The primary research question of this study reads as follows:
What do IAs in SA perceive as their role towards CG in SOEs?
The IAF is a unit who is responsible for evaluating, among other functions, CG practices in an entity to assure its effectiveness and efficiency. The IAF performs this function by using various methods prescribed to IA professionals by the IIA.
By posing the primary research question, its research objective was to establish the perceptions of SA IA professionals employed in SOEs in SA to understand their roles towards CG in SOEs. The scores reflected below, is all above average (2.5 out of 5), however, the scores below is not the result of an adequately performing function that the IAF performs in SOEs. As the frequency of responses differ per question posed to researchers, the researcher’s perspective is that although the mean scores reflect positive scores, there are still room for improvement within the IAF in SOEs. Therefore, the interpretation of the results is for this reason, reflected below.
The following statements provided the answer to the primary question, and the mean scores are reflected in brackets:
IAs regularly evaluate internal controls within the SOE (mean score = 3.78). Although this average score remains high, and is indicative of the testing of internal controls by IAs being at a respectable level. The concern is that this is an average score, which indicates that while some respondents have scored this question high, others have not, thus bringing down the mean score. This may be indicative of greater attention that needs to be exercised by the IAF in the evaluation of internal controls within the SOE, as this may be indicative of internal controls that may require improvement, and further improvement may be required in the testing of internal controls, to measure whether they provide the SOEs with the control measures for which they are intended.
IAs continuously assess the SOE objectives to test compliance with the mission of the SOE (mean score = 3.57). Although this score is significantly above 2.5, this mean score may be an indication that IAs do assess SOE objectives to test against the mission, but more regular
112
testing should be performed by the function, at strategic times during the financial year, which could be at beginning of the Financial year, or at the beginning of each quarter. This finding impacts on the IAFs responsibility to promote the objectives, vision, mission and values within the SOE, which may also impact on their responsibility to promote ethical standards and practices in SOEs. Further interpretation of this allows for the reasoning that management and staff may not be continuously reminded/educated about the company objectives, vision and mission, by the IAF. The IAF can action the promotion of company objectives and values better, through conducting roadshows and circulating internal communiques via the SOEs’ e-mail system to SOE staff, but at present, this may be a gap that needs to be filled.
The IAF recommends ways to improve organisational performance management within the SOE (mean score = 3.86). From the results, it is clear that recommendations are provided to improve organisational performance management. These recommendations should include a section on non-compliance to standard operating procedures, where irregularities (minor or major) committed by individuals, are included, which management must address with staff, to ensure that greater integrity, accountability and responsibility is administered by and within SOEs. This action is a way towards ensuring that ethical governance standards are employed with SOEs.
IAs recommend ways for departments to mitigate risks identified (mean = 3.83). The IAF recommends ways to management to address CG challenges faced by the SOE (mean = 3.77). The IAF recommends ways to coordinate activities among the board and various assurance providers within the SOE (mean = 3.73). Each audit conducted by the IAF is followed up by a report addressed to management, which highlights the status of the function performed, and highlights all findings on the audit conducted. Importantly, and a critical part of the audit report on the function audited, are the recommendations provided by the IA professionals that can assist management in the mitigation of the various risks related to the function, that has been detected by the IAF. From the above scores, it is clear that the IAF is recommending ways to mitigate risk across various areas in SOEs, on audits performed. It is clear that recommendations are provided by IAs in the IAF, and are at the desired standard.
Whether these recommendations are actioned by management, can relate to the theme- Attitude toward IAF.
The results that suggest whether the IAF identifies priority departments whose controls are most threatened by risk within the SOE, contains a mean score of 3.53 out of 5. The
113
identification of high-risk departments in an entity, is a critical role that should be performed by both the Risk departments and the IAF of the entity, and the IAF is responsible for the evaluation of Internal Controls. The evaluation of internal controls and risk management is stated in the definition of Internal Auditing, and as such, together with governance, forms the core essence of the IAF. Risk is imminent in each entity, and it is of paramount importance that the Risk management function, and the role of the IAF towards risks within each department of the entity, enjoys the highest priority. With this reflected mean score above, it is clear that this function is performed by the IAF in SOEs. As the IAF is a risk-based function, the results suggest that the IAF is identifying the priority areas of SOEs that are most threatened by risk. However, the score suggests that respondents are not entirely satisfied with this function, and that there is room for improvement in identifying departments whose controls remains threaten by risk. A reason for this may be that the IAF does not, or cannot provide absolute assurance on the areas that is audited.
Recommendations provided by the IAF to management within the SOE are also adopted (mean = 3.14) and implemented (mean = 2.95). The respondents further indicated that the IAF in SOEs communicates effectively and efficiently within the SOEs. The researcher, however, is of the view that looking at the average mean scores of 3.14 and 2.95, these numbers could be improved. As further stated on whether recommendations are actioned by management, the results suggest that respondents may not be satisfied with the implementation of their recommendations by management, after audits performed, and reports submitted by them, to management. Although management may adopt and implement recommendations, it is not clear as the scores are not at the required level. This action by management therefore requires improvement on adopting and implementing the IAF’s recommendations. This could even indicate that management might not be welcoming of the recommendations and value that are provided by the IAF, which could affect adopting and implementing the IAF’s recommendations within SOE operations.
Findings
1. The IAF may not be aspire to provide absolute assurance required within areas where it is needed, like risk management. Reasonable assurance may not be adequate, because not the entire population areas are tested. The evaluation of risk management practices by the IAF may not be performed at an adequate level, and may require improvement. If risk is not entirely identified and mitigated, SOEs and its mandate to deliver utility services, will deteriorate as the risk increases in the SOE.
114
2. It is not entirely clear whether recommendations provided by the IAF after an audit, in audit reports to management, are adopted and implemented by management in the various departments in SOEs. If these recommendations are implemented by management, the functioning of departments will comply with CG standards, and these recommendations will assist the SOE to achieve its mandate.
3. Management may not be held accountable for ignoring recommendations provided by the IAF towards the mitigation of the findings/risks of a specific department.