APPENDIX 4: LIST OF SCHEDULE 1 OFFENCES 270
6.12 KING CODES ON CORPORATE GOVERNANCE
6.12.3 King III
According to Jackson and Stent (2010:4/4), the King code of governance for South Africa (King III) was created during 2009. The IODSA (2009) issued King III pursuant to the promulgation of the Companies Act 71 of 2008, as well as due to global changes in corporate governance. King III embodies many sound governance principles that were contained in the previous two King reports on corporate governance. The difference with King III is that it applies to all public, private and non-profit entities that operate in South Africa.
The “apply or explain” basis, for the implementation of the code on corporate governance, emanated out of King III. The term “apply or explain” means that, when directors choose not to implement a governance recommendation, they need to explain the reasons why it is not applicable. In this regard, Jackson and Stent (2010:4/5) hold that the “apply or explain” basis does not afford directors an excuse to violate any laws. Legislative compliance does not operate on the “apply or explain” basis. Directors cannot attempt to justify a violation of the law on the basis that it was done in the best interests of the entity. King III is not enforced through any legislation. The Companies Act 71 of 2008 contains many corporate governance principles that were contained in King II.
According to Wixley and Everingham (2002:9), compliance with King III is voluntary to all private sector entities and certain public sector entities in South Africa, except for companies that are listed on the Johannesburg Securities Exchange (JSE). There are nine constructs (principles) to the King III IODSA (2009:16) corporate governance framework. They are:
Ethical leadership and corporate citizenship;
Boards and directors;
Audit committees;
Governance of risk;
Governance of information technology;
Compliance with laws, codes, rules and standards;
Internal audit;
Governing stakeholder relationships, and
Integrated reporting and disclosure.
For purposes of this research, the following four relevant constructs of this framework were chosen:
Ethical leadership and corporate citizenship;
Audit committees;
Governance of risk, and
Internal audit.
Each of these four constructs contains various governance elements. The governance elements in turn contain various governance principles. These chosen governance elements and principles of the King III corporate governance framework have simplified our understanding about fraud prevention from a holistic perspective.
The selected corporate governance constructs, elements and principles are explained further in this chapter. Figure 6.1 below depicts the four constructs of King III that were chosen for this study:
Figure 6.1: Adapted from the King Code of Governance for South Africa (King III)
Source: IODSA (2009:16)
King III Ethical leadership and
corporate citizenship
Audit committees
Governance of risk Internal
audit
Table 6.2 below reflects the governance elements and principles associated with the four chosen constructs of King III:
Table 6.2: Chosen Constructs of the King Code of Governance for South Africa (King III)
CONSTRUCT GOVERNANCE ELEMENT GOVERNANCE PRINCIPLE
Ethical
leadership and corporate citizenship
Responsible leadership, the board’s responsibilities and ethical foundation.
The board should provide effective leadership based on ethical foundation.
The board should ensure that the company is, and is seen to be, a responsible corporate citizen.
The board should ensure that the company’s ethics are managed effectively.
Audit
committees Existence of audit
committees. The board should ensure that the company has an effective and independent audit committee.
Membership and resources of
the audit committee. Audit committee members should be suitably skilled and experienced, independent, non-executive directors.
The audit committee should be chaired by an independent, non-executive director.
Responsibilities of the audit
committee. The audit committee should oversee integrated reporting.
The audit committee should ensure that a combined assurance model is applied to provide a co-ordinated approach to all assurance activities.
Internal assurance providers. The audit committee should satisfy itself of the expertise, resources and experience of the finance function.
The audit committee should be responsible for overseeing of internal audit.
The audit committee should be an integral component of the risk management process.
External assurance providers. The audit committee is responsible for recommending the appointment of the external auditor and overseeing the external audit process.
Reporting. The audit committee should report to the board and shareholders on how it has discharged its duties.
Governance of
risk The board’s responsibility for
risk governance. The board should be responsible for the governance of risk.
The board should determine the levels of risk tolerance.
The risk committee or audit committee should assist the board in carrying out its risk responsibilities.
Management’s responsibility
for risk management. The board should delegate to management the responsibility to design, implement and monitor the risk management plan.
Risk assessment. The board should ensure that risk assessments are performed on a continual basis.
The board should ensure that the frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks.
Risk response. The board should ensure that management considers and implements appropriate risk responses.
Risk monitoring. The board should ensure continual risk monitoring by management.
Risk assurance. The board should receive assurance regarding the effectiveness of the risk management process.
Risk disclosure. The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders.
Internal audit The need for and role of
internal audit. The board should ensure that there is an effective risk-based internal audit.
Internal audit’s approach and
plan. Internal audit should follow a risk-based approach to its plan.
Internal audit should provide a written assessment of the effectiveness of the company’s system of internal control and risk management.
The audit committee should be responsible for overseeing internal audit.
Internal audit’s status in the
company. Internal audit should be strategically positioned to achieve its objectives.
Source: IODSA (2009:16)
6.12.3.1 Ethical Leadership and Corporate Citizenship
In ensuring ethical leadership and corporate citizenship, the board of a company should:
Provide direction for the company strategy and operations;
Be mindful of the impact of the company operations on people, profit and planet;
Engender an ethical culture within the company by getting management to devise and implement a code for ethical conduct;
Be accountable to all stakeholders, and
Execute its responsibilities with responsibility, accountability, fairness and transparency.
6.12.3.2 Audit Committees
In terms of good governance and compliance with the Companies Act 71 of 2008, audit committees should be established for all companies. The audit committee should:
Report directly to the board of the company;
Meet independently with internal and external auditors;
Have suitably skilled and experienced members who are independent, non- executive directors;
Monitor the accuracy and completeness of the financial reporting of the company;
Maintain oversight in respect of integrated reporting;
Ensure that it receives combined assurance from internal and external auditors as well as from management;
Be satisfied with the competence of the finance function of the company;
Maintain oversight of the internal audit function;
Play an integral role in the process to manage risks, including fraud risks, insofar as it relates to financial reporting;
Oversee the external audit process and recommend the appointment of external auditors, and
Report to the board and shareholders about its activities.
6.12.3.3 Governance of Risk
The governance of risk has to be considered within the risk management process, and in this regard the board should:
Take responsibility for the governance of risk and ensure the existence of a risk management policy and plan that is widely publicised and implemented;
Ensure that management identifies and measures risks and implements mitigating controls to obviate the risks;
Determine the levels of risk that the company is willing to tolerate for key risks;
Be assisted by the audit and risk committee in carrying out its risk responsibilities;
Ensure that management designs, implements and monitors the risk management plan;
Monitor and ensure that assessments are performed of the various types of risks on an annual basis;
Be assured by management that risk management frameworks and methodologies have been implemented which enhance the predicting of all types of risks;
Ensure that all risks are ranked and rated and that management has devised adequate responses to the identified risks;
Ensure that management monitors the identified risks on an ongoing basis;
Be assured by management about the effectiveness of the risk management process, which should be assessed by internal audit;
Ensure that the internal audit function does not take on responsibility for any risk management functions, and
Issue a statement in the integrated report on how it executed its roles and responsibilities in respect of risk management.
6.12.3.4 Internal Audit
The internal audit projects should be risk-based, and in order to ensure that the internal audit function is effective, the board should:
Ensure that all internal audit projects are based on identified risks within the company;
Ensure the internal audit function provides a written assessment of the effectiveness of the internal control environment and the risk management process;
Maintain oversight of the internal audit function, and
Ensure that the Chief Audit Executive reports administratively to the Chief Executive Officer of the company and functionally to the audit committee.
This section is particularly relevant to employee fraud and prevention strategies at universities in KwaZulu-Natal.