ethics - The Institute of Internal Auditors South Africa

SEPTEMBER 2011 

I A ADVISER 

ETHICS- BUSINESS VS. PERSONAL VS. PROFESSIONAL ETHICS 

AUDITING THE THUNDERS IN THE CLOUD 

RISK SOUND BITES

The Adviser is green! 

Progress Through Sharing 

The Institute’s Board has taken a bold step to ensure that the Institute Members will receive access to the IA Adviser via e-mail so ensure 

becomes more green. After careful consideration, it was decided that you don’t miss a single edition, please make sure your details are 

the Advisor will in future only be distributed in electronic format. up to date. If any change has occurred, please visit our website: 

Showing our support for the conservation of the earth is an important www.iiasa.org.za and download an update form or 

step toward showing the world that we are evolving. 

Email: membership@iiasa.org.za 

The Institute of Internal Auditors South Africa 

Telephone: +27 11 450 1040 ı E-mail: customerservices@iiasa.org.za ı Web: www.iiasa.org.za

BOARD OF DIRECTORS e-mail: directors@iiasa.org.za 

President: Shirley Machaba CCSA 

Snr Vice President: Mmathabo Sukati CIA 

Vice Presidents: Vonani Chauke CIA 

Harold Chiloane 

Brian Cleak 

Vukani Dlamini CIA 

Oupa Mbokodo CIA 

Khethiwe Mhlanga 

Felicia Msiza 

Rob Newsome CIA 

Ashley Smith 

Riaan Thiart CIA 

Arno Vorster 

Chief Executive Offi cer: Dr Claudelle von Eck 

Past Presidents: Justine K Mazzocco 

Past Past Presidents: Linda Yanta CIA 

6 

40 

CONTENTS 

MESSAGE FROM THE CHIEF EXECUTIVE OFFICER 5 

SA WALKS AWAY WITH AWARDS 6 

WELCOME TO NEW MEMBERS 7 

IIA SA EVENTS CALENDER 12 

FEEDBACK FROM THE REGIONS 15 

THE AUDITORS ARE BACK! 18 

ETHICS- BUSINESS VS. PERSONAL VS. 

PROFESSIONAL ETHICS 20 

AUDITING THE THUNDERS IN THE CLOUD 23 

RISK SOUND BITES 30 

QUALITY ASSURANCE OF THE INSTITUTE OF INTERNAL 

AUDITORS SOUTH AFRICA’S CONTINUING PROFESSIONAL 

DEVELOPMENT (CPD) PROGRAMS 34 

A KEEN FOCUS ON SUPPLY CHAIN MANAGEMENT 

BY GOVERNMENT WILL HELP TO BUILD CONFIDENCE 

IN OUR DEMOCRACY 36 

UNIVERSITY OF PRETORIA AND NANJING AUDIT 

UNIVERSITY: IAEP PROGRAMMES PROGRESS 

THROUGH SHARING 40 

REGIONAL GOVERNORS 

Central Region: Matlali Solfafa 

Eastern Cape - Border Kei: Mxolisi Silinga CIA 

Eastern Cape - Port Elizabeth: Houdini Fourie 

Gauteng - Johannesburg: Ingrid Ravenscroft CIA 

Gauteng - Pretoria: Adrie de Klerk 

KwaZulu Natal: Jeanette Englund 

Limpopo: Jasmina Patel 

Mpumalanga: Thomas Varghese 

North West: Annelise Erasmus 

Northern Cape: Johan Snyders CIA 

Western Cape: Arno Vorster 

Lesotho: Ntefeleng Tsiboho 

Namibia: Melanie Späth CIA 

Swaziland: Wesley Mndzebele 

IA ADVISER September 2011 | 3

JOHANNESBURG: +27 11 706 9222 

CONTACT 

CAPE TOWN: +27 21 424 3042 DURBAN: +27 31 566 6140 

www.accountantsoncall.co.za 

INTERNATIONAL OPPORTUNITIES - SALARIES HIGHLY NEGOTIABLE 

• CA (SA) / CIA / CISA / MBA 

• Min. 5 years plus commercial with listed and or international 

experience 

• Min. 2 years plus management experience 

• Valid passport 

• Permanent opportunities 

These positions are requiring quality orientated individuals, 

who want to gain international experience within a large 

listed and diverse group. You will be offered an opportunity 

to gain experience that will elevate you to a new level with 

responsibilities on an international level. 

RISK MANAGER – HIGHLY NEGOTIABLE 

• CIA, B Comm (Hons), CCSA 

• IIA and RMSA membership 

• 4 -5 years Risk Management experience 

Newly created position within a listed group is seeking a passionate 

Risk Manager to join their eff ective team. This position 

will off er you a chance to set up and start an eff ective risk func- 

Responsibilities include full management function, strategic 

focus by ensuring the effective achievement of the Internal 

Audit Department’s objectives. 

Knowledge & experience include SOX and COSO risk assessment 

as well as large listed and or international client auditing 

experience. 

Skills include above average English report writing skills, ability to 

manage an outsourcing and co-sourcing services, CAATs, general IT 

audit skills, systems savvy as well as ability to lead, plan and execute. 

Ref: AD001 

tion where your contribution will be part of the success of the 

company in the future. You will be responsible to roll out and 

facilitate workshops to the rest of the group. We need a dynamic 

person who enjoys challenges, diversity and enjoys working 

with people. 

Ref: AD002 

SENIOR SPECIALIST INTERNAL AUDITOR – R650 000 NEGOTIABLE PLUS PERFORMANCE INCENTIVES 

• Gauteng 

• CA (SA) / CIA / CISA / B Comm (Hons) 

• Min. 5 years Internal Auditing experience 

Large corporate is seeking a specialist auditor to join their 

skilled team of highly specialized auditors. The ideal person will 

be analytical, be able to see the bigger picture, a lateral thinker 

SENIOR INTERNAL AUDITOR – R550 000 NEGOTIABLE PLUS PERFORMANCE INCENTIVES 

• Gauteng 

• CIA, B Comm (Hons), B Comm 

• Min. 4 - 5 years commercial or consulting experience 

A dynamic listed group is seeking a passionate, dedicated gogetter 

to join their highly dedicated team of specialists. Skills 

and a problem-solver, take control of situations and be able 

to initiate new approaches. Your ability to lead and supervise 

others will be advantageous. Time management will be required 

as you are working with deadlines. 

Ref: AD003 

required for this role would include SOX experience, supervisory 

experience, and the ability to lead an audit and work on your own. 

There is an element of travelling involved on a quarterly basis. 

Ref: AD004 

To apply for any of these positions please contact 

Marichen Viviers - email: marichen@frontlinesolutions.co.za or 082 891 9816 or 011 706 9222 

Sonja von Poncet - email: sonja@frontlinesolutions.co.za or 082 779 1302 or 011 706 9222 

Chantal David - email: chantal@frontlinesoltuions.co.za or 082 898 1116 or 011 706 9222 

Please quote the reference number when applying for the position.

Institute of Internal Auditors South Africa 

Unit 2, Bedfordview Offi ce Park 

Bedfordview , 2008 

P O Box 2290, Bedfordview, 2008 

Telephone: +27 11 450 1040 

Facsimile: +27 11 450 1070 

IIA SA Website: www.iiasa.org.za 

IIA Inc Website: www.theiia.org 

Business Hours: 

Mon - Thurs: 08h30 - 17h00 

Friday: 08h30 - 16h00 

Accounts / Finance: Patrick Clarence 

e-mail: patrick@iiasa.org.za 

fax: 086 685 0163 

Bookstore: 

e-mail: bookstore@iiasa.org.za 

fax: 086 685 0164 

Certifi cation: Tina Wolmarans 

e-mail: certifi cation@iiasa.org.za 

fax: 086 685 0162 

Communications and Business 

Development: Valentina Brazao 

e-mail: val@iiasa.org.za 

CPD: Jenine Dresse 

e-mail: seminars@iiasa.org.za 

fax: 086 685 0161 

Learnerships 

Bill Shellard: e-mail: bill@iiasa.org.za 

Lawrence Chetty: e-mail: lawrence@iiasa.org.za 

Membership: Stephanie Erasmus 

e-mail: membership@iiasa.org.za 

fax: 086 685 0160 

Regions: 

e-mail: regions@iiasa.org.za 

fax: 086 572 4301 

Technical: Charles Nel CIA 

e-mail: charles@iiasa.org.za 

fax: 086 685 0165 

Advertising For a copy of the advertising terms 

and conditions contact Theko Ntseare on theko@ 

iiasa.org.za 

If you need to change your details 

please e-mail membership@iiasa.org.za 

Editorial / Article Submission 

Val Brazao: val@iiasa.org.za 

Charles Nel: charles@iiasa.org.za 

To submit an article e-mail: dorah@iiasa.org.za 

ISSN 2079-729X 

Published by the Institute of Internal Auditors South 

Africa and supplied gratis to members. The IIA SA does 

not accept responsibility for any opinions expressed 

by the contributors or correspondents, nor for the accuracy 

of any information contained in contributions, 

advertisements or correspondence in this newsletter. 

All material submitted for consideration is subject to 

the discretion of the Editor and the Editorial Team. The 

Editor reserves the right to edit all material. Advertisements 

do not constitute an endorsement. 

MESSAGE FROM THE 

CHIEF EXECUTIVE OFFICER 

As I breathe a sigh of relief after the conference, 

I am left with one consuming 

thought. It became clear on the fi rst morning 

of our conference that our stakeholders 

are asking more from internal audit then 

they have ever asked before. The societal 

burden I see growing on internal audit 

goes beyond adding value in organisations 

from an assurance and advice on best practice 

perspective. It is becoming abundantly 

clear to me that there is call on internal 

auditors to boldly assume their role as the 

conscience of the organisation. However 

that is not where it ends. There seems to 

be an expectation on internal auditors to 

collectively provide a voice of conscience 

to the broader society. I listened carefully 

to speakers such as the Minister of Finance, 

Pravin Gordhan, and Prof Habib and heard 

the call to internal auditors to speak to the 

risks in the broader society. Prof Habib encouraged 

our members to stop shying away 

and being apologetic. For example, he referred 

to a time bomb we can hardly ignore 

in the form of young black graduates who 

are unable to fi nd jobs. Herein is a great risk 

to our society which would naturally have 

an impact on organisations. In other words, 

internal auditors are encouraged to courageously 

stand up in their organisations, but 

also have a collective voice in terms of the 

societal risks that we face. The conscience 

of society? If not you, then who? 

There are great opportunities in such a notion. 

However such a responsibility does not 

come without a huge price tag. It would, of 

course, give the profession a wonderful 

platform and raise its profi le if internal audit 

could speak as the conscience of society. 

However, there are important elements that 

must be in place to ensure credibility and 

the right to be that voice to the conscience 

of our country. Firstly we would need to be 

competent and be known as such. I have 

touched on the issue of competence a number 

of times in the past, but that was in relation 

to the individual auditors within their 

place of work. What I am referring to here 

is that collectively we are only as strong as 

our weakest link. It is therefore imperative 

that we understand very clearly that each 

internal auditor has some role to play in 

the collective credibility of the profession. 

There is also the element of being relevant. 

We would only be perceived as credible if 

we touch on the right issues – the burning 

issues which, when addressed, would make 

a diff erence in our society. It certainly is 

food for thought. 

I could not help but wonder whether we 

were playing the role of oracle when we 

decided on the new trophy for the Internal 

Auditor of the Year award. We felt it necessary 

to upgrade the old one and bring 

it into the 21st century. While looking at 


MESSAGE FROM THE CHIEF EXECUTIVE OFFICER 

a host of pictures of trophies, I was particularly 

drawn to the one we eventually 

chose. It consists of a pair of hands holding 

up the globe with Africa in the front view. 

The symbolism I saw in it is internal audit 

playing a signifi cant role in protecting our 

world. It seems to me that we do need to 

see internal audit making more bold statements 

about the risks that we face in our 

society. With that I would like to congratulate 

this year’s Internal Auditor of the Year 

winner, Kokela Siqendu. She certainly has 

made us proud. 

On refl ecting on that huge task on the shoulders 

of the profession, referred to above, I am 

6 | IA ADVISER September 2011 

also reminded of another sobering thought 

put to us by Michael Judin on the last day of 

the conference. Under the new Companies 

Act internal auditors can be sued. We need 

to take this message very seriously. Internal 

auditors will be judged based on what 

could be reasonably expected of them in 

their positions. Now, this gives me sleepless 

nights when I think about the numbers of internal 

auditors who have not yet been able 

to meet the minimum requirements of the 

Institute in terms of ensuring that they are 

competent to do their jobs eff ectively and 

effi ciently. Michael made it clear that where 

companies are sued, the lawyers will call the 

internal auditors to the stand. We had bet- 

Dr Claudelle von Eck, Chief Executive Offi cer: IIA SA 

ter get our ducks in a row. The last thing I 

would like to see is one of our members being 

splashed all over the media after being 

sentenced to a term in jail. 

This year the conference speakers have challenged 

us like we have never been challenged 

before. From encouraging us to spend 

more time thinking about the future and how 

the processes in their organisations need to 

change to meet the future head on, to becoming 

more IT savvy, to coming out of the 

trenches and spending more time on looking 

at the strategic issues. It is apparent that we 

need to raise the bar to an even higher level 

than ever before. 

SA WALKS AWAY WITH AWARDS 

South Africa has produced the 100,000th qualifying CIA. Portia ti Ngesi N i was honoured h d on stage t at t the th international i t ti l conference f andd 

IIA South Africa also received an award for its avid support of the CIA program.

BORDER KEI 

WELCOME TO NEW MEMBERS 

Alfred Nzo District Municipality NN Nozigqwaba 

Department of Human Settlement CH Komanisi 

MB Ngwane 

Department of Rural Development & Agrarian Reform A Singh 

Gobodo Inc O Sparrius 

Joe Gqabi District Municipality SI Mankayi 

A Mfazwe 

Offi ce of The Premier K Bota 

NP Mrwebi 

PricewaterhouseCoopers AT Mentoro 

D Schadle 

Private Member O Hlungula 

Umzimvubu Local Municipality GP Skenjana 

University of Fort Hare SB Mtintso 

Wimpy SV Mntonga 

FREE STATE 

ACentral University of Technology V Koma 

Department of Justice LM Jingose 

Department of The Premier MM Makhema 

Dihlabeng Local Municipality VC Sikaundi 

Ernst & Young N Naudé 

R Nell 

IR van der Merwe 

Eskom Holdings Ltd MB Maimane 

NJ Sikhosana 

Motheo District Municipality RMM Malebo 

PricewaterhouseCoopers CF du Toit 

Private Member MHK Dhlamini 

BE Mothibedi 

Ramathe Chartered Accountants (SA) K Mokhako 

SAB&T Chartered Accountants LJ Makubu 

South African Police Services T Sibuyi 

University of the Free State DJ Jacobs 

Xhariep District Municipality ND Mokoena 

JOHANNESBURG 

ABSA Bank Ltd MJ de Smedt 

F Essop 

J Naidoo 

VL Nakedi 

AECI Ltd KL Ellis 

SH Rutthan 

African Bank Investment Ltd MT Moutlane 

XP Mpungose 

African Oxygen Ltd OV Nong 

Akanani Consulting (Pty) Ltd T Tlhabang 

Alexander Forbes NM Mashego 

AN3 Consultancy Services Pty Ltd V Mavengedza 

AngloGold Ashanti Ltd TN Sephai 

OT Shakwane 

AR Process Projects (Pty) Ltd J Ndala 

Barloworld Ltd PN Lukhele 

BDO SA Advisory Services DA Fourie 

Cargo Carriers Limited SP Maseko 

Case Construction DA Mashatola 

Charter Financial & Auditing Corporated KK Mukenge 

Chili & Co Incorporated HP Maluleka 

Clientele Limited NJ Khumalo 

Datacentrix H Baloyi 

Deloitte & Touche TR Chidhakwa 

Deloitte & Touche C Jooma 

N Shabangu 

Department of Correctional Services ME Mahamotse 

Discovery Holdings N Mabuza 

NV Muluvhu 

N Rajbansi 

Eagle Wings Consulting EM Sefi tlholo 

Ebeneza Consulting Services QE Munyai 

EECSA Consulting ASX Demadema CIA 

Ekurhuleni Metropolitan Municipality CS Eloff 

KL Motsi 

N Nkosi 

Elvey Security Tech TT Baloyi 

Ernst & Young TT Dooka 

MN Nteo 

Eskom RJ Hiss 

First Rand Bank PMZ Mbatha 

SV Coleman 

M Mashige 

TBG Mokone 

F Suffl a 

Fortenay Fuels HF September 

Gauteng Department of Finance NN Baloyi 

LL Makhurupetse 

T Mazwi 

ZP Nkosi 

ID Ntuli 

PD Sengakana 

Gauteng Shared Services Centre TD Moeng 

Goldfi elds Mining Ltd SP Makhubu 

Hollard Insurance Company Ltd AR Hoosen 

R van den Berg 

S Xinwa 

Horwath Leveton & Boner SB Khuboni 

Industrial Development Corporation of SA Ltd CC Makhuvele 

ST Ngcwabe 

Indyebo Consulting DC Mashashane 

P Matokwe 

Katanga Mining Services (Switzerland) AG JM Malahay 

KPMG LCA Amadi 

AC Basson 

M Geldenhuys 

Z Mpoto 

Z Prinsloo 

LAW Holdings TV Msindwana 

Legal Aid Board ENM Mashele 

Manase & Associates GM Mushangwe 

Massmart Holdings M Govender 

L Karropoulos 

K Pillay 

Medscheme Holdings R Gething 

Metal Industries Benefi t Fund Administrators NJ Lombardo 

S Lukele 

MIH Holdings Ltd NC Dlamini 

NBC Holdings (Pty) Ltd GJ Phillips 

Nedbank BE Mogokonyane 

K Padayachee 

V Perumal 

LM Monchosi 

Nkonki Inc ZR Nyoka 

Offi ce of The Auditor General TJ Chauke 

OC Letlhakwane 

NA Makhale 

T Memela 

Offi ce of The Auditor General TS Mthombeni 



Omnia Group Ltd MP Makhubele 

TJ Yssel 

PC Training & Business College KT Muruvi 

PKF BEE Solutions SMM Bashala 

PricewaterhouseCoopers A Henning 

F Khan 

SP Reynolds 

Pro Optima Audit Services B Kotze 

Rail Safety Regulator PB Lekula 

Right to Care B Nagar 

RSM Betty & Dickson CD Betty 

E Mutaki 

Sanlam AE Randall 

Sasfi n Bank N Govender 

Sekela Consulting MB Cebekulu 

TNM Choane 

C Ditsepu 

Sekela Consulting B Dube 

X Hlongwane 

SF Madiba 

CMX Makhathini 

DS Masanabo 

LM Mseleku 

NG Msibi 

NGJ Ndaba 

TK Nkosi 

TL Nogampula 

P Nxumalo 

G Sibanda 

Sizwe Ntsaluba VSP CM Chavula 

AM Maqelepo 

South African Revenue Services CMN Motia 

PM Sebata 

MB Senwamadi 

South African Tourism S Nemakwarani 

Spar Group Ltd I Snyman 

Standard Bank of SA Ltd BB Modisane 

TJ Sehlapelo 

FL van Wyngaard 

The New Reclamation Group L Owen-Crompton 

Tshikululu Social Investments KM Dennehy 

Ubank CR Matsondota 

Unisa Student KA Sekgota 

United National Breweries SA Pty Ltd D Arora 

University of Johannesburg FS Siaga 

Vaal University of Technology Student MJ Moeketsi 

Westrand District Municipality TM Rasekgala 

Wholesale Housing Supplies (Pty) Ltd L Meintjes 

Xabiso Chartered Accountants MTP Sereka 

Zama Bhengu Consulting ZJ Bhengu 

KWAZULU NATAL 

Baker Tilly Morrison Murray N Mangaru 

Buhr, Parry & Company PN Ntshangase 

Camelsa Consulting C Madamba 

Desai Jadwat Inc MR Amod 

Durban University of Technology LF Jali 

Ernst & Young L Mjwara 

V Raidoo 

ESP Consulting S Dlamini 

SL Mqadi 

P Naidoo 

Gold Circle (Pty) Ltd DA Garavarian 

Grindrod Bank K Pillay 


IT Dynamics P Nundkumar 

Massmart Holdings SS Ntombela 

Newcastle Municipality P Maharaj 

Nexia Levitt Kirson SN Nunkumar 

Offi ce of The Auditor General K Kander 

V Maipath 

PricewaterhouseCoopers DA Bloem 

DD Gerber 

NP Mkhwanazi 

RI Kennedy & Associates S Dhanrathan 

S Maharaj 

V Singh 

Sizwe Ntsaluba VSP A Sonjani 

South African National Defence Force Z McBean 

South African Police Services LP Danca 

The Wholistics Planning Group J Nyamunda 

Ubucule Accountants STT Khumalo 

Umngeni Municipality HS Mpangase 

Umzimkhulu Municipality MD Gumede 

Unitrans Sugar & Agriculture CA Mainstone 

LESOTHO 

Centre for Accounting Studies MJ Nketekete 

Lesotho Revenue Authority LK Hoala 

LIMPOPO 

Agape Chartered Accountants Inc ND Tshithavhani 

SC Netshisaula 

Department of Agriculture MP Mamafa 

Limpopo Legislature AS Matlala 

AC Mudau 

Limpopo Provincial Treasury MS Mokgokong 

WA Rivombo 

KS Seema 

LJ Selala 

TA Sibiya 

MA Sibiya 

RD Tharage 

MS Tjiane 

RV Tshikalange 

Mopani District Municipality XP Chabalala 

TM Mokgola 

ST Sekgalakane 

MM Shai 

Offi ce of The Auditor General IM Chokwe 

MJ Masiya 

SAB&T LM Legodi 

Thulamela Municipality TW Mulaudzi 

Department of Public Works & Transport KT Mothapo 

Gobodo Incorporated T Chitauro 

Limpopo Provincial Treasury NX Hlungwani 

Y Kente 

GT Kgowana 

PL Khumalo 

BM Kupa 

MP Kyatla 

LT Livhuwani 

HR Makgatho 

NM Moabelo 

SAK Moeti 

MS Molepo 

PL Moloto 

Limpopo Provincial Treasury MS Morifi

Limpopo Provincial Treasury TT Mudau 

L Mukhathedzwa 

LRR Mushanganyisi 

FD Ndou 

TV Ngoetjana 

ZL Ngono 

MJJ Peasnall 

ME Ramaselele 

SP Ratlabala 

MM Tshivhuyahuvhi 

Mookgophong Municipality MA Mothema 

Offi ce of The Auditor General HW Chelhango 

PricewaterhouseCoopers MET Maluleke 

South African National Defence Force KF Sebola 

MPUMALANGA 

Department of Economic Development & Planning KT Nthutang 

Department of Finance BE Mndawe 

NJ Nkosi 

Eskom Holdings DN Zulu 

KPMG LI Ngcobo 

SP Sithole 

South African Police Services MJ Magoro 

PC Mpenyane 

M Mukomutelo 

MJ Munyai 

Private Member MA Molele 

NORTHERN CAPE 

Sol Plaatje Municipality RM Ndabezitha 

NORTH WEST 

Department of Public Safety KA Makgoe 

NWK Beperk WJA Kriel 

L Kruger 

AJ van Tonder 

PricewaterhouseCoopers EN Mbua 

Rustenburg Local Municipality CS Mabe 

Senwes Ltd T Shushu 

Private Member TG Ntsimane 

NAMIBIA 

Bank of Namibia JK Kahorongo 

Bank Windhoek L Fortuin 

T Nainda 

Ministry of Justice IM Hummel 

T Shapota 

EN Simon 

Namibia Water Corporation KA Iiyambo 

National Youth Service SH Nekaro 

Nedbank Namibia Limited TD Bock 

Offi ce of The Auditor General Namibia LN Shuungula 

Stanlib Namibia AA Naris 

PORT ELIZABETH 

Eden District Municipality RI Bruiners 

NM Dlengezele 

Eden District Municipality ZP Manqina 


Nelson Mandela Metropolitan Univeristy Student S Nombekana 

Nelson Mandela Metropolitan University KD Pather 

Offi ce of The Auditor General H Kika 

PRETORIA 

ABSA Bank TS Maluleka 

ABSA Consultants & Actuaries R Smit 

Alert Steel (Pty) Ltd MB Fourie 

Alexander Forbes JL Boikhutso 

Aurco Group (Pty) Ltd KB Dibodu 

NJ Mashego 

C-Track (Pty) Ltd SH Langeveld 

Deloitte & Touche AO Da Silva 

Department of Higher Education and Training DK Phasha 

Department of Infrastructure Development MP Mushoma 

Department of Justice & Constitutional Development SG Mokubela 

TN Rasodi 

Department of Labour MV Maswi 

Department of Mineral Resources TV Busakwe 

KK Mlangeni 

DK Ngandwe 

Department of Public Enterprises ML Mafereka 

Department of Roads & Transport MP Godobedzha 

Eskom Holdings OP Tube 

Habitat for Humanity International CS Makoni 

Hernic Ferrochrome (Pty) Ltd A Noormahomed 

Human Science Research Council AM Mogolane 

Imperial Holdings (Pty) Ltd Y Naidoo 

Ligwo Advisory Services FV Scheepers 

Moore Stephens Chartered Accountants S Cameron 

AE Prinsloo 

Mvelaserve Ltd P Jordaan 

National Department of Transport PZ Zuma 

National Lotteries Board R Hartzer 

National Treasury NM Kekana 

Nexus Forensic Services (Pty) Ltd E Naudé 

Nzalo White Consulting PT Masuku 

Offi ce of The Auditor General CJ Coetzer 

H Kallen 

PM Kekana 

AM Kemp 

NM Lenko 

MM Mahomane 

NG Maluleka 

BE Mokgongoana 

KP Mooketsi 

MH Sibiya 

B Weideman 

OMA Professional Advisory Group TJ Chamboko 

Outsurance Holdings (Pty) Ltd MJ Bothma 

PACT South Africa MM Tshuma 

PricewaterhouseCoopers MP Nhlengethwa 

SA Council for Social Service Professions MML Malebye 

SAB & T Incorporated KE Mosenye 

SAB&T Business Innovation Group (Pty) Ltd Y Gopaul 

MV Kanyane 

N Lekhuleni 

N Prinsloo 

KE Sealetsa 

PH van Zyl 

Sephaku Holdings Ltd AJ Fahy 

South African National Defence Force DJ Matthews 

LXW Nengudza 

South African Police Services ED Hlongoane 



South African Police Services TTJ Magato 

MM Maphalla 

PJ Masegela 

ME Thosago 

IS Welcome 

TA Dube 

NJ Malaka 

MC Mthembu 

RO Pale 

CP Schröder 

Standard Bank of SA Ltd EL Maake 

Tshwane University of Technology NA Tshabalala 

Tshwane University of Technology Student KC Mmitsi 

UNISA DJF Carles 

AV Visser 

UNISA Student ND Sibanda 

University of Pretoria O van Biljon 

University of Pretoria Student C Atkinson 

MG Barnard 

T Boucher 

M Bouwer 

TO Burtone 

SS Dawson 

JF de Gouveia 

N de la Rey 

GJ Deist 

JS Dempers 

M du Preez 

J du Toit 

Y Fopma 

C Fourie 

P Gaybba 

J Gildenhuys 

KP Hlabati 

MR Ismail 

T Joubert 

M Kritzinger 

MF Mabitsela 

RT Mahapa 

JJ Marais 

MN Masemola 

B Mkize 

S Mlangeni 

FLV Moeletsi 

TP Moloto 

LMS Monkam 

DP Motiang 

M Mphahlele 

MM Mutheiwana 

SR Ndlovu 

MK Panicker 

JN Pieters 

LR Raju 

K Rattan 

MAB Salvador 

KP Saudi 

CI Segida 

MD Sengakana 

SN Shino 

NL Sikakane 

PM Silolo 

SM Skosana 

NF Songo 

K Sujee 


University of Pretoria Student LB Thobakgale 

KJ Thomson 

KL Thusago 

KR Tsiloane 

E van Aardt 

SWAZILAND 

Namboard WM Ntshakala 

Swade Ltd DS Zondo 

Swaziland Beverages Limited K Hlophe 

Swaziland Development and Savings Bank SN Nhlabaji 

WESTERN CAPE 

Allan Gray Ltd Y Mowlana 

HRN Nyatsanza 

BDO South Africa Inc NT Boora 

Cape English Language School MAE Amod 

Cape Peninsula University of Technology Student V Baatjies 

M de Jager 

AT Farao 

DJ Flowers 

L Fredericks 

ET Mangwende 

N Mberirua 

B Mkalipi 

TS Paulsen 

VL Pietersen 

NA Va 

Capitec Bank Ltd RC Croeser 

City of Cape Town RJ Mfati 

Damco Logistics (Part of Safmarine/Maersk) K Naicker 

Engen Petroleum Ltd A Abdulla 

Ernst & Young S Timmerman 

EF Wiid 

Foschini Retail Group (Pty) Ltd T Gabier 

Greenwoods Chartered Accountants DP Botha 

PL Pike 

KPMG AW Marney 

GA van Wyk 

Kuhumelela SJ Lapoorta 

Langeberg Municipality VM Floris 

LDP Inc LN Johnson 

Mazars Forensic Services GM Bolton 

P Ramjee 

Nova Group (Pty) Ltd L Alexander 

Oakhurst Insurance Company Ltd SA Louw 

Old Mutual M Sixaba 

EC Louw 

PricewaterhouseCoopers V Gono 

RSM Betty & Dickson A du Plessis 

N Matsanga 

Sanlam Ltd ST Renecke 

Shoprite Group of Companies M Lefefa 

LE Stynder 

Sizwe Ntsaluba VSP HH Alexander 

Tenk Loubser Incorporated JM Frank 

Thuo Gaming Western Cape RR Harker 

Wesgro I Blackie 

West Coast FET College NP Gqwaka 

Private Member AM le Grange CIA

IIA Membership 

Ask more than 170 000 members worldwide what exclusive IIA member benefits are their favourite then you’ll 

understand all the different reasons why they belong. From global networking and discounted training and products 

to specialised guidance each member has their own motivation for joining. 

We invite YOU to explore the many member benefits offered by the IIA SA 

and you’ll discover a new favourite reason for being a member. 

For more information contact the Membership Administrator on 

Telephone: (011) 450 1040 or e-mail: membership@iiasa.org.za 

IIA SA website: www.iiasa.org.za


IIA SA EVENTS CALENDER 

UPCOMING SEMINARS 

OCTOBER 

TOOLS AND TECHNIQUES FOR THE INTERNAL AUDITOR – BLOCK 2 (TTB2) 3-7 OCT 

TOOLS AND TECHNIQUES FOR THE INTERNAL AUDITOR – BLOCK 1 (TTB1) 10-14 OCT 

ROOT CAUSE IDENTIFICATION (RCI) 13-14 SEP 

TOOLS AND TECHNIQUES FOR THE NEW AUDIT MANAGER (TNAM) 18-21 OCT 

PERFORMANCE AUDITING FOR THE PUBLIC SECTOR (PAUD) 19-21 OCT 

PREPARATION FOR CONTROL SELF-ASSESSMENT EXAMINATION (ICSA) 24-26 OCT 

USING THE GOVERNANCE APPROACH IN DEVELOPING AUDIT OBJECTIVES, TESTS AND 

RECOMMENDATIONS (UGAD) 

25-26 OCT 

CIA LEARNING SYSTEM INSTRUCTOR LED COURSE - PART 3 (CIA3) 26-28 OCT 

HOW TO EFFECTIVELY REVIEW YOUR ORGANISATION’S RISK MANAGEMENT PROCESS (ORMP) 31 OCT - 1 NOV 

IMPLEMENTING THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF) 31 OCT - 1 NOV 

NOVEMBER 

BUILDING, LEADING AND MANAGING THE INTERNAL AUDIT DEPARTMENT (BLIA) 2-3 NOV 

AUDITING THE MANAGEMENT AND REPORTING OF PERFORMANCE INFORMATION IN THE PUBLIC 

SECTOR (APIA) 

3-4 NOV 

ENVIRONMENTAL AUDITING FOR NON-ENVIRONMENTAL AUDITORS (ENEA) 3-4 NOV 

ESSENTIAL ELEMENTS FOR A FRAUD PREVENTION PLAN (EEFP) 4 NOV 

TOOLS AND TECHNIQUES FOR THE INTERNAL AUDITOR – BLOCK 3 (TTB3) 7-11 NOV 

DATA MINING FOR AUDITORS - A LOGICAL APPROACH TO CONTINUOUS AUDITING AND 

GOVERNANCE (DMIA) 

9-11 NOV 

SKILLS FOR SUPERVISING AN INTERNAL AUDIT PROJECT (SIAP) 11 NOV 

DEVELOPING A FRAUD RISK MANAGEMENT PROGRAM FOR YOUR ORGANISATION (DFRP) 14-15 NOV 

RISK BASED IT AUDITING (RITA) 14-16 NOV 

HOW TO DEVELOP A MODEL INTERNAL AUDIT PROGRAM (MIAP) 16 NOV 

IT AUDITING FOR NON-IT AUDITORS (BASICS OF IT AUDITING) (NONIT) 21-22 NOV 

ISSUING AN “ASSESSMENT” IN TERMS OF KING III (IAK3) 23 NOV 

HOW TO EFFECTIVELY REVIEW YOUR ORGANISATION’S RISK MANAGEMENT PROCESS (ORMP) 24- 25 NOV 

CIA LEARNING SYSTEM INSTRUCTOR LED COURSE - PART 4 (CIA4) 24 NOV 

ADVANCED PERFORMANCE AUDITING IN THE PUBLIC SECTOR (APAUD) 28-30 NOV 

TOOLS AND TECHNIQUES FOR THE INTERNAL AUDITOR – BLOCK 4 (TTB4) 28-30 NOV 

DECEMBER 

HOW TO DETECT AND PREVENT OCCUPATIONAL FRAUD (FRAUD) 6-9 DEC 

For more information please visit our website: 

www.iiasa.org.za or call our offi ces: +27 11 450 1040

�� 

Internal Audit Specialist (Cape Town) 

GREY_CONSULTING ADVISER 

accounting,finance and risk recruitment specialists 

� �� 

� �� 

� �� 

�� 

�� 

�� 

�� 

�� 

�� 

�� 

�� 

�� 

� �� 

� �� 

�� 

�� 

Senior Internal Auditor (Cape Town) 

� �� 

� �� 

� �� 

�� 

�� 

�� 

�� 

� �� 

�� 

�� 

Internal Auditor (Cape Town) 

� �� 

� �� 

�� 

�� 

�� 

�� 

� �� 

�� 

�� 

�� 

�� 

�� 

�� 

�� 

�� 

�� 

�� 

�� 

www.greyconsulting.co.za 


ADVISER 


www.pwc.com/za 

Scripting 

Internal Audit 

for a Changed 

World 

Internal Audit is responding to a changing risk environment with leading internal audit 

professionals preparing to play a significant role in a changed world. New rules, further 

disclosures, and strict enforcement are causing dramatic changes for businesses around 

the globe. Shareholders and regulators demand transparency, accountability, and more 

input on issues once reserved for management and the board of directors. At PwC we are 

here to help you every step of the way. We will work with you to advise the board and audit 

committee on the changing role of internal audit within your organisation. 

�� 

�� 

��

Internal audit professionals gathered at the 

IIASA KZN Region Function hosted by the 

KZN local chapter to discuss Ethics in relation 

to the Internal Audit profession. 

The event was well attended by internal 

auditors from across the public and private 

sectors and they were treated to a thoughtprovoking 

and topical presentation focusing 

on Ethics and the challenges facing individuals, 

organisations and our profession 

as a whole, in supporting a change in culture 

and promoting more ethical behavior. 

Guest speaker, Sean van der Merwe, Associate 

Director at Deloitte, focused on the 

challenges of ethics and shared some of his 

insights from his research and his extensive 

experience. 

Sean made the point that “Ethics is a particularly 

interesting and challenging topic because 

it hardly ever has a simple “yes or no” or 

“black and white” answer. He added that “we 

cannot aff ord to make snap decisions in assessing 

whether something is right or wrong, 

before seeking the full facts of each case”. 

A further interesting point to ponder: “We 

FEEDBACK FROM THE REGIONS 

IIASA KZN REGION FUNCTIONS: ETHICS AND THE INTERNAL AUDITOR 

are no longer alarmed by the incidence of 

ethics failures and fraud – perhaps only by 

the magnitude. We have come to almost 

accept it!” 

It is evident that professionals need to be 

knowledgeable in, and enforce the IIA code 

of ethics, in order to continue to enhance 

the credibility of the profession. 

Sean also encouraged the delegates to 

increase focus on ethics audits and noted 

that internal audit professionals should be 

aware of the factors evident when employees 

commit fraud or unethical behaviour 

- “Generally in cases of fraud, corruption 

or unethical behavior there will always be 

some kind of motivation, an opportunity 

such as weak controls, as well as the employees’ 

own justifi cation”. 

On the above note, he made the point that 

internal auditors are most experienced and 

comfortable when addressing 'opportunity', 

in testing the internal controls and making 

recommendations about them. They 

should be encouraged to start developing 

skills to recognise and understand the mo- 

Alex Winterbach, Manager: Internal Audit, Risk and Compliance Services 

tives, and possible justifi cations used by 

individuals when committing fraud. It is 

clear that auditors can no longer solely rely 

on fi nancial indicators of fraud, but should 

also be able to recognise nonfi nancial indicators 

of fraud and fraud red fl ags. 

Sean shared some thoughts on Business 

Ethics and Ethical leadership as outlined in 

The King Report on Corporate Governance 

and other best practice, and provided some 

very interesting tools to assist in dealing 

with ethical dilemnas, including ‘the PLUS 

factor’, which suggests that in considering 

an action one should determine whether 

it transgresses any policies, laws, universal 

behaviour or Self (being your own moral 

compass). 

In closing, Sean provided some hard-hitting 

quotations, one of which follows: 

“If you don't have integrity, you have 

nothing. You can't buy it. You can have 

all the money in the world, but if you 

are not a moral and ethical person, you 

really have nothing" - Henry Kravis. 


ADVISER FEEDBACK FROM THE REGIONS 

The Border-Kei Region recently hosted a 

successful member’s luncheon event on 8 

June 2011, at the East London Golf Club. It 

was also the Region's AGM. 

The event has well supported by members, 

and there were just over 130 attendees 

present. The speakers for the event were Dr 

Claudelle von Eck (IIA CEO) and Anton Van 

Wyk (National Risk Advisory Services Leader 

for PwC). 

Anton focused his presentation on the current 

status of King III. He gave the members insight 

into how organisation's were embracing King 

III, the challenges and their successes to date. 

Thereafter, Claudelle gave the members 

IIA SA BORDER KEI REGION ANNUAL GENERAL MEETING 

an update into the affairs of the IIA, and 

current "hot" issues within the profession. 

Both presenters were well received, and the 

Region is grateful to both for braving the 

unseasonably wet weather to join the Region 

at this event. 

After the keynote speakers, Frank Muller 

(event MC) gave the members feedback on 

the activities of the Regional Committee 

over the past two years. He noted that the 

Committee is very heartened at the members 

continued and growing support for Regional 

functions. Two recently qualified CIA's 

(Charlene Trimalley and Thandoxolo Xusa) 

were acknowledged at the function. 

S Hartzenberg (CIA)-Brigadier, Section Head: Internal Audit: Eastern Cape: SAPS 

Contact us on (011) 507-0123 or visit www.cqs.co.za and experience the difference 

our world class software and exceptional people can make to your business. 

011 507-0123 

www.cqs.co.za 

At the end of the event, the new Committee 

members were announced, being Asanda 

Myataza, Ruth Luzuka, Mxolisi Silinga, Loyiso 

Mbiko, Kiran Bhika, and Makhosandile Kwaza. 

The outgoing Committee members (Selwyn 

Hartzenberg, Frank Muller and Candice 

Putzier) were thanked for their contributions 

over their term of office. 

The Regional Committee would like to 

thank the event organisers, event MC, 

Frank Muller, and event sponsors PwC and 

KPMG. The next member’s event will be 

announced shortly by the new Committee, 

and members are encouraged to attend and 

participate. 

�� 

16 | IA ADVISER September 2011

The Johannesburg Region hosted a breakfast 

forum and AGM on 7 July 2011 at Discovery 

Holdings in Fredman Drive, Sandton. 

Our topic for the morning was “IT 

Governance” and we were privileged to 

have a fantastic group of speakers - Frik 

Coetzer, Thagraj Moodley and Sean Schmidt 

- who, after giving their presentations, 

participated in a panel discussion to answer 

delegates’ questions. The panel discussion 

was ably chaired by Caryn Newbold, a 

Johannesburg Region committee member. 

IIA SA JOHANNESBURG REGION BREAKFAST FORUM AND AGM 

Frik Coetzer is a partner at KPMG IT 

Advisory. His presentation, which he had 

previously given at an Audit Committee 

Forum Roundtable discussion, gave the 

delegates very good insight into what 

audit committee members should be 

looking for in respect of IT Governance. 

Please refer to Figure 1 for a diagrammatic 

summary of Frik’s presentation and Figure 

2 for a summary of key questions that audit 

committee members, and internal auditors, 

should be asking. 

Sean Schmidt is an Associate Director at 


KPMG IT Advisory and his presentation 

focused on auditing IT Governance from 

an internal- and external audit perspective. 

Please refer to fi gure 3 for a diagrammatic 

summary of Sean’s presentation… the 

one slide Sean advised delegates not to 

forget. 

Thagraj Moodley is an Information 

Security Audit Manager at Nedbank. His 

presentation provided an internal audit 

perspective to auditing the application of 

King III in IT Governance. Please refer to 

fi gure 4 for a summary of his presentation. 



After the IT Governance session, the 

region’s AGM was held. The Regional 

Governor, Ingrid Ravenscroft, took the 

delegates through the highlights of 2010 

and the regional committee’s plans for 

2011 and 2012. She also discussed the 

fi nancial statements for the year ended 30 

November 2010, which showed a strong 


surplus position and provide a strong base 

for strategies to be implemented in the 

next year or two. Ingrid then welcomed 

to the committee three new members – 

Adebukola Adewuyi (or “Bukkie”), Mogale 

Mogale and Davindran Munusamy – and 

two members who stood for re-election – 

Barry Ackers and Dion Poole. 

Ingrid Ravenscroft, Governor: IIA SA Johannesburg Region 

We would like to thank our speakers, our 

sponsor BarnOwl, handset vendor IML 

and all the delegates for attending and for 

making this event a great success. 

Please keep an eye-out for invitations to our 

newly launched monthly discussion forums on 

emerging and topical issues for internal auditors.

THE AUDITORS ARE BACK! 

During the audit, auditors identify control weaknesses of varying signifi 

cance and agree on a plan of action with management to rectify 

these weaknesses within a reasonable period of time. 

The return of the auditors could cause consternation amongst management 

if they are not sure about the resolution of control weakness 

fi ndings that were raised during prior audits. Without a sound 

system for tracking control weakness raised in audit reports leadership 

and management will be unable to ensure systemic continuous 

improvements in the control environment. 

As part of initial audit procedures, during subsequent audit, a follow up 

on prior year fi ndings is performed to assess progress and sign off the 

fi ndings that have been resolved. Sometimes a follow up on fi ndings is 

performed more frequently, especially for fi ndings relating to high risk 

exposure. This exercise could become another opportunity for management 

to open a debate on whether some of the fi ndings should have 

been raised in the fi rst place. This is usually the case when management 

has not taken any action to rectify the identifi ed control weakness. The 

other side this exercise could present some comfort to auditor that there 

has been some improvement in the control environment, if management 

have indicated and gathered audit evidence that corroborates 

that promised action plans were implemented. 

Issue tracking can be a key driver of continuous improvement in the 

Tel: +27 11 785 4930 

Fax: +27 11 785 4939 

www.wexford.co.za 

�� 

�� 

�� 

INTERNAL AUDITORS 

R500 000 – R400 000 CTC, Bryanston 

�� 

�� 

�� 

�� 

�� tanya@wexford.co.za 

INTERNAL AUDITOR 

R450 000 – R400 000 CTC, Sandton 

�� 

�� 

�� 

�� 

�� 

��janet.b@wexford.co.za 


R420 000 – R350 000 CTC, Sandton 

�� 

�� 

�� candice@wexford.co.za 

INTERNAL AUDIT MANAGER 

R800 000 – R600 000 CTC, North 

�� 

�� 

�� 

��liz@wexford.co.za 


R500 000 – R350 000 CTC, North 

�� 

�� 

�� 

�� 

felicia@wexford.co.za 


internal control environment in the organisation. If applied eff ectively, 

the audit committee can place reasonable reliance on this process 

in ensuring that management applies the most suited practices for 

the organisation in managing risk. 

When doing research on this topic for my thesis in 2010 it became 

evident that no academic research has been done on this process. 

The outcome of this study highlighted quite a number of areas that 

are under-researched within enterprise risk management and no research 

has been done on the tracking of audit fi ndings. 

The study I covered whether completed targeted institutions had a formalised 

issue tracking process, governance and positioning issue tracking 

process in the organisational structure and factors that are taken into 

account in concluding that the fi ndings is resolved. Furthermore opinions 

of risk offi cers were sought on the eff ectiveness of issue tracking in 

the process of improving the quality of internal control environment. 

It was plausible that all banks that were participating in the study had 

issue tracking process in place. Varying observations were made with 

respect to governance and positioning of this process. Some banks had 

fi ndings tracking being driven by the executive committee; however, 

most banks rely on internal audit department to drive this process. In 

some instances the internal audit function was solely responsible for 

tracking their fi ndings and always in dispute with management about 

long outstanding fi ndings. The result of this was long outstanding fi ndings 

and a possibility that some fi ndings identifi ed were lost during system 

changes. 

The study could not conclude on the factors that are taken into account 

to conclude on whether the issue has been resolved, this was 

because management did not agree with all factors that were considered 

to be an indication of resolution of control weakness. All risk 

offi cers agreed that issue tracking process is a key driver of improvements 

in the quality of internal control. 

The study recommended that issue tracking should remain the responsibility 

of management because it is a stage of risk management 

and it should be positioned as a strategic imperative of the organisation. 

Furthermore this process should follow an integrated approach, 

and not limit fi ndings to those raised by internal auditors, but also 

those self identifi ed fi ndings during managements’ risk control self 

assessment, external auditors during statutory audits and those 

identifi ed by other assurance providers. 

Issues of control weakness should be considered rectifi ed once corrective 

action has been fully embedded in the internal control process 

i.e. these may include updating and communicating the entity’s 

policy document, updating staff s job description and or updating 

staff ’s performance scorecards. 

To minimise stress levels on management during the return of independent 

assurance providers (internal and external auditors), management 

should realise the business case of improving the quality of 

internal controls and the key role that a sound issue tracking process 

should play in improving overrall corporate governance. The return of 

auditors will then be seen as providing independent assurance on the 

design and operation of internal controls and more value adding. 

Sethu Nsele (BCom, CIA, CFSA, MBL), Manager - Credit Risk 

Audit, GIA

ADVISER 

Is your company risk averse? Or risk intelligent? 

Current economic conditions can raise risk exposure beyond acceptable limits. Yet there may be long-term consequences to being 

risk averse in a downturn. Deloitte can help you recognize the dual nature of risk and devote sufficient resources to risk taking for 

reward and to protecting existing assets. Step ahead safely at www.deloitte.com 

© 2011 Deloitte & Touche. All rights reserved. 

Member of Deloitte Touche Tohmatsu Limited 


ETHICS- BUSINESS VS. PERSONAL VS. 

PROFESSIONAL ETHICS 

Ethics concerns itself with what is good 

or right in human interaction. The Oxford 

Dictionary defi nes ethics as “a set of moral 

principles that govern a person’s behavior 

or the conduct of an activity”. 

There are three core concepts which embody 

the meaning of ethics, namely self, 

good and others. Ethical behavior is therefore 

when one does not merely consider 

what is good for oneself but also what is 

good for others. 

ETHICS AND THE LAW 

Both ethics and the law strive for what is 

right. The law does this through a public 

and political process, whilst ethics is derived 

from and modeled upon the value 

systems of both an individual and an entity. 

Confl icts can however arise between ethics 

and the law. An example of a confl ict which 

could arise includes exceeding the speed 

limit in order to drive a seriously injured 

colleague to hospital. Whilst exceeding the 

speed limit is against the law, helping to 

get a seriously injured colleague to hospital 

and potentially saving their life, would be 

regarded as the ethical thing to do. 

A further example of a confl ict which could 

exist between ethics and the law includes 

the dumping of toxic waste in a country 

where no law against such conduct exists. 

Whilst dumping such waste is not ethical, 

it would also not be illegal in that particular 

country. 

In situations such as these, the entity and/or 

individual would need to use their professional 

judgement in deciding what would 

be the ethical course of action. 


PROFESSIONAL ETHICS 

Guidelines for professional ethics are usually 

codifi ed in codes of ethics or professional 

conduct. Professional bodies such as the Institute 

of Internal Auditors of South Africa, 

the South African Institute of Chartered 

Accountants and the Independent Regulatory 

Board for Auditors each have their own 

professional codes of ethics which defi ne 

and detail what would be considered professional 

ethical behaviour. Ethics can be 

broken down into four fundamental principles, 

namely: 

• Integrity; 

• Independence and Objectivity; 

• Confi dentiality; and 

• Professional behaviour. 

INTEGRITY 

The formal defi nition of integrity taken 

from the Oxford Dictionary is “the quality 

of being honest and having strong moral 

principles”. A more tongue-in-cheek defi - 

nition by Jim Stovall defi nes integrity as 

“doing the right things, even if nobody is 

watching”. 

INDEPENDENCE AND OBJECTIVITY 

The International Standards for the Professional 

Practice of Internal Auditing (“IIA 

standards”) defi ne independence as “the 

freedom from conditions that threaten the 

ability of the internal audit activity to carry 

out internal audit responsibilities in an unbiased 

manner.” Threats to independence 

need to be appropriately managed at an 

individual, engagement, functional and organizational 

level. 

Objectivity is closely linked with indepen- 

dence and comprises having an impartial, 

unbiased attitude and avoiding any confl 

icts of interest. 

CONFIDENTIALITY 

The principle of confi dentiality imposes an 

obligation on employees to refrain from: 

• Disclosing confi dential information acquired 

as a result of professional and business 

relationships without proper and specifi 

c authority or unless there is a legal or 

professional right or duty to disclose; and 

• Using confi dential information acquired 

as a result of professional and business 

relationships to their personal advantage 

or the advantage of third parties. 

Exceptions to the confi dentiality rule exist 

where for example disclosure: 

– Is required by law e.g. subpoena; and 

– Is in terms of professional rights or duties 

e.g. disciplinary enquiry, investigation 

etc. 

PROFESSIONAL BEHAVIOUR 

The principle of professional behaviour imposes 

an obligation to comply with relevant 

laws and regulations and avoid any action 

that may discredit the individual’s profession. 

SAFEGUARDS 

Safeguards can be implemented to ensure 

that threats to independence, objectivity, 

confi dentiality etc. are eliminated or reduced 

to an appropriately acceptable level. 

They fall into two broad categories: 

– Safeguards created by the profession, 

legislation or regulation; and 

– Safeguards in the work environment. 

Safeguards include educational, training

and experience requirements, continuing professional development 

requirements, corporate governance regulations, professional standards 

and professional monitoring and disciplinary procedures. 

BUSINESS ETHICS 

Business Ethics involves identifying and applying standards of conduct 

in and for business that will ensure that the interests of stakeholders 

are respected i.e. that business does not detrimentally impact 

these interests. The Code of Corporate Governance Principles for 

South Africa – 2009 (“King III”) defi nes business ethics as “the principles, 

norms and standards that guide an organisation’s conduct of 

its activities, internal relations and interactions with external stakeholders”. 

In addition King III also requires entities to demonstrate how 

they are providing leadership on ethical foundations. 

The extent to which ethics is embraced within a business aff ects 

both the perceptions of its stakeholders and the performance of the 

business. The confi dence of investors in organisations, the loyalty of 

customers to companies, and the willingness of talented individuals 

to off er their skills to organisations are all factors that are infl uenced 

by the ethics of a company. 

In making ethical business decisions as an entity or as a group of 

individuals representing an entity, the following questions should 

be asked by the decision makers: 

– Is it legal? 

– Does it meet company/practice standards? 

– Is it fair to all stakeholders? 

– Can it be disclosed? 

PERSONAL ETHICS 

People with a strong commitment to ethical standards are often 

referred to as people of integrity. There is an “Ethics quick test” 

which every individual should consider applying when faced with 

an ethical dilemma in their personal lives: 

– Is it legal? 

– How will it look in the newspaper? 

– Is it consistent with my own / the company’s values? 

– Is it fair to all? 

– If I do it, how will I feel? 

With social media becoming a medium where a person’s private 

life is often made very public, there is even more pressure on individuals 

to ensure that they behave in an ethical manner at all 

times, both in and outside of the work environment. 

ETHICS- BUSINESS VS. PERSONAL VS. PROFESSIONAL ADVISER ETHICS 

CONCLUSION 

All ‘forms’ of ethics ultimately have a common thread, namely integrity. 

If you behave in integrity in all areas of your life, namely business, 

professional and personal, you will be behaving ethically. One 

cannot call themselves ethical unless you are ethical in all spheres of 

your life. Integrity is not a 90% or 95% thing – either you have it or 

you don’t. Lastly I would like to leave you all with the following quote 

by Thomas Babington Macaulay: “The measure of a man’s real character 

is what he would do if he knew he would never be found out”. 

References: 

• International Standards for the Professional Practice of Internal 

Auditing. 

• IFAC Code of Ethics for Professional Accountants. 

• Code of Ethics of the Institute of Internal Auditors. 

• The Code of Governance Principles for South Africa - 2009. 

Kerry-Lee Laing CA (SA) CIA Registered Auditor Chartered 

MSCI (UK) Internal Audit and Governance Consultant 

PATON PERSONNEL 

INTELLIGENT RECRUITMENT 

JOB OPPOTUNITIES 

AUDITOR – SENIOR MANAGER (R850K) EE ONLY 

Top bank seeks CA(SA) with a flair for people as well as a passion for Audit, Risk 

and compliance. Lead and influence a dynamic team while you grow your 

career to new heights. 

AUDITOR – INVESTMENT BANKING (R700K) EE ONLY 

Show us your great track record & secure this exciting opportunity. BCom (Hons) 

& Investment Banking exp are essential for this leading Investment Banking 

brand. 

AUDITOR – ASSET MANAGEMENT (R600K) 

Bring your Financial Services Audit background to the table and secure this 

interesting role. BCom + CIA & relevant industry experience are the minimum 

requirement for us on this one. CA(SA) + 2 yrs experience preferred. 

AUDITOR – BANKING (R500K) 

Banking Auditors sought for various opportunities in Big 4 Banks. BCom + 

articles / BCom(Hons) / CA(SA)s are the qualifications sought to grab these great 

opportunities. 

AUDITOR – IT (R450K – R500K) EE ONLY 

A passion for IT Audit & relevant Banking exp are non-neg for a great role within 

industry leader. BCom Hons + articles are a min req. Bring your dynamic 

personality. 

RISK AUDITOR – BANKING (R450K+) EE ONLY 

BCom grad with a strong risk-minded approach to Banking audit. A solid track 

record in Credit Risk / Market Risk Audit will set you apart. 

AUDITOR – INSURANCE (R400K+) EE ONLY 

Industry specialist sought for this role. Degreed indiv with 3+ yrs in Financial 

Services Audit experience will set the pace. 

Contact Bulelwa Vundla at Paton on 011 325 5400 

For a complete list of our offerings IA visit ADVISER www.paton.co.za 

September 2011 | 23

In a complicated world, 

we can help you make sense of it all. 

kpmg.co.za 

© 2011 KPMG Services (Proprietary) Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in South Africa MC6425. 

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.


More companies the world over are adopting the cloud. According to Gartner (2010) the cloud market will be worth US $148.8 billion (about R1 

trillion) by 2014. Gartner forecast the cloud growth rate to be about 20% per year. In South Africa companies like T Systems are already providing 

cloud services. The cloud providers are growing on a daily basis. 

CLOUD COMPUTING DEFINITION 

The term cloud computing was inspired by the cloud symbol shown in Figure. 2. The symbol 

is often used to represent the Internet in fl ow charts and diagrams. Simply defi ned cloud 

computing is IT services accessible via the web and internet connection. 

The US National Institute of Standards and Technology (NIST) describes cloud computing 

as a model for enabling convenient, on-demand network access to a shared pool of confi 

gurable computing resources (e.g. networks, servers, storage, applications, and services) 

that can be rapidly provisioned and released with minimal management eff ort or service 

provider interaction. 

ISACA CEO defi nes Cloud computing as a “delivery model for consuming IT as a service 

and another way for an IT organization to deliver the technology necessary to run the 

enterprise business.” 

In its broadest usage, the term cloud computing refers to the delivery of scalable IT resources 

over the Internet, as opposed to hosting and operating those resources locally. It 

is a general term for anything that involves delivering hosted services over the Internet. 

Gartner defi nes cloud computing as “A style of computing where scalable and elastic IT 

related capabilities are provided ‘as a service’ to customers using Internet Technologies.” 

The essential characteristics of the cloud as described by NIST and Gartner are: on demand 

self services, broad network access, resource pooling, rapid elasticity, measured service 

and multi tenacity. Multi tenacity shown in Figure. 3 means users in diff erent sections of an 

enterprise will be rendered services on their own terms – usage rates, access restrictions 

uptimes. 

Cloud allows computing to be removed 

from the traditional shops to remote data 

centres. Cloud computing enables computer 

services such as email, applications, 

network or server service to be provided 

without requiring human interaction with 

each service provider. Cloud capabilities are 

available over the network and accessed 

through standard mechanisms that promote 

use by heterogeneous thin or thick 

client platforms such as mobile phones, 

laptops and PDAs. The provider’s computing 

resources are pooled together to serve 

multiple consumers using multiple-tenant 

model, with diff erent physical and virtual 

resources dynamically assigned and reassigned 

according to consumer demand. 

The resources include storage, processing, 

memory, network bandwidth, virtual 

machines and email services which build 

economies of scale. Cloud services can be 

rapidly and elastically provisioned, in some 

cases automatically, to quickly scale out and 

rapidly released to quickly scale in, thereby 

giving the client the ability to align IT with 

business objectives and requirements. To 

the consumer, the capabilities available for 

provisioning often appear to be unlimited 

and can be purchased in any quantity at 

any time. Under the cloud resource usage 

can be measured, controlled, and reported 

providing transparency for both the provider 

and consumer of the utilised service. This 

enables the user to control and optimise resource 

use. Just like air time, electricity or 

municipality water IT services are charged 

per usage metrics – pay per use. The more 

you utilise the higher the bill. 

Cloud impacts organisation’s IT size, structure, 

diversity, material assets and skill pool. 

The cloud changes the whole information 

technology (IT) landscape – IT roles, IT policies, 

processes and procedures, IT structures 

and the business governance of IT 

and may introduce an enterprise to more 

regulatory compliance issues. The shift 

in the traditional operation of IT requires 

Chief Information Offi cers (CIOs), Chief Risk 

Offi cers (RISOs), Chief Information Security 

Offi cers (CISOs), Chief Technology Offi cers 

(CTOs), Business Information Security Offi 

cers (BISOs), Chief Executive Offi cers 

(CEOs) or Chief Operations Offi cers (COOs) 

to develop diff erent IT strategies and skills. 

Skills required for eff ective enterprise governance 

of the cloud include managing 

contracts, overseeing integration between 

in-house and outsourced services, and 

mastering a diff erent model of IT budgets. 

The change in the IT set up requires a paradigm 

shift in providing assurance. According 

to ISACA in its IT Control Objectives for 

Cloud Computing: Controls and Assurance 

in the Cloud “assurance needs to become 

more real time, continuous and process oriented 

versus transactional in focus.” 

There is a strong need for assurance mechanisms 

before moving ahead with the decision 

to roll out cloud services or utilise 

cloud services. 



Figure.1 shows a cluster of cloud service providers (CSP). Amazon leads the pack. The trend 

in Africa may be slow but cloud is an undeniable reality. Like any other IT enabled investment 

the strategic objectives of cloud implementation remain business IT strategy alignment, 

value creation (value delivery), risk management (value preservation) and resource management 

(optimum utilisation of resources). 

SERVICE MODELS: 

Cloud computing service models are 

broadly divided into three categories: 

Software-as-a-Service (SaaS), Platform-asa-Service 

(PaaS) and Infrastructure-as-a- 

Service (IaaS) also known as Utility Computing. 

Collectively all the service models 

Figure.2 

Broad 

Network Access 

Software as a 

Service (SaaS) 


Rapid Elasticity Measured Service 

Resource Pooling 

Platform as a 

Service (PaaS) 

can be referred to as IT as a service (ITaaS) 

or the SPI Model. 

DEPLOYMENT MODELS: 

As illustrated in Figure. 2 there are four deployment 

models for cloud services namely 

private, community, public and hybrid. 

On-Demand 

Self-Service 

Infrastructure as a 

Service (IaaS) 

Public Private Hybrid Community 

Essential 

Characteristics 

Service 

Models 

Deployment 

Models 

PRIVATE CLOUD 

A private cloud is a proprietary network or 

a data center that supplies hosted services 

to a limited number of people. The cloud 

infrastructure is operated solely for a single 

organization. It may be managed by the 

organization or a third party, and may exist 

on-premises or off premises. When a service 

provider uses public cloud resources to create 

their private cloud, the result is called 

a virtual private cloud. The private cloud 

deployment method has minimum risk as 

identity management and corporate, legal 

and regulatory audits are easy to perform. 

Scalability and agility options may be limited 

in a private model. 

COMMUNITY CLOUD 

Community cloud infrastructure is shared 

by several organizations and supports a 

specifi c community that has shared concerns 

(e.g., mission, security requirements, 

policy, or compliance considerations). It 

may be managed by the organizations or a 

third party and may be hosted on-premises 

or off -premises. Community model may be 

a cloud provided for insurance companies 

or fi nancial institutions. The disadvantage 

of a community model is that data of competitors 

may be stored together for example 

clients for Hollard and Federal Mutual 

Insurance companies may be hosted on 

the same database; subject to the contractual 

and service agreement with the CSP. 

PUBLIC CLOUD 

The cloud infrastructure is made available 

to the general public or a large industry 

group and is owned by an organization 

selling cloud services. Public CSPs off er 

relatively undiff erentiated services. They 

sell services to anyone on the Internet. Currently, 

Amazon Web Services is the largest 

public cloud provider.

Figure. 3 

HYBRID CLOUD 

Hybrid cloud is a heterogeneous mix of services—some 

from the public cloud, others 

from private clouds, still others developed 

in-house or purchased and customized. 

Infrastructure in a Hybrid cloud is a composition 

of two or more clouds (private, 

community, or public) that remain unique 

entities but are bound together by standardized 

or proprietary technology that enables 

data and application portability (e.g., 

cloud bursting for load-balancing between 

clouds). Hybrid cloud is likely to characterise 

most institutional IT portfolios. 

THE RAINBOW AND THE THUNDERS IN 

THE CLOUD 

Whether the cloud is nimbostratus or altocumulus 

there are rainbows and thunderstorms 

in the cloud. The thunders and the 

rainbow vary depending on the service and 

deployment model, contractual and service 

levels agreements (SLA) and the maturity 

of the CSP. 

THE RAINBOW IN THE CLOUD 

Private, public, community or hybrid cloud 

computing enables an enterprises’ IT en- 

abled investments to meet business stakeholder 

requirements, sustain and extend 

enterprise strategy, create sustainable 

competitive advantages (unique selling 

plusses), measure the value of IT enabled 

investments to ensure that enterprise resources 

are used responsibly by providing 

easy, scalable access to computing resources 

and IT services. Cloud computing enables 

enterprises to streamline processes 

and increase innovation, it enables increasing 

productivity and transforming business 

processes through means that were prohibitively 

expensive. Business cyclical demands 

for performance can be readily met 

by cloud computing translating into more 

backup, satisfi ed customers, increased scalability 

and higher margins. Cloud allows 

fi rms that were previous lagging in taking 

advantage of cutting edge technology 

due to costs to leap frog traditional IT and 

benefi t from advanced computing services 

without having to build expensive infrastructure. 

Instantly cutting costs and creating 

selling unique plusses. Traditional System 

Development Life Cycles pains familiar 

with failed system changes are eliminated. 

Cloud computing allows enterprises to 

switch on to new applications platforms at 

the switch of a button. In a rapidly changing 

environment, speed direction setting 


and quick reaction to change are essential. 

Cloud agility enables the client company 

to meet today’s business environment dynamics. 

Traditional CAPEX and OPEX expenses 

such as servers, IT staff salaries and 

wages, physical and environmental control 

for data centre (primary and secondary 

sites), rentals, electricity and inventory of 

equipment are eliminated with the adoption 

of the cloud. 

The green, yellow, red, orange, violet, indigo 

and blues in the cloud rainbow can be 

summarised as; cost containment, immediacy 

also referred to as agility, availability, 

scalability, effi ciency, and resilience. 

THUNDERSTORM IN THE CLOUD 

The cloud is internet-based, and the Internet 

is well known for security breaches, loss 

of data, compromises of privacy, and abuse 

of intellectual property (IP). The Internet 

and the systems that were built on it are all 

prone to security failures. Cloud computing 

introduces signifi cant concerns about 

privacy, security, data integrity, IP management, 

audit trails, and other issues. A 2011 

research done by Governance Enterprise 

IT(EGIT) – a division of ISACA for 834 business 

executives and heads of IT in 21 coun- 



Figure.4 

Security concerns 

Data privacy concerns 

Compliance concerns 

Reliability concerns 

Legacy infrastructure 

investments 

tries, 10 large and small industries shows 

data privacy issues as the major concern in 

cloud computing adoption. The following 

are cloud challenges highlighted by EGIT – 

statistically depicted in Figure.4. 

Moving to the cloud means that the client 

cedes on a number of security critical areas 

highlighted below aff ecting security: 

• External penetration testing not 

permitted 

• Limited verifi cation of logs available 

• Usually no forensics service off ered 

• Not possible to inspect hardware 

• No information on location/jurisdiction 

of data 

• Outsource or sub-contract services to 

third-parties. 

CLOUD COMPUTING ASSURANCE AND 

ADVISORY: 

Providing assurance in the cloud requires an 

understanding of the Cloud Client (CC) business 

requirements, objectives and strategy, 

the CSP, scope of cloud services provided, obtaining 

and evaluating third party assurance 

reports such as Service Organisation Control 

(SOC) 1, 2 and 3 under the Statements of 

Standards for Attestation Engagements SSAE 


Other 

15.7% 

25.2% 

41.7% 

34.6% 

47.2% 

49.6% 

0% 20% 40% 60% 80% 100% 

number 16, evaluating residual risk and determining 

whether an onsite visit to the CSP 

is required. CSP onsite visit is governed by the 

Service Level Agreement (SLA) or the legal 

cloud agreement (LCA) – cloud contract. Assurance 

should be aligned with overall business 

strategy objectives and Enterprise’s risk 

management framework. 

The scope of assurance can include reference 

to: 

• Specifi c criteria, such as reliability, 

eff ectiveness, effi ciency, availability 

and confi dentiality, 

• Technical standards, guidance and 

practices which include the Committee 

of the Sponsoring Organisations of 

the Treadway Commission (COSO), 

BITS Shared Assessment, International 

Organisation for Standardisation (ISO) 

and Control Objectives for Information 

and Related Technology (COBIT), 

• Professional working standards, 

guidelines and practices, such as: 

a) ISACA – Val IT, IT Audit Framework 

(ITAF), the Business Model for 

Information Security (BMIS), Risk IT, 

b) Payment Card Industry Data 

Security Standard (PCI DSS), 

c) US Federal Risk and Authorisation 

Management Programme 

(FedRAMP), 

d) The Cloud Security Alliance (CSA) 

Control Matrix, 

e) The American Institute of Certifi ed 

Public Accountants (AICPA), 

f) NIST, 

g) Jericho Forum Self Assessment 

Scheme, 

h) Health Information Trust Alliance 

(HITRUST) and the 

i) European Network and Information 

Security Agency (ENISA). 

Auditing in the cloud can either be from the 

CSP or CC point of view. This article focuses 

on CC assurance. 

Cloud computing scope auditing approach 

and scope include but is not limited to the 

following: 

1. EARLY INVOLVEMENT 

Assurance and advisory professionals 

(compliance, risk, security and auditors) 

should be involved early in the process to 

ensure that complete due-diligence of the 

CSP, CSP capabilities and procurement procedures 

comply with company outsourcing

equirements and regulatory requirements. 

Due diligence and review of CSP capabilities 

should include: 

Strategy 

Cloud transition and adoption should be 

treated as a strategic business decision. Assurance 

should ensure that the CSP align 

business strategy and goals with cloud 

delivery strategies and service provider 

governance and management is part of the 

cloud strategy. Governance and management 

of the cloud should include establishing 

cloud service management committee 

(CSMC) that are charged with ensuring 

continuous alignment of the cloud services 

with the business strategy, establishing 

policies, processes, procedures and structures, 

measuring cloud performance, benefi 

ts realization and vendor governance to 

ensure that the cloud sustain and extend 

business strategy and objectives. 

Service and Infrastructure robustness 

Ensure that infrastructure and service delivery 

provided by CSP has capacity to meet business 

requirements, objectives and strategy. 

Skills 

Ensure that CSP staffi ng is adequate to support 

dynamic business needs, maintain the 

technical environment and that personnel 

understand information security requirements 

and are capable of discharging their 

protection responsibilities. 

2. GOVERNANCE OF CLOUD SERVICE LEVELS 

The governance of service levels is the 

backbone of eff ective cloud computing. 

The fi duciary responsibility of cloud services 

remain with the CC. According to the 

GEIT research some enterprises have put in 

place external service management committee 

(ESMC) for governance of external 

service levels SLAs to report on, oversee 

and co-ordinate third-party services to ensure 

compliance with corporate and regu- 

latory requirements, prevent value leakage 

and mitigate outsourcing risks. 

The ESMC and the CSMCs in conjunction 

with business stakeholders should defi ne 

cloud service requirements for cloud in 

a in a cloud service catalogue (CSC). The 

services documented in the CSC should be 

used as the basis for selecting the CSP and 

formulating the SLAs and contracts. The 

SLAs should be clear, reviewed and ratifi ed 

by legal, signed off by all parties (CC and 

CSP representatives) and document key 

business functional and technical requirements. 

They should include termination, 

credit and penalty, right to audit and data 

privacy and security clauses and billing 

terms, defi ne business and technology related 

KGI's, KPI's and establish a continuous 

monitoring program to ensure expectations 

are consistently met. 

The ESMC and the CSMC need to continuously 

monitor service levels to ensure that 

cloud service delivery is aligned to meet 

changing business requirements, objectives 

and strategy. 

3. RISK MANAGEMENT 

The decision to move to the cloud is a strategic 

decision and should be business driven. 

Management of risk in the cloud should 

consider technical and business risks. It 

should be governed by the principles of effective 

risk management namely: 

a. Maintaining business objectives focus 

b. Integrating IT (cloud) risk into 

Enterprise Risk Management (ERM) 

c. Balancing the costs and benefi ts of 

managing risk 

d. Promotion of fair and open risk 

communication 

e. Establishing ‘tone at the top’ and 

assigning personal accountabilities 

f. Promotion of continuous improvement 

as part of daily activities. 


Risks must be addressed from a purely business 

perspective and not from a pure IT view 

point. A thorough risk assessment should be 

completed before migrating services to the 

cloud and should be continuous throughout 

the cloud placement period. 

The following risks should be considered in 

the review of cloud risk: 

Information Assets 

Resources (data, infrastructure and applications) 

on the cloud should be categorised 

and classifi ed with appropriate parameters 

and rated based on their criticality/severity 

to the achievement of business goals and 

objectives. The categorisation and classifi - 

cation of outsourced resources will ensure 

appropriate risks response. 

Processes and Procedures 

The transition to cloud computing will 

result in changes to the way business operations 

are carried out. Day to day IT and 

business operations would require to be reengineered 

to suit the cloud arrangements. 

The transition should be used as an opportunity 

to restructure business processes 

procedures and IT service management to 

bring value. Business processes activities 

and fl ows should be revised to maximize 

benefi t from cloud services. The revised 

processes and procedures should be formalised 

(documented and signed off by senior 

executives) and should be continuously reviewed 

to ensure alignment with changing 

business goals and cloud services. 

Cost 

The true cost provided by the CSP should 

be continual to ensure maximization on 

total value, balance cost with functionality, 

resiliency, and business value and to provide 

assurance over accuracy of cloud usage 

metering and billing processes so that 

they are not overbilled. 



Business Continuity 

The CC should clearly defi ne business continuity 

needs, evaluate provider capabilities 

to meet the requirements and ensure that 

data is not co-mingled in off site storage or 

back up facility. Requirements for future 

growth and the ability of service providers 

to meet growth demands should be fully 

considered. Business continuity and disaster 

recovery plans should be formalized, 

tested and coordinated with CSPs to address 

how events that can lead to incidents 

can be identifi ed and communicated and 

how incident response activities will be coordinated. 

A Blackout Plan to address situations 

where problems arise that cannot be 

corrected and service disruptions or quality 

of service is threatened should be in place. 

Legal and Regulatory Environment 

Adopting the cloud may mean that data of 

the CC will reside in a diff erent country. This 

is problematic especially for multinational 

companies operating in diff erent cities, 

countries and continents. Diff erent cities, 

countries and continents have diff erent 

legal and regulatory requirements pertaining 

to data privacy and intellectual property. 

These means that CC or the CSP has 

to comply with both the country for which 

Cloud Security Alliance Security (2009) Guidance for Critical Areas of 

Focus in Cloud Computing V2.1 

Cloud Computing: Business Benefi ts With Security, Governance and 

Assurance Perspectives (2009), www.isaca.org 

Carl Cadregari & Alfnzo Cutaia, Every Silver Cloud Has a Dark Lining: A 

Primer on Cloud Computing, Regulatory and Data Security Risk (2011), 

ISACA Jounal. 

Liam Lynch Chief Security Strategist. eBay Marketplaces, Integration with 

legacy systems in the cloud 2011 ISACA Webinar Program 

www.itnewsafrica.com, T Systems Cloud Computing in South Africa 

February 2011 

www.isaca.org, Cloud Computing: Business Benefi ts With Security 

Governance and Assurance Perspectives. 2009 

www.isaca.org, IT Control Objectives for Cloud Computing: Controls and 

Assurance in the Cloud. 2011 


the data is hosting and where the data is located. 

The challenge arises in cases where 

the regulations are contradictory. Both the 

CC and the CSP should understand the legal 

landscape of the diff erent cities, countries 

and continents of operation. In most 

instances non-compliance risk is huge. 

Exit /Termination Strategy 

The CC should develop plans for ending 

service provider service arrangements in 

particular to address sensitive data recovery 

or deletion. The plan should include data 

retrieval and retention in the event of cloud 

contract terminations or moving to another 

CSP. This should be documented in the LCA. 

Identity Access Management (Logical 

access) 

Moving to a cloud increases the risk of data 

manipulation and unauthorised access. A 

proper inventory, categorization and classifi 

cation of the data sitting on the cloud 

coupled with an eff ective Identity Access 

Management system will ensure that access 

is based on a need-to-do and least 

privilege basis. The IAM should ensure that 

proper access monitoring and reporting 

capabilities are available under normal and 

exceptional conditions. 

REFERENCE 

Skills 

Placement of a cloud will require a paradigm 

shift in the business governance and 

management of IT. Senior Management 

should ensure that internal staff is engaged 

in cloud service acquisition and management, 

has the skill and expertise to support 

the CC business cloud needs and to coordinate 

activities with cloud providers. 

CONCLUSION 

The level and type of auditing is driven by 

the type of the cloud service model (SaaS, 

IaaS or PaaS), cloud deployment model 

(public, private, community or hybrid), CSP 

(size, service maturity etc), CC (business requirements, 

objectives and strategy) and 

contractual agreements governing the 

cloud engagement. Assurance professionals 

can use the various standards, guidance 

and practices available. One size fi ts all in 

the use of the standards, guidance and 

practices is not recommended. The standards, 

guidance and practices should be 

adapted and adopted in a way that enables 

the CC to achieve its strategic objectives 

namely value creation, resource and risk 

optimisation. 

www.isaca.org, Cloud Computing Benefi ts and Risks Detailed in New 

ISACA Guidance. 29 October 2009 

Shackleford_CloudModelSec_2011_Cloud delivery models and security 

Dr. Giles Hogben, Perspectives on Cloud Security in the European 

Landscape, April 2011, 

Defence Information Systems Agency, A Support Agency, Mr. Henry J 

Sienkiewicz. April 2009 

GSA, February 2010, Cloud Computing Initiative Vision and Strategy 

Document. 

The Future of Cloud computing, Expert Group Report, Opportunities for 

European Cloud Computing Beyond 2010. 

Primer, Shedding Light on Cloud Computing, Gregor Petri, October 2010 

http://www.techcentral.co.za/inside-standard-banks-giant-datacentre/19705/ 

www.economist.com 

Tichaona Zororo CISA, CISM, CGEIT, Portfolio Manager IT Audit: Standard Bank Group and Founder of Enterprise Governance IT (EGIT)

ADVISER 


WHY THE CURRENT FOCUS ON RISK? 

Recent events have highlighted the need 

to move risk management up in importance 

scale for Boards and executive management. 

These events include the Icelandic volcano, 

the Gulf oil spill, Japan’s tsunami and the 

Sishen mining rights. In the fi nancial services 

industry the continuing focus on risk 

through Basel II and III for banks and Solvency 

II (in SA Solvency Adequacy Management 

[SAM]) for insurance companies has 

created more regulatory pressure on ensuring 

the adequacy of risk management. 

The global credit crunch has also destroyed 

the myth that business will continue as it always 

has and now business needs to be far 

more able to respond and react to changing 

conditions. Risk management is seen 

as one of the key disciplines needed to 

prosper and survive in the world economy 

today. Note that many commentators have 

attributed poor risk management as one of 

the causes of the credit crunch. 

“BLACK SWANS” 

The high impact low probability events are 

called “Black Swans”. [In Europe, as legend 

has it, they only knew swans as white so 

black swans were not possible]. 

“Black Swans” are the events that wipe millions 

off the market capitalisation of corporations 

such as BP and Arcelor Mittal. CEOs 

and boards now want to know what potential 

Black Swans the corporations they are 

responsible for managing are facing. 


RISK SOUND BITES 

Risk management is being acknowledged as an increasingly important discipline. These sound bites are aimed at providing the reader with 

succinct insight into some of the key issues impacting on risk management and governance. 

This has opened the debate about the quantifi 

cation of risk. These events now need to be 

included in the risk considerations. Typically 

risk management quantifi cation identifi ed 

only those risks that management considered 

not suffi ciently managed. 

The Black Swans typically cannot be prevented 

but the responses to the consequences 

are signifi cant. The approach being 

followed now is in considering events 

that will have specifi c consequences – e.g. 

collapse of distribution channels, loss of 

key suppliers, sudden signifi cant exchange 

rate changes etc. The risk event becomes 

less important as the recent history has 

shown that these can be off the radar! 

RISKS VS. RISK EVENTS 

Solvency II and ISO 31000 have focussed on 

the identifi cation of risks. In Solvency II the 

capital that needs to be allocated to risk has 

to establish what risk or risk event needs to 

be considered. A general risk of, say, loss of 

skills cannot be measured. Similarly “underground 

fi re” in a mine is not suffi ciently articulated 

to establish the possible extent of 

the event – it could be at the stopes, or on 

moveable machinery or in the shaft etc. 

Risk events need to be distinguished from 

the higher level risk names in order for the 

risk to be managed. “Competition risk”, for 

example, cannot be managed as a generic 

matter. The risk event will be a new market 

entrant in a region, specifi c product substitution, 

or product pricing. These potential 

or actual events can be managed. Similarly 

“loss of skills” needs to be unpacked to the 

events that have to be managed such as 

what to do when the aging engineers retire 

as no obvious replacements have been 

identifi ed. 

All risks that are evaluated as having a potentially 

substantial impact on the organisation/business 

should be unpacked to 

constituent risk events. 

RISK MEASUREMENT 

Risk measurement is an art and not a science. 

There are certain risks that the actuaries 

will model to come up with a very 

scientifi c assessment of the possible risk 

exposure. There are others that achieve a 

high, medium or low assessment [green, 

yellow, red for us boring accountants]. 

The key elements that should be included 

in the measurement are as follows: 

• There should be suffi cient diff erentiation 

to allow a meaningful priority rating 

to be achieved. This can be on a 

100 basis points scale or on a monetary 

scale or on a numeric scale. 

• The current risk position should be established 

taking into consideration the 

current risk mitigation/controls. This isknown 

as the residual risk. 

• The risk exposure before control or 

maximum possible loss should be 

evaluated to determine the extent that 

existing mitigation/control is managing 

the risk. This is often referred to as 

inherent risk. 

• The amount of risk that the organisation 

is willing to accept should also be 

determined. This is known as risk tolerance 

or desired residual risk.

• The residual risk gap should be determined 

to establish the extent that remediation 

is required and to prioritise 

this remediation. 

Figure 1 is an example of applying the measurement 

scales: 

• Impact scale on 100 basis points. 

• Inherent likelihood on a percentage scale. 

• Control eff ectiveness on a percentage 

scale. 

Figure 1 

Other developments in measurement 

include 

• Frequency of the risk exposure is receiving 

more attention now to understand 

the risk better. For example the risks 

associated with plant operations are a 

daily exposure while contract risk is on 

as and when basis. 

• Risk controllability – the extent that the 

risk can be managed or mitigated. For ex- 

Impact 100 

Likelihood 60% 

Inherent Risk Impact x Likelihood 60 

Control Eff ectiveness 40% 

Residual Risk Inherent Risk x Control Eff ectiveness 36 

Desired Control Eff ectiveness 80% 

Risk Tolerance Inherent Risk x Control Eff ectiveness 12 

Residual Risk Gap Residual Risk - Risk Tolerance 24 

Figure 2 

2.2 

2 

1.8 

1.6 

1.4 

1.2 

1 

0.8 

0.6 

0.4 

0.2 

0 

Organisational Support Structure 

Corporate Governace 

Strategic Risk Assessment - Bar Graph: Top 10 Residual Risk Gap 

Residual Risk Gap Current Residual Risk Desired Residual Risk 

Growth 

Alternative Revenue Streams 

Business Effi ciency 

Going Concern 

Project Delivery 

RISK SOUND ADVISER BITES 

ample no organisation can control the Icelandic 

volcano that disrupted air travel to 

Europe – which in turn had a major impact 

on fresh fruit exports. The only mitigation 

is then to manage the consequence. 

• Using Monte Carlo simulations to assess 

more scientifi cally the potential 

and residual exposures – often used for 

contingency funding assessments on 

projects. There are many other quantitative 

models that are used. 

Figure 2 demonstrates the results of applying 

the measurement concepts discussed above. 

The residual risk gap provides the priority for 

addressing the risk exposures. 

The results provide a basis for understanding 

the risk exposures without having to 

get a precise measurement. 

Leadership 

International Markets 

Critical Skills atrraction and retention 


ADVISER RISK SOUND BITES 

Solvency II and Basel II have put the focus on 

measuring the incidence of risk and the extent 

that capital has to be matched against 

identifi ed risk. Interestingly Basel II requires 

reserves to be kept based on the experience 

of residual risk without considering the other 

measurement criteria set out above. 

RISK APPETITE 

Risk appetite is the most misunderstood 

concept in risk management. How much 

risk is an organisation willing to accept? Or 

does the organisation have an appetite for 

risk? How does this tie back to performance 

management? 

Risk appetite and tolerance are often not 

understood and are therefore often not applied 

in practice. Financial Services (FS) have 

a better practical feel for the concepts with 

the value at risk and how much value can be 

risked - in total and per product/investment 

type. Non FS companies have a more diffi cult 

time in making the concepts realistic. 

Figure 3 


Figure 3 is an example of a typical risk appetite 

statement. 

These high level statements provide parameters 

for risk consideration and intersect 

with value statements. 

The above risk appetite statement describes 

the parameters of strategic positioning as 

well as providing clarity on strategic intent. 

But it does not easily reach to the actual 

risks that need to be add underlying risks. 

Other appetite statements include – for example 

– a statement that risk appetite is described 

as an event that will impact 5% on 

EBITDA will result in a 10% chan nge in market 

capitalisation (share price). Potential risks 

are unpacked to risk event level and evaluated 

to provide a most likely kely value. This 

value is compared with the appetite. 

Key elements Peer example risk appetite statements 

Capital • Maintain an insurance solvency ratio of at least 150% 

• Maintain a ratio of insurance risk economic capital to life insurance reserves below 10% at all times 

• Maintain a ratio of credit risk economic capital to total bank lending book exposure below 4% at all times 

• Hold, as a minimum, suffi cient economic capital to withstand a one in 200loss on a one year basis 

• On an economic basis, we seek to maintain an AFR/Ecap ratio of a least 100% 

• Hold suffi cient capital to maintain the group's published core fi nancial strength ratings in the AA rating range 

Earnings • Our earnings will fall below budget by more than10% more frequently than once every 5 years 

• No expected loss to a single customer within the loan portfolio will be greater than 10bps of our own funds 

• Achieve steady, sustainable growth in operating profi ts on an EEV and IFRS basis 

• No one exposure to a single fi nancial institution counterparty, other than intercompany exposures, will be greater than 5% of Group 

Available Financial Resources, and exposure will only be to counterparties recognised in the relevant policy (e.g. above A+ for derivatives) 

Liquidity / 

ALM 

Figure 4 

RISK LEVELS: RISK DECISIONS: 

Risk Category Inherent Risk Current 

Residual 

Risk 

• Positive cashfl ows in extreme but plausible stress scenarios 

• No appetite for fi nancing required cash-fl ows in a manner detrimental to its main external stakeholder 

• General Insurance liabilities are matched as closely as possible with assets of appropriate amount, type (fi xed or real) and currency 

Reputation • Our people will have the highest levels of competence and integrity 

• We will treat our customers fairly 

• We seek to continue to have top quartile customer satisfaction in all of our core markets 

Other • We target an S&P rating of A+ on our senior debt 

• We seek to fully meet all regulatory expectations 

• We will have no tolerance for intentional regulatory breaches 

Risk 

Appetite 

Compliance 17% 19% 13% 6% 

Financial 33% 28% 14% 15% 

People 19% 22% 15% 7% 

Product 7% 15% 10% 5% 

Strategic 3% 30% 30% 0% 

Sytems 22% 33% 15% 18% 

Legend: 

Risk Exposure Above Risk Appetite: Less than 30% 

Risk Exposure Above Risk Appetite: Greater than 60% 

Risk Exposure Above Risk Appetite: Greater than 60% 

Risk Exposure 

Above Risk 

Appetite

We have taken a view that risks should be 

measured on their potential impact on the 

achievemment of strat egic objectives. 

The inherent risk for each strategic objective 

is assessed for the risks allocated to 

the strategic objective. The current residual 

Fazel Abram 

Angelique Adams 

Ridwaan Arense 

Delphine Bagwire 

Christiaan Becker 

Anel Bekker 

Jacques van Niekerk Bester 

Charl Beukes 

Antonett Ronel Botha 

Madelyn Chriszelda Buckley 

Francois Eugene Buys 

William Chingate 

Michael Connick 

Augusto Castanheira Cossa 

Ilse Cromhout 

Antoinette Day 

Asma Ayob Daya 

Amal Dharshana Dissanayake 

Kerasen Soobramoney Dorasamy 

Devin Driver 

Jake du Buisson 

Schalk du Plessis 

Ilana du Toit 

Johanna Christina Elizabeth du Toit 

Davison Dyiwa 

Ana Focke 

Prabashini Govender 

Godwin Grant 

Farhana Hassim 

risks for all risks per objective are aggregated 

to be expressed as a percentage and this 

is compared with a similar value achieved 

for risk tolerances which in aggregation is 

termed as "Appetite". The diff erence highlights 

the extent that the current position is 

outside of appetite. Ultimately it identifi es 

Rob Newsome, Chairman: IIA SA Technical Committee 

Congratulations to CIA candidates 

Jacobus Christiaan Heyns 

Dandi Israel Hlatshwayo 

Maria Jacobs 

Earl James 

Ilse Janse van Rensburg 

Audrey Kanyera 

Cuthbert Karasa 

Waseema Khan 

Phineas Mandla Kheswa 

Bekanani Edmund Mzikayise 

Khuzwayo 

Boitumelo Kitchin 

Theo Kruger 

Walter Kuhn 

Misola Betty Kupayi 

Hugo Laubscher 

Maria Elisa Cornelio Lloyd 

Annja Louca 

Themba Godfrey Mabaso 

Athi Madolo 

Philani Muziwoxolo Magwaza 

Denise Remona Maharaj 

Mahali Mahlakolisane 

Sipho Makaringe 

Nomsombuluko Grace 

Mamabolo 

Tony Mancos 

Mothanyi Manyoga 

Ndamulelo Masakona 

Allan Masawi 

Philisiwe Mazibuko 

Andile Memela 

Jan Mfati 

Lawrence Mkhabela 

Phakamile Bawinile Mkhwanazi 

Odwa Claribel Mlotywa 

Reggy Mmotla 

Lephole John Mofokeng 

Sekgodi Mokgethi 

Andrew William Mpofu 

Sakhile Mtshali 

Siphelele Mtshengu 

Tavison Mugorogodi 

Manfred Mukombo 

Horatio Naidoo 

ParushaNaidoo 

Shawn Naidu 

Nobantu Ngesi 

Hlayisanani Nkondo 

Lunga Nodliwa 

Stella Nyabadza 

Cornelius Oosthuizen 

Hanlie Oosthuizen 

Cliff Otega 

Kumaresan Perumaul 

Anasagree Pillay 

Gayle Postings 

Laetitia Pretorius 

RISK SOUND ADVISER BITES 

the risks exposures that need to be managed 

to achieve strategic objectives. 

A similar view per executive risk owner provides 

another interesting oversight. 

The real buy-in happens when the appetite 

is expressed per risk owner. 

Pfuluwani Reichwell Raphulu 

Gcobisile Rasmeni 

Segele Evon Ratsiu 

Shane Anthony Robinson 

Theo-John Rochussen 

Marianze Roux 

Samasree Sagadevan 

Samantha Scholtz 

Tshepo Sebiloane 

Selaelo Daphney Sebone 

Mmabatho Sepuru 

Godspresent Shabane 

Bathabile Prudence Shezi 

Bongani Sikhosana 

Simeon B Simelane 

Oyama Siwundla 

Gideon Snyman 

Mark Solomon 

Sifi so Vincent Sotshede 

William Thirion 

Aobakwe Nick Tladi 

Faizel Uaendere 

Ferdinand van Heerden 

Beulah van Niekerk 

Nazir Yusuf Vanker 

John Walters 

Steve Williams 

Zakhele Alex Tummy Zitha 


QUALITY ASSURANCE OF THE INSTITUTE OF 

INTERNAL AUDITORS SOUTH AFRICA’S CONTINUING 

PROFESSIONAL DEVELOPMENT (CPD) PROGRAMS 

The Institute of Internal Auditors South Africa (IIA SA) has in recent 

months had numerous queries regarding accreditation of its CPD Program 

and in order to give members clarity on the meaning of accreditation, 

we hereby would like to share the feedback we received from the 

Finance, Accounting, Management Consulting and other Financial Services 

SETA (FASSET) regarding accreditation for CPD. 

INTRODUCTION 

The current education and training legislation in South Africa (which includes 

the SAQA Act, the Skills Development Act, the Skills Development 

Levies Act and all the associated regulations) has been developed to support 

social and economic development in the country. It achieves this 

objective by creating an integrated, high quality education and training 

system which contributes to the full development of individuals, enhances 

career development and results in more competitive industries. 

Accreditation has become the latest “buzzword” as part of the new approach 

to the evaluation of the quality of training. The public’s knowledge 

and reliance on accreditation status is a direct outcome of the daily 

Advisory 

Internal audit 

Forensic audits 

Compliance 

Risk management 

Corporate governance 

IT auditing 

Performance audits 

Corporate fi nance 

Due diligence 

Valuations 

What we do: 

Assurance 

External audit 

Agreed-upon procedures 

Special reviews 

Financial management 

IFRS 

GRAP/GAAP 

Accounting services 

Consulting 

Get in touch with us: 

1st fl oor Building 22B, The Woodlands Offi ce Park, 

20 Woodlands Drive, Woodmead 

PO Box 74, The Woodlands, 2080 

Tel: 011 802 4155 Fax: 011 802 5957 

Web: www.xabiso.co.za Email: info@xabiso.co.za 

work that ETQAs are involved in. It is however, also one of the most misunderstood 

processes and has become the catch-all phrase when employers 

are seeking some kind of assurance that the training they pay for, 

will be of the ‘right standard.’ 

IS ACCREDITATION APPLICAbLE TO CDP PROGRAMMES? 

It is thus necessary to place ‘accreditation’ in the correct context regarding 

Continuing Professional/Development Programmes. 

Accreditation is defined in the ETQA Regulations as the “certification, usually 

for a particular period of time, of a person, a body or an institution as 

having the capacity to fulfill a particular function in the quality assurance 

system set up by the South African Qualifications Authority in terms of 

the Act.” This means that the organisation has met stipulated criteria as 

set out by SAQA. SAQA accredits ETQAs for SPECIFIC registered qualifications 

and unit standards and in turn ETQAs accredit providers. 

Important facts relating to accreditation: 

• A training provider (organisation) is accredited not the training programme. 

• Accreditation can only be done by an accredited ETQA. 

• An ETQA cannot use the term ‘accreditation’ if the qualifications or 

unit standards are not registered on the NQF. 

• Accreditation leads to ‘credit-bearing’ programmes being offered to the 

learner AND thus the learner will earn credits to be recorded on the NQF. 

• Credit-bearing means an assessment of the learner’s competence 

needs to completed in order to grant credits (e.g. marks obtained in 

an examination). 

• Accreditation relates to obtaining or achieving a qualification not 

post-qualification. 

In view of the above, it is clear that a CPD programme or a training provider 

offering CPD does not fit into the ETQA/accreditation arena. CPD 

programmes are too short to meet the unit standard outcomes, the 

courses are non-credit-bearing and they are done after a qualification. 

The need for CPDs is borne out of the necessity for professionals, 

in general, to remain up to date with their technical knowledge. In 

the accounting and auditing professional environment, it has also 

become an international requirement that relates specifically to the 

retention of professional practice standards required of accountants 

by the International Federation of Accountants (IFAC). In view of this, 

most, if not all professional bodies offer their members CPD courses. 

The Professional Bodies thus have strict measures in place to evaluate 

these programmes and the delivery thereof. 

Fasset has a long-standing relationship with the Institute of Internal 

Auditors South Africa. It is our understanding that a strict selection 

process is followed to utilise certain CPD training providers. The IIA 

SA has indicated that Fasset is welcome to verify this process and thus 

present an objective evaluation of the quality of CPD courses offered.

Do your internal auditors 

comply with the Institute of Internal 

Auditors’ career path standards? 

IIA SA Professional Training 

Programs (Learnerships) 

The Institute of Internal Auditors South Africa provides clear guidelines on the career path of an internal auditor. This path includes the 

foundation designations which can be obtained through successfully completing the Institute’s Professional Training Programs. Build capacity 

in your organisation through the IIA SA’s Professional Training Programs and join satisfied employers who have experienced incredible success 

with the program. 

The Internal Audit Technician (IAT) and General Internal Auditor (GIA) learnerships combine the content of focused training modules 

with structured workplace training which provide the employer with real quantifiable benefits: 

�� 

�� 

�� 

�� 

�� 

Who should attend? The Professional Training Programs provide a solid foundation to 

candidates starting out in internal auditing or those who need to improve their internal audit skills. 

For more information contact 

Deputy Education and Training Manager 

�� 

�� 

* conditions apply 

Progress Through Sharing 


A keen focus on supply chAin mAnAgement 

by government will help to build confidence 

in our democrAcy 

In my previous article I singled out supply chain management (SCM), 

commonly referred to as the tender process in South Africa, as one 

of the focus areas for national and provincial role players. It is an 

area across all spheres of government (national, provincial and local) 

on which citizens are raising major concerns as billions of rands are 

spent through SCM to procure goods and services. 

To ensure proper regulation of procurement/supply chain management, 

our country adopted some of the most advanced policies, laws 

and regulations in the world. To put this article into context: the laws 

and regulations adopted by our country provide clear direction to 

the public sector on the manner citizens expect procurement to be 

dealt with in the public sector. 

The principles of contracting for goods and services in a manner that 

is fair, equitable, transparent, competitive and cost effective come 

from our Constitution. The Public and Municipal Finance Management 

Acts and their regulations (PFMA and MFMA) prescribe the 

processes and rules to be followed in the public sector in order to 

apply the constitutional principles consistently and correctly and 

safeguard the process against abuse. The preferential procurement 

framework issued by the National Treasury further gives effect to 

the constitutional principle of giving preference to the previously 

disadvantaged in the allocation of work by the public sector. Finally, 

legislation provides for specific measures to ensure the system is not 

abused in order to favour certain officials and their own businesses or 

those of their family members or associates. 

All citizens hAve A criticAl role to plAy in ensuring 

cleAn AdministrAtion 

Despite the above measures being in place, supply chain management 

is still one of the areas that demand focus from national and 

provincial role players. 

During a recent series of interviews broadcast on radio stations 

on my office’s latest general report on the local government audit 

outcomes, many members of the public who called in to these talk 

shows consistently raised issues relating to supply chain management 

at departments, public entities and municipalities. 

They expressed concerns and perceptions that tender processes at 

departments, public entities and municipalities are being handled in 

a way that financially benefits a few individuals and that laws and 

regulations governing SCM are intentionally ignored or flouted by 

government officials in order to give state officials and their families 

and associates unfair advantage over other competitors or would-be 

service providers to government. 

Many of the callers asked what my office is doing to curb such mal- 


practices. My first response is that,while my office is playing a watchdog 

role, all citizens, civil society fraud prevention agencies and leadership 

within the public sector have an important 

part to play in ensuring that our country’s public administration procures 

goods and services efficiently and cost-effectively. Specifically, 

members of the public and state employees should continue to report 

to the relevant authorities any form of irregularity they detect. 

Further, citizens should insist that their elected officials are held accountable 

and take steps to ensure that the measures citizens have 

assessed as necessary, and therefore voted into law, are adhered to 

and enforced. 

the role of the Audit office 

On our part my office, since 2009, has included SCM as a specific audit 

focus area across all spheres of government and identified SCM as a specific 

focus area for executive leadership and legislative oversight bodies. 

This focus was motivated, in no small measure, by our endeavours to 

promote, through auditing, public confidence in our democracy – in 

this instance, the aims and objectives relating to supply chain management 

legislation and regulations. 

The aim of our audits of SCM policies, practices and controls is to establish 

whether departments, public entities and municipalities have put 

in place effective procurement processes and internal controls that ensure 

a fair, equitable, transparent, competitive and cost-effective SCM 

system, comply with legislation and minimise the likelihood of fraud, 

corruption and favouritism as well as unfair and irregular practices. 

leAdership commits to ensuring compliAnce with scm 

regulAtions 

Our annual audits still continue to uncover many instances of noncompliance 

with such regulations. Our 2009-10 MFMA audits included 

specific tests to determine if officials or their family members had an interest 

in the suppliers of metros and the larger highcapacity municipalities 

(40% of our municipalities). We found that awards valued at some 

R76 million had been made to employees and councillors of municipalities 

and R102 million to their close family members. The AGSA reported 

these findings to those charged with governance of the municipalities in 

question, including provincial role players, to ensure these instances are 

investigated for undue influence and possible fraud; as in many cases 

the relationship was not declared by the supplier as required by legislation. 

The audits turned the spotlight on this matter and many municipalities 

have committed to improving their controls. 

The audits of departments and public entities included similar testing 

for conflicts of interest. The 2009-10 audits identified incidents

A keen focus on supply chAin mAnAgement by government will help to build confidence in our democrAcy 

of conflict of interests and non-compliance with legislation in this 

regard, but in smaller measure than at local government. 

The most common finding from our audits across all auditees is deviation 

from legally prescribed SCM processes. It is important that 

prescribed processes are followed in order to ensure the selected 

supplier has the capacity to deliver the goods and services and that 

it is done at a reasonable price. Inadequate management of projects 

and contracts remains a weakness in the public sector and more so 

at local government level. Our audits included an assessment of the 

basics of contract management and raised findings on the lack of 

written contracts, payments made in excess of contract amounts, irregular 

amendments/extensions to contracts and inadequate monitoring 

of contracts. In most cases the reason for these weaknesses 

was insufficient capacity and skills to manage contracts. 

In addition to the AGSA’s audits, investigations initiated by auditees 

themselves continue to highlight that the SCM processes are handled 

to benefit a few individuals, or that SCM legislation is intentionally 

ignored or deliberately bypassed. We will continue to increase 

our focus in this area, as shortcomings result in delays, wastage and 

fruitless expenditure which impact directly on service delivery to the 

citizens. 

The complete results of our analyses are available in our general 

reports on the national, provincial and local government audit outcomes 

for 2009-10 (www.agsa.co.za). 

To accelerate the elimination of tender process irregularities, every 

accounting officer/authority, chief financial officer and senior official 

needs to discharge their PFMA- and MFMA-prescribed obligations 

diligently. They are required to take reasonable steps to prevent irregular 

expenditure by developing and implementing internal control 

systems that ensure fair, equitable, transparent, competitive and 

cost-effective SCM processes that could prevent and detect fraud, 

non-performance by suppliers, and 

non-compliance with SCM legislation. 

strong ethicAl leAdership needed to turn the 

situAtion Around 

It is encouraging to note that those charged with public governance 

and oversight have recently again committed to take the lead in turning 

around our auditees’ non-compliance with SCM legislation and ensuring 

a strong ethical culture within the public sector. 

Active governance and involvement by internal audit and audit 

committees can also go a long way in meeting the tender process 

challenges, thus helping the public sector move faster in its march 

towards clean administration by 2014 and beyond. 

Non-compliance must have consequences and accountability must be 

enforced at all levels. For example, there should be severe consequences 

for those who intentionally neglect regulations that govern strategic 

areas such as SCM. There must be a conscious decision by political 

and administrative leadership to take action against transgressors. 

Only when the leadership has set that tone of decisively dealing with 

such malpractices would the citizenry have confidence in our public 

sector procurement and financial management systems. 

To conclude, SCM is the area where the bulk of the activities are concentrated 

in all three spheres of government. Continued non-adherence 

to SCM regulations therefore defers restoration of the public’s 

confidence in the ability of state officials to systematically take care 

of their interests – and deprives citizens of much needed services in 

all areas of service delivery including within the health, education or 

housing sectors. 

The level of service delivery to citizens and the degree to which government’s 

socio-economic objectives are promoted are directly and 

significantly helped or frustrated by the degree to which the procurement 

systems of departments, municipalities and other public sector 

entities comply with legislation and prescripts. 

As I indicated earlier, every citizen of this country has an important role 

to play in ensuring our public administration, and by extension our democracy, 

works efficiently. And I look forward to hearing more testimonies 

about South Africans who are working closely with their elected 

representatives or law enforcement agencies in thwarting supply chain 

management irregularities that could undermining our democracy. 

Terence Nombembe, Auditor General: AGSA. 

This article first appeared on the AGSA website. 

Conformance or performance? Is your 

internal audit function helping you 

achieve the right balance? Are you clear 

on how to navigate your governance, risk 

and compliance challenges? 

�� 

If not, you should consider talking to a BDO Risk Advisory 

specialist. We can help by: 

�� Setting up, transforming or streamlining your internal 

audit function 

�� Internal audit strategic partnering and co-sourcing 

�� Outsourcing and managing all or part of your internal 

audit requirements 

�� Performing a quality assurance review of your existing 

internal audit department 

�� Functional and business process performance 

improvement reviews 

For more information, visit www.bdo.co.za 


CCSA 

Anthony Brink 

Asma Ayob Daya 

Elmarie de Waal 

Johanna Christina Elizabeth du Toit 

Humza Ebrahim 

Ajay Goli 

Ajay Graham 

Anneke Hattingh 

Jacobus Christiaan Heyns 

Tania Jacobs 

Cuthbert Karasa 

Yihsuan Lin 

Maria Elisa Cornelio Lloyd 

Mafemane Mahlahlane 

Tony Mancos 

Nompumelelo Maseko 


Congratulations to CCSA, CFSA and CGAP candidates 

Prishani Moodley 

Molefe Michael Motsatsi 

Lungile Mthembu 

Ntando Ndaba 

Mlamuli Shadrack Ndlovu 

Veronica Nkuna 

Cornelle Olivier 

Gayle Postings 

Vuyisa Poswa 

Madimpe Josias Ramakgoakgoa 

Malesela Ramakgolo 

Segele Evon Ratsiu 

Alberto Reis 

Thozama Rululu 

Makhosazana habangu 

Vuyani Sibamba 

Linda Smit 

Leone Steyn 

Faizel Uaendere 

John Varga 

CFSA 

Carlo Bubalo 

Fernanda de Wit 

Keitumetse Mothobi 

Deon Rossouw 

Munyaradzi Zhawu 

CGAP 

Vhonani Eric Luvhengo 

Wayne Poggenpoel

University of Pretoria and nanjing aUdit 

University: iaeP Programmes 

Progress throUgh sharing 

Prof Chen Danping from Nanjing Audit University, Nanjing, Peoples’ 

Republic of China visited UP in March 2011 to present guest lectures 

to internal auditing practitioners, academia and students. 

A very dynamic working relationship exists between the School of 

International Auditing at NAU and the Department of Auditing at the 

University of Pretoria (UP). Both of these institutions have been accredited 

by the Institute of Internal Auditors (IIA) as Internal Auditing 

Educational Partnership (IAEP) Schools. The Department of Auditing 

at UP has Centre of Excellence status (one of only five schools globally 

which has this status) and the IAEP School at NAU has been accredited 

at the Partner level (one of sixteen partner schools). 

During March 2011, Prof Chen Danping from NAU visited UP to present 

guest lectures to internal auditing practitioners, academia and 

students. Prof Chen also visited representatives from the IIA(SA), the 

Ethics Institute of South Africa (EthicSA) as well as the Southern Af- 

rican Institute of Government Auditors (SAIGA). Apart from working, 

she also enjoyed visits to Lesedi Cultural Village in the Hartebeestpoortdam 

area and the Cullinan diamond mine. Prof Chen’s area of 

specialisation is economic accountability audits. This is a unique type 

of audit engagement performed in China to assess the fairness of the 

economic decisions taken by the leaders of state-owned organisations 

during their terms of office. In her presentation, Prof Chen highlighted 

that the purpose of an economic accountability audit is to: 

“…assess the enterprise’s truth, legality and performance of the assets, 

liabilities and equities, the relevant economic activities about 

significant operational decisions, as well as the conditions abiding by 

the relevant regulations and laws, following the processes, approaches 

and requirements regulated by the nation or organisation.” She 

discussed several interesting cases relating to economic accountability 

audits, for example the case in 2003 where the Chinese National 

Audit Office (CNAO) conducted economic accountability audits of 

the leadership teams of several organisations in China. One such audit 

exposed significant losses of 7.84 billion yuan due to ineffective 

decision-making by the leadership team of an organisation. These 

leaders were subsequently found guilty of crimes and jailed! 

Cooperation between the two IAEP programmes is of strategic importance 

to both institutions. UP lecturers will visit NAU in October 

2011 and UP students will join the NAU IAEP programme from September 

2012 to January 2013. Two NAU students will visit UP in July 

2011 as part of a 6-months exchange programme. UP and NAU are 

looking forward to a long-term working relationship through the IIA’s 

IAEP initiative with their common goal being to develop competent 

internal auditors for the profession. 

Kato Plant, Senior Lecturer: Department of Auditing, University of Pretoria 

Audit 

focus 

We offer you: 

- High quality services; 

- We are locally represented with offices in Gauteng, Mpumalanga, Limpopo and North West; 

- Experience being part of the world’s largest internal outsource function i.e. Transnet; 

- A highly qualified and experienced team of individuals with vast and impressive credentials; 

- Our approach which is underpinned by leading practice, our tried and tested methodologies, 

modern internal audit know-how, and technology and knowledge systems; and 

- Our commitment to add value by means of delivering Service Beyond Expectation! 

Building a sustainable internal control environment: 

Our integrated risk management and outsourced assurance approach, will not only provide 

quality, timely deliverables during the course of the respective assignments, but will also create 

a basis for a best in class corporate governance environment within your business as well as a 

sustainable relationship between management and our firm. 

Contact us: 

Email: info@sekela.co.za 

Website: www.sekela.co.za 

Head Office: 011 797 6800

ADVISER 


ADVISER AD ADVI VI V SE S R 


ProgressThrough Sharing 

The Institute of Internal Auditors South Africa (IIA SA) is part of an international network representing the interests of internal 

auditors worldwide and is the internationally recognised authority, standard setter, principal educator and acknowledged 

leader in certifi cation, research and technological guidance for the profession of internal audit. The IIA SA provides internal 

auditors with the support and opportunities to develop to their fullest potential. 

We serve internal auditors by off ering 

• Technical Advice 

• Continuing Professional Development Opportunities 

• Learnerships 

• Certifi cation Programmes 

• Conferences and Seminars 

Become a member of the Institute and join a community 

of dynamic professionals 

All relevant information for becoming a member of the IIA SA is available on 

Website: www.iiasa.org.za. Alternatively you can contact us on: 

Telephone: 011 450 1040 or E-mail: customerservices@iiasa.org.za Progress Through Sharing

ethics - The Institute of Internal Auditors South Africa

Create successful ePaper yourself

Delete template?

Save as template?