
Individual Assignment

Cover Sheet

Student's full name: Richemond Stewart NGOMA

Student number: 202001990

Name of Campus: Mowbray Campus

Year of Study: 3rd Year

Semester: 2nd

Programme: BCOM Business Management

Module Name: Compliance Auditing

Module Code: ADT 320

Lecturer: Bure Makomborero

Due date: 26th AUGUST 2022

Date submitted: 26th AUGUST 2022

KEEP A COPY
Please note that it is your responsibility to retain copies of your assessments.
A CheckforPlagiarism report MUST be attached to each assignment submission.

DECLARATION BY STUDENT

I, the undersigned, declare that:

➤ I have retained a copy of this assessment.
➤ I understand what plagiarism is and am aware of Damelin's policy in this regard.
➤ The work hereby submitted is my original work, gathered and utilised to fulfil the requirements of this
assignment except for source material explicitly acknowledged.
➤ I have not used work previously produced by another student or any other persons to hand in as my own.
➤ I have not allowed, and will not allow, anyone to copy my work with the intention of passing it off as their
own work.

Signature of Student Date


Table of Contents
QUESTION 1: Relationship and independence of the internal audit function, the
relationship between corporate governance, internal audit and audit committee.

Introduction

Body part

Conclusion

QUESTION 2: Measures to mitigate and efficiently prevent reputational risks.

Introduction

Body part

Conclusion

QUESTION 3: The three lines of defence.

Introduction

Body part

Conclusion

Reference list


QUESTION 1: Relationship and independence of the internal audit function, the
relationship between corporate governance, internal audit and audit committee.

From early times dating back to 3500 BC, extant records of various civilizations
indicate, by patterns of checks and ticks, that verification of records took place. The
genesis of internal auditing was done by two officials working together, with one official
reading from one of the record sheets and the other checking against the other record
sheet. This captures the notion that the profession of internal auditing, as with many
other professions, has its roots in the industrial revolution of the nineteenth century.
Hence, with the fall of the Roman Empire, auditing and control disappeared, and it was
not until the Middle Ages that the growth of centralized control once again demanded
proof of the adequacy and correctness of record-keeping. The discussion lies in the
interdependence and relationship of the internal audit function, and accordingly we will
critically evaluate the reporting relationship and independence between the internal
audit, corporate governance and audit committee in the following sections.

According to Cascarino (2015:8), internal audit can demonstrate its professionalism
by adhering to the IIA's Standards for the Professional Practice of Internal Auditing.
Adherence can also assure the head of internal audit that internal audit is complying
with company and departmental policies and procedures, and that fieldwork also
complies with these policies and procedures. The board of directors gains assurance
that the internal audit function complies with internationally accepted norms, while the
independent external auditors will be satisfied that the work of internal audit can be
used as audit evidence for particular aspects of their work. Internal auditors
themselves also gain confidence that they are achieving quality and proficiency of
output at a measurable and acceptable standard.

Internal auditing responsibilities include:

➤ reviewing the reliability and integrity of financial and operating information;

➤ reviewing operational systems to ensure compliance with policies, plans,
procedures, laws and regulations;

➤ reviewing the means of safeguarding assets and verifying their existence;

➤ appraising the economy and efficiency of the use of resources; and

➤ reviewing operational effectiveness.

Moreover, Cascarino (2015:10) argued that, of the many committees involved in the governance
and control of organizations, the audit committee has the most significant impact on
the role and effectiveness of the chief audit executive (CAE). Audit committees fulfill a
similar function within all organizations; however, the nature of the organization itself
can prescribe a particular emphasis in the working of the audit committee. This, in
turn, affects the nature of the relationship between the chief audit executive and the
committee as a whole. The authority of an audit committee derives from the board of
directors, the rules and regulations within the organization, as well as any relevant
governance legislation of the country or countries within which the organization
operates and the operative market sector. Its primary function is to assist an
organization in achieving an effective internal control structure derived directly from the
tone at the top.

Based on the relationship with internal audit, Cascarino (2015:10) added that a healthy
relationship with the internal auditors can be fostered when the audit committee chair
ensures the keeping of open communications channels. This can take many forms
including getting to know the CAE on a personal basis, frequent contact between
meetings, and the committee chair taking an interest in, and caring about, the internal
audit activity. It is also good practice for the audit committee chair to meet with the
entire senior internal audit staff from time to time to get to know some of the individuals
who report to the CAE, and to thank them for their efforts. The audit committee
provides internal audit with oversight, strategic direction, accountability and
enforcement where required. Part of its oversight involves ensuring that the internal
audit function is properly positioned, adequately resourced and strongly supported,
including reviewing and approving:

➤ the internal audit activity's charter and mission statement to ensure the needs of
the organization can be met;

➤ the annual work plan to ensure all significant risk areas are being appropriately
addressed and that no inappropriate restrictions are placed on the scope of internal
audit activities;

➤ the adequacy of resources, skill levels, and budget to ensure the work plan is
achievable within the appropriate time; and

➤ the selection of internal audit projects, adequacy of performance and
appropriateness of recommendation.

On independence, Cascarino (2015:11) noted that the audit committee relies heavily
on the internal audit function to provide objective opinions, information and, when
necessary, education to the audit committee while the audit committee in turn will
provide oversight and validation to the internal audit function. In today’s environment
this could include the outsourcing or co-sourcing of all or part of the internal audit
function but the audit committee should ensure that the role of the chief audit executive
remains within the organization itself. As part of the audit committee’s responsibility
for ensuring the independence of internal audit, the audit committee is responsible for
providing input into the appointment, dismissal, evaluation, compensation, and
succession planning of the chief audit executive. This is a critical activity of the audit
committee since the CAE will, of necessity, have a high degree of interaction with the
audit committee. The committee will typically seek to ensure that candidates for a CAE
position have distinguished themselves professionally. They would normally have an
advanced degree, the appropriate professional designation, and several years’
experience in an audit supervisory role.

It seems clear that internal audit plays a vital role within the organization. To
conclude the essay, what we can summarize is that internal auditing and the audit
committee perform similar functions and one of them has to rely on the other in terms
of relationship and independence.

QUESTION 2: Measures to mitigate and efficiently prevent reputational risks.

“We shall have to practise to lead our life on the basis of our needs, not under the
influence of our greed”, says Lobsang Tenzin. Over the past years, ESKOM has
suffered a loss narrowed to 18.9 billion rand in the year earlier due to mismanagement
and any other act that could bring down the company's reputation. This captures the
notion that companies whose reputation is tarnished are exposed to risks, and those
risks are called reputational risks. Given this, the essay deals with the impact of
reputational risks and, accordingly, we will point out in the next sections what measures
ESKOM can adopt so as to mitigate and prevent any reputational risks from happening.

It is well known that any house is only as strong as its foundation and as weather proof
as its insulation. The same goes for an organisation. Agwu (2014:20) argued that it is
necessary, therefore, that a strong foundation is built by leveraging robust information
technology systems, framing effective policies and procedures, laying down strict
compliance processes, setting high integrity standards, developing efficient monitoring
capabilities and initiating strict punitive action against the culprits in a time bound
manner. Given this, it is also imperative that ESKOM insulate itself from
unscrupulous activities by strengthening the fraud detection, mitigation and control
mechanism through prompt identification, investigation and exchange of information.
This is necessary not just for the reputation of the company but for ensuring the
stability and resilience of the overall financial system and sustaining the confidence
that various stakeholders have in its strength and integrity.

Here are some of the recommendations that may help ESKOM to prevent its
reputational risk:

➤ Conduct periodic surprise audits and annual reviews of procedures.

➤ Provide for the physical security of all payments.

➤ Maintain payment images in preference to paper copies.

➤ Ensure appropriate security over signature plates, cards, and software.

➤ Require an additional review process for all financial records over a specified
amount.

➤ Ensure two party authorizations (initiation and release) on all transactions.

➤ Ensure proper segregation of duties among staff initiating, authorizing,
preparing, signing, and mailing payments and reconciling bank statements.

➤ Review all bank accounts at least annually. Consolidate or eliminate bank
accounts that are not frequently utilized.

➤ Ensure that controls exist for the storage and destruction of all documents that
contain account and other related information.

➤ Identifying the risks to which systems and procedures are exposed.

➤ Developing and maintaining effective controls to prevent.

➤ Ensuring that controls are being complied with.

Furthermore, Fombrun, Gardberg and Barnett (2000:88) defined reputational risk as
the range of possible gains and losses in reputational capital for a given firm. Below
are some recent statements by senior executives of several prominent companies who
believe that a company's reputation can still be regained by using the following (Fombrun,
Gardberg and Barnett, 2000:87):

➤ Building community ties and maintaining a license to operate.
➤ Increase morale and attachment of current employees.
➤ Prepare and attract potential employees.
➤ Develop potential customers.
➤ Enact the environment where the company can prosper.

In conclusion, different risks require different measures to be taken so as to tackle
them accordingly. Like any other type of risk, reputational risks also need to be detected,
prevented and corrected so that, when internal controls are put in place, risks can be
mitigated and prevented.

QUESTION 3: The three lines of defence.

The three lines of defence model (TLoD) aims to provide a simple and effective way
to improve coordination and enhance communications on risk management and
control by clarifying the essential roles and duties of different governance functions.
Without effective coordination of these governance functions, work can be duplicated
or key risks may be missed or misjudged. It has been accepted as a best practice for
listed companies and as a required organizational model by banking regulators and
the Basel Committee on Banking Supervision in regulated financial institutions as a
response to deficient risk management in the financial crisis. The discussion of our
essay deals with the three lines of defence and accordingly, we will explain each of
them in the following sections.

According to Bantleon, Eulerich, Hucke, Pedell, and Ratzinger‐Sakel (2021:59-60), the
TLoD provides a simple and effective way to enhance communications on risk
management and control by clarifying essential roles and duties. In particular,
management control is the first line of defence in risk management, the various risk
control and compliance oversight functions established by management are the
second line of defence, and independent assurance provided by the internal audit
function (IAF) is the third line of defence. The effectiveness of risk management will
be realized if the control and assurance functions are carried out proportionally by the
three lines of defense, where the first line of defense must take the dominant portion
of the control function, while the second line of defense must take the portion of the
control and assurance function in a balanced manner, and lastly, the third line of
defense must take control of the assurance function (Muhsyaf, Cahyaningtyas and
Sasanti, 2021:90).

In conclusion, different risks require different measures to be taken so as to tackle
them accordingly. Thus, a company that continuously identifies, assesses, evaluates and monitors
its risks has more chance to prevent the company from losses.

Reference list:

Agwu, M.E., 2014. Reputational risk impact of internal frauds on bank customers in
Nigeria. International Journal of Development and Management Review, 9(1), pp.175-192.

Bantleon, U., d'Arcy, A., Eulerich, M., Hucke, A., Pedell, B. and Ratzinger‐Sakel, N.V.,
2021. Coordination challenges in implementing the three lines of defense
model. International Journal of Auditing, 25(1), pp.59-74.

Fombrun, C.J., Gardberg, N.A. and Barnett, M.L., 2000. Opportunity platforms and
safety nets: Corporate citizenship and reputational risk. Business and review, 105(1).

Muhsyaf, S.A., Cahyaningtyas, S.R. and Sasanti, E.E., 2021, June. Three line of
defense: An effective risk management. In 18th International Symposium on
Management (INSYMA 2021) (pp. 85-91). Atlantis Press.
