Public Finance Management Act, 1999 (Act No. 1 of 1999)RegulationsTreasury Regulations for Departments, Constitutional Institutions and Public EntitiesPart 9 : Public entities27. Internal control and corporate management |
27.1 | Audit committees [Sections 51(1)(a)(ii) and 76(4)(d) of the PFMA] |
27.1.1 | The accounting authority of a public entity must establish an audit committee as a subcommittee of the accounting authority. |
27.1.2 | A shared audit committee may be established for a public entity and any subsidiaries under the ownership and control of that entity. |
27.1.3 | The chairperson of the audit committee must be independent, be knowledgeable of the status of the position, have the requisite business, financial and leadership skills and may not be the chairperson of the accounting authority or a person who fulfils an executive function in the public entity. |
27.1.4 | The majority of the members of an audit committee shall consist of non-executive members appointed by the accounting authority, although committee members need not all be members of the accounting authority. The majority of persons serving on an audit committee must be financially literate. |
27.1.5 | The relevant executive authority must concur with any premature termination of services of a member of the audit committee. |
27.1.6 | The audit committee must operate in terms of a written terms of reference, which must deal adequately with its membership, authority and responsibilities. The terms of reference must be reviewed at least annually to ensure its relevance. |
27.1.7 | It must be disclosed in the entity’s annual report whether or not the audit committee has adopted a formal terms of reference and if so, whether the committee satisfied its responsibilities for the year, in compliance with its terms of reference. |
27.1.8 | The audit committee must, amongst others, review the following: |
(a) | the effectiveness of the internal control systems; |
(b) | the effectiveness of internal audit; |
(c) | the risk areas of the entity’s operations to be covered in the scope of internal and external audits; |
(d) | the adequacy, reliability and accuracy of financial information provided to management and other users of such information; |
(e) | any accounting and auditing concerns identified as a result of internal and external audits; |
(f) | the entity’s compliance with legal and regulatory provisions; and |
(g) | the activities of the internal audit function, including its annual work programme, coordination with the external auditors, the reports of significant investigations and the responses of management to specific recommendations; and |
(h) | where relevant, the independence and objectivity of the external auditors. |
27.1.9 | The audit committee must have explicit authority to investigate matters within its powers, as identified in the written terms of reference. The audit committee must be provided with the resources it needs to investigate such matters and shall have full access to information. The audit committee must safeguard all information supplied to it withinthe ambit of the law. |
27.1.10 | The audit committee must— |
(a) | report and make recommendations to the accounting authority; |
(b) | report on the effectiveness of internal controls in the annual report of the institution; and |
(c) | comment on its evaluation of the financial statements in the annual report. |
27.1.11 | Should a report from internal audit (or any other source) to the audit committee implicate any member(s) of the accounting authority in fraud, corruption or gross negligence, the chairperson of the audit committee must promptly report this to the relevant executive authority and the Auditor-General. |
27.1.12 | The audit committee must communicate any concerns it deems necessary to the executive authority, the Auditor-General and if appropriate, to the external auditor. |
27.1.13 | The audit committee must meet at least annually with the Auditor-General or the external auditor, whichever applicable, to ensure that there are no unresolved issues of concern. |
27.2 | Internal controls and internal audit [Sections 51(1)(a)(ii) and 76(4)(b) and (e) of the PFMA] |
27.2.1 | The accounting authority must ensure that a risk assessment is conducted regularly so as to identify emerging risks of the public entity. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority and to determine the skills required of managers and staff to improve controls and to manage these risks. The strategy must be clearly communicated to all employees to ensure that the risk management strategy is incorporated into the language and culture of the public entity. |
27.2.2 | All public entities to which these regulations apply must have an internal audit function. |
27.2.3 | A public entity and subsidiaries under the ownership control of the entity may have a shared internal audit function. |
27.2.4 | The internal audit function may, in accordance with preferred tendering procedures, be contracted out to an external institution with specialist audit expertise, provided that the external auditors may not perform the internal audit function. |
27.2.5 | The purpose, authority and responsibility of the internal audit function must, in consultation with the Board, be formally defined in an audit charter and be consistent with the Institute of Internal Auditors ("IIA") definition of internal auditing. |
27.2.6 | Internal audit must be conducted in accordance with the standards set by the Institute of Internal Auditors. |
27.2.7 | The internal audit function must, in consultation with the audit committee, prepare: |
(a) | a rolling three-year strategic internal audit plan based on its assessment of key areas of risk for the public entity, having regard to its current operations, the operations proposed in its corporate or strategic plan and its risk management strategy; |
(b) | an internal audit plan for the first year of the rolling plan; |
(c) | plans indicating the scope of each audit in the annual internal audit plan; and |
(d) | reports to the audit committee detailing its performance against the plan, to allow effective monitoring and intervention when necessary. |
27.2.8 | The internal audit function must report directly to the accounting authority and shall report at all audit committee meetings. The function must be independent of activities that are audited, with no limitation on its access to information. |
27.2.9 | The internal audit function must co-ordinate with other internal and external providers of assurance to ensure proper coverage and to minimise duplication of effort. |
27.2.10 | The internal audit function must assist the accounting authority in maintaining effective controls by evaluating those controls to determine their effectiveness and efficiency, and by developing recommendations for enhancement or improvement. The controls subject to evaluation should encompass the following: |
(a) | the information systems environment; |
(b) | the reliability and integrity of financial and operational information; |
(c) | the effectiveness of operations; |
(d) | safeguarding of assets; and |
(e) | compliance with laws, regulations and controls. |
27.2.11 | The internal audit function must assist the accounting authority in achieving the objectives of the institution by evaluating and developing recommendations for the enhancement or improvement of the processes through which: |
(a) | objectives and values are established and communicated; |
(b) | the accomplishment of objectives is monitored; |
(c) | accountability is ensured; and |
(d) | corporate values are preserved. |
27.3 | Chief financial officers |
27.3.1 | Unless directed otherwise by the relevant treasury, each public entity listed in Schedule 3A or 3C of the Act shall have a chief financial officer as the head of the finance division. |
27.3.2 | Without limiting the right of the accounting authority to assign specific responsibilities, the general responsibility of the chief financial officer is to assist the accounting authority in discharging the duties prescribed in Part 2 of Chapter 6 of the Act. |