Corporate governance

Introduction

Management’s responsibility for risk management and fraud

Management is responsible for the development and implementation of IDC’s systems and procedures. Internal Audit is only responsible for the facilitation thereof and assists management by reviewing the developed or revised systems and procedures regarding the adequacy thereof as well as assessing their effectiveness.

Combined assurance and co-ordinated approach

In line with King III guidelines, a combined assurance approach has been adopted with various key stakeholders such as the Risk Management department, various oversight subcommittees set by management within the Corporation, the development of a control self-assessment programme as well as External Statutory Auditors. For the past five years, Internal Audit has enjoyed reliance by External Auditors on some of its work.

Internal Audit has applied the concept of “Combined Assurance” as introduced by the King III Code. This is a coordinated approach to all assurance activities aimed at ensuring that assurance provided by management, internal assurance providers (e.g. Internal Auditors) and external assurance providers (i.e. External Auditors) adequately addresses the significant risks facing the organisation and that suitable controls exist to mitigate and reduce these risks. This further increases effectiveness and efficiencies in the provision of assurance by creating harmony and minimising duplication of work amongst assurance providers. The stakeholders that are considered for the purpose of providing combined assurance are:
  • Internal Audit Department;
  • Risk Management Department;
  • Corporate Affairs and Strategy and Portfolio Management Department;
  • Assets and Liabilities Committee;
  • Systems and Procedures Review function;
  • Management and Control Self-Assessments;
  • Compliance Function;
  • Corporate Secretariat; and
  • External Auditors.

IDC Internal Audit further provides an advisory as well as oversight role to some of the IDC’s key subsidiaries’ Internal Audit functions. As a result of providing support to various subsidiaries, some capacity constraints were experienced during the course of the year. This was, however, addressed by outsourcing some of the Information Technology related audits on an interim basis. With the continuous support from management, Internal Audit was able to increase its capacity and it is currently sufficiently capacitated to service the Corporation.

Information Technology

IT strategy

Information Technology (IT) plays a crucial role in enabling and supporting the IDC’s business processes while facilitating the secure access and sharing/exchange of business information.

The Corporation continues to implement strategic IT solutions and services that are aligned to the Corporation’s business strategy and goals with the objectives of creating business value, continuously improving business processes, customer service excellence and operational efficiency.

The following are some of the key strategic IT solutions and initiatives which have been or are being implemented:
  • IT security solutions and strengthened IT security controls to protect the Corporation’s business and customer information and prevent unauthorised access to it;
  • Customer-oriented technology solutions such as mobile applications and Online Customer Service, which enable ease of access to IDC customer services;
  • Management information systems and business intelligence solutions for improved management and operational decision making;
  • Technology advisory, research and innovation to align IT with business in driving the IDC strategy and exploiting the technology advantage;
  • Continuous business process improvements through the rollout of IT business systems;
  • Green IT initiatives to reduce the Corporation’s carbon footprint;
  • IT cost containment without sacrificing the quality of IT services and infrastructure; and
  • Small Enterprise Finance Agency infrastructure architecture through the use of the Corporation’s IT practitioners which has resulted in significant cost savings and positive ROI.

IT governance

During the period under review, considerable progress was made in strengthening IT security and process controls, and aligning IT with business. These include, among others, the strengthening of the SAP system security access and controls with respect to financial and procurement processes in line with the industry best practices.

Continuous IT process improvements in accordance with COBIT and ITIL governance and service management frameworks have been realised through IT procedures and policies. Stringent process controls have also been put in place to monitor and report on sensitive financial transactions to reduce the risks of unauthorised business transactions and unauthorised access to business and customer information.

In ensuring that the Corporation is able to continue with business operations in the event of unforeseeable business disruptions, a cloud computing based IT disaster recovery solution has been implemented. This solution is expected to increase IT service availability while reducing the cost of having a traditional IT disaster recovery solution.

IT risk management

Since the information technology environment is prone to risks and security threats, the Corporation has implemented a risk management framework to mitigate IT related risks through strengthening of process controls, and proactive management of IT risks.

A COBIT quality assurance exercise of implemented controls is periodically conducted in conjunction with Internal and External Audit.

In addition, independent IT risk and security partners routinely conduct IT security health checks, benchmarks and give an opinion on the state of the Corporation’s IT security risks.

IT challenges

IT security is a priority for the IT Department. Measures and controls are constantly reviewed and assessed to mitigate risks. However, after a penetration testing exercise was performed recently to evaluate the quality of IT security controls, one of the concerns raised was that of a breach of security as a result of social engineering. The penetration testing exercise noted that staff were vulnerable to online fraudulent solicitation of information by perpetrators. For example, staff easily gave away online information without verifying authenticity of requesters. To address the social engineering weakness, security training and awareness programmes are going to be increased.

Fraud prevention

Background

Fraud prevention is a holistic activity and therefore a shared function across a number of functional departments and committees across the IDC. However, the investigation of fraud itself and the subsequent recommendations from such investigations emanate from the Internal Audit Department, which is a direct report to the CEO.

All instances of fraud and related irregular activities reported, most of which are reported either through the Tip Offs Anonymous Hotline or directly to Internal Audit, are authorised for investigation through the Office of the CEO and the outcome of such investigations, inclusive of recommendations, are reported to Executive Management and the Board Audit Committee.

Fraud prevention in action

The IDC has a robust fraud risk management framework in place, co-ordinated through the Internal Audit Department, which includes not only a Fraud Prevention Policy, Fraud Prevention and Fraud Response plans, but also a Fraud and Corruption Prevention Committee and extensive fraud education and awareness initiatives designed to educate IDC employees about fraud risks throughout the IDC environment, and more particularly, in their own specific daily work environment at the IDC.

The IDC Fraud and Corruption Committee is key to fraud education and awareness initiatives, through the sharing of lessons learnt by senior managers for dissemination into their own areas of influence and holistic collaboration on fraud prevention and education strategies, thus increasing the impact of fraud prevention and detection activities. This is in addition to the regular fraud education and awareness briefing sessions during the recruitment of new employees, with operational SBUs and support departments.

Additional policies, systems and procedures such as, among others, the IDC Code of Business Conduct which regulates conflicts of interest, receipt of gifts and the ethical approach that IDC employees are required to uphold, further enhance the strong fraud prevention culture at the IDC.

Furthermore, regular intervention reports by the Internal Audit Department on how to mitigate control gaps identified during audits and investigations add further impetus to fraud prevention efforts.

IDC takes a precautionary approach by training its employees and, accordingly, during the year under review 58% of employees were trained on the Corporation’s anti-corruption policies and procedures. Ten out of seventeen business units (59%) were analysed for risks related to corruption during the year.

Central to the IDC fraud risk framework are two supporting activities: the IDC “Tone at the Top” and the manner in which IDC responds to incidences of fraud. The IDC “Tone at the Top” was seen during a 2012 benchmarking exercise to be consistently on par with that of a number of large financial services organisations and continues to provide significant support for fraud prevention and detection activities throughout the IDC Group.

It is in the manner in which the IDC deals with incidences of fraud that the real intent of IDC’s zero-tolerance approach to fraud is seen. In this regard, the following principles are entrenched in the IDC’s response to incidences of fraud:
  • Thorough investigation of incidents reported or discovered;
  • Appropriate and consistent action taken against violators;
  • Assessing relevant controls and, if required, improving them; and
  • Communication and training to reinforce the IDC values, code of business conduct and expectations.

Challenges and initiatives

The graph below reflects the year-on-year growth in the number of matters reported for investigation through the various reporting channels and highlights a growing concern that the IDC is experiencing a material increase in the number of external matters being reported:

Despite the success that the IDC has had in dealing with matters of internal fraud over the past year, the scourge of fraud committed by external stakeholders against the Corporation is uncomfortably high. This growth is attributed to the ongoing current poor economic environment, which is exacerbated through poor ethical decision-making by clients – behaviour which may have gone unnoticed in a positive economic environment.

The typical nature of irregularities/fraud committed by clients includes:
  • Misappropriation of IDC’s funds;
  • Over-invoicing of goods or services procured by clients when requesting re-imbursements from IDC;
  • Misrepresentation of the audit certificate; and
  • Non-compliance with restrictive clauses as per the loan agreements.

Given the manner in which the IDC, as a developmental institution, interacts across multiple industrial and commercial sectors, the possibilities in respect of fraud schemes are endless, and therefore the IDC places strong reliance on employee education and awareness training, as properly trained and aware employees are a significant deterrent to any would-be fraudster.

Further countermeasures put in place to rein in the increase in matters reported for investigation include, amongst others, an increase in resource capacity for the Internal Audit Department, targeted interventions in respect of client education as to what is expected of clients who receive IDC funding and a continued strong focus on the criminal prosecution of all clients who access and apply IDC funding in a fraudulent manner.

Initiatives for the coming financial year, whilst continuing with the fraud countermeasures already in place, include the use of scenario-based anti-corruption training to IDC employees and increased focus on communication with clients regarding IDC’s expectations from clients and our zero-tolerance approach to all instances of fraud and related irregular activities.

Risk management framework

Introduction

IDC has a robust culture of risk awareness, founded on a framework that is shareholder value based, organisationally embedded, supported by the BR&SC and assured by External and Internal Audit. It is also reviewed continuously and follows best practice Enterprise Risk Management (ERM), which aligns strategies, policies, people, procedures, technology and business management continuity. Furthermore, it evaluates, manages and optimises the opportunities, threats and uncertainties that the IDC may encounter in its continuous efforts to maximise sustainable shareholder value.

Enterprise Risk Management

Enterprise Risk Management integrates risk and financial sustainability across IDC’s risk universe, including SBUs and support departments, regional offices and legal entities. Accordingly, risk management at the IDC is both decentralised and centralised, with every staff member of the Corporation being responsible for risk management. Against this, all IDC risks including those associated with sustainability are managed according to the ‘three lines of defence’ governance model depicted in the table below.

Three lines of defence governance model

Responsibilities of the three lines of defence:
  • First line: The Board and management of IDC are responsible for the implementation and management of risk;
  • Second line: BR&SC performs a policy-setting and monitoring role to ensure implementation of risk management and adherence to regulation and legislation; and
  • Third line: Internal and External Audit provide additional assurance on the effectiveness of risk management in the organisation.

ERM is designed to assist the IDC with the identification, quantification and prioritisation of material risks that have the ability to impact the business. ERM recognises that risks including opportunities are dynamic, often highly interdependent and ought not to be considered and managed in isolation. ERM responds to this challenge by providing a methodology for managing Corporation-wide risks in a comprehensive and integrated way.

The ERM process, fully embedded within the SBUs, regional offices and support functions across the Corporation, is supplemented by the IDC Risk Management Framework as well as a comprehensive set of risk policies and limits.

Risk Management Framework

The objectives of the IDC’s Risk Management Framework are achieved through the application and benchmarking of best practice, the adoption of legislative requirements, resource allocation and utilisation of the outcomes in decision-making by all levels in the Corporation in ensuring that these value-added activities assist the IDC in the achievement of its strategic objectives.

The Risk Management Framework as depicted in the following diagram lays out guiding principles for the IDC’s management of risk on an ERM basis.

IDC’s Risk Management Framework

IDC has adopted a hybrid risk management solution (both centralised and decentralised) to best reflect our business model as well as to maximise cost/benefit trade-offs. The components are discussed below.

Annual risk assessment

  • An assessment of risks faced by the IDC is undertaken annually, in compliance with the conditions of the Public Finance Management Act (Act 1 of 1999) (PFMA), and in line with the recommendations of the King Codes of Governance principles (King II, and King III) and the Public Sector Risk Management Framework. This process strives to achieve the identification, measurement and management of the critical risks (namely strategic, financial, governance, operational and IT governance) that the IDC may face to enable the Corporation to formulate appropriate risk strategies and action plans to mitigate and address the risks where necessary. Through the application of a seven step process (see diagram here) the Annual Risk Assessment of the Corporation will:
    • Align strategy and risk appetite:
      The approach followed in setting the IDC’s risk is top-down as recommended by King III and other best practice standards. In so doing the Board and Exco are able to monitor actual risk taking against risk threshold levels and are able to ascertain whether the overall risk exposure is at an appropriate level to support the Corporation’s strategic objectives;
    • Identify and manage the key risks facing the Corporation:
      The risks that the Corporation may be exposed to are determined, based on a review of the prior year’s risk assessments; the Internal Audit Department findings for the previous two years; External Auditors Management Letter for the previous two years; inputs from Executive Management, SBU and departmental heads and other senior staff in the Corporation; and an analysis of benchmarked risk standards (mainly King III, Basel II) and other organisations’ ERM activities;
    • Assess the risks identified:
      The risks identified are assessed on a residual basis based on the probable impact following an occurrence and the likelihood of the occurrence happening in order to determine a risk ranking taking into account the Corporation’s existing controls;
    • Mitigate the risks identified:
      The risks are effectively mitigated by establishing controls through focused workshops with SBU and departmental heads and other senior role players;
    • Monitor the risks identified:
      The results of the risk assessment, including key controls under review are presented to Executive Management and the BR&SC. Thereafter, a summary of key matters is presented to the Board. This process enables Executive Management and the Board to highlight areas where additional focus is required;
    • Assurance:
      Internal Audit, as the Corporation’s main assurance provider, ensures that the risks identified and the associated controls are appropriate and effective, as identified in the assessment. Internal Audit utilises this risk assessment in the formulation of its Internal Audit Programme; and
    • Reporting:
      Through the Risk Management Department, the risks are continuously measured, and the exposure is monitored and reported on.

Approvals: R13.1 billion
Disbursements: R16.0 billion
Jobs facilitated: 18 922
Jobs saved: 3 950

© The IDC 2013. All rights not expressly allowed are reserved. P.O. Box 784055, Sandton, 2146, South Africa