors.

From a risk assessment standpoint – it isimportant for internal auditors to recog-nize their organisations’s capabilities when managing change so they can understand how environmental changes will impact certain types of risk to the organisation. Section2ChoosingtheBestRiskAssessmentApproach for your organisation

The second section provides you with consideration when choosing your risk as-sessment approach. The IIA Standards set minimum requirements for internal audit’s risk assessment exercise, but are stakehold-ers satisfied with minimum standards? Stakeholders’ expectations are changing in regard to audit’s coverage of strategic risk and governance areas so it is important to understand your stakeholder’s viewpoints

on these topics and how that might influ-ence your approach. Besides stakeholders, it is important to know your organisation’s risk profile and key vulnerabilities.

Goingbeyondtheminimum–Internalau-dit leadership should be vigilant in seek-ing out those practices that are expected of their stakeholders above and beyond minimum requirements. To be effective at risk assessment, it is critical that you under-stand your stakeholders – bothwho theyare and what concerns them. This will help shape decisions on the types of risk upon which to focus.

The risk and control maturity of the organi-sation where you work will have a direct im-pact on how you approach your risk assess-ment. The author also discusses how the internal audit function’s capability maturity and risk competencies will help shape the risk assessment approach.

The three important areas you should con-sider for selecting the risk assessment ap-proach is:1. Riskandcontrolmaturity–Istheinter-

nal audit function more control-centric or risk-centric?

2. Organisational vulnerabilities – Whatare the risks that matter most to your particular rganisation?

3. Internal audit capabilities. Is your inter-nal audit function equipped to address the needs of the organisation?

In addition the author also provides five key principles to follow to assist in seeking the right approach to risk assessment for your organisation. 1. Conform with and align your method-

ology to IIA Standards.2. Understand your stakeholder needs

and expectations3. Understand the changing environment

inteRnAl AuditoR’s Guide to RisK AssessMent - (RiCK A. WRiGHt jR; CiA)


booK RevieWs

4. Know your rganisation’s risk focus and primary vulnerabilities.

5. Assess your internal audit function’s ca-pability maturity and risk competencies.

Section3:Toolsforconductingyouroganisa-tion’sRiskAssessment

This section highlights practical ways for building a process for executing a risk as-sessment. Developing a comprehensive audit universe is the first task. The audit universe serves as the risk assessment start-ing point as it identifies the possible audit-able units that will eventually comprise the audit plan. When assessing audit universe risks. Start by identifying business objectives and then tackle risk identification, risk measurement, and risk prioritisation as centerpieces of a well-constructed risk assessment frame-work. Several examples and varying ap-proaches are included to provide a variety of perspectives for what risk assessment can be. Frequency of risk assessment activ-ities and alignment of the risk assessment with business strategy and ERM are also discussed in this section.

Practical advice from the author when aligning with ERM and strategic objectives first, ensure your audit universe includes auditable units of strategic nature. These may include strategic planning processes, the ERM program, corporate governance activities, sustainability programs, crisis management, and reputation manage-ment to name a few. An audit universe that includes areas of strategic concern ensures there will be a focus on strategic risks dur-ing audit planning and that audit resources will be assigned to these areas, where ap-propriate.

Some common mistakes to avoid when identifying risks are also highlighted:1. Confusing risk with the consequences

of risk.2. Focusing on controls instead of risk.

“Ensuring your audit universe is complete?” This for me is the most important question to ask when conducting a risk assessment for the annual audit plan.

The author provides insight to this ques-tion.

“Every organisation audit universe is unique. Some questions, to reflect that the audit uni-verse has been thoughtfully vetted.

• What environments have changedsince the last audit universe update?

• Have there been any changes to thestrategic goals of the organisation?

• Havetherebeenanychangesinleader-ship at key positions?

• Have there been any key personnelchanges (loss of institutional knowl-edge, headcount reductions)?

• Are there any new systems that havebeen implemented?

• Arethereanynewsystemdevelopmentprojects?

• Have any new programs been imple-mented?

• Aretherenewproductslinesorlinesofbusiness?

• Hastheorganisationacquiredanynewbusinesses or entered into any new partnerships?

• Hastheorganisationdivestedanybusi-ness or terminated any partnerships?

• Doestheorganisationdobusinesswithany new strategic suppliers or ven-dors?

• Havetherebeenanychangesintheca-pabilities of strategic suppliers or ven-dors.?

• Arethereplansforsignificantbusinessgrowth or declines?

• Are there new customers beingserved?

• Have new legislative or regulatory ac-tions impacted the business?

• Are there new industry standards orpolicy changes that have been imple-mented?

• Are there any new internal stakehold-ers, or have existing stakeholder needs

changed?• Haveanyfraudorethicsviolationsbeen

detected?• Havetherebeenanyreportedinstances

of competitors or any similar organisa-tions experiencing new opportunities or threats to their business?

• Are the new external opportunities/threats to the organisation?

• Are there new internal opportunities/threats to the organization?”

The completion of the audit universe is a journey. Audit universe requires periodic maintenance.

Section4:SpecialtypesofRiskAssessment

Risk assessment come in various forms and are used for many purposes. In section 4, three variations of risk assessment are presented for specialised uses relating to internal audit engagement planning, fraud considerations, and IT-related risk assess-ments.

Engagement Risk Assessment

This is done on a micro level relating to specific process-level business objectives. “Engagement risk assessment – Amicro -level assessment of an auditable unit’s risk with the objectives of creating an engage-ment plan that focuses efforts toward the key risks that would keep the auditable unit form achieving its objectives. “

Fraud risk Assessment

Std 2120.A2 from IPPF

“The internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk. IIA developed practice guide – “InternalAuditingandFraud”–Thisguidelists5keysteps common to most fraud risk assess-ments:1. Identify relevant fraud risk factors2. Identify potential fraud schemes and


booK RevieWs

priorities them based on risk3. Map existing controls to potential fraud

schemes and identify gaps4. Test operating effectiveness of fraud

prevention and detection controls.5. Document and report the fraud risk as-

sessment.

IT Risk Assessment

The author stresses to the reader the impor-tance of the distinction between risks that are business related (and therefore not IT specific) versus those that are truly related to the existence of an IT strategy within the organisation, when assessing IT risk.

Section5:IdentifyingRiskAppetiteandsolv-ing common challenges

In this section the author delve into strate-

gic risk, alignment with ERM programs, and risk appetite as key value drivers and fron-tiers for innovation.

In addition three common mistakes to avoid relating to risk assessments are dis-cussed:1. Equating complexity with value2. Assigning the wrong staff3. Inadequate Data-gathering tools

Further three common challenges to antici-pate during the process of risk assessment are reviewed:1. Inconsistent risk measurement results. 2. Inadequate resources3. Lack of management engagement

The summary and conclusion of the book is the eleven main principles that are address in this book:

1. “Risk creates opportunities and threats. 2. Stakeholders expects internal audit to

assess strategic risk3. Change creates risk4. Identify stakeholder expectations5. Always start with objectives6. Identify, measure, prioritize7. Stay flexible8. Align with ERM9. Be aware of other types of risk assess-

ments. 10. Consider risk appetite11. Don’t go it alone”

Inmyviewthisbookiseasytoread–itpro-vide clear definitions and guidance for the first time risk assessment conductor, how-ever the content of the book is also valu-able for the experienced risk assessment conductor to ensure that their method is still vetted.

Apply now to enter our Internal Audit Technician or

Professional Internal Auditor program. These are a pre-

requisite for entering the CIA program. Alternatively apply

to go through our Recognition of Prior Learning process

if you have the requisite qualification and experience and

obtain our prestigious designations.

For more information contact :

Lawrence Chetty, Deputy Head:

Certifications and Accreditation

Tel: (011) 450 1040

e-mail: [email protected]

OBTAIN AN IIA SA PROFESSIONAL DESIGNATION

Sarah Tucker, Technical Committee: IIA SA


AdviseR

April 2014 IIA Adviser

Documents

charles nel cia email

board of directors email

val brazao email

warren elbourne email

jenine dresse email

stephanie erasmus email

tina wolmarans email

nazlie ismail email