King 3
ADVISORY

Implications for boards, directors, management, assurance providers and stakeholders.

Implications: KPMG anticipates that entities and stakeholders will require a deeper understanding of governance in order to decide how governance principles and practices should be adopted and implemented in their particular entity – ‘the one size does not fit all’ consequence. This will necessitate education, dialogue, decisions and disclosure.

Internal Audit
King 3 requires companies to establish an internal audit function which provides assurance over the company’s governance, risk management and internal controls. Internal audit will be required to provide a written assessment of the system of internal controls and risk management to the board, as well as a written assessment of the internal financial controls to the audit committee. (King 3 differs from Sarbanes-Oxley in that no attestation is required from external auditors on internal controls on financial reporting.)

Implications: Internal audit may require more resources to provide assurance on the system of internal control and risk management to the board. Currently in practice, many internal audit functions take care not to duplicate the work of external audit and thereby do not provide assurance on exclusively internal financial controls. Internal audit will have to determine the basis and methodology by which it can provide a written assessment on the internal financial controls to the audit committee going forward. The audit committee will have to ensure that internal audit is properly resourced and has sufficient budget.

Risk management
Under King 3, risk management remains important and more detailed guidance is given on how it is to be accomplished. The board is responsible for the governance of risk and disclosure, and management is responsible for the risk management design, implementation and monitoring of the risk management plan.

Implications: Boards will have to spend more time on risk management. Management will have to integrate risk management more fully into the running of business. The disclosure of key risks will require articulation and stakeholder management.

IT governance
King 3 highlights the role of IT governance and the board’s related responsibilities. The recommendations are extensive.

Implications: This is a new and expanded area for King. More resources, management and director time will be required to address IT governance and the related procedures and practices. IT governance will impact the risk management, assurance and reporting frameworks.

Compliance
King 3 states that compliance should form an integral part of the risk management function and that companies should consider establishing a compliance function.

Implications: There may be an increased demand for compliance officers, and the role and positioning of the function will have organisational structure and reporting implications. Companies will also have to incorporate compliance methodologies into the risk management and combined assurance frameworks.

Remuneration, disclosure and shareholders’ votes
King 3 requires disclosure of the remuneration of each individual director and the top three most highly paid employees. Guidance is given on remuneration policy and practices, including that non-executive directors should not receive share options. King 3 recommends that the remuneration policy be put to the shareholders for a non-binding advisory vote, and that the board should determine the remuneration of the executive directors in line with the policy.

Implications: Companies may be concerned about the effect of disclosure on both executive remuneration negotiations, in terms of staying competitive with global standards of remuneration for highly mobile executive talent, as well as the impact that it could have on labour relations locally.

Alternate Dispute Resolution (ADR)
There is advocacy of enforceable ADR clauses in contracts so as to efficiently resolve disputes according to the parties’ needs, rather than just their legal rights and obligations.

Implications: The board will have to become involved in terms of appointing the appropriate person and there will be coordination costs.

Director development and performance management
King 3 recommends induction and ongoing training for directors. Performance assessments of the board, its committees and the individual directors are recommended every year.

Implications: Boards will have to consider whether to conduct evaluations in-house or through independent service providers. An overview of results and action plans is recommended for disclosure. We anticipate that these recommendations will require more time commitments from directors and the company secretary.

Conclusion
King 3 is an aspirational code and it is likely that entities could take several years to achieve application of all the principles and best practice recommendations. The challenges will be in deciding the optimal level of application required, balancing the costs and benefits to all stakeholders, and then being able to disclose such principles and practices in a manner that is clear and understandable to stakeholders.
King 3 - Quick Reference Guide

The third South African report on corporate governance (King 3) was released on 1 September 2009 and becomes effective on 1 March 2010. The quick reference guide that follows contains a summary and extracts of the salient details. However, the reader is encouraged to consult the full King Report and the Code of Governance Principles now available from the Institute of Directors.

Board and Directors
The board, director and company refer to the functional responsibility of those charged with governance in any entity.

Role of the board
The board should:
■ Lead the entity ethically for sustainability in terms of the economy, environment and society, taking into account its impact on internal and external stakeholders
■ Strategically direct, control, set the values, align management to the latter and promote the stakeholder-inclusive approach of governance
■ Ensure that each director adheres to the duties of a director
■ Ensure that the company is and is seen to be a responsible corporate citizen
■ Ensure the company’s ethics are managed effectively through building an ethical culture, setting ethics standards, measuring adherence and incorporating ethics into its risk management, operations, performance management and disclosure
■ Be the focal point of governance; have a charter, meet at least four times a year, monitor management and stakeholder relations and ensure the company survives and thrives
■ Appreciate strategy, risk, performance and sustainability are inseparable
■ Ensure the company has an effective and independent audit committee
■ Govern risks
■ Be responsible for IT governance
■ Ensure the company complies with laws and considers rules, codes and standards
■ Ensure there is an effective risk-based internal audit function
■ Ensure integrity of the integrated report
■ Report on the effectiveness of internal controls
■ Act in the best interests of the company (including managing conflicts and dealing in securities)
■ Immediately consider business rescue proceedings should the company become financially distressed
■ Elect annually an independent, non-executive director as chairman. If the chairman is not independent or is executive, then a lead independent non-executive director should be appointed and justified in the integrated report. The CEO should not become chairman until after three years, the number of chairmanships should be considered and there should be a chairman succession plan
■ Appoint the CEO, define the board’s materiality, establish a delegation of authority, evaluate CEO performance and ensure a succession plan for the CEO and senior executives.

Structure and composition of the board
The board should comprise a balance of power with:
■ A majority of non-executive directors, of whom the majority should be independent
■ Knowledge, skills, resources, size, diversity and demographics of board to be considered
■ A minimum of two executive directors (CEO and Finance Director)
■ The CEO and chairman positions should be separate
■ One third of non-executives should rotate annually
■ Non-executive directors on the board for longer than nine years must be assessed annually for independence and this should be reported
■ Board should be able to remove any director without shareholder approval.

The King Report provides detailed guidance on the role of the chairman and the CEO.

Appointment, development and performance assessment of directors
■ A formal process should be established for appointment and development of directors
■ A nominations committee should assist with the identification and recommendation of potential directors to the board
■ Backgrounds and references should be checked before nomination
■ Letters of appointment should be provided to non-executive directors
■ Full disclosure of directors should be made to shareholders (King 3 has details of disclosure e.g. education, experience, age, other directorships, etc)
■ Directors should receive induction and ongoing training (including changes to laws, rules, standards and codes)
■ The performance of the board, its committees and individual directors should be evaluated every year by the chairman or an independent provider. Results should assist training and be disclosed in the integrated report
■ Performance evaluation results should inform the nomination for re-appointment of a director.

Company secretary
■ The board should appoint/remove, empower and be assisted by a competent, qualified and experienced company secretary (who is not a director and who is at ‘arm’s length’)
■ The company secretary should assist the nominations committee, facilitate training, provide guidance to the board, keep the board and committee charters current, prepare
and circulate board papers, assist communication into and around board meetings, assist drafting workplans, keep minutes, and assist with evaluations of the board, committees and individual directors.

Group boards of companies
A governance framework should be agreed between the group and its subsidiary boards (subject to legal and fiduciary duties of subsidiary directors to the subsidiary company). Implementation and adoption of policies, processes or procedures of the holding company should be considered and approved by the subsidiary company and disclosed by the subsidiary company. Where the holding company of a South African subsidiary is listed on another exchange, King 3 principles should be applied to the subsidiary.

Committees
Audit, Risk, Nomination and Remuneration committees should be established.

Board committees should have:
■ Terms of reference approved by the board that are reviewed annually
■ Composition and terms of reference should be disclosed in the integrated report
■ Composition should comprise a majority of non-executive directors of which the majority should be independent (risk committee may have a mixed composition – refer below)
■ The chairman should not be a member of the audit committee. He/she should not chair the risk or remuneration committees but may be a member of these committees. The chairman should be a member of the nomination committee and may also be its chairman
■ The CEO should not be a member of the remuneration, audit or nomination committees but should attend by invitation. CEOs should recuse themselves when conflicts arise or when their performance and/or remuneration is discussed. CEOs should not become a chairman of a company outside the group
■ External advisors and executive directors may attend by invitation. Non-directors serving as members on committees of the board should be aware of sections 76 and 77 of the Companies Act 71 of 2008, which place the same standards of conduct and liability on them as if they were directors (but without the benefit of a committee vote)
■ Committees should be able to take outside professional advice subject to following an approved process
■ Committee chairmen should give at least an oral summary of their committee’s deliberations at the following board meeting.

Remuneration committees and remuneration
■ Companies should remunerate directors and executives fairly and responsibly, i.e. align remuneration policies to company strategy and individual performance. Detailed guidance is provided in the report as to what is considered fair and responsible remuneration practices
■ The remuneration committee should assist the board with setting and administering remuneration policies (which should address base pay, bonuses, contracts, severance, retirement benefits, share and incentive schemes)
■ Non-executive director fees should comprise a base and an attendance fee component. Non-executive directors and the chairman should not receive share options or other incentive awards. Non-executive director fees should be approved by shareholders in advance by way of special resolution at intervals of not more than two years
■ The detail of each individual director’s remuneration as well as that of the three most highly paid employees should be disclosed within the remuneration report in the integrated report. Other information to be disclosed should be base pay policy, participation in incentive schemes, benchmarks used, retention schemes, justifications for salaries above medians, material ex-gratia payments, executive employment policies, and maximum potential dilution from incentive awards
■ Shareholders should vote a non-binding advisory vote on the company’s remuneration policy (including share schemes)
■ The board should determine executive directors’ remuneration in accordance with the policy put to shareholders.

Audit committees
The board should ensure that it has an effective and independent audit committee, with approved terms of reference. The audit committee is an integral part of the risk management process with oversight of financial reporting risks, internal financial controls, and fraud and IT risks relevant to financial reporting.

The audit committee should:
■ Consist of at least three independent members, all of whom should be independent non-executive directors. The chairman of the board should not be the chairman of, nor a member of, the audit committee. The audit committee chairman should be elected by the board, set the agenda and be present at the AGM
■ Meet at least twice a year (at least once a year external and internal auditors should attend without management)
■ Have sufficient qualifications and experience and be up-to-date with relevant developments
■ Be able to consult with specialists subject to a board-approved process
■ Oversee integrated reporting (i.e. the integrity of the integrated report, its financial statements and the disclosure of sustainability for consistency with the financial information)
■ Recommend engaging an external assurance provider on material sustainability issues
■ Consider the need to issue interim results
■ Review summarised information and engage external auditors to provide assurance on summarised financial information
■ Ensure there is a combined assurance approach for assurance activities to address all significant risks
■ Monitor the relationship between external assurance providers and the company
■ Review annually and satisfy itself on the company’s finance function and disclose such in the integrated report
■ Oversee internal audit (including appointment/dismissal and performance management of the Chief Audit Executive (CAE), approve the internal audit plan, evaluate the document review of internal financial controls, assess internal audit performance and quality review the function, ensure properly resourced with sufficient budget)
■ Recommend the external audit appointment and oversee the external audit process (nomination, terms of engagement, remuneration, monitoring independence, defining non-audit services policy and pre-approval of non-audit services, be informed of Reportable Irregularities, and review quality and effectiveness of external audit process)
■ Report internally to the board and externally to shareholders on
– the discharge of its statutory duties
– independence of external auditor
– financial statements and accounting practices
– effectiveness of the internal financial controls
– its role, composition, meetings and activities
■ Recommend the integrated report for approval by the board.

Risk management
The board is responsible for the governance of risk (to be specified in the board charter). The board responsibilities include the following:
■ Develop a documented risk management policy and plan, approved by the board, which policy is widely distributed
■ Comment in the integrated report on the effectiveness of the risk management system and process
■ Review implementation of the risk management plan at least annually, with continuous monitoring
■ Determine levels of risk tolerance (annual risk tolerance to be set with risk limits and appetites)
■ Appoint a risk committee which considers the risk policy, plan and monitoring. The risk committee may comprise a minimum of three members from executive, non-executive directors, senior management and independent risk experts. It should meet at least twice a year
■ Evaluate the performance of the risk committee
■ Delegate to management the responsibility for the risk management plan
■ Ensure that risk assessments are performed on a continual basis at least once a year on a top-down approach
■ Receive and review the company’s risk register (quantified where possible)
■ Ensure a framework for anticipating unpredictable risks
■ Ensure management continually implements appropriate risk management responses with risk monitoring
■ Receive assurance on the effectiveness of risk management from management as well as a written assessment of the effectiveness of the system of internal controls and risk management from internal audit
■ Disclose in the integrated report its view on the effectiveness of the risk management process and any unusual risks.

IT Governance
The board is responsible for Information Technology (IT) governance.

The board should:
■ Ensure IT is on the agenda, an IT charter exists, IT policies are in place, an IT internal control framework exists and independent assurance on effectiveness of IT controls is obtained
■ Align IT to performance and sustainability objectives of the company
■ Delegate responsibility for implementation of an IT governance framework to management (The board may appoint an IT steering committee. The CEO should appoint a suitably qualified Chief Information Officer)
■ Monitor and evaluate significant IT spend in terms of value and return on investment
■ Ensure protection of intellectual property, information management and security (including personal data) on IT systems
■ Ensure compliance with IT laws and standards
■ Obtain independent assurance on IT governance and controls on outsourced IT services. Management should demonstrate adequate disaster recovery arrangements.

The risk committee should ensure that IT risks are adequately addressed and get appropriate assurance on controls.
The audit committee should consider IT in relation to financial reporting and the going concern.

Compliance
Compliance should form an integral part of the risk management process. The risk of non-compliance should be identified, assessed and responded to in the risk management process. The establishment of a compliance function should be considered.

The board should:
■ Ensure the company complies with applicable laws and considers adherence to rules, codes and standards
■ Delegate to management the implementation of an effective compliance framework and processes (this may include an approved compliance policy, code of conduct, structures, training, appointment of a compliance officer, key performance indicators, integration with risk management and ethics programmes)
■ Monitor compliance and have it as a regular item on the board agenda
■ Receive assurance on the effectiveness of compliance controls
■ Disclose details on how it has established an effective compliance framework and processes, as well as disclose material or oft-repeated instances of non-compliance.

Internal audit
The board should ensure that there is an effective risk-based internal audit function which is governed by an internal audit charter approved by the board, and which adheres to the IIA Standards and code of ethics.

Internal audit should:
■ Report functionally to the audit committee (the CAE should report functionally to the audit committee chairman) and report at all audit committee meetings
■ Evaluate the company’s governance processes
■ Objectively assess the effectiveness of risk management and the internal control framework
■ Analyse business processes and controls
■ Provide information on fraud and unethical practices
■ Have an internal audit plan that is informed by the strategy and risks
■ Be independent from management and objective
■ Provide a written assessment on the effectiveness of the company’s system of internal controls and risk management to the board
■ Provide a written assessment of the internal financial controls to the audit committee (after formally documenting and testing internal financial controls annually).

The CAE should be able to attend all executive committee meetings, and should develop a quality assurance and improvement programme.

Stakeholder management
The board should:
■ Appreciate that stakeholder perceptions affect reputation and should seek to manage reputation risk
■ Identify important stakeholders
■ Delegate to management the responsibility to deal with stakeholder relationships
■ Consider publishing stakeholder policies
■ Oversee the mechanisms and processes for the constructive engagement of stakeholders
■ Encourage shareholders to attend the AGM
■ Disclose in the integrated report its stakeholder dealings
■ Strive to achieve balancing of various stakeholders’ legitimate expectations in the best interests of the company
■ Ensure equitable treatment of shareholders of the same class and protection of minority shareholders
■ Adopt communication guidelines for stakeholder communication so that communication is clear, relevant, timely, honest and accessible to stakeholders
■ Consider disclosing in the integrated report the number and refusals to information access in terms of the Promotion of Access to Information Act, 2000
■ Adopt a formal dispute resolution process
■ Select the appropriate individuals for Alternate Dispute Resolution (ADR) representation.

Integrated reporting and disclosure
The board should:
■ Ensure integrity of integrated reporting. (There should be controls to ensure integrity of the integrated report. The report should be prepared annually, cover sufficient financial and sustainability performance, focus on substance over form, and describe how the company made its money)
■ Delegate evaluation of sustainability disclosures to the audit committee
■ Comment on the financial results
■ Disclose if the company is a going concern
■ Convey positive and negative impacts of operations and how these will be improved in the next year
■ Delegate oversight and reporting of sustainability to the audit committee (who should ensure that sustainability reporting and disclosure is independently assured).
kpmg.co.za
Contacts
Please contact any of the following directors:
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2009 KPMG Services (Proprietary) Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in South Africa. mc5202