Last year, the Institute of Directors in South Africa published the King Code of Governance for South Africa 2009 (King III). It is effective July 1, 2010. In my opinion, it was one of the most important advances in corporate governance in years. I am pleased that one of the contributors was IIA–South Africa.
A feature article in the February issue of Internal Auditor discussed some of the elements of the code, particularly the increased expectations of the internal audit function. It heralded that "South Africa's King III report anoints internal auditors as central to their company's governance activities and an essential part of business strategy." PricewaterhouseCoopers also published an excellent report on the code, King's Counsel: Understanding and Unlocking the Benefits of Sound Corporate Governance.
I want to share my perspectives on some of the major aspects of the new Code. South Africa is one of several countries (including the United Kingdom) that use a "comply-or-explain" approach: corporations are expected to comply with the provisions of the nation's corporate governance code, or explain in their annual reports why they do not. Although in South Africa compliance is voluntary, it sets the bar for companies in that nation.
The code includes a general discussion, followed by a schedule of principles and recommended practices. My hope is that as more influential thinkers and regulators grow to understand and appreciate King III, its insights will influence all nations.
- King III says governance "is essentially about effective leadership ... Such leadership is characterised by the ethical values of responsibility, accountability, fairness, and transparency, and based on moral duties." The first principle in the code is "The board should provide effective leadership based on an ethical foundation."
- It also focuses on sustainability, which it says is the "primary moral and economic imperative of the 21st century." King not only advocates a focus on sustainability by corporate boards, but presses for integrated reporting of financial and sustainability information.
- There is a whole section just on internal auditing and the need for it to be risk-based. It includes this important paragraph:
"A compliance-based approach to internal audit adds little value to the governance of a company as it merely assesses compliance with existing procedures and processes without an evaluation of whether or not the procedure or process is an adequate control. A risk-based approach is more effective as it allows internal audit to determine whether controls are effective in managing the risks which arise from the strategic direction that a company, through its board, has decided to adopt."
- That is followed by this key requirement:
"Internal audit should be risk-based and every year the internal auditors should furnish an assessment to the board generally on the system of internal controls and to the audit committee specifically on the effectiveness of internal financial controls. The audit committee must report fully to the board on its conclusions arising from the internal audit assessment. This will give substance to the endorsement by directors of the effectiveness of internal controls."
There is a great deal of discussion among CAEs and the standards and guidance developers at the IIA about whether internal auditors should be required to provide a formal opinion on internal controls. King decided not to use the word "opinion," but there is little doubt that one is required. This is a step that the whole profession needs to embrace!
Later, under principle 4.9, King III goes further. Not only should internal auditing assess controls, but also the risk management processes!
"Internal audit should provide a written assessment of the effectiveness of the system of internal controls and risk management to the board."
The code also requires internal auditing to "evaluate the company's governance processes."
- The code recognizes the importance of IT and includes a section on IT governance principles. They specify that "In exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken in regard to IT governance."
- As you might imagine, one of the principles is "The board should ensure that the company's ethics are managed effectively."
- This next principle lies at the heart of governance, risk, and compliance (GRC): "The board should appreciate that strategy, risk, performance, and sustainability are inseparable."
I say it is at the heart of GRC, as when we talk about risk we are talking about risk to the achievement of strategy. Performance is the measurement of achievement of strategy. Mention of sustainability reflects the King belief that financial performance alone is not sufficient — the corporation also has to be a good citizen.
- King comes down on the side of separating the role of CEO and chairman of the board: "The board should elect a chairman of the board who is an independent nonexecutive director. The CEO of the company should not also fulfil the role of chairman of the board."
- I am intrigued by a requirement that the audit committee should perform an annual review and "satisfy itself of the expertise, resources, and experience of the company's finance function." I imagine this might involve work by the internal audit function.
- There are some specific expectations of the audit committee with respect to internal auditing:
o "The audit committee should be responsible for the appointment, performance assessment, and/or dismissal of the CAE."
o "The audit committee should approve the internal audit plan."
o "The audit committee should ensure that the internal audit function is subject to an independent quality review as and when the committee determines it appropriate."
o "The internal audit function should report functionally to the audit committee."
- There is an appropriate emphasis on risk: "The board should be responsible for the governance of risk." The recommended practices include:
o "The board should comment in the integrated report on the effectiveness of the system and process of risk management."
o "The board's responsibility for risk governance should be expressed in the board charter."
o "The induction and ongoing training programmes of the board should incorporate risk governance." This is an interesting requirement, and I can see not only that it is critical but that internal auditing may have a role in its achievement.
o "The board should review the implementation of the risk management plan at least once a year."
o "The board should ensure that the implementation of the risk management plan is monitored continually."
o "The board should set the levels of risk tolerance once a year."
o "The board may set limits for the risk appetite."
o "The board should monitor that risks taken are within the tolerance and appetite levels."
o "The CRO should be a suitably experienced person who should have access and interact regularly on strategic matters with the board and/or appropriate board committee and executive management."
o "Management should demonstrate to the board that the risk response provides for the identification and exploitation of opportunities to improve the performance of the company." This is a remarkable recognition that risk management is not only about adverse events (the downside), but also the opportunities (upside).
- Some debate whether compliance should be handled as a risk, or excluded — for a variety of interesting reasons. Again, King makes it clear what is expected: "The risk of non-compliance should be identified, assessed, and responded to through the risk management processes."
My questions to you are:
- Do you agree that these provisions are appropriate?
- What else should be covered in a governance code or framework?
- Would you like to see a framework like this in your country?