ethics - The Institute of Internal Auditors South Africa
SEPTEMBER 2011
IA ADVISER
ETHICS - BUSINESS VS. PERSONAL VS. PROFESSIONAL ETHICS
AUDITING THE THUNDERS IN THE CLOUD
RISK SOUND BITES

The Adviser is green!
Progress Through Sharing
The Institute’s Board has taken a bold step to ensure that the Institute becomes more green. After careful consideration, it was decided that the Adviser will in future only be distributed in electronic format. Showing our support for the conservation of the earth is an important step toward showing the world that we are evolving.
Members will receive access to the IA Adviser via e-mail. To ensure you don’t miss a single edition, please make sure your details are up to date. If any change has occurred, please visit our website: www.iiasa.org.za and download an update form or Email: membership@iiasa.org.za
The Institute of Internal Auditors South Africa
Telephone: +27 11 450 1040 | E-mail: customerservices@iiasa.org.za | Web: www.iiasa.org.za
BOARD OF DIRECTORS e-mail: directors@iiasa.org.za
President: Shirley Machaba CCSA
Snr Vice President: Mmathabo Sukati CIA
Vice Presidents: Vonani Chauke CIA
Harold Chiloane
Brian Cleak
Vukani Dlamini CIA
Oupa Mbokodo CIA
Khethiwe Mhlanga
Felicia Msiza
Rob Newsome CIA
Ashley Smith
Riaan Thiart CIA
Arno Vorster
Chief Executive Officer: Dr Claudelle von Eck
Past Presidents: Justine K Mazzocco
Past Past Presidents: Linda Yanta CIA
CONTENTS
MESSAGE FROM THE CHIEF EXECUTIVE OFFICER
SA WALKS AWAY WITH AWARDS
WELCOME TO NEW MEMBERS
IIA SA EVENTS CALENDAR
FEEDBACK FROM THE REGIONS
THE AUDITORS ARE BACK!
ETHICS - BUSINESS VS. PERSONAL VS. PROFESSIONAL ETHICS
AUDITING THE THUNDERS IN THE CLOUD
RISK SOUND BITES
QUALITY ASSURANCE OF THE INSTITUTE OF INTERNAL AUDITORS SOUTH AFRICA’S CONTINUING PROFESSIONAL DEVELOPMENT (CPD) PROGRAMS
A KEEN FOCUS ON SUPPLY CHAIN MANAGEMENT BY GOVERNMENT WILL HELP TO BUILD CONFIDENCE IN OUR DEMOCRACY
UNIVERSITY OF PRETORIA AND NANJING AUDIT UNIVERSITY: IAEP PROGRAMMES PROGRESS THROUGH SHARING
REGIONAL GOVERNORS
Central Region: Matlali Solfafa
Eastern Cape - Border Kei: Mxolisi Silinga CIA
Eastern Cape - Port Elizabeth: Houdini Fourie
Gauteng - Johannesburg: Ingrid Ravenscroft CIA
Gauteng - Pretoria: Adrie de Klerk
KwaZulu Natal: Jeanette Englund
Limpopo: Jasmina Patel
Mpumalanga: Thomas Varghese
North West: Annelise Erasmus
Northern Cape: Johan Snyders CIA
Western Cape: Arno Vorster
Lesotho: Ntefeleng Tsiboho
Namibia: Melanie Späth CIA
Swaziland: Wesley Mndzebele
CONTACT
JOHANNESBURG: +27 11 706 9222
CAPE TOWN: +27 21 424 3042
DURBAN: +27 31 566 6140
www.accountantsoncall.co.za

INTERNATIONAL OPPORTUNITIES - SALARIES HIGHLY NEGOTIABLE
• CA (SA) / CIA / CISA / MBA
• Min. 5 years plus commercial with listed and or international experience
• Min. 2 years plus management experience
• Valid passport
• Permanent opportunities
These positions are requiring quality orientated individuals, who want to gain international experience within a large listed and diverse group. You will be offered an opportunity to gain experience that will elevate you to a new level with responsibilities on an international level.
Responsibilities include full management function, strategic focus by ensuring the effective achievement of the Internal Audit Department’s objectives.
Knowledge & experience include SOX and COSO risk assessment as well as large listed and or international client auditing experience.
Skills include above average English report writing skills, ability to manage an outsourcing and co-sourcing services, CAATs, general IT audit skills, systems savvy as well as ability to lead, plan and execute.
Ref: AD001

RISK MANAGER – HIGHLY NEGOTIABLE
• CIA, B Comm (Hons), CCSA
• IIA and RMSA membership
• 4 - 5 years Risk Management experience
Newly created position within a listed group is seeking a passionate Risk Manager to join their effective team. This position will offer you a chance to set up and start an effective risk function where your contribution will be part of the success of the company in the future. You will be responsible to roll out and facilitate workshops to the rest of the group. We need a dynamic person who enjoys challenges, diversity and enjoys working with people.
Ref: AD002

SENIOR SPECIALIST INTERNAL AUDITOR – R650 000 NEGOTIABLE PLUS PERFORMANCE INCENTIVES
• Gauteng
• CA (SA) / CIA / CISA / B Comm (Hons)
• Min. 5 years Internal Auditing experience
Large corporate is seeking a specialist auditor to join their skilled team of highly specialized auditors. The ideal person will be analytical, be able to see the bigger picture, a lateral thinker and a problem-solver, take control of situations and be able to initiate new approaches. Your ability to lead and supervise others will be advantageous. Time management will be required as you are working with deadlines.
Ref: AD003

SENIOR INTERNAL AUDITOR – R550 000 NEGOTIABLE PLUS PERFORMANCE INCENTIVES
• Gauteng
• CIA, B Comm (Hons), B Comm
• Min. 4 - 5 years commercial or consulting experience
A dynamic listed group is seeking a passionate, dedicated go-getter to join their highly dedicated team of specialists. Skills required for this role would include SOX experience, supervisory experience, and the ability to lead an audit and work on your own. There is an element of travelling involved on a quarterly basis.
Ref: AD004
To apply for any of these positions please contact
Marichen Viviers - email: marichen@frontlinesolutions.co.za or 082 891 9816 or 011 706 9222
Sonja von Poncet - email: sonja@frontlinesolutions.co.za or 082 779 1302 or 011 706 9222
Chantal David - email: chantal@frontlinesoltuions.co.za or 082 898 1116 or 011 706 9222
Please quote the reference number when applying for the position.

Institute of Internal Auditors South Africa
Unit 2, Bedfordview Office Park
Bedfordview, 2008
P O Box 2290, Bedfordview, 2008
Telephone: +27 11 450 1040
Facsimile: +27 11 450 1070
IIA SA Website: www.iiasa.org.za
IIA Inc Website: www.theiia.org
Business Hours:
Mon - Thurs: 08h30 - 17h00
Friday: 08h30 - 16h00
Accounts / Finance: Patrick Clarence
e-mail: patrick@iiasa.org.za
fax: 086 685 0163
Bookstore:
e-mail: bookstore@iiasa.org.za
fax: 086 685 0164
Certification: Tina Wolmarans
e-mail: certification@iiasa.org.za
fax: 086 685 0162
Communications and Business Development: Valentina Brazao
e-mail: val@iiasa.org.za
CPD: Jenine Dresse
e-mail: seminars@iiasa.org.za
fax: 086 685 0161
Learnerships
Bill Shellard: e-mail: bill@iiasa.org.za
Lawrence Chetty: e-mail: lawrence@iiasa.org.za
Membership: Stephanie Erasmus
e-mail: membership@iiasa.org.za
fax: 086 685 0160
Regions:
e-mail: regions@iiasa.org.za
fax: 086 572 4301
Technical: Charles Nel CIA
e-mail: charles@iiasa.org.za
fax: 086 685 0165
Advertising: For a copy of the advertising terms and conditions contact Theko Ntseare on theko@iiasa.org.za
If you need to change your details please e-mail membership@iiasa.org.za
Editorial / Article Submission
Val Brazao: val@iiasa.org.za
Charles Nel: charles@iiasa.org.za
To submit an article e-mail: dorah@iiasa.org.za
ISSN 2079-729X
Published by the Institute of Internal Auditors South Africa and supplied gratis to members. The IIA SA does not accept responsibility for any opinions expressed by the contributors or correspondents, nor for the accuracy of any information contained in contributions, advertisements or correspondence in this newsletter. All material submitted for consideration is subject to the discretion of the Editor and the Editorial Team. The Editor reserves the right to edit all material. Advertisements do not constitute an endorsement.
MESSAGE FROM THE CHIEF EXECUTIVE OFFICER

As I breathe a sigh of relief after the conference, I am left with one consuming thought. It became clear on the first morning of our conference that our stakeholders are asking more from internal audit than they have ever asked before. The societal burden I see growing on internal audit goes beyond adding value in organisations from an assurance and advice on best practice perspective. It is becoming abundantly clear to me that there is a call on internal auditors to boldly assume their role as the conscience of the organisation. However, that is not where it ends. There seems to be an expectation on internal auditors to collectively provide a voice of conscience to the broader society. I listened carefully to speakers such as the Minister of Finance, Pravin Gordhan, and Prof Habib and heard the call to internal auditors to speak to the risks in the broader society. Prof Habib encouraged our members to stop shying away and being apologetic. For example, he referred to a time bomb we can hardly ignore in the form of young black graduates who are unable to find jobs. Herein is a great risk to our society which would naturally have an impact on organisations. In other words, internal auditors are encouraged to courageously stand up in their organisations, but also have a collective voice in terms of the societal risks that we face. The conscience of society? If not you, then who?

There are great opportunities in such a notion. However, such a responsibility does not come without a huge price tag. It would, of course, give the profession a wonderful platform and raise its profile if internal audit could speak as the conscience of society. However, there are important elements that must be in place to ensure credibility and the right to be that voice to the conscience of our country. Firstly, we would need to be competent and be known as such. I have touched on the issue of competence a number of times in the past, but that was in relation to the individual auditors within their place of work. What I am referring to here is that collectively we are only as strong as our weakest link. It is therefore imperative that we understand very clearly that each internal auditor has some role to play in the collective credibility of the profession. There is also the element of being relevant. We would only be perceived as credible if we touch on the right issues – the burning issues which, when addressed, would make a difference in our society. It certainly is food for thought.

I could not help but wonder whether we were playing the role of oracle when we decided on the new trophy for the Internal Auditor of the Year award. We felt it necessary to upgrade the old one and bring it into the 21st century. While looking at a host of pictures of trophies, I was particularly drawn to the one we eventually chose. It consists of a pair of hands holding up the globe with Africa in the front view. The symbolism I saw in it is internal audit playing a significant role in protecting our world. It seems to me that we do need to see internal audit making more bold statements about the risks that we face in our society. With that I would like to congratulate this year’s Internal Auditor of the Year winner, Kokela Siqendu. She certainly has made us proud.

On reflecting on that huge task on the shoulders of the profession, referred to above, I am also reminded of another sobering thought put to us by Michael Judin on the last day of the conference. Under the new Companies Act internal auditors can be sued. We need to take this message very seriously. Internal auditors will be judged based on what could be reasonably expected of them in their positions. Now, this gives me sleepless nights when I think about the numbers of internal auditors who have not yet been able to meet the minimum requirements of the Institute in terms of ensuring that they are competent to do their jobs effectively and efficiently. Michael made it clear that where companies are sued, the lawyers will call the internal auditors to the stand. We had better get our ducks in a row. The last thing I would like to see is one of our members being splashed all over the media after being sentenced to a term in jail.

This year the conference speakers have challenged us like we have never been challenged before. From encouraging us to spend more time thinking about the future and how the processes in their organisations need to change to meet the future head on, to becoming more IT savvy, to coming out of the trenches and spending more time on looking at the strategic issues. It is apparent that we need to raise the bar to an even higher level than ever before.

Dr Claudelle von Eck, Chief Executive Officer: IIA SA
SA WALKS AWAY WITH AWARDS
South Africa has produced the 100,000th qualifying CIA. Portia Ngesi was honoured on stage at the international conference and IIA South Africa also received an award for its avid support of the CIA program.
WELCOME TO NEW MEMBERS
BORDER KEI
Alfred Nzo District Municipality NN Nozigqwaba
Department of Human Settlement CH Komanisi
MB Ngwane
Department of Rural Development & Agrarian Reform A Singh
Gobodo Inc O Sparrius
Joe Gqabi District Municipality SI Mankayi
A Mfazwe
Office of The Premier K Bota
NP Mrwebi
PricewaterhouseCoopers AT Mentoro
D Schadle
Private Member O Hlungula
Umzimvubu Local Municipality GP Skenjana
University of Fort Hare SB Mtintso
Wimpy SV Mntonga
FREE STATE
Central University of Technology V Koma
Department of Justice LM Jingose
Department of The Premier MM Makhema
Dihlabeng Local Municipality VC Sikaundi
Ernst & Young N Naudé
R Nell
IR van der Merwe
Eskom Holdings Ltd MB Maimane
NJ Sikhosana
Motheo District Municipality RMM Malebo
PricewaterhouseCoopers CF du Toit
Private Member MHK Dhlamini
BE Mothibedi
Ramathe Chartered Accountants (SA) K Mokhako
SAB&T Chartered Accountants LJ Makubu
South African Police Services T Sibuyi
University of the Free State DJ Jacobs
Xhariep District Municipality ND Mokoena
JOHANNESBURG
ABSA Bank Ltd MJ de Smedt
F Essop
J Naidoo
VL Nakedi
AECI Ltd KL Ellis
SH Rutthan
African Bank Investment Ltd MT Moutlane
XP Mpungose
African Oxygen Ltd OV Nong
Akanani Consulting (Pty) Ltd T Tlhabang
Alexander Forbes NM Mashego
AN3 Consultancy Services Pty Ltd V Mavengedza
AngloGold Ashanti Ltd TN Sephai
OT Shakwane
AR Process Projects (Pty) Ltd J Ndala
Barloworld Ltd PN Lukhele
BDO SA Advisory Services DA Fourie
Cargo Carriers Limited SP Maseko
Case Construction DA Mashatola
Charter Financial & Auditing Corporated KK Mukenge
Chili & Co Incorporated HP Maluleka
Clientele Limited NJ Khumalo
Datacentrix H Baloyi
Deloitte & Touche TR Chidhakwa
Deloitte & Touche C Jooma
N Shabangu
Department of Correctional Services ME Mahamotse
Discovery Holdings N Mabuza
NV Muluvhu
N Rajbansi
Eagle Wings Consulting EM Sefitlholo
Ebeneza Consulting Services QE Munyai
EECSA Consulting ASX Demadema CIA
Ekurhuleni Metropolitan Municipality CS Eloff
KL Motsi
N Nkosi
Elvey Security Tech TT Baloyi
Ernst & Young TT Dooka
MN Nteo
Eskom RJ Hiss
First Rand Bank PMZ Mbatha
SV Coleman
M Mashige
TBG Mokone
F Suffla
Fortenay Fuels HF September
Gauteng Department of Finance NN Baloyi
LL Makhurupetse
T Mazwi
ZP Nkosi
ID Ntuli
PD Sengakana
Gauteng Shared Services Centre TD Moeng
Goldfields Mining Ltd SP Makhubu
Hollard Insurance Company Ltd AR Hoosen
R van den Berg
S Xinwa
Horwath Leveton & Boner SB Khuboni
Industrial Development Corporation of SA Ltd CC Makhuvele
ST Ngcwabe
Indyebo Consulting DC Mashashane
P Matokwe
Katanga Mining Services (Switzerland) AG JM Malahay
KPMG LCA Amadi
AC Basson
M Geldenhuys
Z Mpoto
Z Prinsloo
LAW Holdings TV Msindwana
Legal Aid Board ENM Mashele
Manase & Associates GM Mushangwe
Massmart Holdings M Govender
L Karropoulos
K Pillay
Medscheme Holdings R Gething
Metal Industries Benefit Fund Administrators NJ Lombardo
S Lukele
MIH Holdings Ltd NC Dlamini
NBC Holdings (Pty) Ltd GJ Phillips
Nedbank BE Mogokonyane
K Padayachee
V Perumal
LM Monchosi
Nkonki Inc ZR Nyoka
Office of The Auditor General TJ Chauke
OC Letlhakwane
NA Makhale
T Memela
Office of The Auditor General TS Mthombeni
Omnia Group Ltd MP Makhubele
TJ Yssel
PC Training & Business College KT Muruvi
PKF BEE Solutions SMM Bashala
PricewaterhouseCoopers A Henning
F Khan
SP Reynolds
Pro Optima Audit Services B Kotze
Rail Safety Regulator PB Lekula
Right to Care B Nagar
RSM Betty & Dickson CD Betty
E Mutaki
Sanlam AE Randall
Sasfin Bank N Govender
Sekela Consulting MB Cebekulu
TNM Choane
C Ditsepu
Sekela Consulting B Dube
X Hlongwane
SF Madiba
CMX Makhathini
DS Masanabo
LM Mseleku
NG Msibi
NGJ Ndaba
TK Nkosi
TL Nogampula
P Nxumalo
G Sibanda
Sizwe Ntsaluba VSP CM Chavula
AM Maqelepo
South African Revenue Services CMN Motia
PM Sebata
MB Senwamadi
South African Tourism S Nemakwarani
Spar Group Ltd I Snyman
Standard Bank of SA Ltd BB Modisane
TJ Sehlapelo
FL van Wyngaard
The New Reclamation Group L Owen-Crompton
Tshikululu Social Investments KM Dennehy
Ubank CR Matsondota
Unisa Student KA Sekgota
United National Breweries SA Pty Ltd D Arora
University of Johannesburg FS Siaga
Vaal University of Technology Student MJ Moeketsi
Westrand District Municipality TM Rasekgala
Wholesale Housing Supplies (Pty) Ltd L Meintjes
Xabiso Chartered Accountants MTP Sereka
Zama Bhengu Consulting ZJ Bhengu
KWAZULU NATAL
Baker Tilly Morrison Murray N Mangaru
Buhr, Parry & Company PN Ntshangase
Camelsa Consulting C Madamba
Desai Jadwat Inc MR Amod
Durban University of Technology LF Jali
Ernst & Young L Mjwara
V Raidoo
ESP Consulting S Dlamini
SL Mqadi
P Naidoo
Gold Circle (Pty) Ltd DA Garavarian
Grindrod Bank K Pillay
IT Dynamics P Nundkumar
Massmart Holdings SS Ntombela
Newcastle Municipality P Maharaj
Nexia Levitt Kirson SN Nunkumar
Office of The Auditor General K Kander
V Maipath
PricewaterhouseCoopers DA Bloem
DD Gerber
NP Mkhwanazi
RI Kennedy & Associates S Dhanrathan
S Maharaj
V Singh
Sizwe Ntsaluba VSP A Sonjani
South African National Defence Force Z McBean
South African Police Services LP Danca
The Wholistics Planning Group J Nyamunda
Ubucule Accountants STT Khumalo
Umngeni Municipality HS Mpangase
Umzimkhulu Municipality MD Gumede
Unitrans Sugar & Agriculture CA Mainstone
LESOTHO
Centre for Accounting Studies MJ Nketekete
Lesotho Revenue Authority LK Hoala
LIMPOPO
Agape Chartered Accountants Inc ND Tshithavhani
SC Netshisaula
Department of Agriculture MP Mamafa
Limpopo Legislature AS Matlala
AC Mudau
Limpopo Provincial Treasury MS Mokgokong
WA Rivombo
KS Seema
LJ Selala
TA Sibiya
MA Sibiya
RD Tharage
MS Tjiane
RV Tshikalange
Mopani District Municipality XP Chabalala
TM Mokgola
ST Sekgalakane
MM Shai
Office of The Auditor General IM Chokwe
MJ Masiya
SAB&T LM Legodi
Thulamela Municipality TW Mulaudzi
Department of Public Works & Transport KT Mothapo
Gobodo Incorporated T Chitauro
Limpopo Provincial Treasury NX Hlungwani
Y Kente
GT Kgowana
PL Khumalo
BM Kupa
MP Kyatla
LT Livhuwani
HR Makgatho
NM Moabelo
SAK Moeti
MS Molepo
PL Moloto
Limpopo Provincial Treasury MS Morifi
Limpopo Provincial Treasury TT Mudau
L Mukhathedzwa
LRR Mushanganyisi
FD Ndou
TV Ngoetjana
ZL Ngono
MJJ Peasnall
ME Ramaselele
SP Ratlabala
MM Tshivhuyahuvhi
Mookgophong Municipality MA Mothema
Office of The Auditor General HW Chelhango
PricewaterhouseCoopers MET Maluleke
South African National Defence Force KF Sebola
MPUMALANGA
Department of Economic Development & Planning KT Nthutang
Department of Finance BE Mndawe
NJ Nkosi
Eskom Holdings DN Zulu
KPMG LI Ngcobo
SP Sithole
South African Police Services MJ Magoro
PC Mpenyane
M Mukomutelo
MJ Munyai
Private Member MA Molele
NORTHERN CAPE
Sol Plaatje Municipality RM Ndabezitha
NORTH WEST
Department of Public Safety KA Makgoe
NWK Beperk WJA Kriel
L Kruger
AJ van Tonder
PricewaterhouseCoopers EN Mbua
Rustenburg Local Municipality CS Mabe
Senwes Ltd T Shushu
Private Member TG Ntsimane
NAMIBIA
Bank of Namibia JK Kahorongo
Bank Windhoek L Fortuin
T Nainda
Ministry of Justice IM Hummel
T Shapota
EN Simon
Namibia Water Corporation KA Iiyambo
National Youth Service SH Nekaro
Nedbank Namibia Limited TD Bock
Office of The Auditor General Namibia LN Shuungula
Stanlib Namibia AA Naris
PORT ELIZABETH
Eden District Municipality RI Bruiners
NM Dlengezele
Eden District Municipality ZP Manqina
Nelson Mandela Metropolitan University Student S Nombekana
Nelson Mandela Metropolitan University KD Pather
Office of The Auditor General H Kika
PRETORIA
ABSA Bank TS Maluleka
ABSA Consultants & Actuaries R Smit
Alert Steel (Pty) Ltd MB Fourie
Alexander Forbes JL Boikhutso
Aurco Group (Pty) Ltd KB Dibodu
NJ Mashego
C-Track (Pty) Ltd SH Langeveld
Deloitte & Touche AO Da Silva
Department of Higher Education and Training DK Phasha
Department of Infrastructure Development MP Mushoma
Department of Justice & Constitutional Development SG Mokubela
TN Rasodi
Department of Labour MV Maswi
Department of Mineral Resources TV Busakwe
KK Mlangeni
DK Ngandwe
Department of Public Enterprises ML Mafereka
Department of Roads & Transport MP Godobedzha
Eskom Holdings OP Tube
Habitat for Humanity International CS Makoni
Hernic Ferrochrome (Pty) Ltd A Noormahomed
Human Science Research Council AM Mogolane
Imperial Holdings (Pty) Ltd Y Naidoo
Ligwo Advisory Services FV Scheepers
Moore Stephens Chartered Accountants S Cameron
AE Prinsloo
Mvelaserve Ltd P Jordaan
National Department of Transport PZ Zuma
National Lotteries Board R Hartzer
National Treasury NM Kekana
Nexus Forensic Services (Pty) Ltd E Naudé
Nzalo White Consulting PT Masuku
Office of The Auditor General CJ Coetzer
H Kallen
PM Kekana
AM Kemp
NM Lenko
MM Mahomane
NG Maluleka
BE Mokgongoana
KP Mooketsi
MH Sibiya
B Weideman
OMA Professional Advisory Group TJ Chamboko
Outsurance Holdings (Pty) Ltd MJ Bothma
PACT South Africa MM Tshuma
PricewaterhouseCoopers MP Nhlengethwa
SA Council for Social Service Professions MML Malebye
SAB & T Incorporated KE Mosenye
SAB&T Business Innovation Group (Pty) Ltd Y Gopaul
MV Kanyane
N Lekhuleni
N Prinsloo
KE Sealetsa
PH van Zyl
Sephaku Holdings Ltd AJ Fahy
South African National Defence Force DJ Matthews
LXW Nengudza
South African Police Services ED Hlongoane
South African Police Services TTJ Magato
MM Maphalla
PJ Masegela
ME Thosago
IS Welcome
TA Dube
NJ Malaka
MC Mthembu
RO Pale
CP Schröder
Standard Bank of SA Ltd EL Maake
Tshwane University of Technology NA Tshabalala
Tshwane University of Technology Student KC Mmitsi
UNISA DJF Carles
AV Visser
UNISA Student ND Sibanda
University of Pretoria O van Biljon
University of Pretoria Student C Atkinson
MG Barnard
T Boucher
M Bouwer
TO Burtone
SS Dawson
JF de Gouveia
N de la Rey
GJ Deist
JS Dempers
M du Preez
J du Toit
Y Fopma
C Fourie
P Gaybba
J Gildenhuys
KP Hlabati
MR Ismail
T Joubert
M Kritzinger
MF Mabitsela
RT Mahapa
JJ Marais
MN Masemola
B Mkize
S Mlangeni
FLV Moeletsi
TP Moloto
LMS Monkam
DP Motiang
M Mphahlele
MM Mutheiwana
SR Ndlovu
MK Panicker
JN Pieters
LR Raju
K Rattan
MAB Salvador
KP Saudi
CI Segida
MD Sengakana
SN Shino
NL Sikakane
PM Silolo
SM Skosana
NF Songo
K Sujee
10 | IA ADVISER September 2011<br />
University <strong>of</strong> Pretoria Student LB Thobakgale<br />
KJ Thomson<br />
KL Thusago<br />
KR Tsiloane<br />
E van Aardt<br />
SWAZILAND<br />
Namboard WM Ntshakala<br />
Swade Ltd DS Zondo<br />
Swaziland Beverages Limited K Hlophe<br />
Swaziland Development and Savings Bank SN Nhlabaji<br />
WESTERN CAPE<br />
Allan Gray Ltd Y Mowlana<br />
HRN Nyatsanza<br />
BDO <strong>South</strong> <strong>Africa</strong> Inc NT Boora<br />
Cape English Language School MAE Amod<br />
Cape Peninsula University <strong>of</strong> Technology Student V Baatjies<br />
M de Jager<br />
AT Farao<br />
DJ Flowers<br />
L Fredericks<br />
ET Mangwende<br />
N Mberirua<br />
B Mkalipi<br />
TS Paulsen<br />
VL Pietersen<br />
NA Va<br />
Capitec Bank Ltd RC Croeser<br />
City <strong>of</strong> Cape Town RJ Mfati<br />
Damco Logistics (Part <strong>of</strong> Safmarine/Maersk) K Naicker<br />
Engen Petroleum Ltd A Abdulla<br />
Ernst & Young S Timmerman<br />
EF Wiid<br />
Foschini Retail Group (Pty) Ltd T Gabier<br />
Greenwoods Chartered Accountants DP Botha<br />
PL Pike<br />
KPMG AW Marney<br />
GA van Wyk<br />
Kuhumelela SJ Lapoorta<br />
Langeberg Municipality VM Floris<br />
LDP Inc LN Johnson<br />
Mazars Forensic Services GM Bolton<br />
P Ramjee<br />
Nova Group (Pty) Ltd L Alexander<br />
Oakhurst Insurance Company Ltd SA Louw<br />
Old Mutual M Sixaba<br />
EC Louw<br />
PricewaterhouseCoopers V Gono<br />
RSM Betty & Dickson A du Plessis<br />
N Matsanga<br />
Sanlam Ltd ST Renecke<br />
Shoprite Group of Companies M Lefefa<br />
LE Stynder<br />
Sizwe Ntsaluba VSP HH Alexander<br />
Tenk Loubser Incorporated JM Frank<br />
Thuo Gaming Western Cape RR Harker<br />
Wesgro I Blackie<br />
West Coast FET College NP Gqwaka<br />
Private Member AM le Grange CIA
IIA Membership<br />
Ask more than 170 000 members worldwide what exclusive IIA member benefits are their favourite, then you’ll<br />
understand all the different reasons why they belong. From global networking and discounted training and products<br />
to specialised guidance, each member has their own motivation for joining.<br />
We invite YOU to explore the many member benefits offered by the IIA SA<br />
and you’ll discover a new favourite reason for being a member.<br />
For more information contact the Membership Administrator on<br />
Telephone: (011) 450 1040 or e-mail: membership@iiasa.org.za<br />
IIA SA website: www.iiasa.org.za
IIA SA EVENTS CALENDAR<br />
UPCOMING SEMINARS<br />
OCTOBER<br />
TOOLS AND TECHNIQUES FOR THE INTERNAL AUDITOR – BLOCK 2 (TTB2) 3-7 OCT<br />
TOOLS AND TECHNIQUES FOR THE INTERNAL AUDITOR – BLOCK 1 (TTB1) 10-14 OCT<br />
ROOT CAUSE IDENTIFICATION (RCI) 13-14 SEP<br />
TOOLS AND TECHNIQUES FOR THE NEW AUDIT MANAGER (TNAM) 18-21 OCT<br />
PERFORMANCE AUDITING FOR THE PUBLIC SECTOR (PAUD) 19-21 OCT<br />
PREPARATION FOR CONTROL SELF-ASSESSMENT EXAMINATION (ICSA) 24-26 OCT<br />
USING THE GOVERNANCE APPROACH IN DEVELOPING AUDIT OBJECTIVES, TESTS AND RECOMMENDATIONS (UGAD) 25-26 OCT<br />
CIA LEARNING SYSTEM INSTRUCTOR LED COURSE - PART 3 (CIA3) 26-28 OCT<br />
HOW TO EFFECTIVELY REVIEW YOUR ORGANISATION’S RISK MANAGEMENT PROCESS (ORMP) 31 OCT - 1 NOV<br />
IMPLEMENTING THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF) 31 OCT - 1 NOV<br />
NOVEMBER<br />
BUILDING, LEADING AND MANAGING THE INTERNAL AUDIT DEPARTMENT (BLIA) 2-3 NOV<br />
AUDITING THE MANAGEMENT AND REPORTING OF PERFORMANCE INFORMATION IN THE PUBLIC SECTOR (APIA) 3-4 NOV<br />
ENVIRONMENTAL AUDITING FOR NON-ENVIRONMENTAL AUDITORS (ENEA) 3-4 NOV<br />
ESSENTIAL ELEMENTS FOR A FRAUD PREVENTION PLAN (EEFP) 4 NOV<br />
TOOLS AND TECHNIQUES FOR THE INTERNAL AUDITOR – BLOCK 3 (TTB3) 7-11 NOV<br />
DATA MINING FOR AUDITORS - A LOGICAL APPROACH TO CONTINUOUS AUDITING AND GOVERNANCE (DMIA) 9-11 NOV<br />
SKILLS FOR SUPERVISING AN INTERNAL AUDIT PROJECT (SIAP) 11 NOV<br />
DEVELOPING A FRAUD RISK MANAGEMENT PROGRAM FOR YOUR ORGANISATION (DFRP) 14-15 NOV<br />
RISK BASED IT AUDITING (RITA) 14-16 NOV<br />
HOW TO DEVELOP A MODEL INTERNAL AUDIT PROGRAM (MIAP) 16 NOV<br />
IT AUDITING FOR NON-IT AUDITORS (BASICS OF IT AUDITING) (NONIT) 21-22 NOV<br />
ISSUING AN “ASSESSMENT” IN TERMS OF KING III (IAK3) 23 NOV<br />
HOW TO EFFECTIVELY REVIEW YOUR ORGANISATION’S RISK MANAGEMENT PROCESS (ORMP) 24-25 NOV<br />
CIA LEARNING SYSTEM INSTRUCTOR LED COURSE - PART 4 (CIA4) 24 NOV<br />
ADVANCED PERFORMANCE AUDITING IN THE PUBLIC SECTOR (APAUD) 28-30 NOV<br />
TOOLS AND TECHNIQUES FOR THE INTERNAL AUDITOR – BLOCK 4 (TTB4) 28-30 NOV<br />
DECEMBER<br />
HOW TO DETECT AND PREVENT OCCUPATIONAL FRAUD (FRAUD) 6-9 DEC<br />
For more information please visit our website:<br />
www.iiasa.org.za or call our offices: +27 11 450 1040
GREY_CONSULTING<br />
accounting, finance and risk recruitment specialists<br />
Internal Audit Specialist (Cape Town)<br />
Senior Internal Auditor (Cape Town)<br />
Internal Auditor (Cape Town)<br />
www.greyconsulting.co.za<br />
www.pwc.com/za<br />
Scripting Internal Audit for a Changed World<br />
Internal Audit is responding to a changing risk environment with leading internal audit professionals preparing to play a significant role in a changed world. New rules, further disclosures, and strict enforcement are causing dramatic changes for businesses around the globe. Shareholders and regulators demand transparency, accountability, and more input on issues once reserved for management and the board of directors. At PwC we are here to help you every step of the way. We will work with you to advise the board and audit committee on the changing role of internal audit within your organisation.
FEEDBACK FROM THE REGIONS<br />
IIASA KZN REGION FUNCTIONS: ETHICS AND THE INTERNAL AUDITOR<br />
Internal audit professionals gathered at the IIASA KZN Region Function hosted by the KZN local chapter to discuss Ethics in relation to the Internal Audit profession.<br />
The event was well attended by internal auditors from across the public and private sectors and they were treated to a thought-provoking and topical presentation focusing on Ethics and the challenges facing individuals, organisations and our profession as a whole, in supporting a change in culture and promoting more ethical behavior.<br />
Guest speaker, Sean van der Merwe, Associate Director at Deloitte, focused on the challenges of ethics and shared some of his insights from his research and his extensive experience.<br />
Sean made the point that “Ethics is a particularly interesting and challenging topic because it hardly ever has a simple ‘yes or no’ or ‘black and white’ answer”. He added that “we cannot afford to make snap decisions in assessing whether something is right or wrong, before seeking the full facts of each case”.<br />
A further interesting point to ponder: “We are no longer alarmed by the incidence of ethics failures and fraud – perhaps only by the magnitude. We have come to almost accept it!”<br />
It is evident that professionals need to be knowledgeable in, and enforce, the IIA code of ethics, in order to continue to enhance the credibility of the profession.<br />
Sean also encouraged the delegates to increase focus on ethics audits and noted that internal audit professionals should be aware of the factors evident when employees commit fraud or unethical behaviour: “Generally in cases of fraud, corruption or unethical behavior there will always be some kind of motivation, an opportunity such as weak controls, as well as the employees’ own justification”.<br />
On the above note, he made the point that internal auditors are most experienced and comfortable when addressing 'opportunity', in testing the internal controls and making recommendations about them. They should be encouraged to start developing skills to recognise and understand the motives, and possible justifications, used by individuals when committing fraud. It is clear that auditors can no longer solely rely on financial indicators of fraud, but should also be able to recognise nonfinancial indicators of fraud and fraud red flags.<br />
Sean shared some thoughts on Business Ethics and Ethical leadership as outlined in The King Report on Corporate Governance and other best practice, and provided some very interesting tools to assist in dealing with ethical dilemmas, including ‘the PLUS factor’, which suggests that in considering an action one should determine whether it transgresses any policies, laws, universal behaviour or Self (being your own moral compass).<br />
In closing, Sean provided some hard-hitting quotations, one of which follows:<br />
“If you don't have integrity, you have nothing. You can't buy it. You can have all the money in the world, but if you are not a moral and ethical person, you really have nothing” - Henry Kravis.<br />
Alex Winterbach, Manager: Internal Audit, Risk and Compliance Services
FEEDBACK FROM THE REGIONS<br />
IIA SA BORDER KEI REGION ANNUAL GENERAL MEETING<br />
The Border-Kei Region recently hosted a successful members’ luncheon event on 8 June 2011, at the East London Golf Club. It was also the Region's AGM.<br />
The event was well supported by members, and there were just over 130 attendees present. The speakers for the event were Dr Claudelle von Eck (IIA CEO) and Anton Van Wyk (National Risk Advisory Services Leader for PwC).<br />
Anton focused his presentation on the current status of King III. He gave the members insight into how organisations were embracing King III, the challenges and their successes to date. Thereafter, Claudelle gave the members an update into the affairs of the IIA, and current "hot" issues within the profession. Both presenters were well received, and the Region is grateful to both for braving the unseasonably wet weather to join the Region at this event.<br />
After the keynote speakers, Frank Muller (event MC) gave the members feedback on the activities of the Regional Committee over the past two years. He noted that the Committee is very heartened at the members’ continued and growing support for Regional functions. Two recently qualified CIAs (Charlene Trimalley and Thandoxolo Xusa) were acknowledged at the function.<br />
At the end of the event, the new Committee members were announced, being Asanda Myataza, Ruth Luzuka, Mxolisi Silinga, Loyiso Mbiko, Kiran Bhika, and Makhosandile Kwaza. The outgoing Committee members (Selwyn Hartzenberg, Frank Muller and Candice Putzier) were thanked for their contributions over their term of office.<br />
The Regional Committee would like to thank the event organisers, event MC, Frank Muller, and event sponsors PwC and KPMG. The next members’ event will be announced shortly by the new Committee, and members are encouraged to attend and participate.<br />
S Hartzenberg (CIA)-Brigadier, Section Head: Internal Audit: Eastern Cape: SAPS<br />
Contact us on (011) 507-0123 or visit www.cqs.co.za and experience the difference our world class software and exceptional people can make to your business.
FEEDBACK FROM THE REGIONS<br />
IIA SA JOHANNESBURG REGION BREAKFAST FORUM AND AGM<br />
The Johannesburg Region hosted a breakfast forum and AGM on 7 July 2011 at Discovery Holdings in Fredman Drive, Sandton.<br />
Our topic for the morning was “IT Governance” and we were privileged to have a fantastic group of speakers - Frik Coetzer, Thagraj Moodley and Sean Schmidt - who, after giving their presentations, participated in a panel discussion to answer delegates’ questions. The panel discussion was ably chaired by Caryn Newbold, a Johannesburg Region committee member.<br />
Frik Coetzer is a partner at KPMG IT Advisory. His presentation, which he had previously given at an Audit Committee Forum Roundtable discussion, gave the delegates very good insight into what audit committee members should be looking for in respect of IT Governance. Please refer to Figure 1 for a diagrammatic summary of Frik’s presentation and Figure 2 for a summary of key questions that audit committee members, and internal auditors, should be asking.<br />
Sean Schmidt is an Associate Director at KPMG IT Advisory and his presentation focused on auditing IT Governance from an internal and external audit perspective. Please refer to Figure 3 for a diagrammatic summary of Sean’s presentation… the one slide Sean advised delegates not to forget.<br />
Thagraj Moodley is an Information Security Audit Manager at Nedbank. His presentation provided an internal audit perspective to auditing the application of King III in IT Governance. Please refer to Figure 4 for a summary of his presentation.<br />
After the IT Governance session, the region’s AGM was held. The Regional Governor, Ingrid Ravenscroft, took the delegates through the highlights of 2010 and the regional committee’s plans for 2011 and 2012. She also discussed the financial statements for the year ended 30 November 2010, which showed a strong surplus position and provide a strong base for strategies to be implemented in the next year or two. Ingrid then welcomed to the committee three new members – Adebukola Adewuyi (or “Bukkie”), Mogale Mogale and Davindran Munusamy – and two members who stood for re-election – Barry Ackers and Dion Poole.<br />
We would like to thank our speakers, our sponsor BarnOwl, handset vendor IML and all the delegates for attending and for making this event a great success.<br />
Please keep an eye out for invitations to our newly launched monthly discussion forums on emerging and topical issues for internal auditors.<br />
Ingrid Ravenscroft, Governor: IIA SA Johannesburg Region
THE AUDITORS ARE BACK!<br />
During the audit, auditors identify control weaknesses of varying significance and agree on a plan of action with management to rectify these weaknesses within a reasonable period of time.<br />
The return of the auditors could cause consternation amongst management if they are not sure about the resolution of control weakness findings that were raised during prior audits. Without a sound system for tracking control weaknesses raised in audit reports, leadership and management will be unable to ensure systemic continuous improvements in the control environment.<br />
As part of initial audit procedures during a subsequent audit, a follow-up on prior year findings is performed to assess progress and sign off the findings that have been resolved. Sometimes a follow-up on findings is performed more frequently, especially for findings relating to high risk exposure. This exercise could become another opportunity for management to open a debate on whether some of the findings should have been raised in the first place. This is usually the case when management has not taken any action to rectify the identified control weakness. On the other side, this exercise could present some comfort to the auditor that there has been some improvement in the control environment, if management have indicated and gathered audit evidence that corroborates that promised action plans were implemented.<br />
Issue tracking can be a key driver of continuous improvement in the internal control environment in the organisation. If applied effectively, the audit committee can place reasonable reliance on this process in ensuring that management applies the most suited practices for the organisation in managing risk.<br />
When doing research on this topic for my thesis in 2010 it became evident that no academic research has been done on this process. The outcome of this study highlighted quite a number of areas that are under-researched within enterprise risk management and no research has been done on the tracking of audit findings.<br />
The study I completed covered whether the targeted institutions had a formalised issue tracking process, the governance and positioning of the issue tracking process in the organisational structure, and the factors that are taken into account in concluding that a finding is resolved. Furthermore, opinions of risk officers were sought on the effectiveness of issue tracking in the process of improving the quality of the internal control environment.<br />
It was plausible that all banks that were participating in the study had an issue tracking process in place. Varying observations were made with respect to governance and positioning of this process. Some banks had findings tracking being driven by the executive committee; however, most banks rely on the internal audit department to drive this process. In some instances the internal audit function was solely responsible for tracking their findings and always in dispute with management about long outstanding findings. The result of this was long outstanding findings and a possibility that some findings identified were lost during system changes.<br />
The study could not conclude on the factors that are taken into account to conclude on whether the issue has been resolved; this was because management did not agree with all factors that were considered to be an indication of resolution of control weakness. All risk officers agreed that the issue tracking process is a key driver of improvements in the quality of internal control.<br />
The study recommended that issue tracking should remain the responsibility of management because it is a stage of risk management and it should be positioned as a strategic imperative of the organisation. Furthermore, this process should follow an integrated approach, and not limit findings to those raised by internal auditors, but also include those self-identified during management’s risk control self-assessment, those raised by external auditors during statutory audits and those identified by other assurance providers.<br />
Issues of control weakness should be considered rectified once corrective action has been fully embedded in the internal control process, i.e. these may include updating and communicating the entity’s policy document, updating staff’s job descriptions and/or updating staff’s performance scorecards.<br />
To minimise stress levels on management during the return of independent assurance providers (internal and external auditors), management should realise the business case of improving the quality of internal controls and the key role that a sound issue tracking process should play in improving overall corporate governance. The return of auditors will then be seen as providing independent assurance on the design and operation of internal controls and more value adding.<br />
Sethu Nsele (BCom, CIA, CFSA, MBL), Manager - Credit Risk Audit, GIA<br />
Tel: +27 11 785 4930<br />
Fax: +27 11 785 4939<br />
www.wexford.co.za<br />
INTERNAL AUDITORS<br />
R500 000 – R400 000 CTC, Bryanston<br />
tanya@wexford.co.za<br />
INTERNAL AUDITOR<br />
R450 000 – R400 000 CTC, Sandton<br />
janet.b@wexford.co.za<br />
INTERNAL AUDITOR<br />
R420 000 – R350 000 CTC, Sandton<br />
candice@wexford.co.za<br />
INTERNAL AUDIT MANAGER<br />
R800 000 – R600 000 CTC, North<br />
liz@wexford.co.za<br />
INTERNAL AUDITOR<br />
R500 000 – R350 000 CTC, North<br />
felicia@wexford.co.za
Is your company risk averse? Or risk intelligent?<br />
Current economic conditions can raise risk exposure beyond acceptable limits. Yet there may be long-term consequences to being risk averse in a downturn. Deloitte can help you recognize the dual nature of risk and devote sufficient resources to risk taking for reward and to protecting existing assets. Step ahead safely at www.deloitte.com<br />
© 2011 Deloitte & Touche. All rights reserved.<br />
Member of Deloitte Touche Tohmatsu Limited
ETHICS - BUSINESS VS. PERSONAL VS. PROFESSIONAL ETHICS<br />
Ethics concerns itself with what is good or right in human interaction. The Oxford Dictionary defines ethics as “a set of moral principles that govern a person’s behavior or the conduct of an activity”.<br />
There are three core concepts which embody the meaning of ethics, namely self, good and others. Ethical behavior is therefore when one does not merely consider what is good for oneself but also what is good for others.<br />
ETHICS AND THE LAW<br />
Both ethics and the law strive for what is right. The law does this through a public and political process, whilst ethics is derived from and modeled upon the value systems of both an individual and an entity.<br />
Conflicts can however arise between ethics and the law. An example of a conflict which could arise includes exceeding the speed limit in order to drive a seriously injured colleague to hospital. Whilst exceeding the speed limit is against the law, helping to get a seriously injured colleague to hospital and potentially saving their life, would be regarded as the ethical thing to do.<br />
A further example of a conflict which could exist between ethics and the law includes the dumping of toxic waste in a country where no law against such conduct exists. Whilst dumping such waste is not ethical, it would also not be illegal in that particular country.<br />
In situations such as these, the entity and/or individual would need to use their professional judgement in deciding what would be the ethical course of action.<br />
PROFESSIONAL ETHICS
Guidelines for professional ethics are usually codified in codes of ethics or professional conduct. Professional bodies such as the Institute of Internal Auditors of South Africa, the South African Institute of Chartered Accountants and the Independent Regulatory Board for Auditors each have their own professional codes of ethics which define and detail what would be considered professional ethical behaviour. Ethics can be broken down into four fundamental principles, namely:
• Integrity;
• Independence and Objectivity;
• Confidentiality; and
• Professional behaviour.
INTEGRITY
The formal definition of integrity taken from the Oxford Dictionary is “the quality of being honest and having strong moral principles”. A more tongue-in-cheek definition by Jim Stovall defines integrity as “doing the right things, even if nobody is watching”.
INDEPENDENCE AND OBJECTIVITY
The International Standards for the Professional Practice of Internal Auditing (“IIA standards”) define independence as “the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.” Threats to independence need to be appropriately managed at an individual, engagement, functional and organizational level.
Objectivity is closely linked with independence and comprises having an impartial, unbiased attitude and avoiding any conflicts of interest.
CONFIDENTIALITY
The principle of confidentiality imposes an obligation on employees to refrain from:
• Disclosing confidential information acquired as a result of professional and business relationships without proper and specific authority or unless there is a legal or professional right or duty to disclose; and
• Using confidential information acquired as a result of professional and business relationships to their personal advantage or the advantage of third parties.
Exceptions to the confidentiality rule exist where, for example, disclosure:
– Is required by law e.g. subpoena; and
– Is in terms of professional rights or duties e.g. disciplinary enquiry, investigation etc.
PROFESSIONAL BEHAVIOUR
The principle of professional behaviour imposes an obligation to comply with relevant laws and regulations and avoid any action that may discredit the individual’s profession.
SAFEGUARDS
Safeguards can be implemented to ensure that threats to independence, objectivity, confidentiality etc. are eliminated or reduced to an appropriately acceptable level. They fall into two broad categories:
– Safeguards created by the profession, legislation or regulation; and
– Safeguards in the work environment.
Safeguards include educational, training and experience requirements, continuing professional development requirements, corporate governance regulations, professional standards and professional monitoring and disciplinary procedures.
BUSINESS ETHICS
Business Ethics involves identifying and applying standards of conduct in and for business that will ensure that the interests of stakeholders are respected i.e. that business does not detrimentally impact these interests. The Code of Corporate Governance Principles for South Africa – 2009 (“King III”) defines business ethics as “the principles, norms and standards that guide an organisation’s conduct of its activities, internal relations and interactions with external stakeholders”. In addition, King III also requires entities to demonstrate how they are providing leadership on ethical foundations.
The extent to which ethics is embraced within a business affects both the perceptions of its stakeholders and the performance of the business. The confidence of investors in organisations, the loyalty of customers to companies, and the willingness of talented individuals to offer their skills to organisations are all factors that are influenced by the ethics of a company.
In making ethical business decisions as an entity or as a group of individuals representing an entity, the following questions should be asked by the decision makers:
– Is it legal?
– Does it meet company/practice standards?
– Is it fair to all stakeholders?
– Can it be disclosed?
PERSONAL ETHICS
People with a strong commitment to ethical standards are often referred to as people of integrity. There is an “Ethics quick test” which every individual should consider applying when faced with an ethical dilemma in their personal lives:
– Is it legal?
– How will it look in the newspaper?
– Is it consistent with my own / the company’s values?
– Is it fair to all?
– If I do it, how will I feel?
With social media becoming a medium where a person’s private life is often made very public, there is even more pressure on individuals to ensure that they behave in an ethical manner at all times, both in and outside of the work environment.
CONCLUSION
All ‘forms’ of ethics ultimately have a common thread, namely integrity. If you behave with integrity in all areas of your life, namely business, professional and personal, you will be behaving ethically. You cannot call yourself ethical unless you are ethical in all spheres of your life. Integrity is not a 90% or 95% thing: either you have it or you don’t. Lastly, I would like to leave you all with the following quote by Thomas Babington Macaulay: “The measure of a man’s real character is what he would do if he knew he would never be found out”.
References:
• International Standards for the Professional Practice of Internal Auditing.
• IFAC Code of Ethics for Professional Accountants.
• Code of Ethics of the Institute of Internal Auditors.
• The Code of Governance Principles for South Africa - 2009.
Kerry-Lee Laing CA (SA) CIA Registered Auditor Chartered MSCI (UK) Internal Audit and Governance Consultant
AUDITING THE THUNDERS IN THE CLOUD
More companies the world over are adopting the cloud. According to Gartner (2010) the cloud market will be worth US $148.8 billion (about R1 trillion) by 2014. Gartner forecast the cloud growth rate to be about 20% per year. In South Africa companies like T Systems are already providing cloud services. The cloud providers are growing on a daily basis.
CLOUD COMPUTING DEFINITION
The term cloud computing was inspired by the cloud symbol shown in Figure. 2. The symbol is often used to represent the Internet in flow charts and diagrams. Simply defined, cloud computing is IT services accessible via the web and an internet connection.
The US National Institute of Standards and Technology (NIST) describes cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The ISACA CEO defines cloud computing as a “delivery model for consuming IT as a service and another way for an IT organization to deliver the technology necessary to run the enterprise business.”
In its broadest usage, the term cloud computing refers to the delivery of scalable IT resources over the Internet, as opposed to hosting and operating those resources locally. It is a general term for anything that involves delivering hosted services over the Internet.
Gartner defines cloud computing as “A style of computing where scalable and elastic IT related capabilities are provided ‘as a service’ to customers using Internet Technologies.”
The essential characteristics of the cloud as described by NIST and Gartner are: on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service and multi-tenancy. Multi-tenancy, shown in Figure. 3, means users in different sections of an enterprise will be rendered services on their own terms: usage rates, access restrictions and uptimes.
Cloud allows computing to be removed from the traditional shops to remote data centres. Cloud computing enables computer services such as email, applications, network or server service to be provided without requiring human interaction with each service provider. Cloud capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms such as mobile phones, laptops and PDAs. The provider’s computing resources are pooled together to serve multiple consumers using a multiple-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. The resources include storage, processing, memory, network bandwidth, virtual machines and email services, which build economies of scale. Cloud services can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in, thereby giving the client the ability to align IT with business objectives and requirements. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. Under the cloud, resource usage can be measured, controlled, and reported, providing transparency for both the provider and consumer of the utilised service. This enables the user to control and optimise resource use. Just like air time, electricity or municipal water, IT services are charged per usage metrics (pay per use). The more you utilise, the higher the bill.
Cloud impacts an organisation’s IT size, structure, diversity, material assets and skill pool. The cloud changes the whole information technology (IT) landscape (IT roles, IT policies, processes and procedures, IT structures and the business governance of IT) and may introduce an enterprise to more regulatory compliance issues. The shift in the traditional operation of IT requires Chief Information Officers (CIOs), Chief Risk Officers (RISOs), Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs), Business Information Security Officers (BISOs), Chief Executive Officers (CEOs) or Chief Operations Officers (COOs) to develop different IT strategies and skills. Skills required for effective enterprise governance of the cloud include managing contracts, overseeing integration between in-house and outsourced services, and mastering a different model of IT budgets.
The change in the IT set-up requires a paradigm shift in providing assurance. According to ISACA in its IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, “assurance needs to become more real time, continuous and process oriented versus transactional in focus.”
There is a strong need for assurance mechanisms before moving ahead with the decision to roll out cloud services or utilise cloud services.
Figure.1 shows a cluster of cloud service providers (CSP). Amazon leads the pack. The trend in Africa may be slow but cloud is an undeniable reality. Like any other IT-enabled investment, the strategic objectives of cloud implementation remain business IT strategy alignment, value creation (value delivery), risk management (value preservation) and resource management (optimum utilisation of resources).
SERVICE MODELS:
Cloud computing service models are broadly divided into three categories: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) also known as Utility Computing. Collectively all the service models can be referred to as IT as a service (ITaaS) or the SPI Model.
DEPLOYMENT MODELS:
As illustrated in Figure. 2 there are four deployment models for cloud services namely private, community, public and hybrid.
[Figure.2: Essential Characteristics (Broad Network Access, Rapid Elasticity, Measured Service, Resource Pooling, On-Demand Self-Service); Service Models (Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)); Deployment Models (Public, Private, Hybrid, Community).]
PRIVATE CLOUD
A private cloud is a proprietary network or a data center that supplies hosted services to a limited number of people. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises. When a service provider uses public cloud resources to create their private cloud, the result is called a virtual private cloud. The private cloud deployment method has minimum risk as identity management and corporate, legal and regulatory audits are easy to perform. Scalability and agility options may be limited in a private model.
COMMUNITY CLOUD
Community cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may be hosted on-premises or off-premises. A community model may be a cloud provided for insurance companies or financial institutions. The disadvantage of a community model is that data of competitors may be stored together; for example, clients for Hollard and Federal Mutual Insurance companies may be hosted on the same database, subject to the contractual and service agreement with the CSP.
PUBLIC CLOUD
The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Public CSPs offer relatively undifferentiated services. They sell services to anyone on the Internet. Currently, Amazon Web Services is the largest public cloud provider.
[Figure. 3]
HYBRID CLOUD
Hybrid cloud is a heterogeneous mix of services: some from the public cloud, others from private clouds, still others developed in-house or purchased and customized. Infrastructure in a hybrid cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). Hybrid cloud is likely to characterise most institutional IT portfolios.
THE RAINBOW AND THE THUNDERS IN THE CLOUD
Whether the cloud is nimbostratus or altocumulus, there are rainbows and thunderstorms in the cloud. The thunders and the rainbow vary depending on the service and deployment model, contractual and service level agreements (SLA) and the maturity of the CSP.
THE RAINBOW IN THE CLOUD
Private, public, community or hybrid cloud computing enables an enterprise’s IT-enabled investments to meet business stakeholder requirements, sustain and extend enterprise strategy, create sustainable competitive advantages (unique selling plusses), and measure the value of IT-enabled investments to ensure that enterprise resources are used responsibly, by providing easy, scalable access to computing resources and IT services. Cloud computing enables enterprises to streamline processes and increase innovation; it enables increasing productivity and transforming business processes through means that were prohibitively expensive. Business cyclical demands for performance can be readily met by cloud computing, translating into more backup, satisfied customers, increased scalability and higher margins. Cloud allows firms that were previously lagging in taking advantage of cutting-edge technology due to costs to leapfrog traditional IT and benefit from advanced computing services without having to build expensive infrastructure, instantly cutting costs and creating unique selling plusses. The traditional System Development Life Cycle pains associated with failed system changes are eliminated. Cloud computing allows enterprises to switch on to new application platforms at the touch of a button. In a rapidly changing environment, speedy direction setting and quick reaction to change are essential. Cloud agility enables the client company to meet today’s business environment dynamics. Traditional CAPEX and OPEX expenses such as servers, IT staff salaries and wages, physical and environmental control for the data centre (primary and secondary sites), rentals, electricity and inventory of equipment are eliminated with the adoption of the cloud.
The green, yellow, red, orange, violet, indigo and blues in the cloud rainbow can be summarised as: cost containment, immediacy (also referred to as agility), availability, scalability, efficiency, and resilience.
THUNDERSTORM IN THE CLOUD
The cloud is internet-based, and the Internet is well known for security breaches, loss of data, compromises of privacy, and abuse of intellectual property (IP). The Internet and the systems that were built on it are all prone to security failures. Cloud computing introduces significant concerns about privacy, security, data integrity, IP management, audit trails, and other issues. Research done in 2011 by Governance Enterprise IT (EGIT), a division of ISACA, among 834 business executives and heads of IT in 21 countries and 10 large and small industries shows data privacy issues as the major concern in cloud computing adoption. The following are cloud challenges highlighted by EGIT, statistically depicted in Figure.4.
[Figure.4: bar chart of cloud challenges (Security concerns, Data privacy concerns, Compliance concerns, Reliability concerns, Legacy infrastructure investments, Other) on an axis from 0% to 100%; bar values shown: 15.7%, 25.2%, 41.7%, 34.6%, 47.2%, 49.6%.]
Moving to the cloud means that the client cedes control over a number of security-critical areas, highlighted below:
• External penetration testing not permitted
• Limited verification of logs available
• Usually no forensics service offered
• Not possible to inspect hardware
• No information on location/jurisdiction of data
• Services outsourced or sub-contracted to third parties.
CLOUD COMPUTING ASSURANCE AND ADVISORY:
Providing assurance in the cloud requires understanding the Cloud Client (CC) business requirements, objectives and strategy, the CSP and the scope of cloud services provided; obtaining and evaluating third-party assurance reports such as Service Organisation Control (SOC) 1, 2 and 3 under the Statements of Standards for Attestation Engagements (SSAE) number 16; evaluating residual risk; and determining whether an onsite visit to the CSP is required. A CSP onsite visit is governed by the Service Level Agreement (SLA) or the legal cloud agreement (LCA), i.e. the cloud contract. Assurance should be aligned with overall business strategy objectives and the enterprise’s risk management framework.
The scope of assurance can include reference to:
• Specific criteria, such as reliability, effectiveness, efficiency, availability and confidentiality,
• Technical standards, guidance and practices which include the Committee of the Sponsoring Organisations of the Treadway Commission (COSO), BITS Shared Assessment, International Organisation for Standardisation (ISO) and Control Objectives for Information and Related Technology (COBIT),
• Professional working standards, guidelines and practices, such as:
a) ISACA – Val IT, IT Audit Framework (ITAF), the Business Model for Information Security (BMIS), Risk IT,
b) Payment Card Industry Data Security Standard (PCI DSS),
c) US Federal Risk and Authorisation Management Programme (FedRAMP),
d) The Cloud Security Alliance (CSA) Control Matrix,
e) The American Institute of Certified Public Accountants (AICPA),
f) NIST,
g) Jericho Forum Self Assessment Scheme,
h) Health Information Trust Alliance (HITRUST) and the
i) European Network and Information Security Agency (ENISA).
Auditing in the cloud can either be from the CSP or CC point of view. This article focuses on CC assurance.
The cloud computing auditing approach and scope include, but are not limited to, the following:
1. EARLY INVOLVEMENT
Assurance and advisory professionals (compliance, risk, security and auditors) should be involved early in the process to ensure complete due diligence of the CSP and CSP capabilities, and that procurement procedures comply with company outsourcing requirements and regulatory requirements. Due diligence and review of CSP capabilities should include:
Strategy
Cloud transition and adoption should be treated as a strategic business decision. Assurance should ensure that the CSP aligns business strategy and goals with cloud delivery strategies and that service provider governance and management is part of the cloud strategy. Governance and management of the cloud should include establishing a cloud service management committee (CSMC) that is charged with ensuring continuous alignment of the cloud services with the business strategy, establishing policies, processes, procedures and structures, and measuring cloud performance, benefits realization and vendor governance to ensure that the cloud sustains and extends business strategy and objectives.
Service and Infrastructure robustness
Ensure that infrastructure and service delivery provided by the CSP has capacity to meet business requirements, objectives and strategy.
Skills
Ensure that CSP staffing is adequate to support dynamic business needs and maintain the technical environment, and that personnel understand information security requirements and are capable of discharging their protection responsibilities.
2. GOVERNANCE OF CLOUD SERVICE LEVELS
The governance of service levels is the backbone of effective cloud computing. The fiduciary responsibility of cloud services remains with the CC. According to the GEIT research, some enterprises have put in place an external service management committee (ESMC) for governance of external service levels (SLAs) to report on, oversee and co-ordinate third-party services to ensure compliance with corporate and regulatory requirements, prevent value leakage and mitigate outsourcing risks.
The ESMC and the CSMCs, in conjunction with business stakeholders, should define cloud service requirements in a cloud service catalogue (CSC). The services documented in the CSC should be used as the basis for selecting the CSP and formulating the SLAs and contracts. The SLAs should be clear, reviewed and ratified by legal, signed off by all parties (CC and CSP representatives) and document key business functional and technical requirements. They should include termination, credit and penalty, right-to-audit, and data privacy and security clauses as well as billing terms; define business- and technology-related KGIs and KPIs; and establish a continuous monitoring program to ensure expectations are consistently met.
The ESMC and the CSMC need to continuously monitor service levels to ensure that cloud service delivery is aligned to meet changing business requirements, objectives and strategy.
3. RISK MANAGEMENT
The decision to move to the cloud is a strategic decision and should be business driven. Management of risk in the cloud should consider technical and business risks. It should be governed by the principles of effective risk management, namely:
a. Maintaining business objectives focus
b. Integrating IT (cloud) risk into Enterprise Risk Management (ERM)
c. Balancing the costs and benefits of managing risk
d. Promotion of fair and open risk communication
e. Establishing ‘tone at the top’ and assigning personal accountabilities
f. Promotion of continuous improvement as part of daily activities.
Risks must be addressed from a purely business perspective and not from a pure IT viewpoint. A thorough risk assessment should be completed before migrating services to the cloud and should be continuous throughout the cloud placement period.
The following risks should be considered in the review of cloud risk:
Information Assets
Resources (data, infrastructure and applications) on the cloud should be categorised and classified with appropriate parameters and rated based on their criticality/severity to the achievement of business goals and objectives. The categorisation and classification of outsourced resources will ensure appropriate risk response.
Processes and Procedures
The transition to cloud computing will result in changes to the way business operations are carried out. Day-to-day IT and business operations would need to be re-engineered to suit the cloud arrangements. The transition should be used as an opportunity to restructure business processes, procedures and IT service management to bring value. Business process activities and flows should be revised to maximize benefit from cloud services. The revised processes and procedures should be formalised (documented and signed off by senior executives) and should be continuously reviewed to ensure alignment with changing business goals and cloud services.
Cost
The true cost of the services provided by the CSP should be reviewed continually to ensure maximization of total value, to balance cost with functionality, resiliency and business value, and to provide assurance over the accuracy of cloud usage metering and billing processes so that the CC is not overbilled.
Business Continuity
The CC should clearly define business continuity needs, evaluate provider capabilities to meet the requirements and ensure that data is not co-mingled in off site storage or back up facility. Requirements for future growth and the ability of service providers to meet growth demands should be fully considered. Business continuity and disaster recovery plans should be formalized, tested and coordinated with CSPs to address how events that can lead to incidents can be identified and communicated and how incident response activities will be coordinated. A Blackout Plan to address situations where problems arise that cannot be corrected and service disruptions or quality of service is threatened should be in place.
Legal and Regulatory Environment
Adopting the cloud may mean that data of the CC will reside in a different country. This is problematic especially for multinational companies operating in different cities, countries and continents. Different cities, countries and continents have different legal and regulatory requirements pertaining to data privacy and intellectual property. This means that the CC or the CSP has to comply with the requirements of both the country for which the data is hosted and the country where the data is located. The challenge arises in cases where the regulations are contradictory. Both the CC and the CSP should understand the legal landscape of the different cities, countries and continents of operation. In most instances non-compliance risk is huge.
Exit/Termination Strategy
The CC should develop plans for ending service provider service arrangements, in particular to address sensitive data recovery or deletion. The plan should include data retrieval and retention in the event of cloud contract terminations or moving to another CSP. This should be documented in the LCA.

Identity Access Management (Logical access)
Moving to a cloud increases the risk of data manipulation and unauthorised access. A proper inventory, categorization and classification of the data sitting on the cloud coupled with an effective Identity Access Management system will ensure that access is based on a need-to-do and least privilege basis. The IAM should ensure that proper access monitoring and reporting capabilities are available under normal and exceptional conditions.
Skills
Placement of a cloud will require a paradigm shift in the business governance and management of IT. Senior Management should ensure that internal staff is engaged in cloud service acquisition and management, has the skill and expertise to support the CC business cloud needs and to coordinate activities with cloud providers.

CONCLUSION

The level and type of auditing is driven by the type of the cloud service model (SaaS, IaaS or PaaS), cloud deployment model (public, private, community or hybrid), CSP (size, service maturity etc), CC (business requirements, objectives and strategy) and contractual agreements governing the cloud engagement. Assurance professionals can use the various standards, guidance and practices available. One size fits all in the use of the standards, guidance and practices is not recommended. The standards, guidance and practices should be adapted and adopted in a way that enables the CC to achieve its strategic objectives, namely value creation, resource and risk optimisation.
Tichaona Zororo CISA, CISM, CGEIT, Portfolio Manager IT Audit: Standard Bank Group and Founder of Enterprise Governance IT (EGIT)
RISK SOUND BITES

Risk management is being acknowledged as an increasingly important discipline. These sound bites are aimed at providing the reader with succinct insight into some of the key issues impacting on risk management and governance.

WHY THE CURRENT FOCUS ON RISK?

Recent events have highlighted the need to move risk management up the importance scale for Boards and executive management. These events include the Icelandic volcano, the Gulf oil spill, Japan’s tsunami and the Sishen mining rights. In the financial services industry the continuing focus on risk through Basel II and III for banks and Solvency II (in SA Solvency Adequacy Management [SAM]) for insurance companies has created more regulatory pressure on ensuring the adequacy of risk management.

The global credit crunch has also destroyed the myth that business will continue as it always has and now business needs to be far more able to respond and react to changing conditions. Risk management is seen as one of the key disciplines needed to prosper and survive in the world economy today. Note that many commentators have attributed poor risk management as one of the causes of the credit crunch.

“BLACK SWANS”

The high impact low probability events are called “Black Swans”. [In Europe, as legend has it, they only knew swans as white so black swans were not possible].

“Black Swans” are the events that wipe millions off the market capitalisation of corporations such as BP and Arcelor Mittal. CEOs and boards now want to know what potential Black Swans the corporations they are responsible for managing are facing.

This has opened the debate about the quantification of risk. These events now need to be included in the risk considerations. Typically risk management quantification identified only those risks that management considered not sufficiently managed.

The Black Swans typically cannot be prevented but the responses to the consequences are significant. The approach being followed now is in considering events that will have specific consequences – e.g. collapse of distribution channels, loss of key suppliers, sudden significant exchange rate changes etc. The risk event becomes less important as the recent history has shown that these can be off the radar!
RISKS VS. RISK EVENTS

Solvency II and ISO 31000 have focussed on the identification of risks. In Solvency II the capital that needs to be allocated to risk has to establish what risk or risk event needs to be considered. A general risk of, say, loss of skills cannot be measured. Similarly “underground fire” in a mine is not sufficiently articulated to establish the possible extent of the event – it could be at the stopes, or on moveable machinery or in the shaft etc.

Risk events need to be distinguished from the higher level risk names in order for the risk to be managed. “Competition risk”, for example, cannot be managed as a generic matter. The risk event will be a new market entrant in a region, specific product substitution, or product pricing. These potential or actual events can be managed. Similarly “loss of skills” needs to be unpacked to the events that have to be managed such as what to do when the aging engineers retire as no obvious replacements have been identified.

All risks that are evaluated as having a potentially substantial impact on the organisation/business should be unpacked to constituent risk events.
RISK MEASUREMENT

Risk measurement is an art and not a science. There are certain risks that the actuaries will model to come up with a very scientific assessment of the possible risk exposure. There are others that achieve a high, medium or low assessment [green, yellow, red for us boring accountants].

The key elements that should be included in the measurement are as follows:
• There should be sufficient differentiation to allow a meaningful priority rating to be achieved. This can be on a 100 basis points scale or on a monetary scale or on a numeric scale.
• The current risk position should be established taking into consideration the current risk mitigation/controls. This is known as the residual risk.
• The risk exposure before control or maximum possible loss should be evaluated to determine the extent that existing mitigation/control is managing the risk. This is often referred to as inherent risk.
• The amount of risk that the organisation is willing to accept should also be determined. This is known as risk tolerance or desired residual risk.
• The residual risk gap should be determined to establish the extent that remediation is required and to prioritise this remediation.

Figure 1 is an example of applying the measurement scales:
• Impact scale on 100 basis points.
• Inherent likelihood on a percentage scale.
• Control effectiveness on a percentage scale.

Figure 1

| Measure | Calculation | Value |
| Impact | | 100 |
| Likelihood | | 60% |
| Inherent Risk | Impact x Likelihood | 60 |
| Control Effectiveness | | 40% |
| Residual Risk | Inherent Risk x Control Effectiveness | 36 |
| Desired Control Effectiveness | | 80% |
| Risk Tolerance | Inherent Risk x Control Effectiveness | 12 |
| Residual Risk Gap | Residual Risk - Risk Tolerance | 24 |

Other developments in measurement include:
• Frequency of the risk exposure is receiving more attention now to understand the risk better. For example the risks associated with plant operations are a daily exposure while contract risk is on an as-and-when basis.
• Risk controllability – the extent that the risk can be managed or mitigated. For example no organisation can control the Icelandic volcano that disrupted air travel to Europe – which in turn had a major impact on fresh fruit exports. The only mitigation is then to manage the consequence.
• Using Monte Carlo simulations to assess more scientifically the potential and residual exposures – often used for contingency funding assessments on projects. There are many other quantitative models that are used.

Figure 2 demonstrates the results of applying the measurement concepts discussed above. The residual risk gap provides the priority for addressing the risk exposures.

Figure 2: Strategic Risk Assessment - Bar Graph: Top 10 Residual Risk Gap. Series: Residual Risk Gap, Current Residual Risk, Desired Residual Risk. Categories: Organisational Support Structure, Corporate Governance, Growth, Alternative Revenue Streams, Business Efficiency, Going Concern, Project Delivery, Leadership, International Markets, Critical Skills attraction and retention.

The results provide a basis for understanding the risk exposures without having to get a precise measurement.
Solvency II and Basel II have put the focus on measuring the incidence of risk and the extent that capital has to be matched against identified risk. Interestingly Basel II requires reserves to be kept based on the experience of residual risk without considering the other measurement criteria set out above.

RISK APPETITE

Risk appetite is the most misunderstood concept in risk management. How much risk is an organisation willing to accept? Or does the organisation have an appetite for risk? How does this tie back to performance management?

Risk appetite and tolerance are often not understood and are therefore often not applied in practice. Financial Services (FS) have a better practical feel for the concepts with the value at risk and how much value can be risked - in total and per product/investment type. Non FS companies have a more difficult time in making the concepts realistic.

Figure 3 is an example of a typical risk appetite statement.

Figure 3: Key elements and peer example risk appetite statements

Capital
• Maintain an insurance solvency ratio of at least 150%
• Maintain a ratio of insurance risk economic capital to life insurance reserves below 10% at all times
• Maintain a ratio of credit risk economic capital to total bank lending book exposure below 4% at all times
• Hold, as a minimum, sufficient economic capital to withstand a one in 200 loss on a one year basis
• On an economic basis, we seek to maintain an AFR/Ecap ratio of at least 100%
• Hold sufficient capital to maintain the group's published core financial strength ratings in the AA rating range

Earnings
• Our earnings will fall below budget by more than 10% more frequently than once every 5 years
• No expected loss to a single customer within the loan portfolio will be greater than 10bps of our own funds
• Achieve steady, sustainable growth in operating profits on an EEV and IFRS basis
• No one exposure to a single financial institution counterparty, other than intercompany exposures, will be greater than 5% of Group Available Financial Resources, and exposure will only be to counterparties recognised in the relevant policy (e.g. above A+ for derivatives)

Liquidity / ALM
• Positive cashflows in extreme but plausible stress scenarios
• No appetite for financing required cash-flows in a manner detrimental to its main external stakeholder
• General Insurance liabilities are matched as closely as possible with assets of appropriate amount, type (fixed or real) and currency

Reputation
• Our people will have the highest levels of competence and integrity
• We will treat our customers fairly
• We seek to continue to have top quartile customer satisfaction in all of our core markets

Other
• We target an S&P rating of A+ on our senior debt
• We seek to fully meet all regulatory expectations
• We will have no tolerance for intentional regulatory breaches

These high level statements provide parameters for risk consideration and intersect with value statements.

The above risk appetite statement describes the parameters of strategic positioning as well as providing clarity on strategic intent. But it does not easily reach to the actual risks that need to be add underlying risks.

Other appetite statements include – for example – a statement that risk appetite is described as an event that will impact 5% on EBITDA will result in a 10% change in market capitalisation (share price). Potential risks are unpacked to risk event level and evaluated to provide a most likely value. This value is compared with the appetite.

Figure 4

| Risk Category | Inherent Risk (risk level) | Current Residual Risk (risk level) | Risk Appetite (risk level) | Risk Exposure Above Risk Appetite (risk decision) |
| Compliance | 17% | 19% | 13% | 6% |
| Financial | 33% | 28% | 14% | 15% |
| People | 19% | 22% | 15% | 7% |
| Product | 7% | 15% | 10% | 5% |
| Strategic | 3% | 30% | 30% | 0% |
| Systems | 22% | 33% | 15% | 18% |

Legend:
Risk Exposure Above Risk Appetite: Less than 30%
Risk Exposure Above Risk Appetite: Greater than 60%
Risk Exposure Above Risk Appetite: Greater than 60%
We have taken a view that risks should be measured on their potential impact on the achievement of strategic objectives.

The inherent risk for each strategic objective is assessed for the risks allocated to the strategic objective. The current residual risks for all risks per objective are aggregated to be expressed as a percentage and this is compared with a similar value achieved for risk tolerances which in aggregation is termed as "Appetite". The difference highlights the extent that the current position is outside of appetite. Ultimately it identifies the risk exposures that need to be managed to achieve strategic objectives.

A similar view per executive risk owner provides another interesting oversight.

The real buy-in happens when the appetite is expressed per risk owner.

Rob Newsome, Chairman: IIA SA Technical Committee

Congratulations to CIA candidates

Fazel Abram
Angelique Adams
Ridwaan Arense
Delphine Bagwire
Christiaan Becker
Anel Bekker
Jacques van Niekerk Bester
Charl Beukes
Antonett Ronel Botha
Madelyn Chriszelda Buckley
Francois Eugene Buys
William Chingate
Michael Connick
Augusto Castanheira Cossa
Ilse Cromhout
Antoinette Day
Asma Ayob Daya
Amal Dharshana Dissanayake
Kerasen Soobramoney Dorasamy
Devin Driver
Jake du Buisson
Schalk du Plessis
Ilana du Toit
Johanna Christina Elizabeth du Toit
Davison Dyiwa
Ana Focke
Prabashini Govender
Godwin Grant
Farhana Hassim
Jacobus Christiaan Heyns
Dandi Israel Hlatshwayo
Maria Jacobs
Earl James
Ilse Janse van Rensburg
Audrey Kanyera
Cuthbert Karasa
Waseema Khan
Phineas Mandla Kheswa
Bekanani Edmund Mzikayise Khuzwayo
Boitumelo Kitchin
Theo Kruger
Walter Kuhn
Misola Betty Kupayi
Hugo Laubscher
Maria Elisa Cornelio Lloyd
Annja Louca
Themba Godfrey Mabaso
Athi Madolo
Philani Muziwoxolo Magwaza
Denise Remona Maharaj
Mahali Mahlakolisane
Sipho Makaringe
Nomsombuluko Grace Mamabolo
Tony Mancos
Mothanyi Manyoga
Ndamulelo Masakona
Allan Masawi
Philisiwe Mazibuko
Andile Memela
Jan Mfati
Lawrence Mkhabela
Phakamile Bawinile Mkhwanazi
Odwa Claribel Mlotywa
Reggy Mmotla
Lephole John Mofokeng
Sekgodi Mokgethi
Andrew William Mpofu
Sakhile Mtshali
Siphelele Mtshengu
Tavison Mugorogodi
Manfred Mukombo
Horatio Naidoo
Parusha Naidoo
Shawn Naidu
Nobantu Ngesi
Hlayisanani Nkondo
Lunga Nodliwa
Stella Nyabadza
Cornelius Oosthuizen
Hanlie Oosthuizen
Cliff Otega
Kumaresan Perumaul
Anasagree Pillay
Gayle Postings
Laetitia Pretorius
Pfuluwani Reichwell Raphulu
Gcobisile Rasmeni
Segele Evon Ratsiu
Shane Anthony Robinson
Theo-John Rochussen
Marianze Roux
Samasree Sagadevan
Samantha Scholtz
Tshepo Sebiloane
Selaelo Daphney Sebone
Mmabatho Sepuru
Godspresent Shabane
Bathabile Prudence Shezi
Bongani Sikhosana
Simeon B Simelane
Oyama Siwundla
Gideon Snyman
Mark Solomon
Sifiso Vincent Sotshede
William Thirion
Aobakwe Nick Tladi
Faizel Uaendere
Ferdinand van Heerden
Beulah van Niekerk
Nazir Yusuf Vanker
John Walters
Steve Williams
Zakhele Alex Tummy Zitha
QUALITY ASSURANCE OF THE INSTITUTE OF INTERNAL AUDITORS SOUTH AFRICA’S CONTINUING PROFESSIONAL DEVELOPMENT (CPD) PROGRAMS

The Institute of Internal Auditors South Africa (IIA SA) has in recent months had numerous queries regarding accreditation of its CPD Program and in order to give members clarity on the meaning of accreditation, we hereby would like to share the feedback we received from the Finance, Accounting, Management Consulting and other Financial Services SETA (FASSET) regarding accreditation for CPD.

INTRODUCTION

The current education and training legislation in South Africa (which includes the SAQA Act, the Skills Development Act, the Skills Development Levies Act and all the associated regulations) has been developed to support social and economic development in the country. It achieves this objective by creating an integrated, high quality education and training system which contributes to the full development of individuals, enhances career development and results in more competitive industries.

Accreditation has become the latest “buzzword” as part of the new approach to the evaluation of the quality of training. The public’s knowledge and reliance on accreditation status is a direct outcome of the daily work that ETQAs are involved in. It is, however, also one of the most misunderstood processes and has become the catch-all phrase when employers are seeking some kind of assurance that the training they pay for will be of the ‘right standard.’
IS ACCREDITATION APPLICABLE TO CPD PROGRAMMES?

It is thus necessary to place ‘accreditation’ in the correct context regarding Continuing Professional Development Programmes.

Accreditation is defined in the ETQA Regulations as the “certification, usually for a particular period of time, of a person, a body or an institution as having the capacity to fulfill a particular function in the quality assurance system set up by the South African Qualifications Authority in terms of the Act.” This means that the organisation has met stipulated criteria as set out by SAQA. SAQA accredits ETQAs for SPECIFIC registered qualifications and unit standards and in turn ETQAs accredit providers.

Important facts relating to accreditation:
• A training provider (organisation) is accredited, not the training programme.
• Accreditation can only be done by an accredited ETQA.
• An ETQA cannot use the term ‘accreditation’ if the qualifications or unit standards are not registered on the NQF.
• Accreditation leads to ‘credit-bearing’ programmes being offered to the learner AND thus the learner will earn credits to be recorded on the NQF.
• Credit-bearing means an assessment of the learner’s competence needs to be completed in order to grant credits (e.g. marks obtained in an examination).
• Accreditation relates to obtaining or achieving a qualification, not post-qualification.

In view of the above, it is clear that a CPD programme or a training provider offering CPD does not fit into the ETQA/accreditation arena. CPD programmes are too short to meet the unit standard outcomes, the courses are non-credit-bearing and they are done after a qualification.

The need for CPDs is borne out of the necessity for professionals, in general, to remain up to date with their technical knowledge. In the accounting and auditing professional environment, it has also become an international requirement that relates specifically to the retention of professional practice standards required of accountants by the International Federation of Accountants (IFAC). In view of this, most, if not all professional bodies offer their members CPD courses. The Professional Bodies thus have strict measures in place to evaluate these programmes and the delivery thereof.

Fasset has a long-standing relationship with the Institute of Internal Auditors South Africa. It is our understanding that a strict selection process is followed to utilise certain CPD training providers. The IIA SA has indicated that Fasset is welcome to verify this process and thus present an objective evaluation of the quality of CPD courses offered.
Do your internal auditors<br />
comply with the <strong>Institute</strong> <strong>of</strong> <strong>Internal</strong><br />
<strong>Auditors</strong>’ career path standards?<br />
IIA SA Pr<strong>of</strong>essional Training<br />
Programs (Learnerships)<br />
<strong>The</strong> <strong>Institute</strong> <strong>of</strong> <strong>Internal</strong> <strong>Auditors</strong> <strong>South</strong> <strong>Africa</strong> provides clear guidelines on the career path <strong>of</strong> an internal auditor. This path includes the<br />
foundation designations which can be obtained through successfully completing the <strong>Institute</strong>’s Pr<strong>of</strong>essional Training Programs. Build capacity<br />
in your organisation through the IIA SA’s Pr<strong>of</strong>essional Training Programs and join satisfied employers who have experienced incredible success<br />
with the program.<br />
<strong>The</strong> <strong>Internal</strong> Audit Technician (IAT) and General <strong>Internal</strong> Auditor (GIA) learnerships combine the content <strong>of</strong> focused training modules<br />
with structured workplace training which provide the employer with real quantifiable benefits:<br />
Who should attend? <strong>The</strong> Pr<strong>of</strong>essional Training Programs provide a solid foundation to<br />
candidates starting out in internal auditing or those who need to improve their internal audit skills.<br />
For more information contact<br />
Deputy Education and Training Manager<br />
* conditions apply<br />
A keen focus on supply chain management<br />
by government will help to build confidence<br />
in our democracy<br />
In my previous article I singled out supply chain management (SCM),<br />
commonly referred to as the tender process in <strong>South</strong> <strong>Africa</strong>, as one<br />
<strong>of</strong> the focus areas for national and provincial role players. It is an<br />
area across all spheres <strong>of</strong> government (national, provincial and local)<br />
on which citizens are raising major concerns as billions <strong>of</strong> rands are<br />
spent through SCM to procure goods and services.<br />
To ensure proper regulation <strong>of</strong> procurement/supply chain management,<br />
our country adopted some <strong>of</strong> the most advanced policies, laws<br />
and regulations in the world. To put this article into context: the laws<br />
and regulations adopted by our country provide clear direction to<br />
the public sector on the manner citizens expect procurement to be<br />
dealt with in the public sector.<br />
<strong>The</strong> principles <strong>of</strong> contracting for goods and services in a manner that<br />
is fair, equitable, transparent, competitive and cost effective come<br />
from our Constitution. <strong>The</strong> Public and Municipal Finance Management<br />
Acts and their regulations (PFMA and MFMA) prescribe the<br />
processes and rules to be followed in the public sector in order to<br />
apply the constitutional principles consistently and correctly and<br />
safeguard the process against abuse. <strong>The</strong> preferential procurement<br />
framework issued by the National Treasury further gives effect to<br />
the constitutional principle <strong>of</strong> giving preference to the previously<br />
disadvantaged in the allocation <strong>of</strong> work by the public sector. Finally,<br />
legislation provides for specific measures to ensure the system is not<br />
abused in order to favour certain <strong>of</strong>ficials and their own businesses or<br />
those <strong>of</strong> their family members or associates.<br />
All citizens have a critical role to play in ensuring<br />
clean administration<br />
Despite the above measures being in place, supply chain management<br />
is still one <strong>of</strong> the areas that demand focus from national and<br />
provincial role players.<br />
During a recent series <strong>of</strong> interviews broadcast on radio stations<br />
on my <strong>of</strong>fice’s latest general report on the local government audit<br />
outcomes, many members <strong>of</strong> the public who called in to these talk<br />
shows consistently raised issues relating to supply chain management<br />
at departments, public entities and municipalities.<br />
<strong>The</strong>y expressed concerns and perceptions that tender processes at<br />
departments, public entities and municipalities are being handled in<br />
a way that financially benefits a few individuals and that laws and<br />
regulations governing SCM are intentionally ignored or flouted by<br />
government <strong>of</strong>ficials in order to give state <strong>of</strong>ficials and their families<br />
and associates unfair advantage over other competitors or would-be<br />
service providers to government.<br />
Many <strong>of</strong> the callers asked what my <strong>of</strong>fice is doing to curb such<br />
malpractices. My first response is that, while my <strong>of</strong>fice is playing a watchdog<br />
role, all citizens, civil society fraud prevention agencies and leadership<br />
within the public sector have an important<br />
part to play in ensuring that our country’s public administration procures<br />
goods and services efficiently and cost-effectively. Specifically,<br />
members <strong>of</strong> the public and state employees should continue to report<br />
to the relevant authorities any form <strong>of</strong> irregularity they detect.<br />
Further, citizens should insist that their elected <strong>of</strong>ficials are held accountable<br />
and take steps to ensure that the measures citizens have<br />
assessed as necessary, and therefore voted into law, are adhered to<br />
and enforced.<br />
The role <strong>of</strong> the audit <strong>of</strong>fice<br />
On our part my <strong>of</strong>fice, since 2009, has included SCM as a specific audit<br />
focus area across all spheres <strong>of</strong> government and identified SCM as a specific<br />
focus area for executive leadership and legislative oversight bodies.<br />
This focus was motivated, in no small measure, by our endeavours to<br />
promote, through auditing, public confidence in our democracy – in<br />
this instance, the aims and objectives relating to supply chain management<br />
legislation and regulations.<br />
<strong>The</strong> aim <strong>of</strong> our audits <strong>of</strong> SCM policies, practices and controls is to establish<br />
whether departments, public entities and municipalities have put<br />
in place effective procurement processes and internal controls that ensure<br />
a fair, equitable, transparent, competitive and cost-effective SCM<br />
system, comply with legislation and minimise the likelihood <strong>of</strong> fraud,<br />
corruption and favouritism as well as unfair and irregular practices.<br />
Leadership commits to ensuring compliance with SCM<br />
regulations<br />
Our annual audits still continue to uncover many instances <strong>of</strong> non-compliance<br />
with such regulations. Our 2009-10 MFMA audits included<br />
specific tests to determine if <strong>of</strong>ficials or their family members had an interest<br />
in the suppliers <strong>of</strong> metros and the larger high-capacity municipalities<br />
(40% <strong>of</strong> our municipalities). We found that awards valued at some<br />
R76 million had been made to employees and councillors <strong>of</strong> municipalities<br />
and R102 million to their close family members. <strong>The</strong> AGSA reported<br />
these findings to those charged with governance <strong>of</strong> the municipalities in<br />
question, including provincial role players, to ensure these instances are<br />
investigated for undue influence and possible fraud; as in many cases<br />
the relationship was not declared by the supplier as required by legislation.<br />
<strong>The</strong> audits turned the spotlight on this matter and many municipalities<br />
have committed to improving their controls.<br />
<strong>The</strong> audits <strong>of</strong> departments and public entities included similar testing<br />
for conflicts <strong>of</strong> interest. <strong>The</strong> 2009-10 audits identified incidents
<strong>of</strong> conflict <strong>of</strong> interests and non-compliance with legislation in this<br />
regard, but in smaller measure than at local government.<br />
<strong>The</strong> most common finding from our audits across all auditees is deviation<br />
from legally prescribed SCM processes. It is important that<br />
prescribed processes are followed in order to ensure the selected<br />
supplier has the capacity to deliver the goods and services and that<br />
it is done at a reasonable price. Inadequate management <strong>of</strong> projects<br />
and contracts remains a weakness in the public sector and more so<br />
at local government level. Our audits included an assessment <strong>of</strong> the<br />
basics <strong>of</strong> contract management and raised findings on the lack <strong>of</strong><br />
written contracts, payments made in excess <strong>of</strong> contract amounts, irregular<br />
amendments/extensions to contracts and inadequate monitoring<br />
<strong>of</strong> contracts. In most cases the reason for these weaknesses<br />
was insufficient capacity and skills to manage contracts.<br />
In addition to the AGSA’s audits, investigations initiated by auditees<br />
themselves continue to highlight that the SCM processes are handled<br />
to benefit a few individuals, or that SCM legislation is intentionally<br />
ignored or deliberately bypassed. We will continue to increase<br />
our focus in this area, as shortcomings result in delays, wastage and<br />
fruitless expenditure which impact directly on service delivery to the<br />
citizens.<br />
<strong>The</strong> complete results <strong>of</strong> our analyses are available in our general<br />
reports on the national, provincial and local government audit outcomes<br />
for 2009-10 (www.agsa.co.za).<br />
To accelerate the elimination <strong>of</strong> tender process irregularities, every<br />
accounting <strong>of</strong>ficer/authority, chief financial <strong>of</strong>ficer and senior <strong>of</strong>ficial<br />
needs to discharge their PFMA- and MFMA-prescribed obligations<br />
diligently. <strong>The</strong>y are required to take reasonable steps to prevent irregular<br />
expenditure by developing and implementing internal control<br />
systems that ensure fair, equitable, transparent, competitive and<br />
cost-effective SCM processes that could prevent and detect fraud,<br />
non-performance by suppliers, and<br />
non-compliance with SCM legislation.<br />
Strong ethical leadership needed to turn the<br />
situation around<br />
It is encouraging to note that those charged with public governance<br />
and oversight have recently again committed to take the lead in turning<br />
around our auditees’ non-compliance with SCM legislation and ensuring<br />
a strong ethical culture within the public sector.<br />
Active governance and involvement by internal audit and audit<br />
committees can also go a long way in meeting the tender process<br />
challenges, thus helping the public sector move faster in its march<br />
towards clean administration by 2014 and beyond.<br />
Non-compliance must have consequences and accountability must be<br />
enforced at all levels. For example, there should be severe consequences<br />
for those who intentionally neglect regulations that govern strategic<br />
areas such as SCM. <strong>The</strong>re must be a conscious decision by political<br />
and administrative leadership to take action against transgressors.<br />
Only when the leadership has set that tone <strong>of</strong> decisively dealing with<br />
such malpractices would the citizenry have confidence in our public<br />
sector procurement and financial management systems.<br />
To conclude, SCM is the area where the bulk <strong>of</strong> the activities are concentrated<br />
in all three spheres <strong>of</strong> government. Continued non-adherence<br />
to SCM regulations therefore defers restoration <strong>of</strong> the public’s<br />
confidence in the ability <strong>of</strong> state <strong>of</strong>ficials to systematically take care<br />
<strong>of</strong> their interests – and deprives citizens <strong>of</strong> much needed services in<br />
all areas <strong>of</strong> service delivery including within the health, education or<br />
housing sectors.<br />
<strong>The</strong> level <strong>of</strong> service delivery to citizens and the degree to which government’s<br />
socio-economic objectives are promoted are directly and<br />
significantly helped or frustrated by the degree to which the procurement<br />
systems <strong>of</strong> departments, municipalities and other public sector<br />
entities comply with legislation and prescripts.<br />
As I indicated earlier, every citizen <strong>of</strong> this country has an important role<br />
to play in ensuring our public administration, and by extension our democracy,<br />
works efficiently. And I look forward to hearing more testimonies<br />
about <strong>South</strong> <strong>Africa</strong>ns who are working closely with their elected<br />
representatives or law enforcement agencies in thwarting supply chain<br />
management irregularities that could undermine our democracy.<br />
Terence Nombembe, Auditor General: AGSA.<br />
This article first appeared on the AGSA website.<br />
Conformance or performance? Is your<br />
internal audit function helping you<br />
achieve the right balance? Are you clear<br />
on how to navigate your governance, risk<br />
and compliance challenges?<br />
If not, you should consider talking to a BDO Risk Advisory<br />
specialist. We can help by:<br />
• Setting up, transforming or streamlining your internal<br />
audit function<br />
• <strong>Internal</strong> audit strategic partnering and co-sourcing<br />
• Outsourcing and managing all or part <strong>of</strong> your internal<br />
audit requirements<br />
• Performing a quality assurance review <strong>of</strong> your existing<br />
internal audit department<br />
• Functional and business process performance<br />
improvement reviews<br />
For more information, visit www.bdo.co.za<br />
Congratulations to CCSA, CFSA and CGAP candidates<br />
CCSA<br />
Anthony Brink<br />
Asma Ayob Daya<br />
Elmarie de Waal<br />
Johanna Christina Elizabeth du Toit<br />
Humza Ebrahim<br />
Ajay Goli<br />
Ajay Graham<br />
Anneke Hattingh<br />
Jacobus Christiaan Heyns<br />
Tania Jacobs<br />
Cuthbert Karasa<br />
Yihsuan Lin<br />
Maria Elisa Cornelio Lloyd<br />
Mafemane Mahlahlane<br />
Tony Mancos<br />
Nompumelelo Maseko<br />
Prishani Moodley<br />
Molefe Michael Motsatsi<br />
Lungile Mthembu<br />
Ntando Ndaba<br />
Mlamuli Shadrack Ndlovu<br />
Veronica Nkuna<br />
Cornelle Olivier<br />
Gayle Postings<br />
Vuyisa Poswa<br />
Madimpe Josias Ramakgoakgoa<br />
Malesela Ramakgolo<br />
Segele Evon Ratsiu<br />
Alberto Reis<br />
Thozama Rululu<br />
Makhosazana habangu<br />
Vuyani Sibamba<br />
Linda Smit<br />
Leone Steyn<br />
Faizel Uaendere<br />
John Varga<br />
CFSA<br />
Carlo Bubalo<br />
Fernanda de Wit<br />
Keitumetse Mothobi<br />
Deon Rossouw<br />
Munyaradzi Zhawu<br />
CGAP<br />
Vhonani Eric Luvhengo<br />
Wayne Poggenpoel
University <strong>of</strong> Pretoria and Nanjing Audit<br />
University: IAEP programmes<br />
Pr<strong>of</strong> Chen Danping from Nanjing Audit University, Nanjing, People’s<br />
Republic <strong>of</strong> China visited UP in March 2011 to present guest lectures<br />
to internal auditing practitioners, academia and students.<br />
A very dynamic working relationship exists between the School <strong>of</strong><br />
International Auditing at NAU and the Department <strong>of</strong> Auditing at the<br />
University <strong>of</strong> Pretoria (UP). Both <strong>of</strong> these institutions have been accredited<br />
by the <strong>Institute</strong> <strong>of</strong> <strong>Internal</strong> <strong>Auditors</strong> (IIA) as <strong>Internal</strong> Auditing<br />
Educational Partnership (IAEP) Schools. <strong>The</strong> Department <strong>of</strong> Auditing<br />
at UP has Centre <strong>of</strong> Excellence status (one <strong>of</strong> only five schools globally<br />
which has this status) and the IAEP School at NAU has been accredited<br />
at the Partner level (one <strong>of</strong> sixteen partner schools).<br />
During March 2011, Pr<strong>of</strong> Chen Danping from NAU visited UP to present<br />
guest lectures to internal auditing practitioners, academia and<br />
students. Pr<strong>of</strong> Chen also visited representatives from the IIA(SA), the<br />
Ethics <strong>Institute</strong> <strong>of</strong> <strong>South</strong> <strong>Africa</strong> (EthicSA) as well as the <strong>South</strong>ern African<br />
<strong>Institute</strong> <strong>of</strong> Government <strong>Auditors</strong> (SAIGA). Apart from working,<br />
she also enjoyed visits to Lesedi Cultural Village in the Hartebeestpoortdam<br />
area and the Cullinan diamond mine. Pr<strong>of</strong> Chen’s area <strong>of</strong><br />
specialisation is economic accountability audits. This is a unique type<br />
<strong>of</strong> audit engagement performed in China to assess the fairness <strong>of</strong> the<br />
economic decisions taken by the leaders <strong>of</strong> state-owned organisations<br />
during their terms <strong>of</strong> <strong>of</strong>fice. In her presentation, Pr<strong>of</strong> Chen highlighted<br />
that the purpose <strong>of</strong> an economic accountability audit is to:<br />
“…assess the enterprise’s truth, legality and performance <strong>of</strong> the assets,<br />
liabilities and equities, the relevant economic activities about<br />
significant operational decisions, as well as the conditions abiding by<br />
the relevant regulations and laws, following the processes, approaches<br />
and requirements regulated by the nation or organisation.” She<br />
discussed several interesting cases relating to economic accountability<br />
audits, for example the case in 2003 where the Chinese National<br />
Audit Office (CNAO) conducted economic accountability audits <strong>of</strong><br />
the leadership teams <strong>of</strong> several organisations in China. One such audit<br />
exposed significant losses <strong>of</strong> 7.84 billion yuan due to ineffective<br />
decision-making by the leadership team <strong>of</strong> an organisation. <strong>The</strong>se<br />
leaders were subsequently found guilty <strong>of</strong> crimes and jailed!<br />
Cooperation between the two IAEP programmes is <strong>of</strong> strategic importance<br />
to both institutions. UP lecturers will visit NAU in October<br />
2011 and UP students will join the NAU IAEP programme from September<br />
2012 to January 2013. Two NAU students will visit UP in July<br />
2011 as part <strong>of</strong> a 6-month exchange programme. UP and NAU are<br />
looking forward to a long-term working relationship through the IIA’s<br />
IAEP initiative with their common goal being to develop competent<br />
internal auditors for the pr<strong>of</strong>ession.<br />
Kato Plant, Senior Lecturer: Department <strong>of</strong> Auditing, University <strong>of</strong> Pretoria<br />
Audit<br />
focus<br />
We <strong>of</strong>fer you:<br />
- High quality services;<br />
- We are locally represented with <strong>of</strong>fices in Gauteng, Mpumalanga, Limpopo and North West;<br />
- Experience being part <strong>of</strong> the world’s largest internal outsource function i.e. Transnet;<br />
- A highly qualified and experienced team <strong>of</strong> individuals with vast and impressive credentials;<br />
- Our approach which is underpinned by leading practice, our tried and tested methodologies,<br />
modern internal audit know-how, and technology and knowledge systems; and<br />
- Our commitment to add value by means <strong>of</strong> delivering Service Beyond Expectation!<br />
Building a sustainable internal control environment:<br />
Our integrated risk management and outsourced assurance approach, will not only provide<br />
quality, timely deliverables during the course <strong>of</strong> the respective assignments, but will also create<br />
a basis for a best in class corporate governance environment within your business as well as a<br />
sustainable relationship between management and our firm.<br />
Contact us:<br />
Email: info@sekela.co.za<br />
Website: www.sekela.co.za<br />
Head Office: 011 797 6800
<strong>The</strong> <strong>Institute</strong> <strong>of</strong> <strong>Internal</strong> <strong>Auditors</strong> <strong>South</strong> <strong>Africa</strong> (IIA SA) is part <strong>of</strong> an international network representing the interests <strong>of</strong> internal<br />
auditors worldwide and is the internationally recognised authority, standard setter, principal educator and acknowledged<br />
leader in certification, research and technological guidance for the pr<strong>of</strong>ession <strong>of</strong> internal audit. <strong>The</strong> IIA SA provides internal<br />
auditors with the support and opportunities to develop to their fullest potential.<br />
We serve internal auditors by <strong>of</strong>fering<br />
• Technical Advice<br />
• Continuing Pr<strong>of</strong>essional Development Opportunities<br />
• Learnerships<br />
• Certification Programmes<br />
• Conferences and Seminars<br />
Become a member <strong>of</strong> the <strong>Institute</strong> and join a community<br />
<strong>of</strong> dynamic pr<strong>of</strong>essionals<br />
All relevant information for becoming a member <strong>of</strong> the IIA SA is available on<br />
Website: www.iiasa.org.za. Alternatively you can contact us on:<br />
Telephone: 011 450 1040 or E-mail: customerservices@iiasa.org.za