FEBRUARY 2010

 
Equipped for Governance
 

South Africa’s King III report anoints internal auditors as central to their company’s governance activities and an essential part of business strategy.

 
Neil Baker
Freelance Writer
 

A single boardroom decision helped corporate governance guru Mervyn King appreciate the true value of good internal auditing. It was the end of the 1990s, and he was board chairman of a big, privately owned South African company. A private equity fund had made a hostile takeover bid; King and his fellow directors had to decide whether to recommend it to shareholders. The decision, he says, had to be based on information from management. The problem was, how could King and his board colleagues know whether this information was reliable and complete? Only the chief audit executive (CAE), he realized, could provide the kind of independent and objective assurance King was looking for. “So for me, in that instance, internal auditing played a critical role.”

 

This wasn’t a sudden conversion to the merits of internal auditing. Involvement in that hostile bid crystallized ideas about internal auditing’s potential that King had been mulling over for a few years. He was already an internationally recognized expert on corporate governance, having produced the groundbreaking King Report on Corporate Governance in 1994, which defined a new governance model for South African companies. But reading it now, 16 years later, the ideas about internal auditing in King I — as the report is known — seem rather entry-level. It said the internal auditor should attend audit committee meetings, command respect from the business, and provide information about the adequacy and effectiveness of controls. There was no mention of risk. “Internal auditing was still very compliance focused then,” King says today. “Strategy was not within its compass; it was completely different.”

 

King Through the Years
 

From the first one back in 1994, the King Reports have always taken an expansive view of corporate governance. King I was published not long after two other groundbreaking governance reviews, but was broader in scope than either of them. The Treadway Commission reviewed fraudulent financial reporting in the United States and codified a best practice approach to internal control, which became The Committee of Sponsoring Organizations’ Internal Control–Integrated Framework. The Cadbury Report — Financial Aspects of Corporate Governance — reviewed U.K. boardroom practices in the wake of a major financial scandal; it gave birth to the Combined Code of Corporate Governance. Both reports, though different in their approach, have been hugely influential. But Mervyn King’s terms of reference were much wider.
 
When King started work on his first report in 1992, South Africa was undergoing an extraordinary process of cultural change. Decades of white minority rule were ending; its businesses were about to re-emerge on the international scene after years of forced isolation. The Johannesburg Stock Exchange and the Institute of Directors asked King, a lawyer and former judge, to write a code of governance that would help its companies become fit for this new era. It meant encouraging companies to look beyond the bottom line and to address their wider role in social change. The code of practice King produced covered not just financial governance, but also social, ethical, and environmental concerns.
 
King went on to update his initial governance code in 2002. King II included a much larger section on internal auditing and endorsed The IIA’s definition of internal auditing, International Standards for the Professional Practice of Internal Auditing, and Code of Ethics. It said that the chief audit executive (CAE) should report to the CEO but have “ready and regular access” to the board chair and the chair of the audit committee, and that the CAE should report to all audit committee meetings and could only be appointed or fired with the committee’s approval.
 
King II also put risk at the center of internal audit activity for the first time. It said internal auditing should provide assurance that management processes are adequate to identify and monitor significant risks, confirm the effective operation of the established internal control systems, and provide objective confirmation that the board receives the right quality of assurance and information from management and that this information is reliable. It also said the audit plan should be based on a “continuous assessment” of risk.
 

And King II started to move internal auditing into a more central assurance role. It introduced the idea of integrated assurance, arguing that internal auditing “should coordinate with other internal and external providers of assurance to ensure proper coverage of financial, operational, and compliance controls and to minimize duplication of effort.” As with King I, these new ideas, some of them radical at first, gradually became accepted as best practice around the world.

Nonetheless, King I had a huge impact. “That first King report started a revolution in internal auditing,” says Thienus Coetzee, vice president of internal audit at South African mining company Anglo Gold Ashanti. “To be blunt, until then it was a dumping ground for people who didn’t want to work anywhere else or couldn’t work anywhere else. The King report was a huge influence.” King gave internal auditing another massive boost when he produced an updated version of his report — King II — in 2002. The audit function played an integral role in good governance, this report said (see “King Through the Years”).

 

And now his ideas look set to give internal auditing another big push forward. In King III, his latest report, published in 2009, professional internal auditing is not just integral to good governance, it is central to it — a vital ingredient of business success. Internal auditing is not just an important activity in its own right, it underpins the organization’s wider governance efforts and plays an essential role in the achievement of business strategy. Moreover, the kind of internal auditing that King III calls for is leading edge stuff. Internal auditing should be risk-based, gathering and combining sources of assurance from across the organization, giving the board and audit committee vital insights that they cannot get elsewhere, it says. Not surprisingly, internal auditors who have already gotten to grips with the governance model set out in King III say their peers around the world should take note: King’s latest ideas can help all internal auditors do a better job and add more value.

 
INTERNAL AUDITING TRANSFORMED

King III raises the bar even higher than its predecessors and introduces another set of innovative ideas about corporate governance and internal auditing’s role. Written during the global financial crisis, when poor risk management was exposed at many companies, the new report includes a much stronger focus on risk management and gives the audit committee far greater independence (when implemented, the audit committee of every public company in South Africa will have to be appointed by shareholders at the annual general meeting).

 

On risk, the report says a company should have a risk assessment framework that identifies the root causes of risk and considers all aspects of risks and risk sources. It says risk management must be embedded into the company’s day-to-day operations, management should not “follow the herd” when faced with systemic and pervasive risks, and management should be able to identify and understand how risks are related. There is also a specific focus on IT risk that addresses the key governance areas related to IT and clearly places the responsibility of IT governance with the board.

 

Within this new governance approach, King III includes four important changes for internal auditing. The first is that internal audit plans should be risk-based. Many audit shops will be doing this already, King says, but not all. “Internal auditing has a critical involvement in risk, so its plan should be risk-based,” he says. “And when you have a risk-based internal audit plan it dovetails better with the external audit plan, which means you get better audit coverage.”

 

Second, the audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities. The aim is to “optimize the assurance coverage obtained from management, internal assurance providers, and external assurance providers.” The report says internal auditing should play a pivotal role here, providing the board with assurance that the combined model optimizes costs, avoids duplication, and “prevents assurance overload and assessment fatigue.” That means internal auditing is an important assurance provider in its own right, but also hovers above all the other assurance providers — including management — assimilating their work.

 

The third important change is that King III tells internal auditing to provide two written assessments each year on the effectiveness of the company’s system of internal control and risk management. The first covers financial controls and goes to the audit committee. The second covers all risks and is for the board.

 

King III is careful to call these reports assessments rather than opinions. “Opinion has connotations in the legal and accounting worlds, and I didn’t want to start a whole debate about opinions,” King says. The assessment is meant to give the audit committee or board what King calls “a context of substance and knowledge” in which they can form their own opinion. Such a formal statement on the effectiveness of financial control might sound a lot like the U.S. Sarbanes-Oxley Act of 2002, with its associated costs and bureaucracy. But King says there is a key difference: There is no need for the external auditor to check internal auditing’s assessment. “We thought that was completely unnecessary,” he says. “It just adds another layer of expense.”

 

The final important change for internal auditors is that the CAE should have “a standing invitation” to attend meetings of the company’s executive committee. This is the group of senior executives, chaired by the chief executive, responsible for implementing a strategy agreed upon with the board. The CAE should not be a member of the committee, King says, as that would compromise his or her independence, but should be able to attend any meeting. The same invitation should cover the audit and risk committees, if they exist. The idea is to secure the CAE’s “top table” access.

 

Taken together, King says he wants the changes in his new report to further raise the profile of internal auditing, and of the CAE specifically. The new report says the CAE should be “connected to the realities of the business” and be able to challenge on issues relating to all facets of the company. “I’d like the chief internal auditor to be seen as absolutely key to the question of good governance,” he says. “He is the ringmaster in combined assurance and the right arm of the nonexecutive board. That’s why when I talk about the attributes needed by an internal auditor I say he can no longer be a backroom character. He’s got to have boardroom presence, be intellectual, be interactive, and criticize constructively. It’s a new person altogether.”

 
CHANGING EXPECTATIONS

Norman Gray, CAE at South African retailer Massmart Holding, was a member of a King III subcommittee that developed the recommendations on internal auditing. He says the impact on internal audit shops in South Africa will be varied, depending on the size of the organization and its risk maturity.

 

In his company, Gray already follows a risk-based plan and gives his audit committee assessments and opinions on risks and controls. And he already attends Massmart’s executive committee meetings regularly and goes to every other one of the company’s quarterly board meetings. Attending such senior meetings may be difficult for CAEs who haven’t operated at that level before, he says. The discussions cover not just risk and control, but wider business strategy and operational areas, such as marketing. “It is very different. It needs a different skill set,” he explains.

 

But from what he has heard at workshops on the implications of King III, some audit organizations face more of a challenge to comply. “It’s clear that there are some out there who are still stuck in the world of internal auditing being about control and being financially oriented, looking at substantive stuff and not risks,” he says. “I have listened to people from reasonably large companies, and they have asked questions and talked about things in a way that makes me think, ‘Where have you been for the last 15 years?’”

 

Coetzee says he has created a personal action plan for implementing King III at Anglo Gold Ashanti. His two key items are to ensure the combined assurance model is in place and working — so that he can provide the required overall assessments to the board and audit committee — and to give the audit committee an annual presentation confirming the independence of internal auditing. Because the company is listed on the New York Stock Exchange, it complies with Sarbanes-Oxley, which Coetzee says will make it easier for him to provide the assurance on financial controls, as he does much of that work already. While he appreciates King’s reasons for not calling this exercise an “opinion,” he says he believes it will become that in practice. “Your assessment is meant to be building up to an opinion, but the audit committee is bound to say ‘what do you mean by all of this?’ So I’ll have to give an opinion.”

 

Internal audit shops at some companies, smaller ones especially, might find it hard to implement some of King III, such as the parts on risk management and audit independence, Coetzee says, but overall the changes will be positive for the profession as internal auditing underpins everything else that King III does. “In the past it might have been difficult for us to get into certain areas; now it says very specifically that internal auditing needs to give that assurance.”

 
A GLOBAL IMPACT

While the third King report has been written to improve corporate governance at South African companies, its impact will be felt beyond the country’s borders. Coetzee says the nonexecutives on his board hold similar positions at companies around the world. They pick up changes in other governance codes and cherry-pick the good parts, looking at how they can apply them at other companies. They’ll now be getting used to the idea that combined assurance is best practice, that internal auditing should be independent — with a reporting line to the audit committee — and that internal auditing should be giving overall assessments on the effectiveness of all controls. They’ll be asking internal auditors at other companies whether they do all these things too, Coetzee notes.

 

Gray agrees. His message to internal auditors working in other countries: “Watch what is happening in South Africa and ask yourself, ‘Do I like what I see? Could I do this in my business?’” Auditors should think about how they could use King III to get better access to the top table in their organization and how they can get more involved in strategic risk, he suggests.

 

Richard Chambers, global IIA president and CEO, says the King III recommendations have his full support. “The IIA has long advocated that internal auditing is integral to good governance. We see the King III report as validating that belief in a way that we have not seen before in corporate governance codes,” he explains. “Specifically, it recognizes the importance of internal auditing to the point that it spells out the principles upon which a strong and effective internal audit function should be built, and those principles align very closely with The IIA’s International Standards for the Professional Practice of Internal Auditing.”

 

With the current global economic crisis, internal auditing is well-positioned to add value through the assessment and provision of assurance about the effectiveness of risk management and control in the company, Chambers says. “There is pressure on boards to play a stronger role in risk management; they will need someone who is independent and objective to provide them with assurance because they are not going to be there every day and cannot assess all the risks themselves.”

 
A VIEW TOWARD KING IV

While internal auditors digest the implications of King III, its author is already thinking about what might appear in King IV. Any fourth report would seek to ensure that governance and internal auditing evolve to match the changing nature of business, he says.

 

“The milieu in which companies operate has changed completely,” King says. Companies now face three crises: the financial crisis, climate change crisis, and environmental crisis, in which two-thirds of the world’s ecosystems and biodiversity are being degraded. “Companies that work on the basis of the economic model that we have had for 150 years — that natural capital is limitless, and that the planet can absorb waste on an unlimited basis — I’m afraid will not be sustainable over the next 10 or 15 years, simply because the planet cannot sustain them,” he says.

 



Audit Committees
What is your advice on the issue of escalating Audit Committee reports to other review bodies Anti Corruption, Stock Exchange, where audit committee's view is that management is not fully addressing issues referred to audit Committee from either External or Internal Audit reports, and such issues if not well addressed may have a serious impact on the performance of the organisation. In coming up with Audit Committee Guidelines in the Public Sector in Kenya, we suggest that the Audit Committee should be free to report. Thank
Posted By: Willis Odhiambo Okwacho
2010-02-12 3:33 AM
Internal audit role in strategy
Indeed King III report was good. Internal audit work especially risk focus is a critical input to strategy setting of the Company and every successful Board cannot ignore this. The mere fact that this process highlights hardcore risk factors threatening achievement of corporate objectives positions use of the output from an audit process central in strategy setting.
Posted By: stephen nthei
2010-02-12 12:23 AM


