Strategies for Internal Auditors to Negate Intimidation and Victimisation the Grey Matters on Ethics Questions the Audit Committee Should Ask About It 100

APRIL/MAY 2015 I A ADVISER

STRATEGIES FOR INTERNAL AUDITORS TO NEGATE INTIMIDATION AND VICTIMISATION THE GREY MATTERS ON ETHICS QUESTIONS THE AUDIT COMMITTEE SHOULD ASK ABOUT IT 100

LEADERS FORUM 8 June 2015 I Emperors Palace

The IIA SA will be hosting the Leaders Forum, exclusively for Heads of Internal Audit (CAEs).

This unique forum is an opportunity for like-minded, progressive CAEs to meet, maintain and enhance their networks, listen to high-profile speakers and be exposed to new trends. In addition, pertinent issues affecting the profession will be discussed.

Please visit the IIA SA website: www.iiasa.org.za for more information and to register. Contents

MESSAGE FROM THE chief executive officer 5

Welcome to new members 8

Strategies for Internal Auditors to Negate 23 Intimidation and Victimisation 10

List of Occupations in High Demand: 2014 12

MICROFINANCING: INNOVATION OR CURSE 14

THE GREY MATTERS ON ETHICS 19 26 QUESTIONS THE AUDIT COMMITTEE SHOULD ASK ABOUT IT 23

Corporate SA is still failing to include women 26

feedback from the 2014 National conference 28

BOOK REVIEWS 34

BOARD OF DIRECTORS e-mail: [email protected] REGIONAL GOVERNORS Chairman: Riaan Thiart CIA Central Region: Refilwe Mocwaledi Vice Chairman: Vonani Chauke CIA Eastern Cape - Border Kei: Norman Trimaley Directors: Faith Burn Eastern Cape - Port Elizabeth: Veronique Reddy Paresh Lalla Gauteng - Johannesburg: Bukkie Adewuyi Paresh Lalla CIA Gauteng - Pretoria: Muthelo Madzivhandila Oupa Mbokodo CIA KwaZulu Natal: Alexander Winterbach Tshepo Mofokeng Limpopo: Moloto Mokwele Rudzani Nemaangani CIA Mpumalanga: Tony Mancos Rob Newsome CIA North West: Sikhuthali Nyangintsimbi Molefi Nkhabu Northern Cape: Johannes van Tonder Jan Opperman Western Cape: James Gourrah CIA Dion Poole CIA Lesotho: Liteboho Mokuena Kameetha Singh Namibia: Julian Beukes Arno Vorster Swaziland: Wesley Mndzebele Chief Executive Officer: Dr Claudelle von Eck Past President: Shirley Machaba Past Past President: Justine K Mazzocco

IA ADVISER April/May 2015 | 3

MESSAGE FROM THE chief executive officer

Institute of Internal Auditors South Africa Unit 2, Bedfordview Office Park Bedfordview , 2008

P O Box 2290, Bedfordview, 2008

Telephone: +27 11 450 1040 Facsimile: +27 11 450 1070

IIA SA Website: www.iiasa.org.za IIA Global Website: www.globaliia.org

Business Hours: Mon - Thurs: 08h30 - 17h00 Friday: 08h30 - 16h00

Accounts / Finance: Warren Elbourne e-mail: [email protected] fax: 086 685 0163 Although I have some really important Insti- year now appears in both PDF and Flash Bookstore: Xolisile Vuyiswa Mngwevu tute related news to share with you, it would with video clips. I encourage you to read e-mail: [email protected] fax: 086 685 0164 be remiss of me to not first pause and say a the IR as it is filled with information on what Certification: Tina Wolmarans few words around recent events that have is happening in the land of the IIA SA. e-mail: [email protected] fax: 086 685 0162 rocked our country and cast us in a very Communications and Business bad light. The recent spate of xenophobic Firstly, you should be aware of a significant Development: Val Brazao e-mail: [email protected] attacks should probably not have come as a shift in the South African qualifications CPD: Jenine Dresse surprise to us. Many of us have been warn- landscape which has seen the establish- e-mail: [email protected] fax: 086 685 0161 ing for a while now that we are sitting on a ment of the Quality Council for Trades and Learnerships: time bomb as the gap between the haves Occupations (QCTO) under the South Afri- Lawrence Chetty: e-mail: [email protected] and have-nots continuous to widen. While can Qualifications Authority (SAQA). As is Membership: Stephanie Erasmus e-mail: [email protected] most of us have preferred to only comment implicit in its name, SAQA is the custodian fax: 086 685 0160 from afar, we have now received a wake-up of qualifications in South Africa. You will Regions: Nazlie Ismail e-mail: [email protected] call. This affects all of us and none of us can start to hear more and more about SAQA, fax: 086 572 4301 distance ourselves from what has been fes- especially in the light of the fact that we Technical: Charles Nel CIA e-mail: [email protected] tering within. It is going to take a collective have seen so many high profile cases of in- fax: 086 685 0165 effort as South Africans and SA institutions dividuals falsifying their qualifications in re- Advertising For advertising enquiries contact to combat what has become an embarrass- cent times. The Skills Development Act has Queen Sithole: [email protected] ing exposure of the rot that is building up. made provision for quality councils under If you need to change your details please e-mail [email protected] It is important that we send a clear message SAQA to oversee the establishment, regis-

Editorial / Article Submission to the world that South Africans will not al- tration and maintenance of qualifications. Val Brazao: [email protected] low a minority to define who we are as a These councils oversee the registration of Charles Nel: [email protected] people. In this context the IIA SA says NO to qualifications in the three main spheres of To submit an article e-mail: [email protected] xenophobia and NO to violence against our education and training. While the coun- ISSN 2079-729X fellow human beings. cils for the schooling (Amalusi) and higher Published by the Institute of Internal Auditors South Africa and supplied gratis to members. The IIA SA does education (CHE) sectors have long been not accept responsibility for any opinions expressed by the contributors or correspondents, nor for the ac- Now, having said that, let me turn to the is- established, the council overseeing trades curacy of any information contained in contributions, sues directly affecting the Institute. My in- and occupations has only recently been es- advertisements or correspondence in this publication. All material submitted for consideration is subject to tention is to only focus on news not already tablished. As a result, professional qualifica- the discretion of the Editor and the Editorial Team. The Editor reserves the right to edit all material. Advertise- covered in our Integrated Report which is tions had in the past been registered direct- ments do not constitute an endorsement. accessible to all on our website. I am really ly with SAQA. With the establishment of the proud of our Integrated Report, which this QCTO, all professional qualifications must

IA ADVISER April/May 2015 | 5 MESSAGE FROM CHIEF EXECUTIVE OFFICER

now be registered with the QCTO as their direct registration with Director Jan Opperman Newly elected SAQA is expiring this year. This basically means that the IIA SA has to re-register its current learnerships under the QCTO. The Institute Director Kameetha Singh Newly elected has therefore now kick-started the registration of the national inter- Director Faith Burn Newly elected nal audit qualifications. We have had our first scoping meeting with Director Tshepo Mofokeng Newly elected the QCTO and various stakeholders and I am pleased to announce that the IIA SA has been appointed the Development Quality Part- We congratulate all of those who were elected to serve on the Board. ner for the registration of the internal audit qualifications. What does With a professional body that has a lot of complexity to deal with, the this mean for our learnerships? These qualifications essentially will Board is kept very busy and is often confronted with tough decisions be our current learnerships now recognised as national qualifications to make. These are the people who make decisions on behalf of your under the QCTO and will underpin our designations IAT and PIA. This Institute and have a significant impact on the direction the profes- is good news for the profession. Those currently in our programs will sion takes in the local context. This is a significant burden. Exercising not be affected, but once the national qualifications are registered, leadership is not always an easy thing to do. In actual fact, more often new entrants will go through the new process. You will not feel the than not it is difficult as one has to be brave while taking people to difference as the process will remain much the same. a new reality at a pace that the majority can absorb. It is therefore imperative that we give the Board our support. Another important piece of news that I need to share with you is the outcome of the AGM which was held on 22nd April 2015. Beside the I do want to spend a minute talking to our members about the es- election of the directors, members also voted on changes to the By- tablishment of the Academy as it is important that you fully under- laws and the establishment of a subsidiary under the Institute to sat- stand the rationale for it. Currently the Institute is responsible for the isfy the QCTO requirements for the new national qualifications. Both roll-out of the learnerships as well as the assessment process. Under the changes to the Bylaws and the establishment of the Academy the QCTO’s procedures, provision is made for two functions for the (subsidiary) were approved by an overwhelming majority of those occupational qualifications. The one is the Skills Development Part- who voted. ner (SDP) and the other the Assessment Quality Partner (AQP). The former is responsible for offering the training that accompanies the Your new Board now consists of: qualification and the latter the assessment that ascertains compe- Newly elected in this Chairman Riaan Thiart position tence at the end of the training process. Under the QCTO these two Newly elected in this roles cannot be played by the same organisation. In other words, you Vice Chairman Vonani Chauke position cannot be both player and referee on the field. It has therefore be- Director Rob Newsome Re-elected come necessary for us to accelerate the establishment of a separate entity to create a clear separation between the player and referee Director Molefi Nkhabu Re-elected aspects. In this context the Institute is applying to be AQP and the Director Arno Vorster Re-elected Academy will play the role of SDP. Vacated Chairman’s Past Chairman Shirley Machaba seat Thus, we are dealing with some really exciting (albeit a little scary Vacated Past Chairman’s Past Past Chairman Justine Mazzocco seat when one thinks of all the work involved) projects at the moment. Still in office. Appointed This is all in the name of professionalising internal audit. This profes- CEO Claudelle von Eck by the Board sion is such an important pillar of governance in South Africa that we Director Dion Poole Term end in 2016 cannot ignore the fact that we must ensure that internal auditors are Director Oupa Mbokodo Term end in 2016 adequately prepared for the increasing expectations from the market. I believe that we are on the right path. Key questions to you: Is Director Paresh Lalla Term end in 2016 your internal audit function aligned to the efforts to professionalise Director Rudzani Nemaangani Term end in 2016 internal audit and are you ready to take the quantum leap with us?

Claudelle von Eck, CEO: IIA SA

6 | IA ADVISER April/May 2015 IIA Membership

The Institute of Internal Auditors South Africa is the leading professional body representing the interests of Internal Auditors in South Africa. As part of an international network, the IIA SA upholds and supports the fundamental tenets of the profession - the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. The IIA SA supports the profession by providing a wide range of services dedicated to the education and advancement of internal auditors and dynamically promoting and developing the profession in South Africa.

We serve internal auditors in South Africa by offering Technical Guidance, Professional Training Programs, Certification Programs, Continuing Professional Development Opportunities, Conferences and Networking Opportunities.

For more information contact the Membership Administrator on Telephone: (011) 450 1040 or e-mail: [email protected] IIA SA website: www.iiasa.org.za Progress Through Sharing

IA ADVISER April/May 2015 | 7 Welcome to new members

Border Kei Liberty Group Limited Mohummed Areff Lloyd Viljoen Lindsey Bord Alfred NZO District Municipality Aviwe Mtakasi MNB Chartered Accountants Rhangani Mbhalati Department of Economic Development & Rivalani Ntuli Environmental Affairs - Eastern Cape Neliswa Nyosana Mogale City Local Municipality Boingotlo Bantaotse Department of Local Government & Trad Affairs - EC Andile Makhabeni MRL Incorporated CA ( SA ) Molefe Morife Department of Roads & Public Works - Eastern Cape Sibulelo Mbam National Treasury Keneiloe Kgoroeadira Zikhona Sagwityi Netcare Management (Pty) Ltd Silindile Sibiya Department of Sports Recreation Arts & Culture Nexia SAB&T Lethabo Mongalo (Eastern Cape) Nokuzola Mahanjana Ngubane & Company Ephraem Sibanda Department of Transport (Eastern Cape) Lulama Mpandana Nkonki Incorporated Sindi Zilwa Ntikhoyo Mene Mahendrin Moodley Nosisa Mahlutshana Morne Kermis Bonginkosi Nyongo Varsha Chetty Eastern Cape Development Corporation Sisamkele Ngxawu Khomotso Legote Inkwanca Municipality Asanda Mkonqo Mzimtsha Nkonki Lukhanji Local Municipality Ayanda Doko Tererai Dzirekwa Asanda Magqaza Nomcebo Mlambo Lumoka Chartered Accountants Nosiphiwo Magubeni Thuto Masasa Matseliso Mfanta Zakhele Nkosi Mandisi Msongelwa Pandell Consulting Simbarashe Mlambo Mnquma Local Municipality Phelela Mdladlamba SAA Technical Michael Mpanza Xolisa Mjakujo SizweNtsalubaGobodo Serame Mothupi Nkonkobe Local Municipality Luyolo Mapitiza South African Post Office (SAPO) Stephen Masango Nyandeni Local Municipality Sinovuyo Madolo Jeremia Mosieleng Office of The Auditor General South Africa ( Eastern Cape) Pumza Golimpi Willem Fourie Rakoma & Associates Incorporated Tembelani Tshabane South African Reserve Bank Kavershnie Moodley South African Post Office (SAPO) Leon de Vos Standard Bank South Africa Phumzile Gebashe Kealeboga Mabe FREE-STATE Lerato Dlamini Olebogeng Siko Central University of Technology (Student) Maite Letsoalo Mandisi Mzinyati Ethekwini Municipality Sifiso Ntozakhe Miliswa Mgavu Northern Cape Provincial Treasury Tau Pitso Shoki Maditsi Provincial Treasury - Northern Cape Tumelo Gaarekwe Oneilwe Methikge South African Post Office (SAPO) Lawrence Pitso Berko Danso University of the Free State Nandi Lubbe Fhatuwani Mufamadi Stateway Switchboards Nkosingiphile Doko johannesburg Tollserve cc Ntsoaki Mokoena Transnet Freight Rail Nthabiseng Tlalang ABSA Bank Ltd Phathiswa Nqini Umgeni Water Godfrey Ngwenya Charlene Chung Watermark Auditors Inc Nyasha Kaliyati Dingaan Khoza ABSA Bank Ltd (Internal Audit) Sonia Manilal kwazulu Natal Alexander Forbes Financial Services (Pty) Ltd Ludwe Mqengqeni Auditor General of South Africa (AGSA) - Pretoria Sibusisiwe Nkutha Durban University of Technology Mohammed Kharwa Auditor General South Africa (AGSA) Lindelihle Kunene Durban University of Technology Student Busisiwe Dhladhla Borwa Financial Services (Pty) Ltd Christinah Zebediela Health System Trust Blessing Mncwabe C N Corporate Partners SA cc Cease Nyamasoka HTB Consulting Nobuhle Khuzwayo Department of Justice Mareka Tebakang KwaDukuza Municipality Zama Bekwa Department of Mineral Resources Nhlonipho Khoza KZN Gaming and Betting Board Nontobeko Hlengwa Department of Social Development Malemane Kganana KZN Provincial Treasury Thobeka Basi Department of Tourism (National) Lebogang Mtshali Michaelmas College (Pty) Ltd Thembeka Mngqithi Development Bank of Southern Africa Tebogo Manakana Newcastle Municipality Khulakahle Poulten Nakasani Muronga Nexia SAB&T Pirogan Mudaly Discovery Ltd Arlene Alves Ntshidi & Associates Buza Bengu Edison Group Miguel Dos Santos OMA Professional Advisory Group (KZN) Suveen Dabeepersadh Eskom Holdings SOC Ltd Liaqat Azam Muhammad Sheik Financial Services Board Bertha Khoele Provincial Treasury - KZN Lipworth Mbonambi Group 5 Limited Mputluki Mokonyane Duduzile Ditlhale Group Five Construction Mosidi Komane Road Accident Fund Mbali Khubisa Imperial Truck Rental Surette Vorster SA Post Office PIA Ian Barnes Land & Agricultural Bank of SA Sydney Nkuna SizweNtsalubaGobodo Don Saunders Liberty Group Limited Oupa Mokgoantle Sumitomo Rubber South Africa (Pty) Ltd Nduduzo Chala Anthon Booysen Umgeni Water Ronica Mhlabane

8 | IA ADVISER April/May 2015 LIMPOPO Department of Social Development (National) Caroline Ditinti Department of Tourism (Pretoria) Sharon Biya Department of Roads & Transport - Limpopo Lindiwe Ngwenya Finbond Mutual Bank Petrus Selzer Greater Tubatse Municipality Mahlatse Mononyane Grant Thornton PS Advisory Services (Pty) Ltd Karel Steenkamp Metcash Africa Jan Pieterse Hernic Ferrochrome (Pty) Ltd MornÃ© Fraser PricewaterhouseCoopers - Polokwane Aneela Moodley Human Sciences Research Council Tshegofatso Modiba SML Projects (Pty) Ltd Maano Seokotsa JDG Trading (Pty) Ltd Mmantomi Seema Masilonyana Local Municipality Motlalepula Motaung MPUMALANGA Thabo Kareebos Medscheme Holdings (Pty) Ltd Mosima Kwebu Finbond Mutual Bank Sicelo Sithole Nexia SAB&T Vinolia Makgoba Lekwa Local Municipality Vukile Dladla Mmakgabo Motadi Mbombela Local Municipality Nkululeko Sifunda Refilwe Maimela Mpumalanga Provincial Legislature Rodney Zwane Setilo Maabane Nolwazi Mlimi Keneilwe Pholoma Steve Tshwete Housing Association Nomthandazo Skhosana Mmarungoane Manchidi Maripa Moabelo NAMIBIA Mphoke Senamela Mashoto Mogowe Erongo Regional Electricity Distributor Company Karin Andima Tlou Selahla Ministry of Finance Namibia Amutenya Jacobs Northwest Transport Investment Tshidi Mabusela PricewaterhouseCoopers - Namibia Charles Matundu OMA Chartered Accountants Inc Saheed Fasasi PricewaterhouseCoopers - Polokwane Vusi Ntuli NORTHERN cAPE Morepuo Kembo PricewaterhouseCoopers (Pretoria) Noluthando Vilakazi Mier Municipality Abigael Orange Renaissance Chartered Accountants Tshianeo Madadzhe Office of The Auditor General South Africa Mxolisi Phaliso SekelaXabiso Consulting Masabata Elephant Orange River Cellars Wentzel Engelbrecht South African Bank of Athens Monica Pattichides South African National Defence Force Orebotse Mothoko NORTH west South African Police Services (SAPS) Jacobus Roos Emmanuel Rapholo Johannesburg Fresh Produce Market Kobeli Motsieloa South African Post Office (SAPO) Thabo Doyoyo MVI Group Mokaedi Mabina James Ndlovu Ngaka Modiri Molema District Municipality Goitseone Makgolo Frik Stickling NWK Limited Beracah Sehloho Tollserve cc Martha Molekoa Ratlou Local Municipality Kgalalelo Letsapa Wiseman Mfayela SizweNtsalubaGobodo Kizito Aidoo University of South Africa Steven Moloi Gaongalelwe Modise South African Police Services Ofentse Kgope swaziland port elizabeth Swazi MTN Limited Ncamsile Mhlanga Royal Swaziland Sugar Association Phinda Mngomezulu Coega Development Corporation Msimelelo Boltina Royal Swaziland Sugar Corporation Winile Dlamini Coega Development Corporation (Pty) Ltd Siphokazi Mazomba George Croucamp Department of Economic Development & Philile Gumbi Enviromental Affairs - Eastern Cape Aphelele Kalipa Nozipho Msibi Department of Human Settlement (Eastern Cape) Chumani Ntlebi Swaziland Electricity Company Sakhile Dludlu Sibusiso Komnga University of Swaziland Bongani Msibi Veliswa Malashe Ernst & Young Natalie Goedhals western Cape Gavin Flanagan KPMG (Port Elizabeth) Maxesibandile Mbalane Cape Peninsula University of Technology (Student) Zwelithini Matsoso KPMG (Pty) Ltd Andre De Wet Department of The Premier - Western Cape Shane Soekoe Mkululi Mbali Financial Advisory Services cc Mkululi Mbali Grant Thornton CT Kudzayi Matsanga Office of the Auditor General (EL) Cwayita Gana Kuhumelela Registered Accountants and Auditors Lenin Ndziba Office Of the Premier - Eastern Cape Malungisa Lujalajala Maboya Capital (Pty) Ltd Lwazi Magayana Sovereign Foods Veronique Reddy Oakhurst Insurance Company Ltd Stephanus Louw Prescient Profile David Jarman pretoria South African Post Office (SAPO) Daniel Germishuys Joseph Sidonie Business Innovation Group (Pty) Ltd Evasen Archary Donald Valentyn Companies and Intellectual Property Commission (CIPC) Francis Manickum Hendrick Volschenk Department of Home Affairs Vincent Kgwale The Foschini Retail Group Nicole Andrews Department of Justice and Constitutional Development Lesego Ramakutana Radha Heera Department of Public Enterprises Samuel Sebola

IA ADVISER April/May 2015 | 9 Strategies for Internal Auditors to Negate Intimidation and Victimisation

With internal auditors facing increasing in- ger, they can most effectively focus on the ary gives another option to the person with timidation, victimisation and malicious re- task at hand.” whom the boundary is being set. An ex- porting within both the public and private ample may be, ‘…but I am willing to add in sectors, the need for internal audit profes- He continues that while there is no ‘silver an extra section or addendum to the report sionals to find and employ effective psycho- bullet’ for formulating and implementing that explains your concerns and position logical and behavioural strategies to negate this strategy as each situation needs to be regarding information Y.’ It is vital to remem- these extremely detrimental practices can- specifically managed and strategized - par ber all three steps in boundary setting.” not be overstated. ticular to the parties and context involved, he has found two ideas to be extremely Du Plessis continues that the second popu- To this end, Dr. Graham du Plessis (PhD), popular, and effective, with the people and lar idea is that in any communication there lecturer in the Department of Psychology at companies he has worked with. are a number of levels to consider. the University of Johannesburg, and a practicing clinical psychologist who counsels a The first of these is boundary “We communicate through what we say number of internal auditors in both a thera- setting. and how we say it. The content of the peutic and consulting context, outlines a words we use is only a small part of what number of such strategies which internal “Setting boundaries is crucial in both our is being communicated. Our tone, inflec- auditors can develop and utilize. personal and work relationships, particularly tion and body language while we are say- so in instances where overt and tacit threats ing something also convey a great deal of “To begin with, I have observed that inter- occur. This is because boundaries define the information. When the content of what we nal auditors often operate within a rather line between what I am responsible for, and say matches how we say it, we are commu- stressful and complex environment where what others are responsible for.” nicating in a manner that is highly authentic strong people skills are very necessary. and which often is most effective at making While each case is certainly different and He expounds that in order to set a bound- others comfortable and in getting the best requires a degree of tailoring, in the context ary, a person must follow three steps. out of relationships.” of threatening interactions there are a number of important principles to keep in mind,” “Firstly, they should acknowledge the need He elaborates that when there is disagree- he explains. of the other person. For example, ‘you ment between what is being said and how it would like for me to delete X information is being said, there is a problem in the com- First and foremost, he says, it is important in from your report, and replace it with Y in- munication, and that this is often the case such situations to look beyond the threat- formation.’ While this is often as simple as in the context of threats, or when there is ening behavior in order to discern its func- repeating to that person their request or some other form of relational breakdown. tion for the person who is doing the threat- statement, or your understanding thereof, ening, and that to do this, it is necessary to it does require practice to perfect.” “Therefore, when communicating our- check our emotional reaction and to look at selves, it is advisable to be as congruent the facts at hand. The second step is to set the in what we say and how we say it as pos- boundary. sible. When dealing with others who are “Often people threaten others as part of being dissonant in their communication, a negotiation. In essence, the idea of the “In this case, the person communicates the the rule of thumb is to focus on the ac- threat is to elicit emotion in someone with line of responsibility clearly and without tual content of the words, and to ignore the intent of getting them to act in a certain deviation. For example, ‘I cannot remove the non-verbal communications. The fun- manner. Therefore, internal auditors faced information from my report.’” damental idea of this strategy is to com- with threats need to remember that they pel the person who is communicating in should see the threat as a form of negotia- The final step involves offering an alternative. a discordant manner to verbalize with tion, and that by practicing checking their words the other, non-verbal message of emotional reactions of fear, shock and an- “In this step, the person setting the bound- his or her communication.”

10 | IA ADVISER April/May 2015 STRATEGIES FOR INTERNAL AUDITORS TO NEGATE INTIMIDATION AND VICTIMISATION

Often, threats are made through implicit remember that all communication is a two aspects of human nature. The first is that we communications where the words are not way street. When communicating informa- want and need to be listened to and heard, necessarily threatening but the manner in tion to others, and especially sensitive infor- even if our requests are not necessarily met. which the non-verbals are employed com- mation, it is of absolute importance to listen What is key here is to remember that being municates a clear implicit message, which to what the other has to say.” listened to is a practical human request. often is a threat. While on the surface it may appear to have Yet his clients are often surprised by this very little to do with the work at hand, in “In these situations, emphasizing boundary idea, saying, “I have something that my practice is it the most fundamental requi- setting in relation only to the actual content stakeholders need to hear. I don’t really site as it lays the relational foundation for all of the words is an effective strategy for han- need information from them.” other work and ‘buy-in’. The second is that dling threats. It is one of the most effective we don’t like to be ‘boxed-in’. All people means of dealing with threats in the busi- “On a logical level they are often correct,” have a basic need to direct their lives and ness environment.” says du Plessis. “However, on a psychologi- business in some way. Therefore it is crucial cal level they are forgetting that in order for to buy-in to make sure that stakeholders Du Plessis maintains that another good other people to hear us, actually hear us, we have some say in what they do. This ‘say’ psychological principle to apply in regards need to listen to them as well. It is not logi- does not necessarily have to be around core to people being aggressive, unfriendly or cal so much as psychological, which, when issues that can’t be changed, but it does threatening is as follows: working with others, is only logical.” have to be there.”

“As a rule you cannot cure unkindness with As for obtaining stakeholder buy-in to im- Thus, in pursuing buy-in it is important for kindness, and this also applies to threats. If, plement their recommendations, du Plessis internal auditors to remember that when when you are threatened, you accept the asserts that as a guiding rule he would en- they allow stakeholders some freedom to threat and are very nice about it, the person courage internal auditors to make sure that act, even if it is in regards to a non-core or who has threatened you is simply going to they are communicating in a very congru- seemingly irrelevant aspect of implemen- learn that this is an acceptable way to in- ent manner. tation, they are far more likely to lay a solid teract with you in future. I certainly do not foundation for effective implementation. advocate fighting back aggressively; rather “Again, what you say and how you say it I have found that effective boundary -set should all line up into an authentic communi- In addition to these psychological and be- ting is a very useful manner in which to as- cation. The other golden rule of ‘buy-in’ is that havioural strategies, Du Plessis points out sertively and implicitly communicate to the you need to listen carefully to others’ opinions. that because internal auditors often work in ‘threaten-er’ that this type of interaction will I would encourage internal auditors to take stressful and complex environments, they not work with you.” time to really listen to what their stakeholders are generally in a position where ‘self-care’ have to say. As a consultant clinical psycholo- is vital. And he stresses that these same principles gist I have often come across the opinion that apply after a threat has actually been car- ‘because it has to be this way, there is really “Broadly, this means that internal audi- ried out, and to many other aspects of an in- no point in discussing it with the stakehold- tors need to look after themselves prop- ternal auditors’ job, such as communicating ers any further’. On a purely logical level this erly. This involves paying attention to sensitive information, and obtaining their position makes sense, but on a psychological the human sides of life, such as investing stakeholders’ buy-in to implement their rec- level it can be disastrous.” time and energy in their personal rela- ommendations. tionships, their health, and in occasion- And this takes us back to boundary ally taking some mental ‘time off’. Most “Congruence is crucial when it comes to setting. important of all is spending time on life communicating sensitive information. It is works that are personally meaningful and also crucial, although often forgotten, to “Boundary setting underscores two crucial fun,” he concludes.

Steven Chiaberta for The Wisdom Keys Group (WKG) on behalf of the Institute of Internal Auditors South Africa (IIASA)

IA ADVISER April/May 2015 | 11 List of Occupations in High Demand: 2014

INTERNAL AUDIT Image courtesy of www.freegreatpicture.com/

Introduction National Government Gazette (No. 38174). transport, communications, and water and energy. In addition, they emphasised the Given that Internal Audit has once again The Development of the List need for city, urban and regional planning appeared in the latest version of the and engineering skills as well as artisanal commonly known scarce skills list under The development of this list was based on and technical skills, especially those directed OFO code 242211 (DHET.2014/22), an the appeal for such information captured in towards infrastructure development, and introductory document was thought several public source documents, including, housing and energy. Management and necessary to provide a brief overview of the amongst others, JIPSA, IPAP 2 and the NDP planning skills in education and health aforementioned list and its origins. etc. The process started with agreeing on was also a concern as well as mathematics, the terms of reference and establishing an science and language competence in public Background advisory committee to guide the project. schooling. In addition, JIPSA made proposals Thereafter, research was conducted and a to prioritise skills initiatives in the fields of Aiming to influence, amongst other things: draft list was compiled. The results of this tourism, information and communication qualifications’ development; supply side research were supported by an interview technology, business process outsourcing planning; student fund allocation; skills sample of employer associations. The and bio-fuels. development for special government findings were then presented to the projects; career guidance; and global Advisory panel and thereafter revised The Industrial Policy Action Plan (IPAP) 2 human resource attraction strategies; 100 according to their feedback. The revised identified the following 3 areas as in need scarce skills in the country were identified document was then gazetted for public of market growth and the associated and shared with the public on 23 May comment based upon which the final list upgrading of supply capacity and 2015 (Government Gazette No. 37678). was drafted and published capability: green industry; agro-processing; Feedback, however, revealed the need to and fabrication, capital and transport and desire to incorporate more skills and Key Findings equipment. as such the original intent of confining the list to 100 could not be met. The commonly The Joint Initiative on Priority Skills The National Development Plan (NDP) understood term of scarce skills was, thus, Acquisition (JIPSA) source documents 2010-2030 suggested the need for skills replaced by that of ‘occupations in high indicated that immediate attention in the areas of: Public service delivery; demand’, as published by the Department of needs to be given to developing world Sustainable Livelihoods; Education and Higher Education and Training (DHET) in the class engineers for industries focused on Training; Research and Development; Public

12 | IA ADVISER April/May 2015 LIST OF OCCUPATIONS IN HIGH DEMAND: 2014

infrastructure; and Health professionals. the disciplines with regards to engineers, documents identified them as “in need” technologists, technicians, and artisans. or “scarce”. The National Growth Path (NGP) identified • Points were allocated to each occupation the following disciplines in need of The Job Opportunities and Unemployment based on a 100-point rating scale employment creation and growth: Report (JOUR) noted that the high number • The top 100 occupations in demand • Engineers: Target at least 30 000 of vacancies in the country included were identified based on those that additional engineers by 2014, changing managers, senior public sector officials, scored the highest subsidy formulae for universities as engineers, technicians, artisans, Information • Additional occupations were incorporated appropriate; Technology professionals; and maths and into list based on public comments. • Artisans: Target at least 50 000 additional science teachers. • Some source documents (such as artisans by 2015, with annual targets The Human Resources Development the NDP and IPAP 2) refer to clusters for state owned enterprises; Council (HRDC) report on the Production of occupations rather than actual • Workplace skills: Improve skills in every of Professionals (2013) highlights the need occupations upon which occupations job and target 1, 2 million workers for for the production of professionals in were inferred and lower scores allocated certified on the-job skills improvement engineering, mining, health care and, the to reduce researcher bias. programmes annually from 2013; built environment. • Owing to its infrastructure focus, SIPs • Further education and training (FET) projects were allocated 10 points also colleges: Colleges have a central role in The Salary and Wage Analysis (2013/2014) to reduce bias. providing important middle-level skills indicated wage growth was strong for • Occupations listed in the Sector for young people; and engineers, project managers, medical Education Training Authority (SETA) • Information and communications personnel, artisans, and IT professionals. Pivotal Skills Lists were allocated 20 technology (ICT) skills: The departments (DHET.2014/13-16). points given that they were based on of education should ensure that computer recent studies (DHET.2013) skills are taught in all secondary schools Scoring of Occupations • In addition those occupations with and form part of the standard adult basic professional designations (such as education and training (ABET) curriculum The methodology used to identify engineers, quantity surveyors, doctors by 2015. All public servants should also occupations in high demand involved and teachers) received higher scores receive ICT training. the use of a scoring system to determine due to global high demand for such eligibility for the list. The following steps professions. The Government Strategic Infrastructure were followed in scoring occupations: Projects (SIPs) note a dire shortage across • Occupations were selected if source

References Unemployment in the South African Labour Market 2011-2012. Pretoria: DoL. 1. Department of Economic Development (2010). The New Growth 7. Department of Trade and Industry 2011/12 - 2013/14. (2012). Path: agenda. Pretoria: EDD. Industrial Policy Action Plan 2. Pretoria: DTI. 2. Department of Higher Education and Training (2013a). White 8. Human Resource Development Council of SA. (2010). Human Paper for Post-School Education and Training. Pretoria: DHET. Resource Development Strategy for South Africa (2010 - 2030) . 3. Department of Higher Education and Training (2013b). Learning HRDCSA: Pretoria. pathways for SIPs scarce skills. Pretoria: DHET. 9. Human Resource Development Council of SA. (2012). Key issues 4. Department of Higher Education and Training. (2013c). in improving the quantity and quality of professionals in South Compilation of SETA Scarce and Pivotal Skills Lists (2013/2014). Africa. HRDCSA: Pretoria. Pretoria: DHET. 10. National Planning Commission. (2012). National Development 5. Department of Higher Education and Training. 2014. List of Plan 2030. Pretoria: NPC. Occupations in High Demand: 2014.Pretoria: DHET 11. The Presidency. (2010). Joint Initiative on Priority Skills Acquisition, 6. Department of Labour. (2013). Job Opportunities and March. Pretoria: The Presidency.

Rakal Govender, Senior Research Analyst: Private Sector, IIA SA

IA ADVISER April/May 2015 | 13 MICROFINANCING: INNOVATION OR CURSE

Financial education plays a key role in en- couraging responsible financial behaviour. Borrowers default if their net equity falls below a certain threshold or if they cannot make their monthly payments due to credit constraints. Non-payment behaviour is common amongst middle and low income earners. Individuals have recognised that the causes of financial difficulties lie primarily in their inability to manage money and decisions regarding spending and indebtedness. Lack of borrower education programs was one of key reasons to high defaults.

Image courtesy of www.freegreatpicture.com/ Risky Business Background ties of micro lending. To understand micro lending, one needs to start with the cus- A micro finance institutions’ success and penetration is largely influenced by both The idea of micro finance is quite simple: tomer and their social environments. In mi- socio-political factors as well as operational to provide financial services to the poor. cro lending the individual is the key to suc- subtleties. The business of micro finance in- It is an instrument for alleviating poverty cess. The mission of a typical micro lender stitutions should be a constant balance be- and providing the poor access to financial is centred on providing access of credit for tween outreach (reaching large numbers of services. It makes a range of financial ser- the underprivileged. The success of mi- poor clients), financial sustainability (gen- vices products accessible to the lower in- cro credit programs has largely depended erating sufficient revenues to cover costs) come segments of the population who do upon the process of “character-based” lend- and impact (showing a positive effect on not meet the requirements of traditional ing which essentially means reliance on client’s quality of life). Factors affecting the financing. social pressures or peer-monitoring when extending loans. sustainability of micro financing institutions is broadly divided between institutional Micro lending in developing countries is and environmental variables. Institutional not banking as usual. It is a unique process More vulnerable households in develop- variables are those factors that are specific that relies on social relationships in order ing countries are more concerned with to the institution, while environmental are to overcome moral hazard, monitoring ensuring housing and securing food than those economic settings of the country in and enforcement problems. Micro lending less vulnerable households. A thorough which the institution operates. Programs has historically served customers in low- understanding of importance of various with high operating costs are less viable growth, informal economies with weak risks and the role household assets and than those with lower costs. Micro finance property rights and tight social control. available coping mechanisms play in miti- institutions tend to be more sustainable by These individuals have limited experience gating them is a milestone in designing increasing the size of their operations. Sus- with access to capital, capital accumulation relevant micro finance services that will tainability is a necessary long term goal for and its effective deployment. Hence, the assist households in increasing their se- almost all micro finance institutions. business of micro lending are tying their curity of priority household needs. To be fortunes to a fundamentally different kind successful micro lenders should use more Many risks are common to micro lenders. of banking customer where the customer’s household information in the screening Typically they are broken into 3 categories income is smaller, irregular and unpredict- and portfolio segmentation process. Client each focussing on different perspectives of able. As a result, a deep understanding of retention should be of utmost importance the micro lending risk environment. Below the customers is a fundamental step for as compared to further client growth. Mi- is a list of common risk areas with corre- successful entry into such markets. Focus- cro finance entities should improve their sponding approaches in managing the risk. sing purely on repayment rates, a common services by further adapting their products Although not exhaustive, it clearly gives in- practice, obscures the more complex reali- and services to specific target groups. sight into the common risks:

14 | IA ADVISER April/May 2015 MICROFINANCING: INNOVATION OR CURSE

1. Financial Risks change rate o Clearly communicate performance e. Investment portfolio risk expectations and lines of account- a. Credit risk o Risk referring to longer term invest- ability o Risk to earnings as a result of bor- ment decisions rather than short b. Reputation risk rowers’ late or non-payment of loan term liquidity or cash management o Risk to earnings as a result of from obligations decisions negative public opinion Effective approaches to managing risk Effective approaches to managing risk Effective approaches to managing risk o Well-designed borrower screening, o Staggering investment maturities o Building relationships with clients, careful loan structuring, close moni- o Policies establishing parameters for funders or investors and regulators toring, clear collection procedures acceptable investment decisions in c. External business risk and active oversight by management investment portfolio o Inherent risks as result of the exter- o Good portfolio reporting that accu- nal business environment rately reflects the status and month- 2. Operational Risks Effective approaches to managing risk ly trends in delinquency, including o Contingency plans for anticipation a portfolio-at-risk aging schedule a. Transaction risk and possible external events that and reports per loan product o Risk that arises daily as transactions can impact the business o Routine comparing of credit risk are processed d. Regulatory and compliance risk with adequacy of loan loss reserves Effective approaches to managing risk o Risk of non-compliance with laws, b. Liquidity risk o Simple, standardized and consis- rules, regulations or ethical stan- o Risk that micro finance institution tent procedures for cash transac- dards cannot meet its obligations on tions Effective approaches to managing risk timely basis o Effective internal controls to reduce o Establishing good working rela- Effective approaches to managing risk human error and fraud tions with regulatory authorities o Maintaining detailed estimates of o Strong internal audit activity to test projected cash inflows and -out and verify accuracy of information Granting microloans to borrowers not only flows and compliance result into credit risk but also in liquidity o Maintaining investment accounts o Limiting manual data capturing risk due to the refinancing process, interest that can easily be liquidated into b. Fraud risk rate risk, foreign exchange risk if applicable cash o Risk of loss of earnings as a result of and operational risk due to staff fraud. Mac- o Anticipating the potential cash re- intentional deception by employ- roeconomic factors such as unemployment quirements of new product intro- ees or client and inflation is regarded as being signifi- ductions Effective approaches to managing risk cant to micro finance institutions. Micro fi- c. Interest rate risk o Use of preventive measures to re- nance challenges are further compounded o Risk of financial loss from changes duce fraud by having education by over emphasis on collateral and ignor- in market interest rates campaigns, standardize loan poli- ing the debtor’s willingness or ability to pay Effective approaches to managing risk cies and procedures, enforce hu- and poor culture of repayment. The micro o Reduce the mismatch between man resource policies finance technologies of service delivery, short-term variable rate liabilities o Client visits to verify information screening, and monitoring significantly dif- and long-term fixed rate loans fer from those in the formal banking sector. d. Foreign exchange risk 3. Strategic Risks Research suggest that micro finance insti- o Risk for loss of earnings as a result tutions do not always do better, and some- of fluctuations in currency values a. Governance risk times do substantially worse where institu- Effective approaches to managing risk o Risk of having an inadequate struc- tions are more advanced. o Avoid funding the loan portfolio ture to make effective decisions with foreign currency if it cannot Effective approaches to managing risk Further Research Insights match foreign liabilities with for- o Board comprise of the right mix of • Larger micro finance loans result in a eign assets skills and experience lower yield on gross portfolio. Even o Use of interest rate swaps or futures o Clear lines of authority for board though larger loans reduce operating contracts to “lock-in” a certain ex- members and management costs, the gains in costs is off-set by the

IA ADVISER April/May 2015 | 15 MICROFINANCING: INNOVATION OR CURSE

increased difficulty in finding good -bor o This creates an environment where food and fuel crisis rowers willing to take out bigger loans. less funding is available as capital o Increased foreign exchange losses • Stronger profit orientation leads to streams dry up due to the lack of due to currency devaluation, if ap- higher interest rates but is also associ- confidence in the repayment ca- plicable ated with higher costs. pacity of counterparts. o Deterioration of microcredit repay- • Micro finance institutions offering o Cost of funds increase as percep- ment culture as a result of increase smaller loans tend to be more efficient tion of risk change in defaults and arrears in the rest of than those offering larger loans. Mi- o Funders tend to prefer short term trans- financial system, political interven- cro finance institutions offering larger actions as they are less sure of getting tion and competition from new fi- loans do not benefit in terms of effi- their outstanding credits back. nancial institutions ciency from raising interest rates as a • High inflation episodes – Inflation risk result of competition. is a common risk for micro finance insti- Findings in the South African Mi- • The most efficient micro financing institutions especially for those operating in cro Financing Industry tutions are the ones offering small but countries with weak monetary policies expensive loans. Moving towards better or unsustainable economic regimes. The below findings are based on research off clients in an attempt to reap the ben- o Changes in food and fuel prices can that was performed where a comparison efits of economies of scale, lower risk and feed back into inflationary spirals was made between micro financing man- profit oriented investments lead to an • High currency devaluation – currency agement perceptions as compared to the inefficient use of resources. Micro financ- devaluations can contain serious con- analysis of quantitative customer data. The ing institutions that stick to the poorer sequences for the asset- liability man- following key findings are noted: clients tend to be the most efficient. agement of micro finance institutions. • Micro financing institutions should be • Global recession – This refers to mul- Biggest Risks highly discouraged from allowing bor- tiple events associated with worldwide rowers to enter into multiple debt con- economic downturn. The most relevant Whereas management sees fraud, over tracts considering that micro finance of these events include: indebtedness and bad debts as the big- institutions cannot improve their perfor- o Higher unemployment and lower gest risks, client data suggest that the big- mance by indiscriminately lending more domestic demand for goods and gest risks are bigger loan amounts, longer as over-lending reduces efficiencies. services term loans and loans to younger clients. o Lower remittances The different views and analysis are- how Impact of a Financial Crisis and o Increase demand for consumption- ever overlapping as indebtedness possi- Recession on Micro Financing In- smoothing purposes bly results into bigger, longer term loans stitutions • Food and fuel price shocks – increases to clients that cannot meet the necessary in this without comparable increase in obligations. According to the research the The impact of a financial crisis on both mi- income, forces borrowers to allocate average good micro finance client in South cro financing institutions and their clients higher promotions of income to those Africa is a client that meets obligations of a depend on several characteristics includ- expenses and directly affect the ability 6 month loan and a loan amount of R3450 ing: the macroeconomic environment, the to repay loans. as per affordability calculation. level of integration of the country to the global economy, cost and funding struc- Potential effects of a financial crisis on the Finding Balance between Too Little and tures and the ability of management to micro finance institution include: Too Much Risk deal with the crisis. o Reduction in borrower repayment capacity as a result of inflation, dif- According to management within micro Components of a financial crisis that are ficulty in dealing with higher inter- finance institutions the best way to acceler- most relevant to the micro financing indus- est rates, reduction in remittances, ate micro finance business in South Africa try are listed below: increases in fuel and food prices is to extend the term and the amount of o Higher costs and potentially higher loans to attract a bigger market. However, • Liquidity and credit crunch – defined interest rates for borrowers client data indicates that the longer loan as the contraction of the availability of o Reduced growth due to liquid- terms and bigger loan amounts drastically funding. ity crunch, economic recession and increases the possibility of non-payment.

16 | IA ADVISER April/May 2015 MICROFINANCING: INNOVATION OR CURSE

Proactively Managing Risk in Micro Fi- • Average loan term of 14 months of non-payment. As smaller loan amounts nance Environment • Average of number of 12 loans over a over shorter periods reduces microfinance period of 5 years risks drastically, it should be more actively Customer data suggest that a credit scor- • Has about 1.81 open loans at any stage marketed. ing model is the best way of managing risk. • Has an average credit exposure of This is followed closely by building a cus- about R20 000 over a period of 5 years A Value Add Role by Internal Audit in Mi- tomer relationship with shorter term prod- cro Finance Environment ucts and staff training. On the other hand, Other findings include: management suggests that the best way of With so much risk within the micro finance optimising client service is through a real • In terms of risk tools, credit granting pol- environment, internal audit would be in time debtor management system. icies and customer affordability calcula- the best position to provide Management tions together with internal controls and with the needed assurance in an indepen- Increasing the Success of Predicting the debt collecting is rated as being more dent and objective manner by evaluating Outcome of Micro Finance Credit Trans- important than credit scoring models the controls around the key risks. The fol- actions • Respondents are not totally convinced lowing value adding comments should be that traditional banking tools can be noted by Internal Audit. According to management the biggest applied to the micro financing industry predictor of non-payment of new clients is • A real time, effective loan management Internal controls assist in promoting and the level of the client’s disposable income system is seen as being the most ef- providing reasonable assurance of the fol- after living expenses and loan instalments. ficient way to optimise client service lowing: Management also suggest that the num- and reduce risk as compared to decen- • Profitability and sustainability ber of loans and number of judgements tralised credit decisions, cash disburse- • Adherence to management policies are also predictors of the outcome of credit ments to clients, a call centre function • Safeguarding of assets both physical transactions. However, client data totally and centralised credit decisions and non-physical contradicts management in the sense that • External fraud is a much bigger risk • Prevention and detection of fraud and the number of loans and judgements do than internal fraud error not materially influence the outcome pre- • At age of 38 the probability that client • Accuracy and completeness of account- dictions of credit transactions. Client analy- will be good or bad is equal ing records sis suggest that smaller loan amounts on • The probability of debtors going bad as • Timely preparation of reliable financial shorter terms hold much less risk than loans a result of death is less than 1% information with bigger amounts over longer terms. • The probability of clients going for debt • Discharge of statutory responsibilities counselling after they became bad pay- The average good micro finance client in ers is less than 10% A weak internal control system has the fol- South Africa has the following characteristics: lowing evident Key Recommendations to Consider • Lack of segregation of duties • Average age of 42 • Lack of supervisory or internal audit • Average loan amount of R3 450 Micro finance institutions in South Africa monitoring • Average loan term of 6 months need to eliminate the risk of fraud, both in- • Lack of independent verification of • Average number of 25 loans over a pe- ternal and external, as far as possible. This work performed riod of 5 years can be done by investing in staff training, • Lack of good information systems • Has about 2.34 open loans at any stage real time loan management systems and • Lack of senior management to internal • Has an average credit exposure of effective internal controls. The level of cli- controls about R50 000 over a period of 5 years ent disposable income needs to also be more accurately assessed in terms of af- The 3 most critical aspects of micro financ- The average bad micro finance client in South fordability. A credit scoring model is crucial ing operations include: Africa has the following characteristics: to match the correct product with a specific • Human resources client, based on the client’s risk profile. The • Policies and procedures • Average age of 36 term of the loan is the main outcome of a • Information systems • Average loan amount of R6 300 credit scoring model and a good predictor

IA ADVISER April/May 2015 | 17 MICROFINANCING: INNOVATION OR CURSE

Areas of Internal Audit Interest Fraud is often detected by the increase in delinquencies, accounting irregularities and employee tip-offs. FRAUD DETECTION SIGNALS

From a Micro Finance Perspective, Internal Danger Signals Examples of Problems that may Result Auditors should “FOLLOW THE MONEY”. They need to understand the flow of cash in Employee exceeds scope of Individual negotiates contracts and and out of the institution according to the responsibilities assumes responsibility for approving different cycles i.e. revenue cycle, expendi- invoices in order to get kickbacks ture cycle and treasury or finance cycle.

Unusual reduction in or loss of regular Key employee has silent partnership in Key Indications of Problems in Micro Fi- customer business new competitor nance Sector • Over-indebtedness and Regulatory Loan officer also approves a loan Financial information inflated and loans Pressure given in order for kickbacks • Diversifying away from its core client base Employee living beyond his/her means Employee embezzling to support lifestyle • Too strong growth, under-provisioning and mispricing risk

Wayne Poggenpoel CIA, CCSA, CGAP, Technical Committee: IIA SA

Congratulations to CCSA, CFSA, CGAP and CRMA candidates

CCSA Subhadra Ragubeer CFSA Junior Dube Kgomotso Ragoleka Lelane Brits Thakane Rampai Thembakazi Tina Elias Dlamini Elias Itumeleng Ramoganyaka Chanelle Da Silva Samuel Ramuhashi Marco van der Merwe Gary Leong Gary Thakane Rampai Umaira Gani Jeremy Samuel Mark Theo Kruger Heinrich Joodt Heinrich Zubair Sader Nkosazana Joko Solomons Ramoshie Mahapa Unathi Kondlo Sisanda Mahlasela Tebogo Maidi Willie Swart Karen Louw Cecile Louw Fannie Sithole Fortune Mkhabela Mlulasi Zenani Jeremy Sanderson Tuliswa Makoba Thomas Swanepoel Nokukhanya Mlanduli Thapelo Matsapola Jacobus van der Westhuizen Sibongile Motloung CGAP CRMA Bongani Wilberforce Jacques van Zyl Mareda Mphaphuli Jean-Pierre Rossouw Angelique Adams Mbewu Nazir Vanker Sylishna Naidoo Ritesh Patel Kevin Chivere Thokozile Mthembu John Varga Lungile Ngcobo Cynthia Cornelius Mamogobalale Phala Nicolene Waso Ritesh Patel Willem Pieters Thembisile P Zwane

18 | IA ADVISER April/May 2015 THE GREY MATTERS ON ETHICS

reflects what is acceptable in the workplace.

That having been said, there is hardly an issue of a newspaper or a business publication that does not include at least one story about a new or ongoing ethical scandal. One does not need to look far to find such scandals on the international landscape. Think about the corporate failures such as Enron, HealthSouth, MF Global, WorldCom, Parmalat, Qwest Communications and Tyco International and the Ponzi scheme masterminded by Bernard Madoff.

In a recent case in the South African context, a Pinnacle Holdings executive was allegedly involved in bribing a police officer to secure a tender. The executive was accused of offering a R5 million bribe to a member of the South African Police Service to secure a multimillion rand contract. Subsequent to the scandal the company’s share price dropped by more than 40 per cent (Eye Witness News, 2014).

Another scandal involves Aveng, one of The Ethics Challenge This response has had a profound influence several companies in the construction on me, and I have realised that a career as sector accused of engaging in anti- At some time or other in their lives most an internal auditor requires a certain level competitiveness practices by the internal audit professionals have attended of introspection. Competition Commission. The cartel of a lecture on the subject of ethics. This which it had formed part had apparently lecture did not necessarily entail the The challenge in this regard relates to engaged in various collusive practices such science of debits or credits or an intricate the fact that a person’s values and belief as holding meetings to divide markets and understanding of financial concepts but system have to be aligned in some way to agree on margins and plan collusion referred rather to a behavioural attribute or other with the ethical requirements of among firms to create the illusion of that is expected of someone pursuing a the profession. It is not about role playing competition (IIA SA, 2013). career in internal auditing. or separating one’s own values and beliefs from those required by the job. Bribery and corruption continue to occupy Today, the moral ethical bar has been a predominant position today in our raised; there is an expectation that, as an By its actions and its words the internal audit society, ranging from petty bribes to traffic internal auditor, your ethical conduct has to activity must be seen both to be setting officials to significant amounts of money be beyond reproach. Although such moral an example of strong ethics and actively paid as commission to secure tenders. discussions centre on simple qualities such promoting them (Verschoor, 2007, p. 20). Whilst amounts may differ the actions do as integrity and honesty, they nevertheless Personal values can differ widely as they are not, as all such acts fundamentally amount provoke contentious opinions. influenced by a variety of factors including to corruption (Schoeman, 2014, p. 17). upbringing and culture. It is therefore critical What is integrity? This question elicits a to understand that they can differ from The incident that has captured the variety of responses, yet the meaning is the organisational values as well. It then imagination of South Africans countrywide simple: “Doing the right thing even when becomes appropriate, indeed essential, that and has kept everyone talking is the no one sees you.” the organisation espouses a set of values that Nkandla saga, which involves costs that

IA ADVISER April/May 2015 | 19 ATHDVISEE GRERY MATTERS ON ETHICS

have been conservatively estimated Despite the mammoth ethical challenges make unethical choices because they to be in the region of R246 million for faced by organisations, ethics issues are are not certain about what really is upgrading the President’s homestead. not given the platform they deserve; as a the right thing to do. Often, ethical Although the Public Protector has result they are often addressed reactively problems are complicated, and the highlighted a number of irregularities in after the incident has taken place. At times, proper choice may be far from obvious. the project, what lies at the core of this but unfortunately not always, perpetrators • Inadequate recruitment process – Hiring debacle is the improper ethical conduct have to face the costs and consequences of of employees should be based on by various stakeholders. their misconduct (Schoeman, 2011, p. 10) rigorous selection processes including background and reference checks. The Consistent with the view expressed by the Having said this, one does not need to feedback received from this process is Public Protector, the City Press newspaper occupy the CEO’s chair to realise that there fundamental to identifying the kind of (Du Plessis, 2014) reports, “Zuma and his is a problem with ethics in general and, candidate an organisation is looking to ministers should have acted when the to assume that the public sector alone hire. Mail & Guardian blew the whistle in 2009 is corrupt to the exclusion of the private • Tone at the top – The effects of bad on the R65 million the project cost at the sector, would be inaccurate. leadership cannot be over-emphasised. time, but the spending increased after that. Employees look up to their leaders Zuma violated the Executive Ethics Code Ethical issues occur in both the public and and when they model a wrong ethical by failing to contain state spending and the private sector in South Africa, although behaviour sooner or later employees benefiting from it. He wore two hats.” it some areas they are perceived to be inevitably begin to drop their ethical subtle and more pervasive. Whatever the standards and model the unethical Referring to the high levels of corruption case, the extent of the problem cannot be behaviour being projected by leaders. in the public sector, the Public Protector denied; news reports of corporate scandals • Pressure to perform/succeed in order asserted that “the corruption in this country and fraud are testament to the pervasive to be incentivised notwithstanding the has reached crisis proportions there is no nature of the problem in both sectors. ethical challenges – A bonus/incentive- two ways about it” (Madonsela, 2013) driven culture may also impact on how Identifying the problem is only the first step, ethically individuals perform their work. Organisations all over the world, regardless however equally important is to critically Are businesses setting realistic targets of size, are at some time or other faced analyse the root causes of this problem and or are they setting targets that are not with unethical business practices. Business to identify the influencing factors. easily achievable? ethics are compromised by upper and • Unrealistic targets – There is a perception lower management alike and, owing to Potential Causes of the Ethics that once employees perceive the prevalence of the problem, the need Dilemma the targets set to be unrealistic or for organisations to deal with ethical issues unattainable, the default behaviour is has become a global priority. Hofstee (2009, p. 162) points out that when that employees begin to breach ethical proposing a sound argument, related boundaries to somehow reach targets Ethical behaviour lies at the roots of the questions often arise and it is in this way in order to be incentivised. corporate scandals we read about daily. that new research is developed. • Self-interest/personal gain – Some However, despite the immense efforts made What one needs to ask here, perhaps, is people do not just do something wrong by corporations to distinguish between whether organisations are creating an in a weak moment or because they are what is acceptable and unacceptable, right environment that is conducive to an ethical not sure about what the right thing to and wrong there are often practices that culture and whether business is essentially do is. Self-interest and personal gain is enter the grey areas. a crucial element of the problem. To be just two of the reasons for a great deal more precise, one should ask whether the of the unethical activity in business. Very often management is faced with board and management have instilled the • Lack of or poor consequence manage- choices that require them to make decisions right ethical culture. ment – This plays a role in raising the that have no clear cut resolution and are ethical bar or dropping it. Failure by extremely problematic. Consequently, they The following are some of the common management to act decisively and hold are likely to find themselves confronted reasons why employees breach ethical employees accountable for their un- with ethical dilemmas (Ehrich, Cranston, & standards: ethical conduct projects an incorrect Kimber, 2003, p. 4). • Lack of ethical standards – Some people message.

20 | IA ADVISER April/May 2015 THE GREY MATTERS ONA DVISEETHICRS

The Role of Internal Auditors in Accordingly, internal auditors are required that are geared to achieving the right level creating an Ethical Culture to play an active role in support of an of ethical compliance. organisation’s ethical culture, in the main Edmund Burke, the Irish political because they possess high levels of trust Making an equally valid point, Schoeman philosopher, once said “All that is necessary and integrity in the organisation and have (2012) argues that in order to make an for the triumph of evil is that good men do the skills required to be effective advocates impact ethics needs to extend beyond a nothing.” of ethical conduct (Verschoor, 2007, p. 20). mere “tick box” compliance aiming only to meet the minimum requirements; instead an Therefore, having identified the extent of the Moreover, there are sound arguments to organisation should strive to build genuine ethical challenge and its influencing factors support the idea that internal auditors are commitment to doing the right thing. it is perhaps also prudent to ask what value uniquely qualified to play a critical role internal audit can provide in ensuring that in performing ethics audits, as they are In support of the ethics efforts being organisations have the right ethos. well positioned within the organisation to undertaken by organisations, Verschoor maintain independence and objectivity (2007, p. 21) highlights that internal audit In an attempt to answer this question, (Boyle et al., 2011, p. 3). should evaluate the effectiveness of the Elmore (2013, p. 51) points out that ethics following features which are indicative of a influences everything else, such that Taking all the above factors into highly effective ethical culture: while an audit finding may have nothing consideration, internal auditors have the to do with fraud or illegal behaviour, competence, capacity and independence • A formal code that is clear and the audit may still have a positive effect necessary as well as being positioned to understandable on the organisation’s ethical culture. appeal to enterprise leaders, managers and • Frequent communication and Elmore further argues that ethics is not an other employees to comply with legal and demonstrations of expected ethical isolated issue which is exclusive of other ethical responsibilities. attitudes and behaviours by leaders things. Just the mere fact that employees • Explicit strategies to support an see their management implementing What is an Ethics Audit and why is enhanced ethical culture with regular recommendations from internal audit can it Important? programmes to update and renew influence their behaviour. commitment to an ethical culture Unlike a number of audits performed • Several easily accessible ways for Internal audit can therefore assume a by internal audit, ethics audits are people to report allegations relating number of roles as a champion for ethics. somewhat different and more complex. to the ethical code, policies and acts of These roles include ethics officers, members The challenge is that the actual test is not misconduct confidentially of the internal ethics council or assessors of based on common controls and providing • Regular declaration by employees, the organisation’s ethical climate. management with an idea of how effective suppliers and customers that they are they are, but rather such audits involve an aware of the ethical requirements It is thus necessary to understand that assessment of much “softer” controls which • Clear delegation of responsibilities to internal audit as a profession has a crucial are rooted in intangible yet critical things ensure that ethical consequences are role to play in ethics. A number of surveys such as integrity and ethics that steer evaluated, confidential counselling conducted by internal auditors have found people in the right direction. provided, allegations of misconduct that companies focus little attention investigated and case findings properly on the issue of ethics, which has been a An ethics audit primarily assesses an reported fundamental contributor to some of the organisation’s ethical climate, which • Easy access to learning opportunities recent corporate scandals. includes the tone at the top and the to enable all employees to be ethics effectiveness of the organisation in advocates According the IIA 2010 Global Internal Audit achieving the desired level of legal and • Positive personnel practices that Survey, in response to this challenge internal ethical conduct (Boyle et al., 2011, p. 4). encourage employees to contribute auditors are now required to focus less on towards the ethical climate internal controls, operations and compliance Verschoor (2007, p. 21) points out that at the • Regular surveys of employees, suppliers and to place greater emphasis on corporate very least the internal audit activity should and customers to determine the state governance, risk management and ethics audits periodically assess the state of the ethical of the ethical culture (Boyle, Hermanson, & Wilkins, 2011, p. 3). climate by reviewing the effectiveness of the • Regular reviews of formal and informal strategies, processes and communications processes that could potentially create

IA ADVISER April/May 2015 | 21 ATHDVISEE GRERY MATTERS ON ETHICS

pressure and bias that could undermine with the desired ethical values. internal audit function is well positioned the ethical culture Step 4 – Plan the ethics using a risk- to partner with organisations on this • Regular reference and background based approach consistent with the COSO journey. checks as part of hiring procedures Enterprise Risk management framework. Step 5 – Conduct a structured entity Winston Churchill said “To each there In addition to the Verschoor’s views, Boyle level interview or entity-wide surveys to comes in their lifetime a special moment et al. (2011, p. 5) highlight seven practical evaluate and assess whether values set by when they are figuratively tapped on the steps for complete an ethics audit: top management align with the views of shoulder and offered the chance to do a employees at all levels of the organisation. very special thing, unique to them and Step 1 – Educate top management, as well Step 6 – Report the results to the fitted to their talents. What a tragedy if as the board and audit committee on the appropriate accountable parties. that moment finds them unprepared or value of an ethics audit and obtain their Step 7 – Monitor actions and plans put in unqualified for that which could have been support. Though there may be some level place to address areas of improvement/ their finest hour”. of resistance it is important that senior remediation. management be informed throughout the In light of these words, it is worth process to ensure they are comfortable and Conclusion mentioning that internal auditors are the supportive. gatekeepers of ethics. They are the moral Step 2 – Interview the senior management, It would be naïve to conclude that the compass of an organisation and very often board and audit committee to determine the ethics problem is not pervasive. It is they are presented with a rare opportunity ethical values desired by the organisation. furthermore undeniable that the world at not granted to many; that is, to have the Internal Audit should be mindful that some large is facing many ethical challenges. The right audience and be provided with a of these values may be contained in the ethical scandals highlighted in this article platform to raise critical ethical concerns organisation’s code of conduct. are just some examples attesting to the – failure to seize this moment would be a Step 3 – Identify and assess the organisa- extent of the problem globally. However, tragedy. tion’s risk associated with non-compliance although the challenge is immense, the

References

Boyle, D. M., Hermanson, D. R., & Wilkins, A. (2011, November/ IIA SA. (2013, November 11). www.iiasa.org.za. Retrieved April 23, December). Ethics sudits: Implications for internal audits. Internal 2014, from Institure of Internal Auditors South Africa: http://www. Auditing, pp. 3–8. iiasa.org.za/?page=Opinion_pieces

Du Plessis, C. (2014, March 19). City Press. Retrieved May 5, 2014, Madonsela, T. (2013, October 14). ENCA. Retrieved March 26, from www.citypress.co.za: http://www.citypress.co.za/politics/10- 2014, from www.enca.com: http://www.enca.com/south-africa/ things-worth-knowing-madonselas-nkandla-report/ madonsela-warns-sa-corruption-crisis-levels

Ehrich, L., Cranston, N., & Kimber, M. (2003). Griffins University. Schoeman, C. (2011, October-November). Recovering from ethical Retrieved March 25, 2014, from www.gu.edu.au: http://eprints.qut. failure. Directorship, pp. 10–11. edu.au/1388/1/1388_2.pdf Schoeman, C. (2012, June). Ethics Monitor. Retrieved August 29, Elmore, T. P. (2013). The role of internal auditors in creating an ethical 2014, from www.ethicsmonitor.co.za: http://www.ethicsmonitor. culture. The Journal of Government Financial Management, 49–53. co.za/Articles/saying-and-doing.pdf

Eye Witness News. (2014, March 27). Eye Witness News. (C. Wynn, Schoeman, C. (2014, February/March). Why corruption costs? Editor) Retrieved March 28, 2014, from www.ewn.co.za: http://ewn. Business Brief, p. 17. co.za/2014/03/27/Pinnacle-CEO-says-bribe-claims-a-surprise Verschoor, C. C. (2007). Ethics and compliance: Challenges for Hofstee, E. (2009). Constructing a good dissertation: A practical internal auditing. Florida: The Institute of Internal Auditors Research guide to finishing a master’s, MBA or PhD on schedule. Sandton: Foundation. EPE.

Thapelo Modisagae CIA, CRMA, CCSA

22 | IA ADVISER April/May 2015 QUESTIONS THE AUDIT COMMITTEE SHOULD ASK ABOUT IT Image courtesy of www.freegreatpicture.com/

Gary Hardy is the owner of IT Winners, an IT tioned that this approach is not correct as it • Is the organisation compliant to other company that is based in Cape Town. Gary compromises the quality of oversight that Regulations? has got over 30 years of experience in the IT the audit committee ought to provide. He • Is the organisation making efficient use industry, is recognised globally as a thought put emphasis on the necessity to change of the resources (budgets, information leader and expert in business and IT perfor- the attitude that ‘IT is enterprise-wide and systems)? mance improvement. He is a long standing not just for the IT function or just for IT Au- • Is the organisation making the right de- and past board member of ISACA, is one of dit’. Explaining about the pervasiveness of cisions and generating a ROI? the originators of the COBIT® framework IT, he shared insight on how the informa- and has been a contributor to COBIT since tion systems are not only being used as In the 21st century, it is really about time its inception in 1992. He is a lead developer enablers to business but are built into the that IT is not done at the level of scratch- of COBIT 5. Gary started off the presenta- strategy of the business. The relevant ques- ing the surface but to the deepest level. tion by explaining the pervasiveness of tions to be asked at this level in order to en- This can only be achieved if IT is collectively IT as it is part of every strategic objective, able management and/or audit committee embraced by auditors, management and critical to support business operations and make informed decisions are as follows: the IT department. Findings must be scru- integral to all business activities. IT extends tinised, unpacking the root causes and not beyond the enterprise to stakeholders and • Who is accountable for business and IT just symptoms. Real causes of the findings business partners. alignment? that auditors raise must be analysed, ac- • How flexible and reliable are the informa- countability for addressing the root cause He shared his observation that most peo- tion systems in enabling the organisation must be allocated; the real business impact ple wonder how success can be achieved reacts timely to new opportunities? of the finding must be quantified and/or with IT demands resulting from changes in • Is the service levels acceptable (quality, illustrated. It is pointless to raise findings culture and mind-set. This is the case with reliability and availability)? that do not serve stakeholders or just low even executive and senior management, • Is the network security adequately pro- level impact on business objectives. When they employ consultant to carry out IT tected? IT audits are conducted, the recommenda- technicalities and just hope that those con- • Is the organisation compliant to the tions must be practical and solution-driven sultants know what they are doing. He cau- POPI Act? to the buyer of the solution (audit clients).

IA ADVISER April/May 2015 | 23 AQDVISEUESTIONSR THE AUDIT COMMITTEE SHOULD ASK ABOUT IT

Accountability for IT tively, the most effective and efficient the organisation. The same goes for main- sourcing options should be identified and tenance, the IT systems do need ongoing The business should take ownership for IT- as such; the IT operational budget must be maintenance which includes removing related decisions and key role players for challenged and optimised. Establishing the program and design errors, updating docu- strategic IT decisions should be known and frequency and extent to which IT-related mentation and test data and updating user accountable. King III places IT governance projects go over budget. The amount of IT support. This is particularly important as it in the hands of the board of directors. This effort that goes to firefighting rather than allows the IT function to adapt the IT system makes sense as this is where the strategy, enabling business improvements must be to suit the functional needs. The leadership investments, architecture, service levels quantified and substantiated. Businesses must understand IT otherwise tracking IT are managed. It also shows how much of need to learn to get more value from IT for performance becomes overwhelming. The a strategic partner IT should be. Decisions less cost “more for less” through simplifica- IT performance report must also be under- should be made on whether the CIO and tion, standardisation and maturity. It is not standable to the business, to enable EXCO IT management team may make decisions incorrect to state that one of the greatest to monitor IT performance. IT strategy by default. The adequacy of governance advantages of IT is cost reduction and in- must be linked to the strategic objectives structures should also be evaluated. There creased agility. of the business. IT performance should be should be adequate governance of IT struc- monitored through service levels, invest- tures in place; these include committees, IT Operations - reliable and ment returns, incidents and costs that have policies, frameworks, processes and proce- secure been saved. The CIO must be able to act as dures. The governance structure should be a bridge to business management and not effective as well; this means that the Board Even when one is not an IT expert, there are be a barrier to business understanding. and Exco must have IT on their agenda. some factors that can be looked at to assess IT Operations for reliability and security. Managing Supplier or third The organisation must also implement a Firstly, the robustness of the IT operational party Risk? certain framework when it comes to IT gov- processes, how well reliable the infrastruc- ernance. The adoption of the COBIT5 has ture is and whether the organisation has The audit committee must scrutinise the been noted in the past few years by many got an old legacy systems. It is not good to balance in dependence on external IT ser- organisations. However, adopting COBIT hang on to old systems even when there vice providers (Black Box Management). IT framework is not all; the organisational are better ways to maximise efficiencies. outsourcing agreements should be man- leadership should ensure that IT risks are It is also not particularly good to always aged well, just like any other contractual ar- understood in an organisation. IT-related acquire new systems for the sake of early rangement; ensuring that the organisation risks must be recorded in the business risk adoption. The IT systems are very expen- obtains assurance over the performance register and be expressed as business risks. sive and should be changed when it is ben- of the external IT service provider. The The risk committee must monitor IT-related eficial to do so. There sometimes is heavy provider’s operations should be tested for business risks the same way it manages reliance on modified systems such as SAP security and reliability as the organisation other business risks and understand likely and vendors; this too should be managed still has to comply with applicable rules IT risk scenarios. It has been noted in the as there could be a downfall to it. The or- and regulations. Questions about security, past that IT is treated as a special area and ganisation should have adequate technical privacy and reliability of the IT processes management often shy away from asking skills in order to support and maintain the of the business partners should also be questions that are IT related. This should IT systems. Each year the business depends raised; these have the potential to expose not be happening at this time as most busi- more and more on IT, yet many enterprises risks on business transaction and compro- ness processes are being automated. IT under invest in maintenance, processes, mise integrity and confidentiality state of risks are just a subset of a business risks and knowledge management and training; information. It is quite shocking to hear in- are becoming more and more relevant as leading to dependency on other businesses cidents where the service provider’s system the technology is being the centre of busi- for these critical processes. When IT invest- was down and that business could not be ness. There should be adequate IT financial ment is being made, all aspects must be carried out. The contractual terms should controls, acquired in a cost-transparent carefully analysed. Businesses can acquire mention system availability as basic; it does manner. the best system but if there is inadequate not make any business sense to pay for ser- training of IT specialists, there is not much vices that are not able to support the conti- IT resources must be sourced cost-effec- support that the IT function may provide to nuity of the main business.

24 | IA ADVISER April/May 2015 QUESTIONS THE AUDIT COMMITTEE SHOULD ASK AABOUTDVISE ITR

What IT is all about

Risks Incidents Trust ROI

Costs Failures Benefits Transparency

He concluded by remarking that IT Audit goals and metrics that are used as perfor- the findings must be evident that auditors should delivering value and must be evident mance measures. IT Audit procedures must are measuring the right things. Repeating the that it is yielding positive ROI. There must be also be integrated into general or business same findings every year serves no purpose business improvements as a result of IT audits; audits. Communicating audit reports must when the same IT issues are reported on but these may be defined IT Audit performance be done using the business language and are not being measured.

DO YOU HAVE A FEW MINUTES TO SPARE?

The IIA SA has created a presence on various social media platforms where members can engage with each other, view current articles, and information on IIA SA news and networking events.

We encourage you to join in on discussions; share your thoughts and comment on various topics, articles and photo albums.

Click the buttons below to join the conversation.

Please note that to access these profiles, you need to have an existing Twitter / Facebook / LinkedIn personal profiles.

IA ADVISER April/May 2015 | 25 Corporate SA is still failing to include women

The empowerment movement gained im- petus under previous minister of women, children and people with disabilities, Lulu Xingwana, when she introduced the Wom- en Empowerment and Gender Equality Bill.

The bill annoyed many, especially those in business, who called it impractical and costly.

The bill lapsed when Xingwana left and was replaced by former minister of mineral resources Susan Shabangu.

Parmi Natesan, an executive at the Insti- tute of Directors in Southern Africa, said Image courtesy of suphakit73 FreeDigitalPhotos.net at there were a number of things that could be done to improve gender diversity on Country is woefully slow to transform its of CEO and managing director positions boards. corporate boards and is not taking into are occupied by women. consideration research that shows that “We need to get the word out to boards when you have women on boards, deci- A higher percentage – 21% – of women are and shareholders about the benefit of hav- sion-making improves found in the positions of chief financial of- ing women on boards, and not just as a ficer, while 26% of human resource execu- check list exercise. Activists campaigning for the greater par- tive jobs are occupied by women. ticipation of women on the boards of listed “Research has shown that when you have companies have lowered their sights and The report also showed that 23% of listed women on boards, decision-making im- are now fighting for 30% female represen- companies have no women in senior man- proves,” said Natesan. tation in South Africa. agement positions, up from 21% in last year’s report. A 2013 report by research firm Catalyst This month, Germany became the latest Eu- made a business case for having more ropean country to pass legislation requir- Shannon Smith, director of advisory ser- women in senior positions and on boards. ing major companies to allot 30% of seats vices at Grant Thornton KZN, said there was on nonexecutive boards to women. room for improvement in South Africa. Among the benefits were improved financial performance and better corporate Germany joined countries such as Norway, “The percentage of women in senior governance for companies that had more France and Spain in introducing the quota management roles in South Africa is inad- women. system. equate. “If an economy is only using half of its most According to a report released by Grant “The gender bias is subtle at the beginning talented people, then it immediately cuts Thornton this month, when it comes to rep- of a career, but it causes a clear separation its growth potential,” said Smith. resentation at board level in South Africa, of career paths between men and women. only 15% of directors in listed companies South Africa has a fine tradition of strong “Women also control a large portion of are women. women in business and female political consumer spending globally. So they have leaders, but there is still much room for im- an understanding of what consumers want The representation of women in senior provement,” she said. and so should have a representation on management roles is at 27%, while only 7% these boards,” added Natesan.

26 | IA ADVISER April/May 2015 CORPORATE SA IS STILL FAILING TO INCLUDE WOMEN

The Grant Thornton report also showed Proportion of senior management roles held by women that among the South African companies that were sampled, only 48% would support the introduction of quotas for the number of women on executive boards of large listed companies, a big drop from 60% in 2013.

Although City Press tried to contact Sha- bangu, she was unavailable for comment as she was in New York. However, in a recent speech, she said 30% female representation was not ambitious enough and 50% was what women should be aiming for.

“If you look at countries that have a significant proportion of female representation on boards it is those countries that have quotas already,” said Natesan. But she added that the use of quotas did represent a unique challenge. “If we don’t Source: Grant Thornton International Business Report Graphics24 have quotas, we might not come right. “However, the risk of quotas is that it will be about ticking a box and men saying But she also cautioned that women should South Africa started its own 30% Club women were chosen based on their gen- not sit back and wait for opportunities. chapter in September 2013 and it has been der and not merit, similar to some of the endorsed by Business Unity SA (Busa). effects of BEE.” Phala said: “The Employ- “If you [as a woman] think you can add ment Equity Act provides clear penalties value to a board, get governance training “We agree that the level of transformation for noncompliance with measures aimed and network.” is not satisfactory, particularly for black at achieving affirmative action; it’s not women and women with disabilities,” said our view that additional penalties will im- Meanwhile, women in business have also Vanessa Phala, executive director at Busa. prove compliance. started a lobbying effort in the form of the 30% Club. Its objective is to provide best “What is needed to drive workplace gen- “What would improve compliance is the practices for gender mainstreaming in the der transformation are real organisational commitment from business leadership to South African private sector. transformation interventions that move embrace and champion transformation.” away from numbers and percentages, but Shabangu also said her department was The organisation also wants to ensure 30% emphasise real transformation. planning to convene national and provin- female representation in senior manage- cial dialogues between now and June to ment by 2018. “This includes making sure companies discuss steps towards the attainment of have proper plans to build their pipeline of female empowerment and gender equal- The 30% Club concept came about as a young women, supporting capacity-build- ity in the country. This will contribute to result of a conversation between Helena ing initiatives and most importantly, creat- the development of a report on the sta- Morrissey, CEO of Newton Investment Man- ing spaces and an enabling environment tus of women that will be released on Na- agement in London, and member of the UK for women to take over senior and execu- tional Women’s Day on August 9. Labour Party Mary Goudie about how few tive positions.” women were making it into top positions.

This article was first published on City_Press, 23 March 2015 7:00 by Mamello Masote

IA ADVISER April/May 2015 | 27 feedback from the 2014 National conference

The conference featured several prominent speakers and experts in the fields of internal auditing, governance, risk management and business. A brief summary of selected topics follows.

DAY 1 - MONDAY, 11 AUGUST 2014

Africa’s rightful seat in the Global Leadership Arena Minister Nhlanhla Musa Nene, Minister of Finance of South Africa

Nene confirms a “season of great ing below their potential. This depresses de- tent labour strikes, Nene says that govern- hope and promise for Africa”. mand for local exports, and is adversely af- ment continues to work hard “to improve fecting SA’s ability to grow. The United States’ business conditions by releasing supply side Finance Minister Nonhlanhla Nene was the so-called ‘tapering’ policies will most likely constraints, improving policy alignment and keynote speaker at the IIA SA national confer- increase the cost of borrowing for emerging policy certainty”. He cited government’s plans ence in August 2014, addressing the topic of economies such as South Africa. Compound- to improve the socio-economic conditions in Africa’s rightful place in the leadership area. ing the situation, is the slower growth and mining towns as one such intervention. In a detailed and informative talk, the Minis- expansion in emerging markets which has ter explained why he agreed with President negatively affected the international price of Minister Nene again reminded the audi- Jacob Zuma that “it is truly a season of great our export commodities, thereby leading to a ence that the National Develop Plan is gov- hope and promise for Africa”. The President deterioration of our terms of trade. ernment’s blueprint to address pressing had conveyed that sentiment the previous socio-economic challenges. In this regard, week in his address to the national press club The Minister acknowledged however that the government has adopted the Medium Term in Washington DC. greatest challenges to economic growth are Strategic Framework (MTSF) in order to align largely domestic. It is well known that “supply the work of government at national, provin- Minister Nene focussed at length on the state side disruptions” (read labour unrest) have cial and local government behind a single of the domestic economy and government’s plagued the economy over the last few years, coherent program. The MTSF is essentially plans to improve the country’s economic per- weakening confidence and lowering levels of government’s implementing program for formance. In his honest talk, he frankly paint- investment and household consumption. the first five years of the NDP. The focus of the ed a somewhat bleak picture of the economy MTSF is not so much on new programs, but and the challenges faced by government in Nene admitted that current economic growth rather on improving the implementation of attempting to improve the situation. is simply not enough to address the chal- existing policies. lenges of poverty and unemployment, which Minister Nene pointed out that the global has increased to 25.5%. Moreover, despite Shifting focus to Africa, Minister Nene noted economy continues to strengthen, albeit that low economic growth, consumer inflation is that over the past 20 years SA’s economy has uneven and downside risks still remain. Very rising and is currently at 6.6% (well above the become inextricably intertwined with that of recently, the IMF revised its global forecast for Reserve Bank’s target range of 3.26%). the rest of the continent. “Macroeconomic economic growth from 3.7 to 3.4% for 2014. Faced with a sluggish economy, higher infla- stability, political reform, favourable demo- Unfortunately, many economies are perform- tion, loss of business confidence, and persis- graphics and stronger institutions” he said,

28 | IA ADVISER April/May 2015 FEEDBACK FROM THE 2014 NATIONAL CONFERENCE

have transformed Africa into a rapidly grow- of Africa. This would be mutually beneficial the lack of project preparation funding. The ing region that is attracting more investment. in terms of long-term growth prospects and New Development Bank’s operating model Economic growth in Sub-Saharan Africa is providing tax revenues, profits and dividends will include a project preparation facility, and expected to accelerate to 5.5% in 2014. High to the receiving country as well as SA. will place special focus on regional cross bor- growth sectors such as technology, telecom- der projects in energy, transport and logistics. munications, financial services and retail are On a global scale, Nene believes that the ini- These infrastructure projects, he says, will showing even more pronounced growth, tiative by the five BRICS (Brazil, Russia, India, “boost intra- African trade and unleash the po- leading Nene to affirm that “Africa is indeed China and South Africa) countries to launch tential of the continent to grow even faster”. rising!” the New Development Bank will benefit SA and the rest of the continent. As a potential According to Nene, SA’s membership of Africa’s share of FDI is also rising and SA in- borrower, SA can use the bank as an alter- BRICS, and the country’s ascension to the vestment into other parts of the continent native source to fund its local infrastructure group of Finance Ministers and Central Bank had double to around R30 billion by 2012. programs, as well as regional integration proj- Governors of the G20 are amongst the most All these trends point to a ‘virtuous cycle’ of ects. The New Development Bank could very important achievement of the post-apartheid increased investment and economic growth well solve Sub Saharan’s funding gaps, which era. These developments have affirmed that supported by growing consumer demand limit its growth potential. It is therefore help- while SA may not be one of the biggest eco- for goods and services. In contrast, wages ful that the Bank’s regional centre will be lo- nomic powers in the world, we are neverthe- and consumption has stagnated in Europe cated in Johannesburg, as many of its clients less a ‘significant player’ in the global system and America. According to Nene the SA gov- will be from the region. There are a number of financial and economic governance. As ernment is committed to supporting the ex- of potential infrastructure projects on the such, SA will continue “to amplify the African pansion of South African firms into the rest continent that have not been realised due to voice”. DAY 1 - MONDAY, 11 AUGUST 2014

Your Brand, Your Credibility Nicola Rimmer, Vice President: Barclays Internal Audit and President of the IIA UK

What do people say about you become more desirable now that so much As with leading brands, a great personal when you leave the room? more is expected of internal audit. Gone brand is sure to impact positively on stake- are the days of internal auditors being mere holders and clients. Using well-known In a lively and engaging talk, Nicola Rimmer bean counters. These days they are increas- brands such as Intercontinental and Nan- informed internal auditors at the IIA SA annu- ingly seen as trusted advisors with business dos as examples, Rimmer said that the first al national conference in August, why it is im- acumen that management can rely upon. thing to do is to clarify what your personal portant for them to build their own personal The credibility of internal audit is always brand stands for, and then to show the brands. Rimmer, who is Vice President of Bar- at stake when interacting with key stake- world what that brand represents through clays Internal Audit, as well as the President holders. Beyond that, the internal auditor’s everyday interactions. of the IIA UK, drew upon her own personal personal brand also determines his or her experience as the leader of a large team of credibility amongst their peers. Therefore Rimmer’s favourite definition of a personal internal auditors in the United Kingdom. how auditors present themselves and how brand is “what people say about you when She explained that personal branding has they are seen matters. you leave the room”. For better or worse, we

IA ADVISER April/May 2015 | 29 FEEDBACK FROM THE 2014 NATIONAL CONFERENCE

all have a personal brand - often by default core strengths and key values, and then act in This practice involves tricking the body rather than by design. The way we speak, act accordance with those qualities. into secreting more hormones such a tes- and otherwise engage with the world creates tosterone to boost confidence. By striking an impression in the minds of others. Person- Equally important is the first impression that universal poses that innately represent al branding is simply the intention to mould is created. Internal auditors would do well to confidence – such as arms outstretched in that impression in a more deliberate way. remember that their stakeholders and clients the ‘Yes!’ or ‘victory’ pose, one immediately may already have preconceived views about feels more positive and confident. Rimmer According to Rimmer an internal auditor’s them based on their stereotypes about the urged the audience to watch Amy Cuddy’s personal brand should have two layers, so profession. They may think for instance, that TED talk on Your body language shapes to speak. The first layer is the internal audit internal auditors are ‘dry as a stick without any who you are to learn more about power brand itself, based on common characteris- real relevance’! The manner in which an audi- posing. tics or values associated with the profession tor dresses, greets, speaks and acts can im- such as independence, integrity, objectivity mediately debunk any negative stereotypes. Once a personal brand has been developed, etc. Overlaid upon those brand attributes, are Confidence is the key to being respected and it is critical that there is congruence between the individual’s own personal top qualities or trusted. Real confidence is usually based on the brand’s promise, that is, what you say you beliefs. Using herself as an example, Rimmer knowledge, experience and insight. Where are and what you do. It is vital to deliver on says that she positions herself as a great com- that is lacking, especially with junior internal your promises, be they overt or implied as municator. She communicates clearly what auditors, Rimmer suggests that they “fake it your brand could be tarnished by inconsis- she sees as the risks an organisation faces, and till you make it!” By acting as if you already tent behaviour. A reputation can also be de- then she also communicates clearly the solu- are mature, insightful and knowledgeable, a stroyed by a social media profile that conveys tions she proposes. And thus she is known for young internal auditor is more likely to get a a contradictory image to that of the internal being a pragmatist and a great communica- positive reception. auditor as a professional. Once credibility has tor. She would not, however, present herself been lost, it is extremely difficult to restore it, as a technical expert because that is not her One trick that Rimmer shared with the au- and all the work done in building a personal major strength. It follows therefore that the dience to fake confidence is to engage in brand will come undone. internal auditor should base his brand on ‘power posing’ just before a big meeting.

DAY 2 - THURSDAY, 12 AUGUST 2014

Hacktivists and cyber espionage Willem Mouton, Senior Analyst: Sensepost

Coming from a security consulting company (whether a political/religious view etc) via specialising in offensive security via simu- computers, digital media, and networks, He continued that the main motivation be- lated attacks and penetration testing (i.e. at- the presenter explained how hactivism can hind hactivism is typically the desire to drive tempted application and network break-ins), be used to promote civil disobedience or one’s point across. Hence, this would not be Sensepost’s senior specialist, Willem Mouton even personal gripes against a company. He done under the cover of darkness, as anyone addressed hactivism and cyber espionage at stressed, though, that not all hacking is bad, wanting to do this is going to want to make it the 17th Southern African Internal Audit Con- indicating how a lot of countries have come as public as possible. It can be as simple and ference. Acknowledging that security and risk, to the realisation that hackers can be benefi- straightforward as defacing a webpage or in terms of IT infrastructure, were initially not cial to their companies. Citing Google and Mi- more extreme such as a case of information considered to be a priority, he has noticed that crosoft as examples, he described how some leakage. The point that people are trying to that thinking has rapidly been changing over companies have bounty programmes that bring across with hactivism is that they can the years. Now quite a hot topic, hactivism and pay people to look for bugs in them. This is cause public embarrassment, and essentially, cyber espionage have become real and preva- not surprising given how many vulnerabili- data breaches. Thus, the risks involved with lent issues; however, often going undetected. ties exist as evident via the recent hackings companies are firstly reputational because A means of propagating one’s message that took place on Facebook and Twitter. though it may not necessarily affect a com-

30 | IA ADVISER April/May 2015 FEEDBACK FROM THE 2014 NATIONAL CONFERENCE

pany’s ability to function (typically data is not move is, whether it is in acquisitions, mergers, creative the hackers get. compromised because that data is hosted or project launches etc. In terms of govern- somewhere else), it can still impact customer ment, for example, if one knows what his com- The presenter described another recent expe- perception by portraying the company as petitor is doing with regards to military and rience where during an internal assessment one that is vulnerable to sabotage. strategic planning, a response can be tailor for a mining company he had asked the risk made to combat that move. manager if there was any sensitive informa- Normally, except if they are attacking a spe- tion that the company wouldn’t want in the cific company, hactivists don’t have a particu- Competitive edge has been seen a lot lately public eye to which the manager didn’t be- lar target in mind; they will basically scour the especially with big corporates going after lieve that there was any, stating that this was internet for whatever they can hack which is one another. At a vehicle tracking company, a public company and all their information as easy as doing a Google search for specific recently, he realised that that some of the is made available. After some digging, how- components, frameworks, or exposed port- competitors were gaining access to the cus- ever, the presenter discovered an email chain lets and then using some common vulner- tomer base which is an inside information talking to strike action discussion which indi- abilities, misconfigurations or known applica- risk. The presenter stressed that this is one cated how far the company was willing to go tion flaws to gain access. thing that people need to understand; that in terms of increase, as well as dates and de- the biggest threat is not usually the anony- tails of what they would do after the strikes; Bringing in the other side to this coin, the mous threat from the outside but typically all information they would likely not want in presenter then talked to the topic of cyber the people working in the inside. the hands of the unions. How much would espionage, describing it as the simple act of unions pay for that information? Hackers can spying. As soon as people started competing In modern boardrooms today there is typi- make a lot of money selling such information with each other, the ability to know what the cally some sort of computer system, audio vi- to the competitors wanting to have the up- other was doing became key and lately this sual presentations, or webcams which are all per hand on their opponent. has become a lot more pronounced. Cyber easy to take control over. As soon as anyone espionage is exactly the opposite of hactivism plugs into a network they can be anyone they In conclusion, the presenter emphasised that where with the latter one wants to publically want to. People think hacking is like a mission treats are real. He added that risks are hard to humiliate or embarrass a target, with cyber es- impossible scenario but it’s really as simple as define but it is also a matter of perception, as pionage, stealth is key; one does not want to using a memory stick. People spend millions what may seem useless today might be gold be detected so to remain on a network as long on implementing data loss prevention (DLP) tomorrow. Security is not a destination that as possible. The driving force behind cyber systems but hackers can just break data into you arrive at; it is actually a constantly evolv- espionage is the same as it has always been: tiny bits via DNS requests and reassemble it ing process. Attackers have it easy, defenders Knowledge is power. Competitors would give on the other side, which DLP can’t catch. The have it hard as they have to be lucky every anything to know what their opponent’s next more advanced the defenders get, the more time, hackers only have to get lucky once. DAY 3 - WEDNESDAY, 13 AUGUST 2014

Role of oversight bodies in protecting whistleblowers Prof Deon Rossouw, CEO: Ethics Institute of South Africa

South Africa has the best whistle-blower leg- Speaking at the IIA SA annual national confer- rates South Africa’s Protected Disclosures Act islation in the world, yet individuals are too ence in August, Prof Deon Rossouw cited the as the best of its kind globally. Prof. Rossouw, afraid to blow the whistle on wrongdoing. DLA Piper Whistleblowing Report 2013 which CEO of the Ethics Institute of South Africa,

IA ADVISER April/May 2015 | 31 FEEDBACK FROM THE 2014 NATIONAL CONFERENCE

also cited his organisation’s own research authority, an exchange, a legal adviser, a di- The mandate of this committee is focused study (SA Business Ethics survey 2013), which rector, a prescribed officer, company secretary, primarily on social rather than ethical issues, looked at the ethical culture in JSE listed auditor, board or committee of the company and it would be quite a stretch to imagine companies. The following results show the concerned” that oversight of whistle-blowing practices reasons why employees do not report cor- are also included in its mandate. According ruption and other impropriety: The Companies Act [S 159 (7)] further stipu- to Rossouw, it has nevertheless become best lates that: practice amongst most JSE listed companies Thought someone else would A public company and state owned company to voluntarily expand the SEC’s terms of ref- 30% report it must directly or indirectly – erence to include a governance/ethics man- (a) Establish and maintain a system to re- date that typically includes the following Don’t want to report a colleague 35% ceive disclosures […] confidentially and kinds of statements: act on them; and; – Nothing will happen if it goes to 36% (b) routinely publicise the availability of • ethical standards are articulated in a court that system code of ethics and supporting policies Think the report will not remain 48% • structures, systems and processes are anonymous The Act makes it clear that an individual di- in place to ensure that the board, em- rector, the board or a board committee may ployees, and supply chains are familiar Fear retaliation 65% be the recipient of a protected disclosure. As with and adhere to the company’s ethi- Think company will not take such, these individuals or bodies are obliged cal standards 66% corrective action to deal with whistle-blower disclosures in the • ethics performance is included in the correct manner. Subsection 7 quoted above, scope of internal audit and reported on in also places a positive obligation on boards the company’s integrated annual report It is clear that having relatively robust whis- to maintain an effective system of whistle- tle-blowing laws is not necessarily enough blowing in the company, ensuring that em- Under an enhanced mandate, whistle-blow- to encourage whistle-blowing. Much more is ployees are made aware of the system and ing may be included within the scope of the required to assure potential whistle-blowers encouraged to use it. Given the board’s clear committee since it supports the ethics policy; that it is safe ‘to do the right thing’. As the re- responsibility to ensure that whistle-blowing and any mechanisms introduced to encour- search shows, people will continue to doubt measures and mechanisms are in place, the age whistle-blowing would fall under the the effectiveness of whistle-blowing mecha- question arises as to which committees “structures, systems and process” required to nisms as long as they fear retaliation or hav- within the organisation should play a role in foster an ethical corporate culture. It would ing their identities exposed. assisting the board in this regard. then be up to the SEC to ensure that a proper, credible and trustworthy whistle-blowing The Protected Disclosures Act sets out the re- The Social and Ethics Committee (SEC) system is in place. Such a system must ensure quirements for safe and effective disclosures, the confidentiality of reports, the anonym- but only protects employees against occu- All publicly listed companies or state owned ity of the whistle-blower and provide clarity pational detriment, and not any other kind companies are legally required to establish about what happens after a report has been of harm. Occupational detriment refers to Social and Ethics Committees as per the Com- made. discrimination in the workplace related to job panies Amendment Act (Act No. 3 of 2011) . security such as unfair dismissal. The Compa- The SEC is therefore a mandatory, statutory Rossouw advises that the SEC should assess nies Act extends these protections somewhat board committee. reports regularly, noting the number received, for employees and other categories of persons how they are being handled and what trends that have dealings with companies. What The SEC’s mandate is to monitor and report there are in issues reporting. Such informa- should be noted is to whom disclosures can be to the board on a company’s social perfor- tion would be useful to management and the made. Section 159 (3) of the Act states that: mance, with due regard to the organisation’s board. It is important that management acts social and economic development, good cor- decisively when required to do after proper “A disclosure is protected if: porate citizenship, environment, health and investigation of a complaint. safety issues, consumer relations, labour and It is made in good faith to the Commission, the employment issues. Audit Committee Companies Tribunal, the Panel, a regulatory

32 | IA ADVISER April/May 2015 FEEDBACK FROM THE 2014 NATIONAL CONFERENCE

As part of its duty to review the ethics man- dential, anonymous, trusted, credible and ro- ditional responsibilities to the Social and Eth- agement system of the company, internal au- bust. They should therefore check the integri- ics Committee, as is often the case. Rossouw dit should also include the whistle-blowing ty of systems and the people operating them, points out that directors have five ethical du- system. The audit committee should ensure and assess if they are independent, highlight- ties relating to conscience, inclusivity, compe- that this task is included in the audit plan, as it ing any potential conflicts of interest. Based tence, commitment and courage. The latter is important to provide assurance over the in- on such information, the audit committee may be the most difficult of all to fulfil. Never- tegrity of the whistle-blowing measures and would be in a better position to gauge the ef- theless, since the buck stops with board, it is mechanisms. Internal audit will be required fectiveness of the whistle-blowing system. up to the directors to find the moral courage to make an assessment of the adequacy and to act with integrity when making tough de- effectiveness of internal system, establishing Board of Directors cisions. Those decisions should also include whether they work and are being used as in- the ways in which whistle-blowers are pro- tended. King III in Principle 1.1 states that the “board tected within the organisation. If this is done should provide effective leadership based effectively, within in a strong ethical culture, Where whistle-blowing systems are out- on an ethical foundation”. In order to ensure then employees may feel less afraid to blow sourced, internal audit should determine that it receives robust information regarding the whistle on corruption. whether the mechanisms are secure, confi- ethical matters, the board may delegate ad-

National Conference Feedback is prepared by: Rakal Govender, Senior Research Analyst: Private Sector, IIA SA and Zisanda Jalavu CIA, Senior Research Analyst: Private Sector, IIA SA

Congratulations to CIA candidates

Delphine Bagwire Eugene Greyling Sipho Masumpa Alois Nyazema Rabith Sukhari Abdul Bellim Julius Gurure Asanda Mdlulwa Ritesh Patel Muhammed Tayob Daniel Jacobus Brand Linda Harris Dzorai Meke Charlene Pillay Cuthbert Tinavapi Priyanka Bugwandeen Jothie Hemraj Fortune Mkhabela Kubendran Pillay Zaheer Titus David Chuene Zisanda Beatrice Jalavu Selby Mochochoko Chantel Poovan Shamil Ukabhai Christoffel Coetzer Hendrik Jordaan Debbie Modisane Marthinus Prinsloo Karen van der Westhuizen Vinolia Coopsamy Mohammed Kader Mamadimo Mogano Mankwana Ragolane Cecilia van der Westhuizen James Cronje Anna Kadisov Fatinyana Molala Subhadra Ragubeer Daniel van Niekerk Chanelle da Silva Simphiwe Khumalo Phatedi Monyebodi Deepa Rama Johannes van Tonder Nelette De La Rey Johannes Lambrechts Lorato Moyo Kotlane Sekgota Francois Viljoen Elmarie de Waal Tsholofelo Leballo Kwazi Msiza Dondeguy Sibanda Robyn Wheatley Nicole Erasmus Brenda-Lee Lodder Mavis Mthimunye Stephens Sikhondo Robin Bruce Williams Danielle Erasmus Karen Louw Mxolisi Mtshali Pieter Smith George Woodworth Charne Fourie Zwakele Majola Sharlene Murugan Muhammad Solomons Lin Ye Umaira Gani Wandile Malinga Jerod Naidoo Vukosi Sondlane Odwa Goso Babalwa Mapisa Chermaine Naidoo Sidiso Vincent Sotshede Sharon Govender Ilse Marais Lungile Ignatia Ngcobo Adriaan Steenekamp

IA ADVISER April/May 2015 | 33 BOOK REVIEWS

Sawyer’s Guide for Internal Auditors, 6th Edition, 2014

This marks the sixth edition of Sawyer’s tionships. Significant expansion of guid- 5.3 – Audit Approach Comparisons: Pres- Internal Auditing, and introduces format ance and information has been made to ents the differences between a traditional and content changes since the previous the sections relating to Control and Risk and participative audit approach. version was published in 2005. The most Models, and a new chapter relating to As- notable format change is that the guide surance and Consulting Services has been The second volume, Internal Audit Pro- has now been split into 3 separate volumes introduced. cesses and Methods, focuses on technical based on content: 1) Internal Audit Es- and tactical guidance for the application sentials, 2) Internal Audit Processes and As with previous editions, Volume 1 con- of internal audit, with specific focus on cli- Methods, and 3) Governance, Risk Man- tains helpful exhibits to assist the reader in ent and stakeholder relationship manage- agement, and Compliance Essentials. In illustrating certain concepts and reinforce ment, audit planning, assignment execu- terms of content, Information Technology best practice application of the guidance. tion, and communication and reporting of (IT) related topics and guidance have been Several of the new additions in this round results. Minor updates have been made to interwoven throughout the guides, rather include: chapters relating to planning assurance en- than segregated into separate chapters, gagements from high-level risk assessment in order to present a more holistic view of 1.2 – Internal Audit Rules of Conduct to opening meeting, and communicating the practice and methodology of internal (from the IPPF, 2011): Offers a summary of results during the engagement through auditing. The previous series of multiple the four categories comprising the IPPF’s to Board reporting. Significant enhance- choice questions per chapter has been Rules of Conduct, including Integrity, Ob- ments have been made to the content and excluded from the new edition; however, jectivity, Confidentiality and Competency. presentation of chapters relating to defin- the glossary of audit related terminology ing the audit and risk universes, evaluating has been substantially expanded and in- 2.1 – Relationships between Risk Man- the design of controls, testing effective- cluded at the end of each volume in the agement Principles, Framework and ness of controls, additional risk manage- series. Finally, new information has been Processes (from ISO 31000:2009): Provides ment techniques, and audit documenta- included throughout all three volumes to information on what principles should exist tion. New chapters have been introduced reflect environmental, social and economic to manage risk, presents a generic frame- relating to entity-wide risk assessment and changes and corresponding responses and work for managing risk and a standard pro- entity-wide assurance projects, as well as a advances in internal audit techniques. This cess for managing risk. full chapter on consulting activities. information relates in particular to IT, communicating results, governance, risk man- 3.2 – Key Differences between Assurance As with Volume 1, some of the new addi- agement, compliance and corporate social and Consulting Standards: Describes the key tions to the best practice and guidance ex- responsibility.1 differences between the two types of assurance hibits for this edition of Volume 2 include: work that Internal Audit can perform. This book review aims to provide unfamil- 7.1 – Alignment of the Identified Risks to iar readers with an overview of what the 4.3 – Internal Auditor Competency the IT Environment: Details an example guides have to offer an internal audit pro- Framework (from the IIA Global frame- of the alignment of business objectives to fessional, and for those readers who are work, 2013): Summarises the four elements business risks, to business processes, and familiar with Sawyer’s previous manuals, of the framework, including interpersonal ultimately to IT Assets. what fresh perspectives and guidance have skills, tools and techniques, Internal Audit been presented. standards, theory and methodology, and 10.2 – Possible Risk Response and Audi- knowledge areas. tor Action: Provides guidance on the pos- The first volume, Internal Audit Essentials, sible risk response and subsequent audit includes minor updates to sections pro- 5.2 – Key Components of Effective Inter- response depending on the impact and viding an introduction to the history and viewing (from IIA Research Foundation, likelihood rating of a particular risk. evolution of modern internal auditing, in- 2009): Includes elements such as interview- cluding the current Professional Practices ing objectives and process, common barri- 10.3 – Sample Flowchart: An updated ex- Framework, audit process management ers to effective interviews and critical suc- ample of a vertical flowchart for an ‘order- and administration, and stakeholder rela- cess factors. ing and receiving’ process.

1 Page viii, Volume 1: Internal Audit Essentials

34 | IA ADVISER April/May 2015 BOOK REVIEWS

11.2 – Steps of an Application Control Au- 15.16 – Internal Audit Maturity / Capabil- dit (from ISACA Journal, volume 5, 2002): ity Assessment (from theiia.org website): Presents a step by step overview of how to Depicts the five levels of maturity / capa- complete an application control audit. bility of internal audit functions (Initial, In- frastructure, Integrated, Managed, and Op- 13.2 – Root Cause Analysis Techniques: timising), across 6 core competency areas Summarises three techniques, “Five Why (Services and Roles of IA, People Manage- Analysis”,” Change Analysis” and” Ishikawa ment, Professional Practices, Performance / Fish-bone Diagram,” for determining the Management and Accountability, Organi- root cause of control breakdowns / audit sational Relationships and Culture, and issues. Governance Structure).

13.19 – Reviewing Versus Editing: Presents 15.17 – Data Elements Diagram (from UPDATE YOUR DETAILS the advantages and disadvantages of re- Thomson Reuters, 2009): Details the core view versus editing of audit reports. user requirements and proposed data sets AND ENJOY THE required to support governance, risk and BENEFITS OF BEING AN 14.1 – Comparison of Self-Assessment compliance implementation within an or- Techniques: Three self-assessment tech- ganisation. IIA SA MEMBER niques, facilitated workshops, surveys and structured interviews, are summarised ac- 17.3 – Role of Internal Auditing in ERM cording to their relative advantages and (from the IIA Position Paper, 2009): Presents A key objective of the Institute of disadvantages. a list of potential assurance activities which Internal Auditors South Africa is to internal audit activities that comply with The third volume, Governance, Risk Man- the International Standards for the Profes- provide our members with access agement, and Compliance Essentials, sional Practice of Internal Auditing should to world-class information and focuses on providing an integrated view of provide. governance, risk management and compli- development. Ensure that your skills ance. This entire volume has been substan- 19.4 – Fraud Risk Management Principles and competencies remain relevant tially updated and re-organised to present a (from the IIA, AICPA and ACFE, 2012): Intro- holistic view, although many elements were duces five key principles for proactive and and up to date. touched upon in the previous version. New effective management of organisational chapters have been introduced relating to fraud risk. internal audit responsibility regarding fraud, It is imperative that the Institute of ethics and people risk, and the role internal 20.1 – Corporate Social Responsibility Internal Auditors audit plays in corporate social responsibility Definition (from ISO26000:2010): provides South Africa has your correct details. and sustainability. the definition of Corporate Social Responsi- bility as per ISO 26000. Some of the new additions to the best Please visit our website: practice and guidance exhibits for this edi- 20.2 –Definition of Corporate Social Re- tion of Volume 3 include: sponsibility (from the IIA, 2011): provides www.iiasa.org.za the definition of Corporate Social Respon- to update your details. 15.1 – Definition of GRC (from Gartner Re- sibility as per the IIA Practice Guide. search website, 2011): Provides a commonly referenced definition of “governance,” All in all, this 6th edition of Sawyer’s Guide “risk,” and “compliance.” for Internal Auditors offers a wealth of cut- ting edge information and guidance, pre- 15.5 – Comparison of Standards and Prac- sented in a concise and easily understand- tices for Financial Reporting and GRC Re- able manner, and would be a powerful tool porting: Explains the differences in standards and valuable addition to any internal audi- and practices for financial reporting versus tor’s personal or professional library. governance, risk and compliance reporting.

IA ADVISER April/May 2015 | 35 BOOK REVIEWS

Internal Auditor’s Guide to Risk Assessment - (Rick A. Wright JR; CIA)

In the author’s own words: stage for how to think about risks, which on these topics and how that might influ- ultimately will influence how you identify, ence your approach. Besides stakeholders, “Purpose of the book – to provide a clear measure, and prioritize risk. The premise it is important to know your organisation’s understanding of risk assessment charac- is that you must first understand how risk risk profile and key vulnerabilities. teristics so you can confidently plan and behaves and manifests itself in order to conduct your own risk assessment. This understand how to build a structure for ex- Going beyond the minimum – Internal au- book also will help you to make sure that ecuting a value-adding risk assessment.” dit leadership should be vigilant in seek- your risk assessment adds value to your or- ing out those practices that are expected ganisation because they will be based on The theory of risk therefore the definitions, of their stakeholders above and beyond the needs of your stakeholders.“ fundamentals, nature or characteristics of minimum requirements. To be effective at risk, risks internal and external drivers and risk assessment, it is critical that you under- The book starts with establishing the key how changing environments make risk stand your stakeholders – both who they points of understanding risk assessment dynamic and ever changing are explained. are and what concerns them. This will help and then explains step- by step- how to The book highlights the fact that these def- shape decisions on the types of risk upon conduct a risk assessment. initions present risk in the context of uncer- which to focus. tainty and consequences, but do not depict While the main focus of this book is risk as- it in terms of negative outcomes. The risk and control maturity of the organi- sessment methodologies to develop the sation where you work will have a direct im- audit plan, there are three chapters specific A short history briefing leads to a discussion pact on how you approach your risk assess- for engagement risk assessment, fraud risk of some contemporary ideas and trends ment. The author also discusses how the assessment and IT risk assessment. about modern risk assessment. The author internal audit function’s capability maturity also highlights the importance to under- and risk competencies will help shape the The last chapters of the book provide com- stand stakeholder perspectives in risk and risk assessment approach. mon mistakes and challenges throughout governance, which are at the core of the the risk assessment journey. value proposition for internal auditors. The three important areas you should consider for selecting the risk assessment ap- Lastly a set of 10 risk assessment examples From a risk assessment standpoint – it is proach is: that include excel spreadsheets and work important for internal auditors to recog- 1. Risk and control maturity – Is the inter- document that you can customise to meet nize their organisations’s capabilities when nal audit function more control-centric the needs in your oganisation is included. managing change so they can understand or risk-centric? The templates are divided in two groups: how environmental changes will impact 2. Organisational vulnerabilities – What - Group 1: Audit Universe Risk Assess- certain types of risk to the organisation. are the risks that matter most to your ments particular rganisation? - Group 2: Audit Engagement Risk As- Section 2 Choosing the Best Risk Assessment 3. Internal audit capabilities. Is your inter- sessments Approach for your organisation nal audit function equipped to address the needs of the organisation? A brief overview of the book. The book is The second section provides you with divided in five sections explaining specific consideration when choosing your risk as- In addition the author also provides five concepts and each section consist of chap- sessment approach. The IIA Standards set key principles to follow to assist in seeking ters elaborating this concept for each read- minimum requirements for internal audit’s the right approach to risk assessment for er to make it their own. risk assessment exercise, but are stakehold- your organisation. ers satisfied with minimum standards? 1. Conform with and align your method- Section 1: Understanding the Nature of Risk Stakeholders’ expectations are changing in ology to IIA Standards. regard to audit’s coverage of strategic risk 2. Understand your stakeholder needs “The first part of this book provides an intel- and governance areas so it is important to and expectations lectual basis for risk assessment. It sets the understand your stakeholder’s viewpoints 3. Understand the changing environment

36 | IA ADVISER April/May 2015 BOOK REVIEWS

4. Know your rganisation’s risk focus and “Ensuring your audit universe is complete?” changed? primary vulnerabilities. This for me is the most important question • Have any fraud or ethics violations been 5. Assess your internal audit function’s ca- to ask when conducting a risk assessment detected? pability maturity and risk competencies. for the annual audit plan. • Have there been any reported instances of competitors or any similar organisa- Section3: Tools for conducting your oganisa- The author provides insight to this questions experiencing new opportunities tion’s Risk Assessment tion. or threats to their business? • Are the new external opportunities/ This section highlights practical ways for “Every organisation audit universe is unique. threats to the organisation? building a process for executing a risk as- Some questions, to reflect that the audit uni- • Are there new internal opportunities/ sessment. Developing a comprehensive verse has been thoughtfully vetted. threats to the organization?” audit universe is the first task. The audit universe serves as the risk assessment start- • What environments have changed The completion of the audit universe is a ing point as it identifies the possible audit- since the last audit universe update? journey. Audit universe requires periodic able units that will eventually comprise the • Have there been any changes to the maintenance. audit plan. strategic goals of the organisation? • Have there been any changes in leader- Section 4: Special types of Risk Assessment When assessing audit universe risks. Start ship at key positions? by identifying business objectives and then • Have there been any key personnel Risk assessment come in various forms and tackle risk identification, risk measurement, changes (loss of institutional knowl- are used for many purposes. In section and risk prioritisation as centerpieces of a edge, headcount reductions)? 4, three variations of risk assessment are well-constructed risk assessment frame- • Are there any new systems that have presented for specialised uses relating to work. Several examples and varying ap- been implemented? internal audit engagement planning, fraud proaches are included to provide a variety • Are there any new system development considerations, and IT-related risk assess- of perspectives for what risk assessment projects? ments. can be. Frequency of risk assessment activ- • Have any new programs been imple- ities and alignment of the risk assessment mented? Engagement Risk Assessment with business strategy and ERM are also • Are there new products lines or lines of discussed in this section. business? This is done on a micro level relating to • Has the organisation acquired any new specific process-level business objectives. Practical advice from the author when businesses or entered into any new “Engagement risk assessment – A micro - aligning with ERM and strategic objectives partnerships? level assessment of an auditable unit’s risk first, ensure your audit universe includes • Has the organisation divested any busi- with the objectives of creating an engage- auditable units of strategic nature. These ness or terminated any partnerships? ment plan that focuses efforts toward the may include strategic planning processes, • Does the organisation do business with key risks that would keep the auditable unit the ERM program, corporate governance any new strategic suppliers or ven- form achieving its objectives. “ activities, sustainability programs, crisis dors? management, and reputation manage- • Have there been any changes in the ca- Fraud risk Assessment ment to name a few. An audit universe that pabilities of strategic suppliers or ven- includes areas of strategic concern ensures dors.? Std 2120.A2 from IPPF there will be a focus on strategic risks dur- • Are there plans for significant business ing audit planning and that audit resources growth or declines? “The internal audit activity must evaluate will be assigned to these areas, where ap- • Are there new customers being the potential for the occurrence of fraud propriate. served? and how the organisation manages fraud • Have new legislative or regulatory ac- risk. Some common mistakes to avoid when tions impacted the business? IIA developed practice guide – “Internal identifying risks are also highlighted: • Are there new industry standards or Auditing and Fraud” – This guide lists 5 key 1. Confusing risk with the consequences policy changes that have been imple- steps common to most fraud risk assess- of risk. mented? ments: 2. Focusing on controls instead of risk. • Are there any new internal stakehold- 1. Identify relevant fraud risk factors ers, or have existing stakeholder needs 2. Identify potential fraud schemes and

IA ADVISER April/May 2015 | 37 BOOK REVIEWS

priorities them based on risk gic risk, alignment with ERM programs, and 1. “Risk creates opportunities and threats. 3. Map existing controls to potential fraud risk appetite as key value drivers and fron- 2. Stakeholders expects internal audit to schemes and identify gaps tiers for innovation. assess strategic risk 4. Test operating effectiveness of fraud 3. Change creates risk prevention and detection controls. In addition three common mistakes to 4. Identify stakeholder expectations 5. Document and report the fraud risk as- avoid relating to risk assessments are dis- 5. Always start with objectives sessment. cussed: 6. Identify, measure, prioritize 1. Equating complexity with value 7. Stay flexible IT Risk Assessment 2. Assigning the wrong staff 8. Align with ERM 3. Inadequate Data-gathering tools 9. Be aware of other types of risk assess- The author stresses to the reader the impor- ments. tance of the distinction between risks that Further three common challenges to antici- 10. Consider risk appetite are business related (and therefore not IT pate during the process of risk assessment 11. Don’t go it alone” specific) versus those that are truly related are reviewed: to the existence of an IT strategy within the 1. Inconsistent risk measurement results. In my view this book is easy to read – it pro- organisation, when assessing IT risk. 2. Inadequate resources vide clear definitions and guidance for the 3. Lack of management engagement first time risk assessment conductor, how- Section 5: Identifying Risk Appetite and solv- ever the content of the book is also valu- ing common challenges The summary and conclusion of the book is able for the experienced risk assessment the eleven main principles that are address conductor to ensure that their method is In this section the author delve into strate- in this book: still vetted.

Sarah Tucker, Technical Committee: IIA SA

OBTAIN AN IIA SA PROFESSIONAL DESIGNATION

Apply now to enter our Internal Audit Technician or Professional Internal Auditor program. These are a pre- requisite for entering the CIA program. Alternatively apply to go through our Recognition of Prior Learning process if you have the requisite qualification and experience and obtain our prestigious designations.

For more information contact : Lawrence Chetty, Deputy Head: Certifications and Accreditation Tel: (011) 450 1040 e-mail: [email protected]

38 | IA ADVISER April/May 2015 ADVISER

IA ADVISER April/May 2015 | 39