Compliance and Risk Management: Audit, Risk, and Governance

These flashcards cover vocabulary and key concepts related to Audit Committees, External and Internal Auditing, Risk Management principles, and Corporate Governance requirements based on the Companies Act and King IV.

Audit Committee

The principal governance watchdog of a company, composed of board members with relevant financial, control, and risk management skills.

King IV: Principal 8

The principle stating that the governing body should ensure that its arrangements for delegation within its own structures promote independent judgment and assist with the balance of power.

Section 94 of the Companies Act

The specific section of the Companies Act that sets out the duties and statutory requirements for the Audit Committee in public and state-owned companies.

Membership Requirement (Regulation 42)

A regulation requiring that at least $\frac{1}{3}$ of Audit Committee members must have qualifications or experience in economics, law, corporate governance, finance, or accounting.

Assurance

The involvement of independent persons to reduce the risk of incorrect information, giving decision makers comfort that they can make informed decisions based on accurate information.

Planning Meeting

An Audit Committee meeting held early in the financial year to discuss audit coverage, budgets, and pre-approval of non-audit services.

Closed Sessions

A best practice where the Audit Committee meets at least once a year separately with internal and external auditors without management present to discuss sensitive concerns.

External Audit

The independent and objective examination of a company’s financial statements, systems, and controls conducted by qualified and independent auditors.

Independent Review

A form of reporting that provides some assurance but is not a full audit, with findings often expressed in negative terms (e.g., 'nothing has come to the auditor’s attention').

IRBA (Independent Regulatory Board of Auditors)

The regulatory body for auditors in South Africa, with members appointed by the Minister of Finance under the Auditing Profession Act $26$ of $2005$.

Reportable Irregularity

An event that an auditor has reason to believe is taking place at a client, which must be reported in writing to the IRBA before informing the client.

Mandatory Audit Firm Rotation

An IRBA rule requiring that an entire audit firm be rotated after $10$ years, and the firm will not be eligible for re-appointment for at least a further $5$ financial years.

Combined Assurance Model

A King IV model that incorporates and optimizes all assurance services (management, internal assurance providers, and external assurance providers) to enable an effective control environment.

Internal Auditing

An independent, objective assurance and consulting activity designed to add value and improve an organization's operations through a systematic, disciplined approach.

Internal Audit Charter

A document approved by the governing body that defines the role, responsibilities, authority, and standards for the internal audit function.

Risk-Based Internal Audit

A King IV requirement that the internal audit function must focus its attention on the areas of the highest risk inside the organization.

Policies

High-level guidelines or principles that are broad, rarely change, and establish a framework for management philosophies, aims, and objectives.

Procedures

Detailed instructions outlining specific step-by-step actions that must be strictly followed to achieve a desired outcome.

Residual Risk

Risks that remain within the organization even after risk treatment treatments have been applied.

Secondary Risk

New risks that are created as a result of attempts to reduce or mitigate existing risks.

Risk Register

A comprehensive, documented record of all the risks of an organization, used to report, prioritize, and assign accountability for risk treatment.

Risk Matrix

A visual tool depicting potential risks based on two factors: the likelihood that the risk will occur and the impact of the risk.

Tolerate (Risk Treatment)

Acknowledging that a risk exists and living with it when the risk is within the organization's appetite, typically for low impact and low likelihood risks.

Terminate (Risk Treatment)

Eliminating a risk entirely by ceasing an activity, substituting elements, or withdrawing from certain markets or product lines.

Treat (Risk Treatment)

Using controls and actions, such as preventative or detective measures, to reduce the impact or likelihood of specific risks.

Transfer (Risk Treatment)

Sharing or shifting the responsibility of a risk to another party better suited to absorb it, such as through insurance or outsourcing.

Business Continuity Plan (BCP)

A strategic playbook used to maintain or quickly resume business functions if disruptions or changes occur.

Corporate Governance

The exercise of ethical and effective leadership by a governing body to achieve outcomes of ethical culture, good performance, effective controls, and legitimacy.

De Facto Director

An individual who acts as a director in terms of the $2008$ Companies Act, regardless of their official title.

Alternate Director

A person appointed to operate when their nominator (the usual director) is unable to perform their duties or is absent.

Integrated Reporting

A holistic concept that combines traditional financial reporting with non-financial elements like sustainability, risk management, and corporate governance.

GRI (Global Reporting Initiative)

An organization that creates the basis for sustainability reporting standards related to social, economic, and environmental impacts.

BBBEE (Broad Based Black Economic Empowerment)

A transformation issue that all JSE-listed companies must report compliance for within their Integrated Report.

Social and Ethics Committee

A statutory committee required for listed and state-owned companies to monitor issues like good corporate citizenship, labor, and the environment.