King IV Commenting Platform
Filled Tuesday, April 19, 2016
Page 1
Welcome to the official King IV Commenting Platform. After you have
downloaded and reviewed the draft King IV Report here [if this link does not
open, please copy and paste the following into your browser:
https://c.ymcdn.com/sites/iodsa.site-
ym.com/resource/resmgr/King_IV/King_IV_Report_draft.pdf], you will be able
to enter your comments using this platform. The public comment process takes
place in 2 phases, the first of which invites comment on the whole of the King IV
Report, bar the Sector Supplements. The Sector Supplements are to be
subjected to public comment during phase 2. This platform will remain open in
respect of phase 1 for two months from 15 March 2016 to 15 May 2016. Phase
two of the commentary process, being commentary on the sector supplements,
will be opened on notice. Commenting terms and conditionsPlease note that
this process is open and transparent. All comments submitted will be available
for public view at http://www.iodsa.co.za/page/KingIVCommentLibrary and NO
anonymous comments are permitted. Comments received are added to the
library for public viewing weekly together with the identity of the individual or
organisation on behalf of whom the submission is made. Only comments
submitted through this platform will be considered for the finalisation of the
King IV Report.
Do you agree to the King IV commenting terms and conditions? Yes
Page 2
Personal Details Section:
*Title: Ms
*First Name: Sandra
*Last Name: van Esch
*I am commenting on behalf of: Myself
Page 3
PART 1: Introduction and Foundational Concepts
PART 1: Introduction and Foundational Concepts Add your comments for this part here:
Variable Response
PART 1: Introduction and Foundational Concepts | 1. Introduction (No response)
PART 1: Introduction and Foundational Concepts | 2. Objectives of King IV (No response)
PART 1: Introduction and Foundational Concepts | 3. King IV definition of corporate (No
governance response)
PART 1: Introduction and Foundational Concepts | 4. The underpinning philosophies of King IV
(No response)
PART 1: Introduction and Foundational Concepts | 5. Local and international developments since King III
(No response)
PART 2: Content Elements and Development
PART 2: Content Elements and Development Add your comments for this part here:
Variable Response
PART 2: Content Elements and Development | 1. Overview of the nine parts of the King IV Report
(No response)
PART 2: Content Elements and Development | 2. King IV Code elements (No response)
PART 2: Content Elements and Development | 3. Sector Supplements (No response)
PART 2: Content Elements and Development | 4. Content development process (No response)
PART 2: Content Elements and Development | 5. Drafting convention (No response)
PART 2: Content Elements and Development | 6. Presentation features of King IV (No response)
PART 3: Application of King IV
PART 3: Application of King IV Add your comments for this part here:
Variable Response
PART 3: Application of King IV | 1. Legal status of King IV (No response)
PART 3: Application of King IV | 2. Scope of application of King IV (No response)
PART 3: Application of King IV | 3. Proportionality – appropriate application and adaption of practices
(No response)
PART 3: Application of King IV | 4. Disclosure on application of King IV (No response)
PART 3: Application of King IV | 5. Transition from King III to King IV (No response)
PART 4: King IV on a page
PART 4: King IV on a page Add your comments for this part here:
(No response)
PART 5, CHAPTER 1: Leadership, Ethics and Corporate Citizenship
PART 5CHAPTER 1: Leadership, Ethics and Corporate Citizenship Add your comments for this part here:
Variable Response
PART 5CHAPTER 1: Leadership, Ethics and Corporate Citizenship | 1.1 Ethical leadership
(No response)
PART 5CHAPTER 1: Leadership, Ethics and Corporate Citizenship | 1.2 Organisation values, ethics and culture
(No response)
PART 5CHAPTER 1: Leadership, Ethics and Corporate Citizenship | 1.3 Responsible corporate citizenship
(No response)
PART 5, CHAPTER 2: Performance and Reporting
PART 5CHAPTER 2: Performance and Reporting Add your comments for this part here:
Variable Response
PART 5CHAPTER 2: Performance and Reporting | 2.1 Strategy, implementation, performance
(No response)
PART 5CHAPTER 2: Performance and Reporting | 2.2 Reports and disclosure (No response)
PART 5, CHAPTER 3: Governing Structures and Delegation
PART 5CHAPTER 3: Governing Structures and Delegation Add your comments for this part here:
Variable Response
PART 5CHAPTER 3: Governing Structures and Delegation | 3.1 Role of the governing body
(No response)
PART 5CHAPTER 3: Governing Structures and Delegation | 3.2 Composition of the governing body
(No response)
PART 5CHAPTER 3: Governing Structures and Delegation | 3.3 Committees of the governing body
(No response)
PART 5CHAPTER 3: Governing Structures and Delegation | 3.4 Delegation to management
(No response)
PART 5CHAPTER 3: Governing Structures and Delegation | 3.5 Performance evaluations
(No response)
PART 5, CHAPTER 4: Governance Functional Areas
PART 5CHAPTER 4: Governance Functional Areas Add your comments for this part here:
Variable Response
PART 5CHAPTER 4: Governance Functional Areas | 4.1 Risk and opportunity governance
(No response)
PART 5CHAPTER 4: Governance Functional Areas | 4.2 Technology and information governance
(No response)
PART 5CHAPTER 4: Governance Functional Areas | 4.3 Compliance governance (No response)
PART 5CHAPTER 4: Governance Functional Areas | 4.4 Remuneration governance (No response)
PART 5CHAPTER 4: Governance Functional Areas | 4.5 Assurance (No response)
PART 5, CHAPTER 5: Stakeholder Relationships
PART 5CHAPTER 5: Stakeholder Relationships Add your comments for this part here:
Variable Response
PART 5CHAPTER 5: Stakeholder Relationships | 5.1 Stakeholders (No response)
PART 5CHAPTER 5: Stakeholder Relationships | 5.2 Responsibilities of shareholders (No response)
PART 6: Sector Supplements
PART 6: Sector Supplements Content on Part 6: Sector Supplements will be published and opened for commentary during May
2016.
PART 7: Application Register
PART 7: Application Register Commentary on Part 7: Application register will be addressed in the Comment Questions section,
Question 10.
PART 8: Glossary of Terms
PART 8: Glossary of Terms Add your comments for this part here:
(No response)
Comment Questions (1-5)
Comment QuestionsQuestion 1 - Question 5
Question 1 The set objectives of the King IV Report are to: -promote good corporate governance as integral to
running an enterprise and delivering benefits to it;broaden the acceptance of good corporate
governance by making it accessible and fit for application by organisations of a variety of sizes,
resources and complexity of strategic objectives and operations;reinforce good corporate
governance as a holistic and inter-related set of arrangements to be understood and implemented
in an integrated manner; andpresent good corporate governance as concerned with not only
structure, policy and process but also an ethical consciousness and behaviour.To what extent would
the draft King IV Report as it stands achieve each of these objectives?Please comment on how this
could be optimised.
(No response)
Question 2 Part 2 of the draft King IV Report: Content Elements and Development, deals with outcomes,
principles and practices. Clear differentiation of these content elements is key to reinforcing
qualitative governance which is outcomes driven rather than about mindless compliance. Is the
rationale and the difference between these content elements clearly explained? Please provide
suggestions on how this could be further enhanced.
(No response)
Question 3 King IV uses the broader form of address namely: ‘organisations’; ‘governing body’; and ‘those
charged with governance duties’. Does this make the King IV Report more broadly relevant to all
organisations and sectors?
(No response)
Question 4 The King IV Code recommends that as a minimum, the chief executive officer (CEO) and one other
executive should be appointed to the governing body. Other than in King III, it does not specifically
recommend the inclusion of the chief financial officer (CFO) as a member of the governing body.
This allows flexibility for another executive to be appointed as a member of the board, depending
on the nature and needs of the business.Would a recommendation specifically providing for
inclusion of the CFO be more appropriate or is flexibility preferable in light thereof that
organisations differ?
(No response)
Question 5 Do the independence criteria in Chapter 3 of the Code provide clear and useful guidance for
assessment of independence on a substance over form basis?
(No response)
Comment Questions (6-10)
Comment QuestionsQuestion 6 - Question 10
Question 6 Will the new disclosure and voting requirements on remuneration in Chapter 4 of the Code lead to
increased transparency and more meaningful engagement on remuneration between organisations
and their stakeholders? Please provide suggestions for further enhancement.
(No response)
Question 7 King IV introduces in Chapter 4 of the Code, the 5 lines on assurance in the place of the traditional 3
lines of defence. It also expands on the implementation of the combined assurance model. Will this
assist with more effective co-ordination and alignment of assurance? Please provide suggestions for
further enhancement.
15 May 2016
Comments submitted on-line 15 May 2016
Ansie Ramalho
King IV Project Lead
The King Committee
The Institute of Directors (SA)
(No response)
Dear Ansie,
Comment on the Draft King IV Report on Corporate Governance for South Africa
Thank you for the opportunity to comment on the Draft King IV Report on Corporate Governance
for South Africa (Draft King IV). My comments are provided in my personal capacity as a CA (SA)
with extensive experience in the development of audit and assurance standards and long standing
interest in corporate governance and professional ethics.
Whilst I serve as a member of the Integrated Reporting Council (South Africa) Working Group
(IRCWG) and have contributed to, and support the comments provided by the IRC, my further
comments that follow, relate to specific concerns regarding the Concepts, Principles and
Recommended Practices applicable to an audit committee, and the proposed combined assurance
recommendations which is not the focus of the IRCWG.
I currently represent the Independent Regulatory Board for Auditors (IRBA) on the IAASB’s
Integrated Reporting Working Group. In this capacity, I am aware of the international debates
around assurance on emerging external reporting, including Integrated Reporting based on the
IIRC’s International <IR> Framework, sustainability reports and / or regulatory requirements, in
different jurisdictions, for more extensive strategic reporting and specified disclosures by
organisations.
The exposure period allowed for public comment on the Draft King IV was relatively short, given
the number of public holidays intervening between the release date on 15 March 2016 and the 15
May 2016 closing date for comment. This may limit the number of responses likely to be received.
I have not commented on editorial aspects, as I’m sure other commentators will do so. My focus is
on Question 7 and the related Sections of King IV.
Yours sincerely,
Sandy van Esch CA(SA)
Comments on Draft King IV Report
A. Audit Committees
1. I commend the King IV Committee on its Principle 3.3 Committees of the governing body, in
particular the Recommended Practices (RP) 50-57 relating to Audit Committees.
2. Key matters of importance, in my view are: the following:
2.1. “RP 50 … Its role should be to provide independent oversight of:
2.2. Audit and assurance requirements
2.3. Independence of the auditor and other assurance providers…”
2.4. “RP 52 In addition to being a statutory committee, the audit committee may serve as a
committee of the governing body with assigned responsibilities beyond its statutory duties. The
governing body is ultimately accountable on such matters.”
3. Principle 3.3 in RP 58, refers to the audit committee’s “disclosures” (presumably in the audit
committee’s report in the Integrated Annual Report), yet appears to focus on financial reporting,
i.e.:
3.1. “(b) The arrangements in place for the finance function and internal audit, and the audit
committee’s views on their effectiveness.
3.2. (c) The arrangements in place for a combined assurance model, and the committee’s views on
its effectiveness.
3.3. (d) The audit committee’s views on the effectiveness of internal financial controls and the
nature and extent of material weaknesses in the design, implementation or execution of internal
financial controls that resulted in material financial loss, fraud, corruption or material errors.
3.4. (e) Significant matters that the audit committee considered in relation to the external
assurance over reports, and how these were addressed by the committee.”
4. Although Principle 3.3 in RP58 appears to focus on financial reporting the “assigned
responsibilities” in Chapter 4 Governance Functional Areas in Principle 4.5 Assurance – Combined
assurance model in RP 45-48, in RP 46 the focus seems to be on how an audit committee “derives
assurance” in order for the governing body to acknowledge its responsibility for the Integrated
Annual Report (refer response to Question 7 that follows).
5. Principle 4.5 Assurance of reports in RP 62 states “The Governing body should delegate to the
audit committee oversight of assurance provided over reports other than financial statements,
which includes:” inter alia
5.1. “(e) assurance methodology applied by assurance providers, and
5.2. (f) Possible limitations or scope restrictions.”
6. While an audit committee may well determine the scope of the assurance engagement, and
applicable criteria they should not be determining the methodology followed by independent
external assurance providers who will be bound by the relevant audit and assurance standards
applicable.
6.1. The Introduction and Foundational Concepts in 5.4 recognises that external audit and
assurance providers apply the IAASB’s International Audit and Assurance Standards, and any
additional requirements of the Independent Regulatory Board for Auditors (the IRBA), in the
conduct of their engagements, so it is not for an Audit Committee to determine the methodology to
be applied by external auditors.
(No response)
B. Draft King IV Report – Question 7
“King IV introduces in Chapter 4 of the Code, the 5 lines on assurance in the place of the traditional
3 lines of defence. It also expands on the implementation of the combined assurance model. Will
this assists with more effective co-ordination and alignment of assurance? Please provide
suggestions for further enhancement.
(No response)
My concerns articulated below, relate principally to Chapter 4, Principle 4.5 and Recommended
Practice (RP) 46 (a – e) – “The 5 Lines of assurance”.
(No response)
Delegation of Line responsibilities of the governing body and management to the Audit Committee
1. The description of combined assurance and lines of assurance is not adequately explained in the
Code. It appears to relate to how the Governing Body, by dint of delegation of its own line
responsibility, to the Audit Committee, is expected to “derive confidence” that the organisation’s
Annual Integrated Report and any other sustainability reports incorporated in, or issued separately,
have integrity (credibility) and thus enhance the trust placed thereon by investors, and other
stakeholders (users) who seek to understand, and believe, the story of ‘value created’ by the
organisation, and hence its sustainability in the short, medium and long term.
2. Concept 5.10 states “the model emphasises that assurance is not primarily about defence but
rather about having an adequate and effective control environment and strengthening the integrity
of reports” and goes on to indicate: “the audit committee should oversee that implementation of the
combined assurance model results in combining, co-ordinating and aligning assurance activities
across the various lines of assurance, so that assurance has the appropriate depth and reach.”
3. Principle 3.1 Role of the governing body in RP 3(d)(v) identifies the functional governance areas
inter alia, as:
3.1. “RP 3(d)(v) .. “ensuring that assurance results in an adequate and effective control environment
and integrity of reports for better decision making”.
3.2. RP 4(c) Reports have been assured by the “line(s) of assurance” as is appropriate for its
purpose.
4. Principle 4.1 Risk and opportunity governance in RP 1 to RP 7 make it clear that the governing
body should govern risk and opportunity and inter alia “should delegate to management
responsibility for implementing policy on an enterprise-wide risk and opportunity management”.
4.1. In Principle 4.1 Risk and opportunity governance in RP 8 it is clear that the “governing body
should oversee the adequacy and effectiveness of risk and opportunity management”, and in RP9
“the governing body should oversee that a formal review is conducted periodically”.
4.2. Consequently it is questionable whether in Principle 4.5 Assurance RP 46 the responsibility for
“establishing and overseeing a combined assurance model” can then be delegated to an Audit
Committee, comprised of 3 non-executive directors, for all the “five lines of assurance” as described
that follow. It is unlikely that the audit committee with 3 non-executive directors would have the
time necessary to “establish and oversee” such extended responsibilities, when clearly a number of
those responsibilities relate directly to line management responsibilities of “executive members” of
the governing body and “suitably qualified” line management.
4.3. The five lines of assurance described in Principle 4.5 in RP 46 confuse the meaning of “comfort
or assurance derived” by the audit committee from internal processes, monitoring and other
procedures performed to evaluate the design, implementation and effectiveness of internal controls
over financial reporting by comparison to independent external assurance, where an independent
opinion or conclusion is expressed based on evidence obtained. Bearing in mind that the Draft King
IV (Concept 5.4) recognises that South African external auditors and assurance providers are
required to comply with the IAASB’s International Standards which could apply to the performance
of an audit, review, other assurance engagement or agreed upon procedures engagement and such
other requirements as the IRBA may determine, the draft King IV should not seek to override.
(No response)
Combined assurance: ‘Five Lines of Assurance’
5. Principle 4.5 Assurance, in RP 46, clearly seeks to provide a “risk mitigation” process for the
governing body, which is responsible for approving and signing off on “reports” issued, having
satisfied themselves that the ‘information has integrity and is credible’.
5.1. Principle 4.5 Assurance, in RP 46(a) and (b) the “first and second lines of assurance” in (a) and
(b), clearly relates to the appropriateness and effectiveness of implementation of internal controls
and processes over data and information likely to be included in the various reports issued. These
are not, of themselves independent “audit or assurance” procedures, and as indicated above, is the
direct responsibility of the governing body to be delegated to line management who in turn should
be accountable to the executives on the governing body.
5.2. Although, where applicable an audit committee is expected in the organisation’s Annual Report
to make disclosures regarding the reliability of the internal controls, there is no requirement in
South Africa for an independent external auditor’s assurance report on the quality of internal
controls, such as the SoX requirements of the SEC in the United States. Perhaps the IAASB’s KAM
reporting disclosures by the auditors, required for listed entities, may in future, highlight significant
weaknesses. This would enable the audit committee to provide their perspective thereon.
5.3. Principle 4.5. Assurance, in RP 46(c) the “third line of assurance” incorporates reference to:
internal assurance providers that provide objective assurance such as internal audit, internal
forensic examiners, fraud examiners and auditors, safety and process assessors, and statutory
actuaries.
5.3.1. It is recognised that the work of internal auditors, whether by way of an internal audit
function or an outsourced internal audit service provider, and their reports on the design,
implementation and effectiveness of internal controls relating to disclosures in financial reports,
integrated reports or sustainability KPI’s, that are relevant to the external audit, may provide
support to the external auditors including for purposes of ‘assurance’ provided on ‘other
information,’ whether financial or non-financial, included in the integrated annual report or other
separate sustainability reports. Such internal auditor’s reports may take the form of a “dashboard”
assurance conclusion per se. they my identify areas where the audit committee may determine
corrective action is taken.
5.3.2. It is, however, likely that internal auditors’ focus will be on internal financial reporting
controls essential for the statutory annual report and regulatory returns, as provided for in
Principle 3.3 at RP 58 (b), than internal controls over information included in an integrated report
or sustainability report, which controls may at this stage, be far less mature and formalised.
5.3.3. The remaining ‘assurance providers’ described in 5.3 above, who may be internal or external
to the organisation, are not in essence, “assurance providers”, but rather “specialists” reporting
their “findings” as a result of their investigations and or based on reports submitted in response to
regulatory requirements for specific sectors, such as:
5.3.3.1. Internal forensic examiners, fraud examiners, safety and process assessors, and statutory
actuaries’ reports relate to specific engagements arising out of the organisation’s activities which
may, if material, require disclosures in the annual integrated report or other reports or
communications.
5.3.3.2. Internal forensic examiners and fraud examiners are likely to be appointed and briefed by
line management to investigate specific alleged or suspected fraudulent activities. Fraud incidents
investigated, may support a need for legal action to be taken by the governing body, usually by the
executive members and / or senior management, rather than non-executive members. Whilst the
audit committee may well exercise oversight by way of reports received, or challenge executive
management on the brief or outcomes, it is unlikely that the audit committee can be held
responsible for establishing them as a “line of assurance”.
5.3.3.3. Compliance reports are usually sector specific and may include: Operational safety reports
or regulatory non-compliance reports by process assessors should be factual and specific to a
compliance situation for example, Safety and Quality Processes in terms of ISO standards or
relevant environmental or mining legislation, health and safety, labour returns, and many others
requiring action by the executive members of the governing body and / or senior management.
5.3.3.4. Further examples of “compliance reports” are usually sector dependent and might include:
Regulatory returns to: the SA Reserve Bank, or FICA – compliance reports of irregular deposits and
money laundering activities; Regulatory returns to the FSB by Insurance companies and retirement
funds; and returns by medical aids to the Medical Council. Interestingly, none of which appear to be
included in the “third line of assurance”. There are many other examples in the highly regulated
environment affecting businesses in South Africa.
5.3.3.5. Statutory actuaries’ reports may provide supporting evidence for relevant “statutory”
disclosures, in an integrated annual report, for audit purposes. Once again these are not really an
“assurance report”.
5.3.3.6. Each of the above circumstances potentially necessitates action by management and the
governing body and if material, may affect disclosures in integrated annual reports, or other
communications, which should perhaps be brought to the oversight of the audit committee but do
not of themselves, express an “assurance” conclusion.
5.3.4. Auditors are the only independent external assurance providers in the “third line of
assurance” that provide a report with an audit opinion or assurance conclusion. Unfortunately their
role is not adequately differentiated and is blurred with that the internal service providers
mentioned above, who may also not be regarded as independent. The inclusion of auditors in the
“third line of assurance” is further confused by their inclusion (twice), in the “fourth line of
assurance” of “external audit” and “auditors” – consequently, it is unclear what distinction is
intended.
5.4. Principle 4.5. Assurance, in RP 46(d) as “fourth line of assurance”: external assurance
providers such as external audit, sustainability and environmental auditors or regulatory
inspectors, external actuaries and external forensic examiners, and fraud examiners and auditors;
5.4.1. While external auditors are required be independent and do in fact express their opinion on
the external audit of the financial statements; sustainability and environmental auditors may
provide “other assurance reports” on sustainability reports and express limited or reasonable
assurance over selected indicators or KPI’s. Such engagements may be performed at the behest of
the audit committee / governing body based on contractual arrangements which are negotiated.
Such engagements are generally performed in accordance with the IAASB’s International Audit and
Assurance standards. It is unclear why “and auditors” is repeated again at the end of RP 46(d), as it
is already included as “external audit” earlier in the sentence.
5.4.2. In certain sectors for example, banking and insurance, the regular statutory regulatory
returns submitted to the bank or insurance may indeed provide prompt oversight by those
regulatory inspectors and result in communication of material non-compliance or unacceptable
levels of risk to the governing body, and the audit committee. Such regulators frequently require
periodic audits of the regulatory returns, by the organisation’s external auditors. In such
circumstances, these processes would provide some level of “assurance” to the audit committee.
5.4.3. The earlier comments in 5.3 above apply equally to “regulatory inspectors, external actuaries
and external forensic examiners, and fraud examiners”, who may be independent of the
organisation, but still relate to findings reported based on specific engagements that are not of
themselves “assurance engagements”. Whilst the audit committee may well exercise oversight by
way of reports received, or challenge executive management on the brief or outcomes, it is unlikely
that an audit committee comprised of three non-executive members can be held responsible for
establishing them as a “line of assurance”. The findings, if communicated to the audit committee,
may inform their evaluation of disclosures of material items in the integrated annual report or
other reports, but do not constitute a “line of assurance” for the audit committee. It may however,
enable the audit committee to provide oversight of actions taken by the governing body and
management to address relevant findings.
5.5. Principle 4.5. Assurance in RP 46(e) the “fifth line of assurance” the governing body, audit and
other committees. In reality, this is the governing body (those charged with governance) formally
“accepting responsibility” for the disclosures of material items in the integrated annual report or
other reports, effectively indicating they are satisfied that “financial and narrative disclosures are
not materially misstated or misleading”. They do not however, “express assurance” thereon.
5.5.1. Principle 4.5 Assurance of reports in RP 63 states: “Reports other than financial statements,
that are published by the organisation should disclose:
5.5.1.1. (a) a description of the assurance performed
5.5.1.2. (b) Detail of the work of other assurance providers that have been relied upon, and
5.5.1.3. (c) an assurance conclusion”.
5.5.2. Consequently the disclosures should include how the governing body, audit and other
committees have satisfied themselves via their “combined assurance” processes regarding the
integrity of material disclosures, both financial and other information, in the relevant report
content. Whilst they can explain how they “derived assurance” and the relevance to their
disclosures in the relevant reports, including their different sources, they cannot however, express
an assurance conclusion themselves, over opinions of conclusions expressed by such diverse
“assurance providers”.
5.5.3. In addition the published integrated annual report or other e.g. sustainability reports should
ordinarily contain the relevant audit or other assurance reports duly signed by the appointed
external auditor or other assurance provider.
5.6. Principle 4.5. Assurance in RP 48 states:
5.6.1. The audit committee should oversee that the scope of combined assurance is informed by the
risks and opportunities that materially affect the ability of the organisation to create value, and
addressed as follows:
5.6.1.1. (a) The relevant risks and opportunities should be mapped to the line of assurance required
and the specific assurance provider(s) within each line of assurance; and
5.6.1.2. (b) Mapping should take into consideration the intended user(s) and use(s) of the
information assured.
5.6.2. While risk mitigation controls should be implemented to address known risks assessed based
on the risk appetite of the governing body, and which may be subject to internal monitoring and
internal audit, it is difficult to envisage what controls, beyond strategic plans with disclosure of
underlying assumptions, could be designed and implemented over future orientated
“opportunities”, still to be initiated by management, that are likely to ensure the future growth and
sustainability of the organisation. It is also uncertain just how an audit committee might be
expected to “derive assurance” thereon.
6. It will be appreciated if the King Committee, having regard to these comments can clarify in the
Draft King IV what they intend for the audit committee to “establish and oversee” a “Combined
Assurance Model” or, alternatively, find a better term to describe the “five lines of assurance”.
(No response)
C. IAASB International Standards – meaning of assurance
7. Assurance is defined in the IAASB Glossary of Terms as: “An engagement in which a practitioner
aims to obtain sufficient appropriate evidence in order to express a conclusion designed to enhance
the degree of confidence of the intended users other than the responsible party about the subject
matter information (that is the outcome of the evaluation or measurement of the underlying subject
matter against criteria). Each assurance engagement is classified on two dimensions:
(i) Either a reasonable assurance engagement or a limited assurance engagement.
(ii) Either an attestation engagement or a direct engagement. ….”
9. Consequently, to overlay the IIA “combined assurance model” concept, which recognises, internal
audit “assurance” functions and well as “advisory functions” and those functions where “internal
audit” should not play a role, creates confusion as to what is actually intended in the Draft King IV in
Chapter 4.5 Recommended Practice 46. Perhaps a different term could be found to explain it.
10. Whereas reports on sustainability KPI’s are commonly encountered, the role of assurance on
“integrated reports”, prepared in accordance with the IIRC’s International <IR> Framework is still
emerging. Alternative advisory engagements are emerging such as the PwC Trust Through Insights
and the Credence Model both assessing the stage of maturity of an organizations progress.
11. Assurance providers, whether auditors or other sustainability assurance providers reference
ISAE 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial
Information frequently perform such assurance engagements in accordance with this International
Standard.
12. The IAASB IRWG is due to release a Discussion Paper later this year dealing with the flexibility
of its existing International Standards for application of assurance engagements over emerging
external reporting, intended to enhance the credibility of, and hence trust in, such reports or
aspects thereof. The Discussion Paper seeks to identify whether there is a need for further guidance
for independent practitioners providing such assurance services, and if so, in what respect.
13. IAASB ISA 720 (Revised) 2015 The auditor’s responsibilities in relation to other information in
documents containing audited financial statements. ISA 720 (Revised) makes it clear that it is not
an “assurance standard” but the objectives for the auditor are to read the other information to
determine:
13.1.1. whether there are any material inconsistencies between the other information and the
financial information; and
13.1.2. whether there is any inconsistency between the other information and the auditor’s
knowledge obtained in the audit;
13.1.3. to respond appropriately; and
13.1.4. to report accordingly.
**************************
Appendix A
Institutes of Internal Auditors - What is meant by “Combined Assurance”?
The Three Lines of Defense Model
The concept of the Three Lines of Defence Model is referred to the IIA Institutes of France, the
Netherlands, Norway, Spain, and the UK and Ireland by way of the Role of internal audit’s value
proposition for enhancing integrated reporting.
Combined Assurance
Extract from the CIIA (UK) The role of internal audit in non-financial and integrated reporting ,
“Section B: The role of internal audit in integrated reporting – assurance and advisory
Refer the Fan Diagram on page 9 which reflects:
• Core internal audit roles in regard to <IR>;
• Legitimate internal audit roles with safeguards; and
• Roles internal audit should not undertake.”
It is envisaged in this paper that:
“Internal audit’s role is likely to move from an advisory to an assurance role as the organisation’s
integrated reporting programme becomes more mature.”
However, the paper also recognises that: “Internal audit’s assurance role will not fundamentally
change as it will continue to provide assurance to the board and the executive on how controls
mitigate the risks to the entity.”
Combined Assurance is explained in this paper as:
“Combined assurance is fundamentally about marshalling assurance provision so that the people
governing the organisation and stakeholders know that objectives are being achieved through the
management of risk. Internal audit can build on the role it already has in some areas in relation to
providing combined assurance with external audit.
Where it doesn’t already do this then working to the integrated reporting model can act as a
catalyst to do so. As part of a combined assurance model internal audit can support external audit
providers who will also have to go outside their comfort zone if they are to provide the same level
of assurance over integrated reporting as over financial statements. The Marks and Spencer case
study in section C shows how internal audit is working with a big 4 firm to provide combined
assurance on sustainability reporting.
There is recognition that integrated reporting is a process in its infancy where there will be
continued development, and claims of providing full, or even reasonable, assurance at this stage
may later be seen as premature. Furthermore, whilst the degree of assurance which can be given in
some areas may increase over time, there may remain areas where it will never be possible to
provide assurance because of the nature of the reporting”.
Assurance around non-financial information and risk
“There will be challenges relating to the internal controls, as there have been historically around
any information that is presented outside of the finance process. The development of robust
internal controls, however, has developed in other areas such as environmental impact and should
do so too in integrated reporting.
In the short term there is a risk that the take-up causes confusion amongst investors, either because
they do not accept the gradual approach, or they are misled by the assurance provided. However,
this approach does not seem to have caused issues as yet for those early adopters.
Integrated reporting should also inform and improve risk management, providing additional focus
on and measure of materiality i.e. those areas that matter to a business. There should be a
responsibility to give a view on the reasonableness of both the process that delivers the conclusion
and the conclusion itself. Internal audit can provide this view on non-financial materiality.”
Comment
The views expressed in this paper, have regard to “Combined Assurance” and “Assurance around
non-financial information and risk” that arise in response to challenges presented by:
“A new era for corporate reporting is dawning as business strategies and how they are controlled
come under greater scrutiny by their stakeholders including investors, customers, local
communities, and legislative/regulatory policy-makers.
(No response)
• The UK Government introduction in 2013 of a new regulation under the Companies Act requiring
all incorporated entities to prepare a strategic report;
• The IIRC publication of its International Integrated <IR> Reporting Framework; and
• The EU Council’s adoption in September 2014 of a Directive on non-financial reporting requiring
companies to disclose a wider range of information, including policies risks and outcomes on issues
such as the environment, human rights, social, anti-corruption, diversity, etc.”
“But implementing these new types of reports presents challenges. They require organisations to
bring together information on what may be disparate parts of the business into an inclusive view of
its activities and impact.
One of the challenges is how to ensure that controls are effective, the right things are measured and
that systems and processes are in place to capture the data needed for reporting purposes. The
quality of those systems and outputs must be, as far as possible, evaluated and stakeholders
assured on them so that reporting is accurate and reliable.
Internal audit has a broad view across the organisation’s systems and processes and it should have
a role in providing assurance over the quality of information contained in the strategic and
integrated reports. This key role is well within the remit of a well-resourced, appropriately
positioned and influential internal audit function.”
The observations expressed above are related specifically to the discussion regarding ‘internal
auditors’ possible role in regard to integrated reporting by way of support to risk management and
to external audit and assurance.
**************************
(No response)
Question 8 The governing body as the focal point of corporate governance and is therefore the primary
audience of the King IV Report. King IV requires the governing body of an institutional investor to
ensure that the organisation exercises its rights as holders of beneficial interest in companies,
responsibly.Does this principle establish the necessary linkage between King IV and the Code for
Responsible Investing in South Africa (CRISA) so that governance is reinforced by all role players?
How can King IV further reinforce responsible investing practices? (For access to CRISA go to
www.iodsa.co.za.)
(No response)
Question 9 King IV introduces ‘risk and opportunity’ governance to emphasise risk as being about uncertainty
and the effect of it occurring or not occurring having a possible negative or positive effect on the
organisation achieving its objectives.Is it useful to refer to risk and opportunity governance and will
it reinforce it as a value-add rather than conformance exercise?
(No response)
Question 10 The application regime of King IV is ‘apply and explain’ as opposed to ‘apply or explain’ in King III.
The main difference between the application regime of King III and King IV is that application of the
principles is assumed in King IV as they are basic to good corporate governance. Furthermore, the
75 principles in King III have been replaced with 17 principles in King IV. For the ‘apply and
explain’ regime, explanation is required in the form of a high level narrative of the practices that
have been implemented and the progress made in the journey towards giving effect to each
principle. Will ‘apply and explain’ encourage greater transparency and qualitative? Should
disclosure on King IV application be required to be signed off by the governing body? (For further
information on the application regime refer to Part 3: Application of King IV and to Part 7 for a
template of the application register.)
(No response)
Survey Questions
Survey Questions
How much do you agree or disagree with the following statements, please give
a reason for your answer. You may need to scroll to the right to see all the options, depending on the size of the screen you are
using.
Why do you say that?
The King IV document is easy to understand (No response) (No response)
The document meets the King IV objectives (No response) (No response)
King IV is an improvement on King III (No response) (No response)
END
Have you added all the comments you would like to add? If not please click on
the section you would like to add comments to. Once you have done this you
may return to this page and submit your comments.