King III: A Great Step for Corporate Governance?
Last year, the Institute of Directors in South Africa published the King Code of Governance for South Africa 2009 (King III). It is effective July 1, 2010. In my opinion, it was one of the most important advances in corporate governance in years. I am pleased that one of the contributors was IIA–South Africa.
A feature article in the February issue of Internal Auditor discussed some of the elements of the code, particularly the increased expectations of the internal audit function. It heralded that “South Africa’s King III report anoints internal auditors as central to their company’s governance activities and an essential part of business strategy.” PricewaterhouseCoopers also published an excellent report on the code, King’s Counsel: Understanding and Unlocking the Benefits of Sound Corporate Governance.
I want to share my perspectives on some of the major aspects of the new Code. South Africa is one of several countries (including the United Kingdom) that use a “comply-or-explain” approach: corporations are expected to comply with the provisions of the nation’s corporate governance code, or explain in their annual reports why they do not. Although in South Africa compliance is voluntary, it sets the bar for companies in that nation.
The code includes a general discussion, followed by a schedule of principles and recommended practices. My hope is that as more influential thinkers and regulators grow to understand and appreciate King III, its insights will influence all nations.
- King III says governance “is essentially about effective leadership ... Such leadership is characterised by the ethical values of responsibility, accountability, fairness, and transparency, and based on moral duties.” The first principle in the code is “The board should provide effective leadership based on an ethical foundation.”
- It also focuses on sustainability, which it says is the “primary moral and economic imperative of the 21st century.” King not only advocates a focus on sustainability by corporate boards, but presses for integrated reporting of financial and sustainability information.
- There is a whole section just on internal auditing and the need for it to be risk-based. It includes this important paragraph:
“A compliance-based approach to internal audit adds little value to the governance of a company as it merely assesses compliance with existing procedures and processes without an evaluation of whether or not the procedure or process is an adequate control. A risk-based approach is more effective as it allows internal audit to determine whether controls are effective in managing the risks which arise from the strategic direction that a company, through its board, has decided to adopt.”
- That is followed by this key requirement:
“Internal audit should be risk-based and every year the internal auditors should furnish an assessment to the board generally on the system of internal controls and to the audit committee specifically on the effectiveness of internal financial controls. The audit committee must report fully to the board on its conclusions arising from the internal audit assessment. This will give substance to the endorsement by directors of the effectiveness of internal controls.”
“Internal audit should provide a written assessment of the effectiveness of the system of internal controls and risk management to the board.”
- The code recognizes the importance of IT and includes a section on IT governance principles. They specify that “In exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken in regard to IT governance.”
- As you might imagine, one of the principles is “The board should ensure that the company’s ethics are managed effectively.”
- This next principle lies at the heart of governance, risk, and compliance (GRC): “The board should appreciate that strategy, risk, performance, and sustainability are inseparable.”
- King comes down on the side of separating the role of CEO and chairman of the board: “The board should elect a chairman of the board who is an independent nonexecutive director. The CEO of the company should not also fulfil the role of chairman of the board.”
- I am intrigued by a requirement that the audit committee should perform an annual review and “satisfy itself of the expertise, resources, and experience of the company’s finance function.” I imagine this might involve work by the internal audit function.
- There are some specific expectations of the audit committee with respect to internal auditing:
- There is an appropriate emphasis on risk: “The board should be responsible for the governance of risk.” The recommended practices include:
- Some debate whether compliance should be handled as a risk, or excluded — for a variety of interesting reasons. Again, King makes it clear what is expected: “The risk of non-compliance should be identified, assessed, and responded to through the risk management processes.”
- Do you agree that these provisions are appropriate?
- What else should be covered in a governance code or framework?
- Would you like to see a framework like this in your country?
Posted on Feb 19, 2010 by Norman Marks