Moving forward with combined assurance www.pwc.com Moving forward with combined assurance IMFO Audit & Risk Indaba 28 October 2011 frank.muller@za.pwc.com

Discussion topics The source of the combined assurance concept Objectives and tangible benefits The challenges The models to consider A five step practical approach Where to from here………….. Combined assurance and corporate governance October 2011

Combined assurance model 1. The Source - King III introduces combined assurance as a recommended governance practice Combined assurance model “3.5. The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities” “7.3.1. Internal audit should form an integral part of the combined assurance model as internal assurance provider.” Combined assurance and corporate governance October 2011

2. The objectives A combined assurance model aims to optimise the assurance coverage obtained from management, internal assurance providers and external assurance providers on the (key) risk areas affecting the company. The combined assurance provided by internal and external assurance providers and management should be sufficient to satisfy the audit committee that significant risk areas within the organisation have been adequately addressed and suitable controls exist to mitigate and reduce these risks. What are we often faced with? Risks not being covered/ covered too much Audit fatigue Limited assurance budget (especially for internal audit?) Combined assurance and corporate governance October 2011

2. Combined assurance offers tangible benefits that extent beyond compliance Coordinated and relevant assurance efforts focusing on key risks Comprehensive and prioritised tracking of remedial actions Minimised business/operational disruptions Improved reporting to the board and committees, including reducing the repetition of reports Possible reduced assurance costs or expansion in scope The use of combined assurance to support the audit committee and board in making their control assessment statements in the integrated report (IFC’s and systems of internal control) Combined assurance and corporate governance October 2011

3. The challenges and critical success factors Executive sponsor Combined Assurance champion – the driver Relevant and accurate risk information – ERM Maturity Agreeing on a framework, methodology, risk language, enabling technology Evaluating the quality of assurance provided and to whom Deciding on the desired level of assurance from which assurance provider (link to risk appetite and tolerance) Communication and training throughout the organisation Clear understanding of the plan, its objectives, processes, and outputs Combined assurance and corporate governance October 2011

3. The challenges and critical success factors Combined assurance and corporate governance October 2011

4. Market Models – What we see… New market challenge IFC’s and overall controls Who drives the combined assurance initiative Combined assurance and corporate governance October 2011

5. Combined assurance is one the biggest challenges in adopting King III A practical five-step approach to implementing an effective combined assurance approach Establishing the business case Assess the actual assurance provided – Reality check Detailed mapping of risks to assurance providers Design Combined Assurance blueprint Make Combined Assurance a reality Combined assurance and corporate governance October 2011

1. Gain high-level understanding of the current Assurance Profile Assurance is provided by 3 Lines of Defence: Line#1 - Management oversight e.g. performance measurement, risk management, control self-assessment. Line#2 - Enterprise risk management, legal, compliance, health and safety, quality assurance. Line#3 - Internal audit, external audit and other credible assurance providers. Management oversight will be factored into combined assurance where no second and third lines of defence are considered appropriate in the combined assurance model The business case is established through getting an overview status of the assurance profile Combined assurance and corporate governance October 2011

Example Assurance Profile Processes Three lines of defence assurance providers First line of defence - Management Second line of defence – Risk and legal based assurance Third line of defence – Independent assurance Control self assess Mgt review Special project ERM SOX Compliance External audit Internal audit Strategic Funding Sustainability Growth Operational Treasury Products and services Finance Extensive assurance Moderate assurance Inadequate assurance Not applicable Combined assurance and corporate governance October 2011

2. The assurance reality check Identify the assurance providers Internal and external audit ― Human Capital Risk Management ― SOX Compliance Compliance ― ISO Information security ― Insurance Assessment of the assurance providers Skill and experience levels Scope and frequency of work will address the risks Acceptable approach/methodology Conflict of interest Quality reviews Combined assurance and corporate governance October 2011

2. The assurance reality check Example of ranking of assurance Combined assurance and corporate governance October 2011

2. The assurance reality check Assess quality of assurance: Interviews with the recipients of the assurance Identify the assurance sponsors for forward consultation Assessment of current state of assurance reporting: Assurance may not reach appropriate forum Some forums do not receive any assurance Certain governance committees are overburdened Certain agenda items are debated in multiple forums INTERNAL AUDIT CAN DO THIS ! Combined assurance and corporate governance October 2011

Example – Current state of assurance reporting Combined assurance and corporate governance October 2011

3. Detailed mapping of risks to assurance providers Establish the universe for Combined Assurance: A consistent risk assessment approach should exist – ERM Maturity Profile Use strategic and key business unit risk profiles (start top 20 inherent?) Map the different lines of defence to the detailed risks and controls Determine the desired level of assurance Identify the gaps and the “excess assurance” Use risk management software to allow analysis and reporting INTERNAL AUDIT CAN LEAD THIS PROCESS !! Combined assurance and corporate governance October 2011

Scope excludes detailed configuration Example Risk Map Example IT risk Associated controls Three lines of defence assurance providers First line of defence - Management Second line of defence – Risk and legal based assurance Third line of defence – Independent assurance Control self assess Mgt review Special project ERM SOX Compliance External audit Internal audit Operational - Network Network perimeter security breach Secure firewall configuration Secure remote access design Security monitoring service contracted with supplier Network downtime Service level agreement with supplier Disaster recovery plan P P O O Scope excludes detailed configuration O P P P P P P P P P O P P Currently providing assurance Should provide assurance Quality of assurance acceptable P Quality of assurance unacceptable O Combined assurance and corporate governance October 2011

4. Design Combined Assurance blueprint Convince all stakeholders of the future approach: Agree the common risk universe What assurance is to be provided and to whom Agree on methodology to assess assurance providers Combined Assurance blueprint: Risk based assurance coverage Analysis by assurance provider Management / governance committee responsible Frequency and extent of assurance required Combined assurance and corporate governance October 2011

5. Make Combined Assurance a reality Executive sponsor and Audit Committee support Combined assurance champion driving day-to-day activities Needs to be driven actively Consistent reporting structure and feedback Regular assessment of quality of delivery Combined Assurance Forum Initial planning 3 to 6 monthly assessment Combined assurance and corporate governance October 2011

6. What do I do when I leave here? Find your Executive sponsor Assess the level of maturity of your ERM process Determine who is best placed to drive this initiative Liaison with the AC Chair What are their expectations Reporting requirements GET STARTED ! Combined assurance and corporate governance October 2011

www.pwc.com/za That’s the theory – the rest is up to you! This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Inc, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2011 PricewaterhouseCoopers (“PwC”), a South African firm, PwC is part of the PricewaterhouseCoopers International Limited (“PwCIL”) network that consists of separate and independent legal entities that do not act as agents of PwCIL or any other member firm, nor is PwCIL or the separate firms responsible or liable for the acts or omissions of each other in any way. No portion of this document may be reproduced by any process without the written permission of PwC.