Republic of South Africa (RSA): COSO Components 2 & 3 with 3 Lines of Defence Approach

Slide Note
Embed
Share

The presentation delves into RSA's approach to the COSO components, focusing on Risk Assessment and Internal Controls. It discusses the legislative mandate, Treasury regulations, and the COSO Internal Control Integrated Framework. The Risk Assessment section covers levels, matrices, and key instruments for risk management, while the Internal Controls section examines components and activities. The presentation emphasizes the importance of maintaining effective systems for financial, risk management, and internal control in national departments and public entities.


Uploaded on Aug 02, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. REPUBLIC OF SOUTH AFRICA (RSA) APPROACH TO THE COSO COMPONENTS 2 & 3 AND THE 3 LINES OF DEFENCE (COMBINED ASSURANCE) Presenter: Pulane Mkhize | National Treasury - RSA | 10 April 2019

  2. TABLE OF CONTENTS Background The COSO Internal Control Integrated Framework COSO IC Component 2 Risk Assessment COSO IC Component 3 Internal Controls Lines of Assurance Combined Assurance Approach in RSA Combined Assurance Process 2 2

  3. BACKGROUND Legislative Mandate PFMA Section 38 1(a) (i) - National Departments (Ministries) The accounting officer for a department, trading entity or constitutional institution must ensure that that department, trading entity or constitutional institution has and maintains effective, efficient and transparent systems of financial and risk management and internal control Section 51 1(a) (i) Public Entities (State Owned Entities) An accounting authority for a public entity must ensure that that public entity has and maintains effective, efficient and transparent systems of financial and risk management and internal control TREASURY REGULATIONS Issued in terms of PFMA for Departments, Constitutional Institutions and Public Entities Chapter 3 3 3

  4. The COSO Internal Control Integrated Framework Control Environment Monitoring Risk Assessment Internal Control Components Information & Communication Control Activities

  5. COSO IC Component 2 Risk Assessment Objectives Levels of Risk Assessments in SA Strategic, tactical and operational levels (for 3-tier organisations e.g. SOEs) Strategic and operational levels (for 2-tier organisations e.g. government departments) Basis for Risk Assessments Strategic objectives are used to compile strategic risk registers Strategic objectives are set out in multi-year, strategic plans Operational/annual performance objectives are used to compile operational risk registers Operational objectives are set out in corporate plans/annual performance plans Risk Assessment Matrices A rating is assigned based on the level of probability for risk occurrence (likelihood rating) and the effect the risk may have on an organisations objectives (impact rating) Internal control effectiveness is assessed, using a specified rating Basic Risk Register Components a) Risk name and description b) Contributing factors c) Consequence description d) Internal controls e) Residual risks f) Risk tolerance levels (RRT) g) Net risk exposure h) Mitigation plans Key Risk Management Instruments a) Risk management policy b) Risk management strategy & route map c) Annual risk implementation plan d) Risk management framework e) Risk management tool Risk Monitoring a) Emerging risks b) Risk movements c) Near-miss events d) Loss events e) Retired risks f) Risk management performance Risk Management Reporting Internal reporting (to all risk monitoring forums) Connected reporting (to the Risk Management Committee and the Board/Council/Executive Authority) External reporting (to Shareholders/the Public) Risk Management Structures a) Board/Council/Executive Authority b) Risk Management Committee c) EXCO c) Risk Management Function d) Risk Champions Forum

  6. COSO IC Component 3 Internal Controls Internal Control Framework This is an internally-developed framework, which outlines: a) Nature, type and category of controls b) Criteria for control adequacy c) Criteria for control effectiveness d) Processes for design, implementation and monitoring of internal controls e) Assessment of internal controls Classification of Controls by Key Functional Process a) Critical operational performance controls (COPCs) b) Critical financial reporting controls (CFRCs) c) All these controls may be manual, automated or a hybrid Key Control Classifications a) Entity-level controls these provide direction and set out requirements for what must be done to achieve objectives e.g. policies b) Process-level controls these are integral to the organisational processes and activities performed on the daily basis to achieve policy directives and requirements c) Key controls (made up of primary and compensating controls) Risk and Control Relationship Internal controls do not respond directly to risks, but to each contributing factor identified for a risk One (1) risk may have multiple contributing factors each of these must be appropriately addressed, by a relevant internal control A combination of controls, that respond to multiple contributing factors for one (1) risk, are make up one (1) key control Policies, Procedures & Forms a) All policies serve as entity-level controls as they provide direction on various key focus areas b) Standard operating procedures outline specific activities that must be carried out in implementing policy directives c) Forms, registers and other templates help ensure that standardization of processes is achieved organization Mitigation Plan These are planned enhancements to internal controls, in cases where existing controls have been assessed as inadequate/ineffective Or Introduction of new controls, in cases where no controls existed to respond to identified and assessed risks

  7. COSO IC Component 3 Internal Controls cont Design, Implementation and Assessment Guide Economy Efficiency Effectiveness The cost of the key control should exceed the deriving from that key control Both the opportunity be considered Duplications process of implementing an internal control should be identified eliminated Any controls that cause delays in service, production decision-making be enhanced for inefficiencies must be reduced/eliminated in the Key measures, targets and indicators developed for internal controls to objective assessment of performance The entire key control, and not components control, must effectively and achieve the pre-set KPTs performance not benefits must be and enable real costs and must customer or should (causes just a few key of a operate

  8. COSO IC Component 3 Internal Controls cont monitoring is made an integral part of every Committee organization, Executive Management Committee sub-committees of EXCO Internal control The King IV Report sets out 4 outcomes for the Governing Body a) Ethical culture b) Good performance c) Effective control d) Legitimacy Management is required to design adequate internal controls, lead implementation monitor their effectiveness By following directives outlined in policies and steps/methods set out in the SOPs, employees embed internal controls in their daily functions. Employees Internal Control Structures Board/Council/Executive Authority Management their and within from an the (EXCO) to In South Africa, the Management Control Policy outlines Management s responsibilities design, implementation, monitoring, updating of the policy. support, and availability of resources, in order to efficiently and effectively achieve control objectives Employees through require training In some organisations, a dedicated Control Function stablished to provide IC subject matter expertise to Management employees for the The PFMA, MFMA and Treasury Regulations require the Board/Council/Executive Authority to ensure controls are in place and operating effectively Internal is review and key and

  9. Lines of Assurance First Line of Assurance Second Line of Assurance Third Line of Assurance Management Oversight Technical Support Structure Objective Assurance monitoring is made an integral part of every Committee organization, Executive Management Committee sub-committees of EXCO external quality regulatory health inspectors, independent actuaries etc. Internal control Nature of Assurance: management responsible for the management of risk and performance. Management can establish a system of self-assessment/reviews to inform them on the adequacy and effectiveness of risk management activities. Nature of Assurance: Nature of Assurance: This is independent assurance generally provided by objective assurance providers such as internal auditors, Line is accountable and Specialist Units are subject matter experts, and as such provide technical support to line management in executing their duties. These include functions such as risk management, legal & compliance, internal control, quality assurance and health & safety specialists. within from an the auditors, external (EXCO) assurers, to In some organisations, a dedicated Control Function stablished to provide IC subject matter expertise to Management employees Internal is Reporting Lines Sub-committees of Executive Management (across the Group) Reporting Lines Sub-committees of Executive Management (across the Group) Risk Management Committee Reporting Lines Audit Committee Accounting Authority Executive Authority and Oversight Structures (Governing Body, GB Sub-Committees, EXCO, EXCO Sub-Committees) Oversight structures review and approve the combined assurance framework, policy and plan, and then monitor the roll out of the framework and the implementation of the policy and the plan. As part of their monitoring activities, oversight structures assess whether there are improvements in the control environment; whether the is increased integrity of internal information; and whether information included in external reports is valid and credible. Oversight structures use the results of internal and external audits to make this assessment.

  10. Combined Assurance - Approach in RSA Paragraph 3.2.6 (27.2.5 for Public Entities) of the Treasury Regulations requires that Internal audit must accordance with the standards set by the Institute of Internal Auditors. Thus, Treasury Regulations give regulatory status to the International Professional Practices Framework (IPPF) of the IIA. Principle 15 of the King IV Report recommends that the governing body should establish effective combined assurance processes to achieve: Effective internal control environment; Improved integrity of information used for internal decision-making; and Improved integrity of external reports. Standard 2050 of the Institute of Internal Auditors (IIA) requires that The chief audit executive should coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage duplication of efforts. Thus, the IPPF requires that custodianship of combined assurance must rest with the CAE. monitoring is made an integral part of every Committee organization, Executive Management Committee sub-committees of EXCO Internal be control conducted in share information, within from an the (EXCO) to and minimize In some organisations, a dedicated Control Function stablished to provide IC subject matter expertise to Management employees Internal is and No other Function within an organisation, apart from the Internal Audit Function, is required either by legislation or professional standards to coordinate custodianship combined processes. Further, delegation of combined assurance oversight responsibilities to the Audit Committee by the governing body confirms the Internal custodianship of combined processes. The Treasury Regulations are recognised as statute in South Africa, and as such failure to achieve the requirements of paragraph 3.2.6 (27.2.5 for Public Entities) of the Regulations constitutes non-compliance with laws and regulations. In conclusion, in order for the Internal Audit Function to be assessed as conforming with the requirements of Standard coordinate and assume combined assurance organisation. Any arrangements outside this requirement, in relation to coordination of combined assurance processes, constitutes non- compliance with laws and regulations. 2050, custodianship processes it must and assurance take of an within Thus, failure by the Internal Audit Function to comply with the requirements of Standard 2050 constitutes failure to comply with Treasury Regulations. Audit Function s assurance

  11. Combined Assurance Process Identification and assessment of key controls for mitigation of assessed risks Key risk identification and assessment monitoring is made an integral part of every Committee organization, Executive Management Committee sub-committees of EXCO Internal control Context analysis within from an the (EXCO) to In some organisations, a dedicated Control Function stablished to provide IC subject matter expertise to Management employees Internal is Determining assurance objectives and scope, and assigning assurance activities to assurance providers Collectively planning, executing, monitoring and reporting the results of combined assurance activities and Determining the level and extent of assurance required

  12. Combined Assurance Process cont First Line of Assurance (Management) This level is tasked with designing and implementing internal controls Management monitors internal controls through reviews and control-self assessments monitoring is made an integral part of every Committee organization, Executive Management Committee sub-committees of EXCO Internal control within from an the (EXCO) to Second Line of Assurance (Subject Matter Experts) In some organisations, a dedicated Control Function stablished to provide IC subject matter expertise to Management employees Internal The Internal Control Function (in organisations that have one) support Management with the design and monitoring of internal controls is The Risk Management Function provides ERM support to the Risk Owners (Senior Management) and employees and Third Line of Assurance (Internal Audit) Where residual risks are low, the Internal Audit Function provides objective assurance (i.e. conducts audit reviews) Where residual risks are high, the Internal Audit Function support Management with consulting services

  13. THANK YOU 13 13

More Related Content