King III: A Great Step for Corporate Governance?

Last year, the Institute of Directors in South Africa published the King Code of Governance for South Africa 2009 (King III). It is effective July 1, 2010. In my opinion, it was one of the most important advances in corporate governance in years. I am pleased that one of the contributors was IIA–South Africa.

A feature article in the February issue of Internal Auditor discussed some of the elements of the code, particularly the increased expectations of the internal audit function. It heralded that “South Africa’s King III report anoints internal auditors as central to their company’s governance activities and an essential part of business strategy.” PricewaterhouseCoopers also published an excellent report on the code, King’s Counsel: Understanding and Unlocking the Benefits of Sound Corporate Governance.

I want to share my perspectives on some of the major aspects of the new code. South Africa is one of several countries (including the United Kingdom) that use a “comply-or-explain” approach: corporations are expected to comply with the provisions of the nation’s corporate governance code, or explain in their annual reports why they do not. Although in South Africa compliance is voluntary, it sets the bar for companies in that nation.

The code includes a general discussion, followed by a schedule of principles and recommended practices. My hope is that as more influential thinkers and regulators grow to understand and appreciate King III, its insights will influence all nations.

  • King III says governance “is essentially about effective leadership ... Such leadership is characterised by the ethical values of responsibility, accountability, fairness, and transparency, and based on moral duties.” The first principle in the code is “The board should provide effective leadership based on an ethical foundation.”
  • It also focuses on sustainability, which it says is the “primary moral and economic imperative of the 21st century.” King not only advocates a focus on sustainability by corporate boards, but presses for integrated reporting of financial and sustainability information.
  • There is a whole section just on internal auditing and the need for it to be risk-based. It includes this important paragraph:
 “A compliance-based approach to internal audit adds little value to the governance of a company as it merely assesses compliance with existing procedures and processes without an evaluation of whether or not the procedure or process is an adequate control. A risk-based approach is more effective as it allows internal audit to determine whether controls are effective in managing the risks which arise from the strategic direction that a company, through its board, has decided to adopt.”
  • That is followed by this key requirement:
“Internal audit should be risk-based and every year the internal auditors should furnish an assessment to the board generally on the system of internal controls and to the audit committee specifically on the effectiveness of internal financial controls. The audit committee must report fully to the board on its conclusions arising from the internal audit assessment. This will give substance to the endorsement by directors of the effectiveness of internal controls.”
There is a great deal of discussion among CAEs and the standards and guidance developers at the IIA about whether internal auditors should be required to provide a formal opinion on internal controls. King decided not to use the word “opinion,” but there is little doubt that one is required. This is a step that the whole profession needs to embrace!
Later, under principle 4.9, King III goes further. Not only should internal auditing assess controls, but also the risk management processes!
“Internal audit should provide a written assessment of the effectiveness of the system of internal controls and risk management to the board.”
The code also requires internal auditing to “evaluate the company’s governance processes.”
  • The code recognizes the importance of IT and includes a section on IT governance principles. They specify that “In exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken in regard to IT governance.”
  • As you might imagine, one of the principles is “The board should ensure that the company’s ethics are managed effectively.”
  • This next principle lies at the heart of governance, risk, and compliance (GRC): “The board should appreciate that strategy, risk, performance, and sustainability are inseparable.”
I say it is at the heart of GRC, as when we talk about risk we are talking about risk to the achievement of strategy. Performance is the measurement of achievement of strategy. Mention of sustainability reflects the King belief that financial performance alone is not sufficient — the corporation also has to be a good citizen.
  • King comes down on the side of separating the role of CEO and chairman of the board: “The board should elect a chairman of the board who is an independent nonexecutive director. The CEO of the company should not also fulfil the role of chairman of the board.”
  • I am intrigued by a requirement that the audit committee should perform an annual review and “satisfy itself of the expertise, resources, and experience of the company’s finance function.” I imagine this might involve work by the internal audit function.
  • There are some specific expectations of the audit committee with respect to internal auditing:
o   “The audit committee should be responsible for the appointment, performance assessment, and/or dismissal of the CAE.”
o   “The audit committee should approve the internal audit plan.”
o   “The audit committee should ensure that the internal audit function is subject to an independent quality review as and when the committee determines it appropriate.”
o   “The internal audit function should report functionally to the audit committee.”
  • There is an appropriate emphasis on risk: “The board should be responsible for the governance of risk.” The recommended practices include:
o   The board should comment in the integrated report on the effectiveness of the system and process of risk management.
o   “The board’s responsibility for risk governance should be expressed in the board charter.”
o   “The induction and ongoing training programmes of the board should incorporate risk governance.” This is an interesting requirement, and I can see not only that it is critical but that internal auditing may have a role in its achievement.
o   “The board should review the implementation of the risk management plan at least once a year.”
o   “The board should ensure that the implementation of the risk management plan is monitored continually.”
o   “The board should set the levels of risk tolerance once a year.”
o   “The board may set limits for the risk appetite.”
o   “The board should monitor that risks taken are within the tolerance and appetite levels.”
o   “The CRO should be a suitably experienced person who should have access and interact regularly on strategic matters with the board and/or appropriate board committee and executive management.”
o   “Management should demonstrate to the board that the risk response provides for the identification and exploitation of opportunities to improve the performance of the company.” This is a remarkable recognition that risk management is not only about adverse events (the downside), but also the opportunities (upside).
  • Some debate whether compliance should be handled as a risk, or excluded — for a variety of interesting reasons. Again, King makes it clear what is expected: “The risk of non-compliance should be identified, assessed, and responded to through the risk management processes.”
My questions to you are:
  1. Do you agree that these provisions are appropriate?
  2. What else should be covered in a governance code or framework?
  3. Would you like to see a framework like this in your country?


Posted on Feb 19, 2010 by Norman Marks


  1.  In an effort to ensure compliance, the Governance Board should be required to administer a test of their own. The Test would be centered around Ethics in Theory and Practice. In other words, they would look at the Ethics (in Theory) of the Business - Presentation of Ethics and Governance codes, then look to the media.

    Is your company constantly in the News over "possible ethics violations"? This is proof of the mal-Practice in some form or another. What's the old saying? If there's smoke there's fire?

    If there is a disparity, the Board should address it as soon as possible. As I see it today, there are many analysts and watchdogs that will start connecting the dots between companies that talk a good Governance game and those that actually play a good game of Governance.

  1. This is fascinating. I think Prof King has gone a long way towards dealing with a lot of the issues that many of us have raised (you're all bored by references to my OECD report by now): I am just concerned that there is still a possibility of playing RM off against IA. I would like to see what I described as full time NXDs and a Chief Assurance Officer who can stand toe-to-toe with the CEO. In the UK (and I imagine SA) s/he would be on the board, in the US in the C-Suite.

    I am finally tempted to go read the whole of King III...

    Thanks Norman

  1. Norman:

    I agree with prior comments. I will go back and read entire King III- is quite impressive overall. Thanks for summarizing in blog.




  1.  South Africa is truly leading the way in Africa with regards to corporate governance development just as they have been in other economic and corporate initiatives and we in Africa are very proud of them.

    Prof King is truly great and appreciated. Keep up the good work South Africa and thanks to IIA for their input into King III.



  1. Such provisions are appropriate. However, as long as the comply-or-explain approach remains, corporate governance scandals will still crop up.

    I totally agree with the separation of roles of the Chairman and CEO and that they should be 2 different persons. However, if the board really elects the chairman, then the number of votes in favour and those against should be made public either through a company announcement. It is only in this way that the election process for the Board's chairman will be transparent.

    The Chairman should be an independent non-executive director; however, it is also crucial that such Chairman is not a PEP - politically exposed person. One should really study the definition of a PEP and ensure that any Chairman does not fall in such a category.

    Corporate Governance is really a subject at heart and wish that it gets implemented really well, cause after all many mismanagements could be avoided. 

    I have one simple question. How many times do we see in annual reports any comments or write ups, that some directors did not vote in favour of certain board matters? 



  1. King II (2002), King III (2010), are works pegged towards resolving investor unforeseeable risks, outlining on the issues of social responsibilities, disclosures and directors and CEOs remunerations, environmental issues and the like.

    We also have now to debate more on how state owned enterprises manage their affairs when there are fears of who controls the boards of directors, who manages their remunerations, who evaluates the boards of directors of state owned enterprises. The issue is how must these state owned enterprises be managed through the contributions of practicing best corporate governance. We all know there are institutions namely the Economic council of the UN, the World Bank, IMF, Governments, professional bodies say the INTOSAI, ESAAG, FRC, and many others that research deeply on matters of corporate governance. China and India have been in the lead towards making the management of state owned enterprises to operate more or less similar footings like the private sector.

    The question is how is the ownership of the state owned enterprises going to be resolved. Will state owned enterprises practice best corporate governance we see in private sector? What about political interference in the state of affairs of these corporate organizations? What directions must they take to best practice corporate governance and must they be assessed?


    I hope that my fears here will meet your professional contributions towards managing state owned enterprises through best corporate governance practices.


    Happy Easter Holidays to those of my faith!

  1. State owned enterprises must practice good corporate governance.

    We have to debate more on how state owned enterprises manage their affairs. There are fears of ownership, controls and the boards of directors, who manages their remunerations, who evaluates the boards of directors of state owned enterprises. Must these state owned enterprises be managed by practicing best corporate governance and to research deeply on matters of corporate governance. China and India have been in the lead towards making the management of state owned enterprises to operate more or less similar footings like the private sector.

    Will state owned enterprises practice best corporate governance like it is in private sector? What about political interference in the state of affairs of these corporate organizations? What directions must they take to best practice corporate governance and must they be assessed?

