External audit
The external auditors are responsible for reporting on whether the financial statements are fairly presented in terms of International Financial Reporting Standards and the Companies Act of South Africa. The external auditors offer reasonable, but not absolute, assurance on the accuracy of financial disclosures. The preparation of all financial statements is the responsibility of the board.
There is consultation between external and internal auditors to ensure an efficient and comprehensive audit process. This includes periodic meetings to discuss matters of mutual interest. The audit and risk committee determines the principles for approving the use of the external auditors for non-audit services.
Internal audit
The board, guided by the audit and risk committee, is satisfied that the group has an effective internal audit function that operates in line with a board-approved internal audit charter. The internal audit function is provided by an in-house department and by an external service provider, Sizwe Ntsaluba VSP. The roles and functions of both sets of internal auditors are defined by the standards of the Institute of Internal Auditors.
Internal audit provides an independent, objective assurance that adds value to the company’s operations. Internal audit assists the group in accomplishing its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of the group’s risk management, internal control and governance processes.
Internal audit plans cover matters identified in risk management assessments as well as issues highlighted by the board, the audit and risk committee, executive directors and senior management. The audit and risk committee approves the internal audit work plan.
Financial and operational risks and controls
Risk governance operates within a defined structure approved by the board and monitored by the audit and risk committee. The objectives are to identify the level of risk appropriate to the group, taking into account the need to increase shareholder value through an entrepreneurial culture and ensuring that the group achieves its objectives. Risk identification includes both actual and potential risks. The potential impact of key risks is measured against a broad set of assumptions.
Steps to mitigate risks and compensating controls are implemented and monitored. This process is recorded in a critical risk areas document which covers a broad range of risks including physical and operational risks, human resources risks, technology risks, business continuity and disaster recovery risks, credit and market risks, and compliance risks. All business unit management committees review and update their own critical risk areas at least twice a year. Systems of internal controls include defined lines of accountability. The board is satisfied as to the effectiveness of the company’s internal controls.
Operational risks are managed to acceptable levels by ensuring the appropriate infrastructure, controls, systems and people are in place across the group. Contingency plans are in place to ensure ongoing product service delivery under adverse conditions.
An independent hotline is available to enable any suspected irregularity involving employees, stakeholders and any third parties who have a business relationship with Avusa to be reported, with appropriate action subsequently taken.
The adequacy and effectiveness of the company’s risk management is assessed by internal and external assurance providers. The board is aware that it operates in a dynamic environment, and is alert to new areas of risk exposure that may require its attention. Accordingly, there is a continual focus on ensuring that the control environment in which the business operates is understood and maintained at the required level. The board is satisfied that an adequate risk management process is in place to identify, evaluate and manage the key risks faced by the group.