Growthpoint's policy is to provide and support an internal audit function that operates as an independent, objective assurance and consulting activity. This assists us in accomplishing our objectives through a systematic, disciplined approach to evaluating and improving the effectiveness of our risk management, control and governance processes.
The Board has assumed responsibility for the internal audit function, set the direction for the internal audit arrangements and delegated oversight of internal audit to the Audit Committee.
The internal audit function is provided in-house and is the responsibility of the Head of Internal Audit and Risk Management, whose appointment, remuneration and removal are decided on in consultation with the chairmen of both the Audit and Risk Management Committees. The Head of Internal Audit and Risk Management is a member of The Institute of Internal Auditors and an associate member of the South African Institute of Chartered Accountants, and is subject to the code of ethics of both professional bodies.
The internal audit function derives its authority from the Audit Committee to which it reports every quarter. This committee is guided by its Terms of Reference. The objectives, authority and responsibility of the internal audit function are governed by a formal charter. Internal audit personnel are authorised to review all areas of operation. They have complete and unrestricted access to all activities, records, property and employees. Additionally, the Head of Internal Audit and Risk Management has unrestricted access to the chairman of the Audit Committee, as well as committee members in the absence of management, at quarterly meetings, if required.
The responsibilities of the internal audit function include:
- Submitting an annual internal audit plan to the Audit Committee which indicates the extent and frequency of the work to be conducted and enables the committee to establish whether internal audit resources, as well as the allocation thereof, are appropriate to its requirements
- Conducting reviews of the key business processes to ensure the:
  - adherence to policies, plans, procedures, laws, regulations and contracts
  - achievement of established objectives and goals
  - reliability and integrity of financial and operational information
  - economical and efficient employment of resources
  - safeguarding of assets
- Reporting the results of reviews, together with opinions and recommendations, to management of sufficient authority to ensure appropriate action is taken when required
- Quarterly reporting to the Audit Committee on:
  - the adequacy or design effectiveness and the operating effectiveness of the systems of internal control
  - internal audit findings, recommendations and management's action plans
  - progress measured against the internal audit plan and the reasons for any deviations
- Co-ordinating audit efforts with those of the external auditor
- Addressing matters brought to the attention of the organisation through the Tip-offs Anonymous Helpline operated by Deloitte and reporting to the Audit Committee the nature of the incidents as well as any remedial actions taken by executive management
Internal audit processes
The scope of the internal audit function and the assignments planned for the following financial year are presented, discussed and approved at the last Audit Committee meeting of each financial year. The internal audit plan is based on an assessment of Growthpoint's key areas of risk in current operations, which is made as part of the risk management process as well as its stated objectives.
The internal audit plan is, however, subject to change during the financial year depending on:
- Unforeseen circumstances within the organisation
- Any specific changes agreed with executive management
- Any specific requirements of the Audit Committee
Both executive and operational management carry the responsibility for establishing and maintaining the systems of internal control necessary to provide the directors of Growthpoint with reasonable assurance that business objectives will be attained. Internal audit's role is to assist the Board and management in assessing whether the systems of internal control are both adequate and effective.
Adequacy is defined as whether the key controls address the related significant inherent risks. Effectiveness is defined as whether the key controls are operating as intended.
The Head of Internal Audit and Risk Management reports quarterly to the Audit Committee as to the adequacy of the internal control environment and any significant breakdown in internal control, and to the Risk Management Committee as to the adequacy and effectiveness of risk management processes.