Final King III synopsis September 2009


Introduction

The Code of Governance Principles for South Africa 2009 – colloquially known as King III – was released by the Institute of Directors (IoD) in February 2009 for a period of public comment and debate with the revised and final version being released in September 2009.

The update to the King II Report, issued in 2002, came about due to changes to many pieces of South African legislation, specifically the Companies Act, more stringent legislation in certain jurisdictions, and changes in global corporate governance standards and expectations of stakeholders.

The Code strengthens previous requirements, clarifies certain issues, expands on existing recommendations and introduces new concepts and recommendations. It ensures that it is aligned to the new and impending Companies Act and attempts to differentiate between what is a legal requirement with the word “must” and what is a recommendation with the word “should”.

It has attempted to move to a more principle based approach that can be applied by any organisation – private or public sector; listed or owner managed – and hence is applicable to all entities.

The “comply or explain” principle has been changed to the “apply or explain” principle: essentially there has been no fundamental change in the approach to governance, ie, there are many different ways to implement good governance principles and the view from the King Committee is that a “comply or else” regime should not be implemented in South Africa.

This synopsis highlights some of the key requirements, major changes to the King II Report and gives some rationale for the requirements put in place. We do however recommend that all directors read the full report to ensure they are aware of and understand all the issues and requirements.

Ethical leadership and corporate citizenship

Key requirements

• The board should ensure that the company is and is seen to be a responsible corporate citizen through the development and implementation of strategies and policies in relation to economic, social and environmental impacts.
• Leadership should be effective and based on an ethical foundation.
• The board should ensure that management cultivates a culture of ethical conduct through the creation of an ethics risk profile, the establishment of a code of conduct, through the integration of ethics into all company practices, procedures, policies and conduct and through the assessment, monitoring, reporting and disclosure of the company’s ethics performance.
• The assurance of the company’s ethics performance supported by an assurance statement in the integrated report is recommended.

Key changes from King II

• The whole chapter is new and although the concept of organisational integrity was included in the previous report these requirements are essentially new concepts.

Rationale

One of the key concepts of the report is sustainability. In order for sustainability to become integrated into the company, effective leadership is required. As such the board is to be responsible for the company’s “sustainable development” and as a result, an entire chapter has been dedicated to this notion i.t.o. corporate citizenship and the need for effective ethical leadership in this regard.

Boards and directors

Key requirements

• All companies should be headed by a unitary board comprised of a majority of non-executive directors.
• There should be a minimum of two executive directors on the board – the Chief Executive Officer (CEO) and the director responsible for the finance function.
• The board chairman should be an independent non-executive director.
• The board should appoint the CEO, who should be separate from the chairman.
• The board should meet as often as required to fulfil their duties, preferably at least four times per annum.
• The board should appreciate that sustainability is not separate from strategy, risk and performance and should link long term sustainability to strategy to create business opportunities.
• The board should ensure an effective risk-based internal audit and the integrity of the integrated report.
• The board should ensure that there is transparent and effective communication with stakeholders on both positive and negative aspects of the business.
• The board should report on the effectiveness of the company’s system of internal controls in the integrated report.
• The following should be disclosed in the integrated report:
  • The board and board committee’s composition, the number of meetings held, attendance and activities
  • The length of service and age of directors
  • Significant directorships of each board member
  • The reasons for the cessation of appointment of directors
  • The education, qualification and experience of directors
  • Any actual or potential connections or exposure
  • Whether supervising of management is required in which case retention of board experience should be called for.
• The board should appoint an audit, risk, and remuneration and nomination committee.
• Board committees, other than the risk committee, should comprise only of board members and should have a majority of non-executive directors. The majority of these non-executive directors should be independent. Other than the executive committee which is usually chaired by the CEO, all committees should be chaired by an independent non-executive director.
• The performance of the board, its committees and individual directors should be assessed annually and the results thereof should be disclosed in the integrated report, along with action plans to be implemented, if any.
• A policy to pay salaries on average above the median requires special justification.

Key changes from King II

• The majority of non-executive directors should be independent.
• Non-executive directors should not receive share options.
• The chairman and non-executive directors should not receive incentive awards geared to the share price or corporate performance.
• The remuneration policy should be approved by shareholders at the annual general meeting.
• The chairman of the board should be independent and free of conflicts of interest on appointment. Failing which, the board should consider appointing a lead independent non-executive director.
• Changes have been made to the definitions of non-executive directors and independent directors as follows:
• The memorandum of incorporation should allow the board to remove any director including executive directors.
• Adopting and implementing policies and procedures of the holding company in the operations of the subsidiary company should be a matter for the board of the subsidiary company to consider and approve, if the subsidiary company’s board considers it appropriate. The subsidiary company should disclose this adoption and implementation in its integrated report.
• The retired CEO should not become chairman of the board of the same company until three years have passed since the end of his/her tenure as an executive director and an assessment of his/her independence has been performed.
• The remuneration of each individual director and the three most highly paid employees who are not directors of the company should be disclosed.
• Every year, the chairman and the board should evaluate the independence of independent non-executive directors. The classification of directors in the integrated report as independent should be done on the basis of this assessment.
• If an independent non-executive director has served on the board for more than nine years, the board should assess if his/her independence has been impaired. If not, a statement that the independent director’s independence of character and judgement has not been affected or impaired should be included in the integrated report.
• The integrated report should disclose any external advisers who regularly attend or are invited to attend committee meetings.

Rationale

Many of these requirements are a continuation from King II, with at times more stringent or updated requirements and expansion in certain areas. The themes are however consistent. The major area of change, after criticism of the King II Report and media and press coverage of the issue, is a major strengthening of the remuneration oversight requirements.

Non-executive Director

An individual not involved in the management of the company. An individual in the full-time employment of the holding company is also considered to be a non-executive director of a subsidiary company unless the individual, by his conduct or executive authority, is involved in the day-to-day management of the subsidiary.

Independent Non-executive Director

A non-executive director who:

• Is not a representative of a major shareholder who can control or significantly influence management or the board
• Does not have a material direct or indirect interest in the company/group which:
  • Is greater than 5% of the group’s total number of shares in issue
  • Is less than 5% of the group’s total number of shares in issue, but is material to his/her personal wealth
• Has not been employed by the group or appointed as designated auditor or partner in the group’s external audit firm, or senior legal adviser in the previous 3 financial years
• Is not related (immediate family) to someone who has been employed by the group in an executive capacity in the previous 3 financial years
• Is not a professional advisor to the group
• Is free from any other business or relationship that could be a conflict, such as being a director of a material customer of or supplier to the company
• Does not receive remuneration based on the company’s performance

Audit committees

Key requirements

• The board should ensure that an effective and independent audit committee consisting of at least three members is established that complies with the Companies Act requirements in terms of appointment and membership.
• The audit committee should be chaired by an independent non-executive director and not the board chairman.
• The board chairman should not be an audit committee member, but may attend meetings by invitation.
• Audit committee members should collectively have an understanding of integrated reporting (including financial reporting), internal financial controls, the external and internal audit process, corporate law, risk management, sustainability issues, information technology governance and the governance processes within the company.
• The audit committee is responsible for the oversight of integrated reporting, internal audit and external audit and should determine annually whether the expertise, resources and experience of the finance function is appropriate.
• The audit committee should recommend to the board to engage an external assurance provider to provide assurance over material elements of the sustainability part of the integrated report. The audit committee should evaluate the independence and credentials of the external assurance provider.
• The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities.
• The audit committee must recommend to shareholders the appointment, reappointment and removal of external auditors. For listed companies, the audit committee should ensure that the external auditor that is recommended is approved by the JSE.
• The audit committee must develop a policy for board approval as to the nature, extent and terms under which the external auditor may perform non-audit services.
• Regardless of whether the audit committee has been assigned responsibility by the board for the oversight of risk management, it should satisfy itself that financial reporting risks, internal financial controls and fraud and IT risks as they relate to financial reporting have been appropriately addressed.
• The audit committee should evaluate the nature and extent of a formal documented review of internal financial controls to be performed by internal audit. The audit committee must conclude and report yearly to the board and stakeholders on the effectiveness of the company’s internal financial controls.

Key changes from King II

• The audit committee of a public company and state-owned company must be appointed by shareholders at the AGM.
• The audit committee should receive and deal appropriately with any complaints relating either to the accounting practices and internal audit of the company or to the content or auditing of its financial statements, or to any related matter.
• The audit committee should report in the integrated report:
  • The committee’s role
  • Existence of formal terms of reference and if these have been adhered to
  • Names and qualification of members and the period for which they have served
  • The number of and attendance at meetings
  • Whether it has considered and recommended the internal audit charter for approval by the board
  • A description of the working relationship with the chief audit executive
  • Information regarding any other responsibilities
  • Whether it has complied with its legal, regulatory or other responsibilities
  • Whether it has recommended the integrated report to the board for approval
• The audit committee should report at the AGM:
  • A description of how the functions were carried out
  • Satisfaction with the auditor’s independence
  • Any commentary considered appropriate in relation to the financial statements, accounting practices and internal financial control
• The board is required to develop a process for notifying the audit committee of reportable irregularities.
• The audit committee should annually evaluate the resources and expertise in the financial function. For listed companies the audit committee should evaluate the financial director.
• The audit committee should ensure that the internal audit function is subject to an independent quality review, either in line with IIA standards or when the audit committee deems it appropriate.
• The audit committee should understand how the board and external auditor (and any other relevant external assurance provider) evaluate materiality for integrated reporting purposes.

Rationale

Various changes and additions to the requirements were made to take the new Companies Act requirements into account and to strengthen the role and expectation of the audit committee.

The requirement for listed companies’ audit committees to satisfy themselves as to the experience and competence of the finance director and for listed companies’ external auditors to be approved by the JSE were included in King III in order to align it with the JSE Listing Requirements.

The fact that the audit committee has been made responsible for overseeing integrated reporting and assurance of sustainability information is linked to the fact that sustainability per King III should be linked to the company’s strategy and risks and has thus a more prominent role to play in the company.

The governance of risk

Key requirements

• The board is ultimately responsible for the governance of risk and is required to approve the risk management policy and plan.
• Risk tolerance and risk appetite limits should be set and monitored by the board.
• The execution of the risk strategy should be delegated to management and an experienced Chief Risk Officer (CRO) can assist with this. However ownership cannot reside in one person or function. Risk management has to be embedded into the day to day operations of the company.
• The board should appoint a risk committee or it may be assigned to the audit committee. The risk committee should comprise a minimum of three members (non-exec and exec) and the committee’s responsibilities should be defined in its terms of reference.
• The board should disclose its views on the effectiveness of the company’s risk management in the integrated report. Furthermore it should include undue, unexpected or unusual risks it has taken in the pursuit of reward as well as any material losses and the causes of the losses, with due regard to the company’s commercially privileged information.

Key changes from King II

• An accepted and appropriate methodology should be adopted to identify, respond to and monitor risks. The risk assessment should include a framework to anticipate unpredictable risks; the framework should have the following characteristics:
  • Insight: the ability to identify the cause of the risk, where there are multiple causes or root causes that are not immediately obvious.
  • Information: comprehensive information about all aspects of risks and risk sources, especially of financial risks.
  • Incentives: the ability to separate risk origination and risk ownership ensuring proper due diligence and accountability.
  • Instinct: the ability to avoid ‘following the herd’ when there are systemic and pervasive risks.
  • Independence: the ability to view the company independently from its environment.
  • Interconnectivity: the ability to identify and understand how risks are related, especially when their relatedness might exacerbate the risk.
• Each year, internal audit should provide a written assessment on the effectiveness of the company’s system of internal control and risk management to the board. This provides the board with independent assurance on the integrity and robustness of the risk management process.

Rationale

King III focuses on defining roles and responsibilities for risk management which is crucial in the successful embedding of risk management within organisations. Supporting this is the concept that risk must not reside with one person or function, ie, the CRO or the risk management function but requires an inclusive approach across the company in order to be successful.

The other key focus in this chapter is the adoption of an acceptable risk management approach/framework based on key principles rather than prescriptive measures.

In the last few years we have experienced significant corporate failures which in many instances could be said to be due to a company’s failure to anticipate and react to risks. This includes risks that are systemic, as well as risks that are normally considered to be unpredictable; King III has identified this flaw in the approach to risk management and has recommended that companies consider these risks within a defined framework with specific characteristics.

The governance of information technology

Key requirements

• Information Technology (IT) governance should be part of a company’s governance structures and responsibility rests with the board.
• The board should ensure that the company’s IT strategy is integrated with overall business strategy and processes. IT should be leveraged to improve the performance and sustainability of the company.
• The board should delegate to management the responsibility of implementing an IT governance framework. The CEO should appoint a person responsible for the management of IT, ie, Chief Information Officer (CIO). The CIO should be a suitably qualified and experienced person that has access to regularly interact on strategic IT matters.
• The board should monitor and evaluate significant IT investments and expenditure. This includes monitoring the value delivery of IT and the ROI of significant IT projects. In addition, independent assurance should be obtained on the IT governance practices of IT services outsourced to a third party.
• IT should form an integral part of the company’s risk management practices and management should regularly demonstrate to the board that adequate business resilience arrangements are in place for disaster recovery. In addition, the board is responsible for ensuring that the company complies with relevant IT laws, rules, codes and standards.
• It is the board’s responsibility to ensure that information assets are managed effectively. This includes information security, information management and information privacy.
• The risk and audit committee should assist the board in carrying out its IT responsibilities. The risk committee should ensure and obtain assurance that IT risks are adequately addressed. The audit committee should consider IT risks as they relate to financial reporting and the going concern of the company. In addition, technology should be used to improve audit coverage and efficiency.

Key changes from King II

• There is significantly more focus on IT. King II only addressed aspects relating to IT internal control, potential benefits from utilising technology to enhance reporting and transparency and the governance implications of e-business.
• King III addresses the key governance areas related to information technology and clearly places the responsibility of IT governance with the board.

Rationale

As technology becomes increasingly important and integrated into business processes, the need for adequate governance and management of IT resources becomes imperative for any business. There are increased risks to organisations that embrace technology and therefore directors should ensure that reasonable steps have been taken by management to govern IT.

Companies are making significant investments in technology without being able to demonstrate the value delivered from such investments.

IT governance is an integral part of corporate governance and should not be seen in isolation. King III addresses IT governance in a separate chapter as it is a relatively new concept within corporate governance; however, companies should address IT governance within their existing corporate governance framework.

Compliance with laws, codes, rules and standards

Key requirements

• Compliance should be part of the risk management process, the culture of the company and the detailed policies and procedures.
• The structure, size, role and reporting line of the compliance function should be considered to ensure that it is appropriate for the company and should reflect the company’s decision on how compliance is integrated with its ethics and risk management.
• Compliance is a board responsibility and should be a standing agenda item.
• The board should disclose in the integrated report how it has discharged its responsibility to ensure the establishment of an effective compliance framework and process.

Key changes from King III:

• The board and each individual director has a duty to keep abreast of laws, regulations, rules and standards applicable to the company as well as being accountable for the company’s compliance with these.

Rationale

Corporate compliance is taken to a new level. Although corporate compliance was referred to in various sections of King II, King III dedicates a chapter specifically to compliance with laws, regulations, rules, codes and standards.

It is not just compliance with the minimum laws and regulations, i.t.o. “keeping us out of trouble”, that is prescribed; adherence to “non-binding” rules, codes and standards to achieve good governance is also envisaged.

Compliance is also not to be “diluted” by marginalising it into the operations, and/or by the company being tempted to have operational issues take precedence over compliance issues.

Internal audit

Key requirements

• Companies should establish and maintain an effective internal audit function and if the board decides not to establish an internal audit function, full reasons should be provided in the company’s integrated report.
• As part of its key responsibilities, internal audit is required to evaluate the company’s governance processes including ethics, especially “tone at the top”.
• Where outsourcing of the internal audit function is selected, a senior executive or director should be responsible for the effective functioning of the internal audit activities.
• Internal audit should adopt a risk based approach and should be informed by and aligned to the strategy of the company.
• Internal audit, as a significant role player in the governance process, should contribute to the effort to achieve strategic objectives and should provide effective challenge to all aspects of the governance, risk management and internal control environment.
• An internal audit function should consider the risks that may prevent or slow down the realisation of strategic goals as well as the opportunities that will promote the realisation of strategic goals.
• The audit committee should ensure the internal audit function is subject to an independent quality assurance review in line with the IIA standards.
• The Chief Audit Executive (CAE) should develop a sound working relationship with the audit committee by positioning internal audit as a trusted strategic adviser to the audit committee.

Key changes from King II

• Internal audit should provide a written assessment of the effectiveness of the system of internal controls and risk management to the board. The assessment regarding internal financial controls should be reported specifically to the audit committee.
• Internal audit should play a pivotal role in the combined assurance model by providing independent assurance on risk management and internal controls.
• Internal audit should be strategically aligned to achieve its objectives and the CAE should have a standing invitation to executive and other strategically relevant meetings.

Rationale

Internal audit executives are being continually pressured to improve their function’s effectiveness and efficiency while increasing risk coverage and business improvement focus. Executive management and the audit committee continue to look to internal audit for balanced focus between compliance and business improvement.

In today’s dynamic business world where risks change and emerge daily, internal audit needs to remain relevant and ensure they are flexible enough to align their work to the changing landscape. This supports the concept of internal audit being strategically aligned. Furthermore, the skills required within internal audit need to keep up with these demands.

An independent quality assurance review is in line with the requirements of the International Internal Audit Standards for Professional Practice of Internal Auditing. Many audit committees and CAEs are requesting these independent reviews to:

• Provide the audit committee and executives with an independent assessment of the extent to which the internal audit function meets leading practices
• Determine the extent to which the work performed by the internal audit function complies with the “Standards” as prescribed by the Institute of Internal Auditors (IIA)
• Create an improvement agenda

With the shortage of skills and business focusing on their core activities, more and more internal audit functions are being outsourced. This is recognised but it is emphasised that the responsibility and accountability has to remain with the organisation.

The move to a combined assurance model is as a result of numerous risk providers such as risk management, legal and compliance, etc, within an organisation operating in silos with a lack of coordination. Internal audit is an integral part of the combined assurance model and as the board is required to report on the effectiveness of the systems of internal control they are now also looking for a written assessment from internal audit to guide them in this assessment. However, management and internal audit will need to define the components of the internal audit framework against which the internal control environment can be measured.

Governing stakeholder relationships

Key requirements

• Management should develop for adoption by the board a stakeholder management strategy and policy.
• Communication with stakeholders should be transparent, in simple language and understandable and in accordance with a responsible communication programme adopted by the board.
• A company should consider disclosing in its integrated report the number and reasons for refusals of requests for information lodged in terms of the Promotion of Access to Information Act, 2000.
• The board should ensure that internal and external disputes are resolved efficiently and effectively. Arbitration, mediation and conciliation are dispute resolution processes that the board can consider as alternatives to formal legal proceedings in court.

Key changes from King II

• Alternate Dispute Resolution (ADR) is a new principle introduced in King III.

Rationale

Stakeholder engagement is not a new concept for King, but because it forms the cornerstone of sustainability, which is one of the fundamental principles in King III, it has been expanded upon in a separate chapter in the report.

ADR has become accepted globally as an important element of good corporate governance. ADR allows disputes to be resolved efficiently, timeously and effectively taking both parties’ needs into account. This can contribute to preserving business relationships and allows for flexible solutions to be achieved.

Integrated reporting and disclosure

Key requirements

• Companies should report annually, through an integrated report, on the operations of the company, the sustainability issues affecting the business, the financial results, and the results of its operations and cash flows. The report should be complete, timely, relevant, accurate, honest and accessible and comparable with the company’s past performance and should cover both positive and negative aspects of the company’s impacts on stakeholders.
• The annual financial statements should be included in the integrated report.
• While a truly integrated report should be presented in one document, it can be presented in more than one document. However, if this is done, the documents should be made available at the same time and disclosed as an integrated report.
• Sustainability reporting should be independently assured.
• The scope of assurance should be agreed and disclosed.
• The International Standard on Assurance Engagements (ISAE3000) and AccountAbility’s AA1000 Assurance Standard (AA1000AS) should be used in combination to provide assurance over sustainability information.

Key changes from King II

• The previous King report focused on reporting whereas the recommendations now extend into the actual doing and inclusion into the business strategy.

Rationale

In the words of Mervyn King in the preface to King III – “Sustainability is the primary moral and economic imperative for the 21st century.”

Although sustainability reporting was recommended in King II, a renewed and extended focus was required and hence sustainability has been integrated in various sections throughout the King III report along with a separate chapter on integrated reporting.

Our expertise

We have many professionals who can assist you in implementing and interpreting the various requirements and recommendations of the King III Report.

Our key contacts are:

Mike Bourne, Director
Professional Practice [email protected]
+27 21 443 0258

Jayne Mammatt, Associate Director
Climate Change & Sustainability [email protected]
+27 11 772 3349

Celestine Munda, Director
Business Risk Services – Internal [email protected]
+27 11 772 3315

Lisa Jonker, Director
Business Risk Services – Enterprise Risk [email protected]
+27 83 454 0510

Marius Van der Berg, Director
Information Technology Risk and [email protected]
+27 11 772 3706

Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 135,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

For more information, please visit www.ey.com/za

Ernst & Young refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

© Ernst & Young South Africa 2009. All rights reserved.

Studio ref. 090901. Artwork by Govender.