Audit and Risk Committee

Read more:

Corporate Governance

More information on the Audit and Risk Committee.

The reconstituted Audit and Risk Committee comprises Mr Chris Seabrooke (Chairman) and Ms Phumzile Langeni and Dr Lulu Gwagwa, all of whom are independent non-executive directors and who each have the requisite financial and commercial skills and experience to contribute to the Committee’s deliberations. The roles and responsibilities of the previously separate Risk and Audit Committees were combined with effect from June 2011. Cambridge Food CEO, Mr Kevin Vyvyan-Day, attends the Risk section of this Committee meeting.

Audit

The CEO, the COO, the FD, senior financial executives of the Group and representatives from the External and Internal Auditors attend all meetings by invitation.

Audit and risk Committee responsibilities:

  • Overseeing the effectiveness
    of the Group’s governance, risk and internal control systems.
  • With regard to the External Auditor, to nominate their appointment, to determine audit fees payable, to pre-determine fees and scope of non-audit services, and monitor their independence.
  • Reviewing the scope and effectiveness of the External
    and Internal Audit functions.
  • Ensuring that adequate accounting records have
    been maintained.
  • Ensuring the appropriate accounting policies have
    been adopted and consistently applied.
  • Reviewing and reporting
    on the application of King III.
  • Testing that the Group’s going-concern assertion remains appropriate.
  • Overseeing the quality
    and integrity of the annual
    financial statements.
  • Ensuring that Internal Audit reports functionally to the Committee, is considered independent, and applies King III and IIA standards. It approves Internal Audit’s plan and ensures that Internal Audit have sufficient resource and skill to effectively perform their function.
  • Reviewing the adequacy and effectiveness of combined assurance, compliance and IT.
  • Receiving and reviewing
    the assurance assertion of Internal Audit and presenting this to the Board.

The Internal and External Auditors have unfettered access to the Audit and Risk Committee and its members, and both present formal reports to the Committee.

The Chairman of the Committee meets quarterly with the CAE, and at the start of every Committee meeting the External Auditors have a private audience with the Committee.

In specific response to the requirements of the Companies Act, King III and in terms of its charter, the Committee can report as follows:

  • The Committee has reviewed the scope, quality, effectiveness, independence and objectivity of the External Auditors and is satisfied with all of these areas. Ernst & Young have been proposed to the shareholders for approval to be the Group’s auditor for the financial year ending 23 December 2012 (a six-month financial year occasioned by a change in year-end from June to December). The change in year-end and the proposed appointment of Ernst & Young are both intended to align the Group better with Walmart’s financial reporting requirements. Ernst & Young, and audit partner Allister Carshagen, are, in the Committee’s opinion, independent of the Group.
  • The Committee is satisfied that the internal financial controls of the Divisions and Group operated effectively throughout the 2012 financial year and can be relied upon. In addition, the Committee is satisfied with the Group’s accounting policies and that these have been appropriately and consistently applied throughout the 2012 financial year.
  • The Committee reviewed this Integrated Annual Report and recommended it to the Board for approval.
  • The nature and extent of non-audit services provided by the External Auditors is reviewed annually to ensure that fees for such services do not become so significant as to call into question their independence of Massmart. The nature and extent of any future non-audit services have been defined and pre-approved, and the total fee associated with those non-audit services may not exceed 50% of the total audit fee without approval of the Committee. During the 2012 financial year, non-audit services represented 25.9% of the audit fee. If it appears that this guideline will be exceeded on a consistent basis, non-audit services will be outsourced to alternative auditors.
  • No reportable irregularities were identified and reported by the External Auditors to the Committee.
  • The Massmart website (www.massmart.co.za) has a link enabling the general public to lodge complaints with the Committee. Since establishing this functionality in 2009, no complaints have been received.

Annually the Committee considers whether it is meeting its duties and responsibilities as set out in the Committee charter and in terms of the requirements of the Companies Act.

As part of the Audit section, the Committee receives reports on Group companies’ financial performance, governance, and internal controls, adherence to accounting policies, compliance and areas of significant risk, amongst others. The Committee also receives written reports by both the External and Internal Auditors, which are accompanied by discussion with Committee members. After considering these reports, the Committee formally reports to the Board, twice each year, regarding the overall control framework and effectiveness of controls.

Each of the four Divisions has a Financial Review Committee which meets twice a year – before the finalisation and release of the Group’s Interim and Preliminary financial results, respectively. These Committees effectively function as Divisional Audit Committees but not strictly in the manner required by the regulators or King III. The attendance at these meetings includes the following invitees: the FD, Divisional Chief Executive and Divisional Finance Director, key finance and accounting staff, members of Internal and External Audit, and Massmart Corporate Finance executives. Minutes from these meetings are included with the papers of the following Committee meeting. Annually the Audit and Risk Committee reviews the Financial Review Committee minutes, External Audit report and annual financial statements to comply with the Companies Act requirements of a holding company audit committee and its responsibilities in regard to all Company subsidiaries.

"Each of the four Divisions has a Financial Review Committee which meets twice a year."

The Group’s interim and provisional reports are always subject to independent review by the External Auditors.

The Committee’s report in accordance with section 94(7)(f) of the Companies Act, can be found in the Directors’ Report.

Suitability of the financial director

As required by the JSE, the Committee and Board have considered the skills, qualifications and performance of the FD, Ilan Zwarenstein, and are unanimously satisfied of his continuing suitability for the position. His biographical details can be found here.

Read more:

Group Financial Statements

Approval of the Audited Annual Financial Statements.

External audit

During the financial year, Deloitte & Touche were the External Auditors for all Group companies, with the exception of Massmart International Limited who are audited by RBC Trust Company (Guernsey) Limited, and the following companies who are audited by Ernst & Young:

  • The Rhino Cash and Carry Group;
  • Fruitspot;
  • The Zimbabwean entities of Mercantile Investment Company (1971) (Pvt) Ltd and the Dealsave Trust; and
  • Builders Trade Depot (Botswana) (Pty) Ltd.

Fees to external auditors:

Rm   %
Audit services 20.6 74.1
Non-audit services 7.2 25.9
27.8 100.0

During the year, Deloitte & Touche provided certain non-audit services, including tax reviews and advice, and reviews of information technology systems and applications. Total fees paid during the 2012 financial year to Deloitte & Touche were R26.8 million, of which R7.2 million related to non-audit services.

Internal audit

The Committee considers Massmart Internal Audit Services (MIAS) to be an independent, objective body providing assurance to the Group’s governance, risk and control activities. MIAS comprises a dedicated team that, although managed from Massmart Corporate, is deployed Group-wide. The team comprises appropriately tertiary qualified and experienced personnel, including internal audit and retail/wholesale professionals, to ensure the delivery of a relevant and high-quality risk-based audit service. Pleasingly, 91% of the audit team is African, Coloured or Indian.

The responsibilities of MIAS are defined and governed by a charter approved by the Audit and Risk Committee and the Board. MIAS has the unequivocal support of the Board and this Committee and has access to any part of or person in Massmart. All employees are expected to co-operate positively with MIAS.

Internal Audit:

  • MIAS is an objective body providing assurance concerning the Group’s governance, risk and control activities.
  • MIAS has the unequivocal support of the Board and Audit and Risk Committee.
  • MIAS is considered independent and has been subjected to a quality review.
  • The MIAS team formally reports any material findings at the Divisional Boards and the Audit and Risk Committee on a quarterly basis.
  • There is significant MIAS involvement in Information Technology (IT) throughout the Group to ensure satisfactory IT governance and assurance.

To ensure independence, MIAS reports functionally to the Audit and Risk Committee and administratively to the CEO. Massmart does not apply the King III recommendation that this Committee be responsible for the appointment, remuneration, performance/assessment and where necessary dismissal of the CAE. This process is conducted jointly by the Committee and the Massmart Executive Directors as this is deemed more effective. The Committee approves the annual MIAS plan and the MIAS budgets. The CAE has unrestricted access to anyone in the organisation, has frequent and independent discussions and updates with the Committee Chairman and Massmart Executive Directors. The CAE holds a senior executive position in the organisation and has an influential impact across the business strategically and operationally. The Board provides MIAS with the authority to attend any strategic session, Committee or Board meeting and to have unrestricted access to all information across the Group to assist with its determination of the types and levels of governance, control and risk that exist across Massmart.

The MIAS team formally reports any material findings and matters of significance to the Divisional Boards on a quarterly basis and to the Audit and Risk Committee when it meets. The reports highlight whether actual or potential risks to business are being appropriately managed and controlled. Progress in addressing previous unsatisfactory audit findings is monitored until MIAS reports the proper resolution of the problem area.

There is significant MIAS involvement in IT throughout the Group in order to ensure satisfactory IT governance and assurance. All new major IT systems in the Group require specific MIAS sign-off prior to implementation and all significant IT projects are subject to MIAS review.

The MIAS role is twofold: to assess the process and controls around large IT projects at significant phases of these projects; and to assess the control environment within existing IT systems and the Group’s general computer control environment. MIAS adopted the COBIT methodology for technology auditing several years ago.

MIAS and External Audit’s scope and work-plans, and those of other assurance providers, are properly co-ordinated and when appropriate are relied upon in order to provide efficient and effective assurance to the Committee and to reduce the governance burden.

MIAS applies the standards of the International Institute of Internal Auditors and the recommendations of King III and has had a quality review and was found to ‘generally conform’ (the standard required by the Internal Audit Institute and the highest standard possible)

Risk

The Board recognises its responsibility to report a balanced and accurate assessment of the Group’s financial results and position, its business, operations and prospects. Aspects of how this is achieved are covered in the section below.

Internal control framework

Massmart maintains clear principles and procedures designed to achieve corporate accountability and control across the Group. These are codified in the Massmart Governance Authorities that describes the specific levels of authority and the required approvals necessary for all major decisions at both Group and Divisional level. Through this framework, operational and financial responsibility is formally and clearly delegated to the Divisional Boards. This is designed to maintain an appropriate control environment within the constraints of Board-approved strategies and budgets, while providing the necessary local autonomy for day-to-day operations.

RISK MODEL

The Board is responsible for the risk management programme that attempts to balance the risks and rewards in achieving the Group’s objectives.

On behalf of the Board, the Audit and Risk Committee oversees the Group’s risk management programme. Responsibility for risk management and loss prevention rests however, with the Group and Divisional Executive Committees.

Massmart’s risk landscape, split into strategic and operational risk, can be summarised as follows:


Strategic/ENVIRONMENTAL risk

Business model
  • Non-adherence to business
    model or poor strategic execution
  • Insufficient progress with transformation
Human capital
  • Talent retention and succession
Economic
  • Economic volatility
Governance/Regulatory
  • Expected standards of sustainability conduct
  • FCPA and related
    non-compliance risk

Operational risk

Operating environment
  • Major store fire
  • Supply chain
  • In-store health and safety
  • Reliance on IT systems
Geo-political/Economic
  • Complexity of the Group’s
    African operations
Competitive
  • Competitor attack on our major merchandise categories
Financial (covered in
the Group Financial Statements HERE)
  • Market risk (comprising interest rate risk, currency risk and other price risk)
  • Liquidity risk
  • Credit risk

Risk and the Audit and Risk Committee

The Board considers risk management to be a key business discipline designed to balance risk and reward, and to protect the Group against risks and uncertainties that could threaten the achievement of business objectives. The Board’s risk strategy has been established through debate with the executive directors where the Group’s risk tolerance has been considered and balanced against the drive towards the achievement of its strategies and objectives.

The Committee is responsible to the Board for overseeing the Group’s risk management programme. The day-to-day responsibility for risk management, including maintaining an appropriate loss prevention and internal control framework, remains with the executives of the Group and of each Division.

The Committee’s primary role is one of oversight and therefore it reviews and assesses the dynamic interventions, within the Group’s available resources and skills, required in response to business-specific, industry-wide and general risks. The Committee tables a Group risk register, aggregated from those prepared by the Divisions and the Group Executive Committee, to the Board annually in August. The Committee considers there to be two categories of Group risk which can broadly be described as Strategic/Environmental risks and Operational risks.

Strategic/Environmental risks, tend to be longer-term or more material in nature and can, in most cases, only be monitored, managed and partially mitigated through longer-term strategic or tactical business responses. These risks, which, for example, include executive talent retention and succession, transformation and supply chain, are the primary focus of the Group’s Risk Management process.

The Group risk register summarises the major risks facing the Group, taking into account the likelihood of occurrence, the potential impact and any mitigating factors or compensating controls. The Audit and Risk Committee oversees the maintaining of a sound system of governance, risk management and control with regard to operations, safeguarding assets, reliability of management reporting, and compliance with laws and regulations.

Operational risks by their nature can be immediately addressed or mitigated by local management actions. These risks – which include in-store health, safety and security, compliance, fire prevention and detection, IT systems and food safety, amongst others – are therefore the direct responsibility of each Divisional Executive Committee where a Loss Prevention or Risk Officer has line-responsibility for overseeing these risks.

Litigation and legal

On 9 March 2012 the Competition Appeals Court of South Africa dismissed a review application initiated by various Government ministries. Within the same order, the court also considered an appeal lodged by various trade unions. On the appeal, the court approved the merger between Walmart and Massmart subject to two conditions relating to prior retrenchments and Massmart’s voluntary undertaking to create a Supplier Development Fund. Massmart has taken all necessary and reasonable steps to reinstate those employees who were subject to the retrenchment and presented themselves for reinstatement. With respect to the Supplier Development Fund condition, all parties to the litigation have presented their views and we are now awaiting a final ruling from the court.

Information Technology

Protecting Massmart’s electronic assets is increasingly complex as networks, systems and electronic data expand and, in some cases, are shared with third parties and business partnerships. Depending on the internet for communication brings additional risk. Ensuring proper system security, data integrity and business continuity is the responsibility of the Board, but is given effect by the Audit and Risk Committee, the Massmart Technology Information and Process Forum (TIP) and Massmart’s formally contracted IT business partners and providers and is independently reviewed by the External and Internal Auditors.

Financial risk and appraisal

Financial targets agreed in Group budgets and strategy processes are predicated on assumptions about the future that are uncertain and may prove incorrect or inaccurate. The monitoring and management of this risk is the responsibility of the Group Executive Committee. Monthly performance is measured and compared to the budget and prior year, and corrective or remedial action taken as appropriate.

Despite extensive financial, accounting and management controls and procedures, including reviews by Internal and External Auditors, there are risks arising from the Group’s cash management and treasury operations, direct and indirect taxation, and employee or third-party fraud or economic crime.

In addition to financial reviews, Massmart has implemented voluntary processes that enable independent reviews of its corporate accountability performances. These include a bi-annual ethics review by the South African Institute of Ethics and an annual SRII review that is co-ordinated by the JSE.

Group risk landscape – strategic/environmental risk

Click here to view

Group risk landscape – operational risk

Click here to view