THE CHALLENGE
The public sector is required to meet higher governance standards by complying with national legislation such as the PFMA (Public Financial Management Act) and the MFMA (Municipal Financial Management Act). The Executive Authority is accountable to the legislature / parliament in terms of the achievement of the goals and objectives of the Institution. The Executive Authority should take an interest in risk management to the extent necessary to obtain comfort that properly established and functioning systems of risk management are in place to protect the Institution against significant risks. As risk management is an important tool to support the achievement of this goal, it is important that the Executive Authority should provide leadership to governance and risk management.
Typical business challenges facing public sector institutions include:
- Compliance with the PFMA and MFMA
- Service delivery
- Budget constraints
- Supply chain management
- Unauthorised, irregular, fruitless and wasteful expenditure
- Fraud and corruption
- Increased social responsibility and social unrest
- Health & safety (EH&S) risks
- Skills shortage
- Operational inefficiencies
- Infrastructure quality
- Reputational risk
- Qualified audits
THE LEGISLATION
The following is a brief extract of the sections in the PFMA which refer to risk management and internal control / audit assurance:
38. General responsibilities of accounting officers.—(1) The accounting officer for a department, trading entity or constitutional institution—
(a) must ensure that, that department, trading entity or constitutional institution has and maintains—
(i) effective, efficient and transparent systems of financial and risk management and internal control;
(ii) a system of internal audit under the control and direction of an audit committee complying with and operating in accordance with regulations and instructions prescribed in terms of sections 76 and 77;
51. General responsibilities of accounting authorities.—(1) An accounting authority for a public entity—
(a) must ensure that, that public entity has and maintains—
(i) effective, efficient and transparent systems of financial and risk management and internal control;
(ii) a system of internal audit under the control and direction of an audit committee complying with and operating in accordance with regulations and instructions prescribed in terms of sections 76 and 77;
3. Internal control
3.1 Audit committees
3.1.10 The audit committee must, amongst others review the following—
(a) the effectiveness of the internal control systems;
(b) the effectiveness of the internal audit function;
(c) the risk areas of the institution’s operations to be covered in the scope of internal and external audits;
(d) the adequacy, reliability and accuracy of the financial information provided to management and other users of such information;
(e) any accounting and auditing concerns identified as a result of internal and external audits;
(f) the institution’s compliance with legal and regulatory provisions; and
(g) the activities of the internal audit function, including its annual work programme, coordination with the external auditors, the reports of significant investigations and the responses of management to specific recommendations.
3.1.13 In addition to the above, an audit committee must, in the annual report of the institution, comment on—
(a) the effectiveness of internal control;
(b) the quality of in year management and monthly/quarterly reports submitted in terms of the Act and the Division of Revenue Act; and
(c) its evaluation of the annual financial statements.
3.2 Internal controls and internal audit
3.2.1 The accounting officer must ensure that a risk assessment is conducted regularly to identify emerging risks of the institution. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority, and to determine the skills required of managers and staff to improve controls and to manage these risks. The strategy must be clearly communicated to all officials to ensure that the risk management strategy is incorporated into the language and culture of the institution.
3.2.7 An internal audit function must prepare, in consultation with and for approval by the audit committee –
(a) a rolling three year strategic internal audit plan based on its assessment of key areas of risk for the institution, having regard to its current operations, those proposed in its strategic plan and its risk management strategy;
9. Unauthorised, irregular, fruitless and wasteful expenditure
9.1 General
9.1.1 The accounting officer of an institution must exercise all reasonable care to prevent and detect unauthorised, irregular, fruitless and wasteful expenditure, and must for this purpose implement effective, efficient and transparent processes of financial and risk management.
King IV code (copyrighted to The Institute of Directors Southern Africa) and municipal and public sector entities:
Principle 4: The council / accounting authority should appreciate that the municipality’s / entity’s core purpose, its risks and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process.
Principle 11: The council / accounting authority should govern risk in a way that supports the municipality / entity in setting and achieving its strategic objectives.
Principle 13: The council / accounting authority should govern compliance with applicable laws and adopted, non-binding rules, codes and standards in a way that supports the municipality / entity being ethical and a good corporate citizen.
Principle 15: The council / accounting authority should ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the municipality’s / entity’s external reports.
THE SOLUTION
The Public Sector Risk Management Framework (Framework) has been developed (by National Treasury) in response to the requirements of the Public Finance Management Act and Municipal Finance Management Act for Institutions to implement and maintain effective, efficient and transparent systems of risk management and control. Public sector institutions need an effective way of prioritising and managing risk across the institution in order to comply with the legislation. Proactive risk management involves the documenting and managing of risks, controls, incidents / near misses and the ongoing monitoring of risk mitigation plans.
HOW BARNOWL FACILITATES THE SOLUTION
BarnOwl GRC software streamlines your GRC processes, integrates risk, compliance and assurance information on a centralised platform, standardises risk and control taxonomies and offers the flexibility and scalability required for your changing business environment. BarnOwl:
- provides a flexible risk management framework for the public sector (in line with the National Treasury framework and the COSO & ISO31000 standards) for you to manage your risk and compliance process as well as facilitate inspections / audits, findings and detailed analysis.
- enables you to identify and document risks, causes, consequences and related controls.
- automates risk and control self-assessments.
- facilitates performance management with the measurement and reporting of KPIs (SDBIP) and KRIs.
- enables you to record, monitor and report on issues / incidents.
- provides a centralised repository for all your regulatory compliance requirements (fully integrated 3rd party compliance library) and tracks how you are meeting each compliance requirement.
- streamlines internal audits, as well as third-party audits and allows you to gain real-time visibility into risk-based auditing, audit findings, root cause analysis and the ongoing monitoring of mitigation actions.
- brings together risk management, compliance, assurance, as well as all related communication, analysis and reporting under a common platform.
- provides continuous monitoring of your risk universe with early-warning notifications.
- drives proactive risk mitigation strategies.
- provides risk intelligence and trend reporting at all levels of the institution.
THE BENEFITS OF USING BARNOWL
The benefits of using BarnOwl include:
- Improved GRC maturity through an integrated and flexible GRC solution.
- Optimise and monitor risk-reward outcomes by gaining a comprehensive, real-time view of your institution’s risk profile.
- Simplify regulatory compliance, using a single system to manage your compliance requirements and activities.
- Enhance GRC productivity and efficiency as well as embed standards across the value chain.
- Facilitate greater communication and collaboration on GRC tasks across all business units and locations.
- Drive ownership and accountability for risk management across the institution.
- Facilitate the principle that an institution’s risk and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process. (King IV™ Principle 4)