PWC - Combined Assurance (including Governance)

www.pwc.comCombined Assurance(includingGovernance)

Agenda1.Why we are seeing corporate failure?2. What Board are saying?3. What is combined assurance?4. Challenges5. Combined Assurance Model6. Value of Combined Assurance7.What key questions should you be asking?8. QuestionsPwCJune 20192

Why are we seeing corporate failuresReasons for significant value destruction across a number of industries over the past 3 years,globally and in South Africa (for example Steinhoff) highlighted several apparent failures interms of: Understanding the nature and quantum of risk, Appropriate involvement in risk assurance oversight at Board level, Strategy and operating models that are able to appropriately respond to declining marketconditions, Understanding relationships with key stakeholders, Regulatory compliance strategies that are able to deal with onerous and ever-changing laws,and Risk assurance strategies that provide not only appropriate levels of assurance, but alsosufficient personal protection for the Board/Council and Executive management.PwCJune 20193

What Boards/Councils are saying? I need to know that everything is undercontrol”.“I needassurancebecause I need to know whether what I am beingtold is correct”. I need to be confident that I am going toachieve my organisational objectives andgoals”. I need to know if things are going horriblywrong”. I need to know whether the project isgoing to finish on time and within budget”.PwCJune 20194

What is combined assurance? King III introduced combined assurance and in King IV thecombined assurance model evolved A combined assurance model incorporate and optimizes allassurance services and functions so that, taken as a whole, theseenable an effective control environment; support theintegrity of information used for internal decision-making bymanagement, the governing body and its committees.PwCJune 20195

Combined Assurance ModelGoverning body shouldassess the output ofcombined assurance, & forman opinion on the integrityof information & reports, &if an effective controlenvironment has beenachieved Responsibility ofgoverning body, may bedelegated to auditcommittee Internal audit charter Ensure internal audit hasthe necessary skills &resources to address thecomplexity & risk faced bythe organisationPwCAssessDesignCombinedAssurance ModelInternalAuditObjectivesAssurance ofintegrated reportsNot prescribed by the Code.Allows for the governing body touse its judgement in this regard Effective internal controlenvironment Supporting the integrity ofinformation Supporting the integrity ofexternal reports Responsibility of thegoverning body Consider legal requirements External reports shoulddisclose information about thetype of assurance processapplied in that reportJune 20196

Governance responsibilities1st line of defence2nd line of defencePrimary responsibilityfor establishingeffective governance andrisk and controlenvironmentProvides confidencethat risk controlenvironment is in place,fit for purpose andworking as intendedOperate Riskand controlenvironmentSetExpectationsand MonitorGovernance3rd line of defenceIndependent challenge –justifies that confidencePwCJustifyConfidenceJune 20197

Governance modelToneBehaviour vitiesPwCCore businessmodelJune 20198

It’s important to get the balance across the 3LoDScenario AScenario B1st line: Risk and control environment: OK1st line: Risk and control environment: WeakAbility to communicate this to the 2nd Line poorBut tells a good story able to diver 2nd L Line toother areas of the business ResultResult112?Role of IA challenge – tohelp make risk and controlenvironment explicit andtransparent – A CoachingRolePwC2FalseAssurance?2nd Lines increasedemands onorganisation toexplain how objectiveswill be met and whythey are so confidentRole of IA challenge – to ensure risk and controlenvironment is in place, fit for purpose andworking as intended and that there is justifiedconfidence in the assurances being provided by linemanagement – A Challenging roleJune 20199

Challenges Auditor General has reported overall regression in assuranceprovided by role players Lack of harmonization of assurance functions Tone at the Top – Risk Governance values, behaviours, expectations Silo agendas Lack of understanding of roles and responsibilities Inability to find common language and lack of agreement ondefinition of top risks Combined assurance is a watered-down internal and external auditcoordination document The concept of ‘assurance’ is not understood or valuedPwCJune 201910

Combined Assurance OverviewCombined Assurance brings togetherthe business’ lines of assurance tomost effectively and efficientlyidentify, manage and monitor keybusiness risks, while aligning tostrategy and enablingwith technology; resulting in riskinformed business decisionmaking.PwCJune 201911

Principle 15 :Integrated Assurance – Drivers of ValuePwCJune 201912

Its important to understand the integrity of allassuranceStrategic RiskCorrectiveactionAssuranceRequired?External AuditRegulatory PrioroversightYear4th lineReview?InvestigationOtherIndependent3rd lineIT SecurityComplianceAACBusiness ControlERMSupply ChainInspectionFunctional oversight2nd 1st lineResultsInclude in IAPlan?Assurance Provider3rd PartyAssurancePerformance ProviderNNFinancial RiskYYInvestment and Project RiskYYRegulatory & ComplianceNNOperational – ITYYOperational – PeopleNNOperational - CommercialNYCyber RiskYYBusiness ContinuityNYFraud RiskYYOverall provisionProvider assessmentKey:High AssuranceModerate AssuranceRelative strength of control environmentPwCLow AssuranceKey:Gap in PlanOpportunity to refocusMaintain currentJune 201913

Combined Assurance Maturity ModelLaying theFOUNDATION Approval and adoption ofCombined AssuranceFramework Alignment of combinedassurance with risk classificationmodel Establish regular engagementbetween Lines of Assurance Integrated combined assuranceplanning - collaboration betweenassurance providers on scopeand timing of assurance work Regular Combined Assurancereporting to Audit CommitteePwCBuilding theSTRUCTURE Defined and consistentidentification of keyprocesses and key controlsacross the lines of assurance Combined AssuranceReporting facilitatesIntegrated Board Oversight Formalised assurancemethodologies for all threeLines of AssuranceEstablished &EMBEDDED Reliance on the work of otherassurance providers (asappropriate) Consistent use of assurancemethodologies Formalised assuranceprovided by Line1 Embedded risk culture,including combinedassurance, across theorganisationJune 201914

The value of Combined AssuranceWorking off acommon risklandscape andrelevant assuranceefforts are directedto the risks thatmatter most1Better utilisation anddeployment ofassurance resourceswhich couldultimately result incost-savings5PwCA betterunderstanding of theassurance focus ofthe organisation’sissues achievedthrough assuranceproviders2Enhanced controlenvironment,awareness anddiscipline – reportsreach the right levels6Reduces thelikelihood ofassurance risks“falling through thecracks”3Better coordinationbetween assuranceproviders result inbetter planning ofthe timing ofassurance on thebusiness4Increased executivemanagement andAudit CommitteeconfidenceSingle picture ofassurance is formed78June 201915

What key questions should you be asking? Have you defined a governance framework which include a risk and combinedassurance framework? Do all assurance providers understand their roles and responsibilities? Have you established a mechanism for regular engagement? Are risks contained in the Combined Assurance Plan the key top risks of theorganisation? Does it adequately reflect the risk profile of the organisation? Are all areas of King IV addressed? How did management arrive at the view to include these risks in the CombinedAssurance Plan? What has changed in the organization’s environment (internal and external) whichcould affect the top risks included in the Combined Assurance Plan? How did management arrive at their view of the level of assurance needed and plannedfor each key risk included on the Plan? How does the results of assurance affect the assessment of the control environment andrisk? Will the plan support the AC disclosures with respect to control effectiveness?PwCJune 201916

Thank youGiovanna De RisiAssociate DirectorOffice: 27 (12) 797 5830Email: giovanna.de-risi@pwc.comPwCJune 201917

QuestionsPwCJune 201918

“The information contained in this publication by PwC is provided for discussion purposes onlyand is intended to provide the reader or his/her entity with general information of interest. Theinformation is supplied on an “as is” basis and has not been compiled to meet the reader’s orhis/her entity’s individual requirements. It is the reader’s responsibility to satisfy him or her thatthe content meets the individual or his/ her entity’s requirements. The information should notbe regarded as professional or legal advice or the official opinion of PwC. No action should betaken on the strength of the information without obtaining professional advice. Although PwCtake all reasonable steps to ensure the quality and accuracy of the information, accuracy is notguaranteed. PwC, shall not be liable for any damage, loss or liability of any nature incurreddirectly or indirectly by whomever and resulting from any cause in connection with theinformation contained herein.” PwC Inc. [Registration number 1998/012055/21](“PwC”). All rights reserved. PwC refers tothe South African member firm, and may sometimes refer to the PwC network. Each memberfirm is a separate legal entity. Please see www.pwc.co.za for further details.

Email: giovanna.de-risi@pwc.com. PwC Questions June 2019 18 “The information contained in this publication by PwC is provided for discussion purposes only and is intended to provide the reader or