About this report
download this section
Organisational overview
download this sectionPerformance review
download this sectionRSA performance
download this sectionGroup investment performance
download this sectionGovernance
download this sectionA systematic, disciplined approach to evaluating and improving the effectiveness of our risk management, control and governance processes enables us to accomplish our objectives.
The Board has assumed responsibility for the internal audit function, and in doing so has set the direction for the internal audit arrangements and delegated oversight of internal audit to the Audit Committee.
Our Head of Internal Audit and Risk Management is responsible for the internal audit function. His appointment, remuneration and removal are agreed upon in consultation with the chairmen of both the Audit and Risk Management committees. The Head of Internal Audit and Risk Management is a member of The Institute of Internal Auditors and an associate member of the South African Institute of Chartered Accountants and subject to the code of ethics of both professional bodies.
Authority
The internal audit function derives its authority from the Audit Committee, to which it reports every quarter. Terms of reference guide this committee while the objectives, authority and responsibility of the internal audit function are governed by a formal charter. Internal audit personnel have authority to review all areas of operation and have complete and unrestricted access to all activities, records, property and employees. Additionally, the Head of Internal Audit and Risk Management has unrestricted access to the chairman of the Audit Committee, as well as committee members in the absence of management, at quarterly meetings, if required.
Responsibilities
The responsibilities of the internal audit function include:
- Submitting an annual internal audit plan to the Audit Committee to indicate the extent and frequency of the work to be conducted and enable the committee to establish whether internal audit resources are sufficient and if so, how these should be allocated
- Conducting reviews of the key business processes to ensure the:
– adherence to policies, plans, procedures, laws, regulations and contracts
– achievement of established objectives and goals
– reliability and integrity of financial and operational information
– economical and efficient employment of resources
– safeguarding of assets - Reporting the results of reviews, together with opinions and recommendations, to management of sufficient authority to ensure appropriate action is taken when required
- Quarterly reporting to the Audit Committee on:
– the adequacy or design effectiveness and the operating effectiveness of the systems of internal control
– internal audit findings, recommendations and management's action plans
– progress measured against the internal audit plan and the reasons for any deviations
- Co-ordinating audit efforts with those of the external auditor
- Addressing matters brought to the attention of the organisation through the Tip-offs Anonymous Helpline, operated by Deloitte, and reporting to the Audit Committee the nature of the incidents and any remedial actions taken by executive management.
Internal audit processes
The scope of the internal audit function and the assignments planned for the following financial year are presented, discussed and approved at the final Audit Committee meeting each financial year. The internal audit plan is based on an assessment of Growthpoint's key risk areas which are determined through the risk management process and its stated objectives.
The internal audit plan is, however, subject to change during the financial year depending on:
- Unforeseen circumstances within the organisation
- Any specific changes agreed with executive management
- Any specific requirements of the Audit Committee.
Both executive and operational management are responsible for establishing and maintaining internal control systems to provide the Directors of Growthpoint with reasonable assurance that business objectives will be attained. The work of internal audit enables the Board and management to assess whether systems of internal control are both adequate and effective.
Adequacy is defined as being the situation when the key controls address the related significant inherent risks. Effectiveness is defined as being the situation when the key controls are operating as intended.
The Head of Internal Audit and Risk Management reports quarterly to the Audit Committee regarding the adequacy of the internal control environment and any significant breakdown in internal control. The Head also reports to the Risk Management Committee in respect of both the adequacy and effectiveness of risk management processes.