REPUBLIC OF SOUTH AFRICA (RSA) APPROACH TO THE COSO COMPONENTS 2 & 3 AND THE 3 LINES OF DEFENCE (COMBINED ASSURANCE)
Presenter: Pulane Mkhize | National Treasury - RSA | 10 April 2019
TABLE OF CONTENTS
  Background
  The COSO Internal Control – Integrated Framework
  COSO IC Component 2 – Risk Assessment
  COSO IC Component 3 – Internal Controls
  Lines of Assurance
  Combined Assurance – Approach in RSA
  Combined Assurance Process
BACKGROUND

Legislative Mandate

PFMA
  Section 38 1(a)(i) – National Departments (Ministries): “The accounting officer for a department, trading entity or constitutional institution must ensure that that department, trading entity or constitutional institution has and maintains— effective, efficient and transparent systems of financial and risk management and internal control”
  Section 51 1(a)(i) – Public Entities (State Owned Entities): “An accounting authority for a public entity must ensure that that public entity has and maintains effective, efficient and transparent systems of financial and risk management and internal control”

TREASURY REGULATIONS
  Issued in terms of the PFMA for Departments, Constitutional Institutions and Public Entities
  Chapter 3
The COSO Internal Control – Integrated Framework

Internal Control Components
  Control Environment
  Risk Assessment
  Control Activities
  Information & Communication
  Monitoring
COSO IC Component 2 – Risk Assessment

Levels of Risk Assessments in SA
  Strategic, tactical and operational levels (for 3-tier organisations, e.g. SOEs)
  Strategic and operational levels (for 2-tier organisations, e.g. government departments)

Objectives
  Strategic objectives are set out in multi-year strategic plans
  Operational objectives are set out in corporate plans/annual performance plans

Basis for Risk Assessments
  Strategic objectives are used to compile strategic risk registers
  Operational/annual performance objectives are used to compile operational risk registers

Basic Risk Register Components
  a) Risk name and description
  b) Contributing factors
  c) Consequence description
  d) Internal controls
  e) Residual risks
  f) Risk tolerance levels (RRT)
  g) Net risk exposure
  h) Mitigation plans

Risk Assessment Matrices
  A rating is assigned based on the level of probability of risk occurrence (likelihood rating) and the effect the risk may have on an organisation's objectives (impact rating)
  Internal control effectiveness is assessed using a specified rating

Key Risk Management Instruments
  a) Risk management policy
  b) Risk management strategy & route map
  c) Annual risk implementation plan
  d) Risk management framework
  e) Risk management tool

Risk Management Structures
  a) Board/Council/Executive Authority
  b) Risk Management Committee
  c) EXCO
  d) Risk Management Function
  e) Risk Champions Forum

Risk Monitoring
  a) Emerging risks
  b) Risk movements
  c) Near-miss events
  d) Loss events
  e) Retired risks
  f) Risk management performance

Risk Management Reporting
  Internal reporting (to all risk monitoring forums)
  Connected reporting (to the Risk Management Committee and the Board/Council/Executive Authority)
  External reporting (to Shareholders/the Public)
COSO IC Component 3 – Internal Controls

Internal Control Framework
  This is an internally developed framework, which outlines:
  a) Nature, type and category of controls
  b) Criteria for control adequacy
  c) Criteria for control effectiveness
  d) Processes for design, implementation and monitoring of internal controls
  e) Assessment of internal controls

Key Control Classifications
  a) Entity-level controls – these provide direction and set out requirements for what must be done to achieve objectives, e.g. policies
  b) Process-level controls – these are integral to the organisational processes and activities performed on a daily basis to achieve policy directives and requirements
  c) Key controls (made up of primary and compensating controls)

Classification of Controls by Key Functional Process
  a) Critical operational performance controls (COPCs)
  b) Critical financial reporting controls (CFRCs)
  c) All these controls may be manual, automated or a hybrid

Risk and Control Relationship
  Internal controls do not respond directly to risks, but to each contributing factor identified for a risk
  One (1) risk may have multiple contributing factors – each of these must be appropriately addressed by a relevant internal control
  A combination of controls that respond to the multiple contributing factors for one (1) risk makes up one (1) key control

Mitigation Plan
  These are planned enhancements to internal controls, in cases where existing controls have been assessed as inadequate/ineffective; or
  Introduction of new controls, in cases where no controls existed to respond to identified and assessed risks

Policies, Procedures & Forms
  a) All policies serve as entity-level controls, as they provide direction on various key focus areas
  b) Standard operating procedures outline specific activities that must be carried out in implementing policy directives
  c) Forms, registers and other templates help ensure that standardisation of processes is achieved across the organisation
COSO IC Component 3 – Internal Controls cont…

Design, Implementation and Assessment Guide

Economy
  The cost of the key control should not exceed the benefits derived from that key control
  Both the real and opportunity costs must be considered

Efficiency
  Duplications in the process of implementing an internal control should be identified and eliminated
  Any controls that cause delays in customer service, production or decision-making should be enhanced (causes of inefficiencies must be reduced/eliminated)

Effectiveness
  Key performance measures, targets and indicators must be developed for internal controls to enable objective assessment of performance
  The entire key control, and not just a few components of a key control, must operate effectively and achieve the pre-set KPTs
COSO IC Component 3 – Internal Controls cont…

Board/Council/Executive Authority
  The King IV Report sets out 4 outcomes for the Governing Body:
  a) Ethical culture
  b) Good performance
  c) Effective control
  d) Legitimacy
  The PFMA, MFMA and Treasury Regulations require the Board/Council/Executive Authority to ensure controls are in place and operating effectively

Management
  Management is required to design adequate internal controls, lead their implementation and monitor their effectiveness
  In South Africa, the Management Control Policy outlines Management's responsibilities for the design, implementation, monitoring, review and updating of the policy.

Employees
  By following directives outlined in policies and steps/methods set out in the SOPs, employees embed internal controls in their daily functions.
  Employees require support, through training and availability of resources, in order to efficiently and effectively achieve key control objectives

Internal Control Structures
  Internal control monitoring is made an integral part of every Committee within an organisation, from the Executive Management Committee (EXCO) to sub-committees of EXCO
  In some organisations, a dedicated Internal Control Function is established to provide IC subject matter expertise to Management and employees
Lines of Assurance

First Line of Assurance – Management Oversight
  Nature of Assurance: Line management is accountable and responsible for the management of risk and performance. Management can establish a system of self-assessment/reviews to inform them on the adequacy and effectiveness of risk management activities.

Second Line of Assurance – Technical Support Structure
  Nature of Assurance: Specialist Units are subject matter experts, and as such provide technical support to line management in executing their duties. These include functions such as risk management, legal & compliance, internal control, quality assurance and health & safety specialists.

Third Line of Assurance – Objective Assurance
  Nature of Assurance: This is independent assurance, generally provided by objective assurance providers such as internal auditors, external auditors, external quality assurers, regulatory health inspectors, independent actuaries, etc.

Reporting Lines
  Sub-committees of Executive Management (across the Group); Risk Management Committee; Audit Committee; Accounting Authority; Executive Authority

Oversight Structures (Governing Body, GB Sub-Committees, EXCO, EXCO Sub-Committees)
  Oversight structures review and approve the combined assurance framework, policy and plan, and then monitor the roll-out of the framework and the implementation of the policy and the plan.
  As part of their monitoring activities, oversight structures assess whether there are improvements in the control environment; whether there is increased integrity of internal information; and whether information included in external reports is valid and credible. Oversight structures use the results of internal and external audits to make this assessment.
Combined Assurance – Approach in RSA

Principle 15 of the King IV Report recommends that the governing body should establish effective combined assurance processes to achieve:
  an effective internal control environment;
  improved integrity of information used for internal decision-making; and
  improved integrity of external reports.

Standard 2050 of the Institute of Internal Auditors (IIA) requires that “The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.” Thus, the IPPF requires that custodianship of combined assurance must rest with the CAE.

Paragraph ( for Public Entities) of the Treasury Regulations requires that “Internal audit must be conducted in accordance with the standards set by the Institute of Internal Auditors.” Thus, the Treasury Regulations give regulatory status to the International Professional Practices Framework (IPPF) of the IIA.

The Treasury Regulations are recognised as statute in South Africa, and as such failure to achieve the requirements of paragraph ( for Public Entities) of the Regulations constitutes non-compliance with laws and regulations. Thus, failure by the Internal Audit Function to comply with the requirements of Standard 2050 constitutes failure to comply with the Treasury Regulations.

In conclusion, in order for the Internal Audit Function to be assessed as conforming with the requirements of Standard 2050, it must coordinate and assume custodianship of combined assurance processes within an organisation. Any arrangement outside this requirement, in relation to coordination of combined assurance processes, constitutes non-compliance with laws and regulations. No other Function within an organisation, apart from the Internal Audit Function, is required either by legislation or professional standards to coordinate and take custodianship of combined assurance processes.

Further, delegation of combined assurance oversight responsibilities to the Audit Committee by the governing body confirms the Internal Audit Function's custodianship of combined assurance processes.
Combined Assurance – Process

  1. Context analysis
  2. Key risk identification and assessment
  3. Identification and assessment of key controls for mitigation of assessed risks
  4. Determining the level and extent of assurance required
  5. Determining assurance objectives and scope, and assigning assurance activities to assurance providers
  6. Collectively planning, executing, monitoring and reporting the results of combined assurance activities
Combined Assurance – Process cont…

Third Line of Assurance (Internal Audit)
  Where residual risks are low, the Internal Audit Function provides objective assurance (i.e. conducts audit reviews)
  Where residual risks are high, the Internal Audit Function supports Management with consulting services

Second Line of Assurance (Subject Matter Experts)
  The Risk Management Function provides ERM support to the Risk Owners (Senior Management) and employees
  The Internal Control Function (in organisations that have one) supports Management with the design and monitoring of internal controls

First Line of Assurance (Management)
  This level is tasked with designing and implementing internal controls
  Management monitors internal controls through reviews and control self-assessments
THANK YOU