6 minute read
Report of the Audit and Risk Oversight Committee
The Cape Peninsula University of Technology’s (CPUT) Audit and Risk Oversight Committee (AROC) of Council has a specific mandate, and its terms of reference specify that members of the Committee must be independent of the University. As such, members of the AROC must be independent of Management, and should not be involved in any business or other relationships that may have a material bearing on the exercise of their independent judgement as members of the Committee.
The Committee does not assume the functions of Management, which remain the responsibility of the Vice-Chancellor, Deputy Vice-Chancellors, Executive Directors, and other members of Senior Management.
The Committee fulfils its role in line with the approved Terms of Reference, and may call on the Chairpersons of the other committees of Council, the Vice-Chancellor, Deputy Vice-Chancellor, and any of the Executive Directors, Officers, Secretariat or other assurance providers to provide information, subject to a Council approved process.
1. Composition and attendance
At the end of 2021, the Committee had four (4) members, three (3) external Council members and one (1) external member, all of whom are independent of the University. There was one vacancy in 2021, following a resignation effective from 31 March 2020. The members of the AROC have a variety of skills, ranging from business, auditing, legal, governance, information technology (IT), risk management, and financial services. The term of office of independent external committee members appointed by Council is four (4) years.
Meetings are held at least four (4) times a year, and are attended by the External and Internal Auditors and relevant members of the Executive Management of CPUT. During 2021, the Committee held quarterly meetings that were all quorate, and carried out its oversight duties as set out in the Terms of Reference.
Audit and Risk Oversight Committee member 12-02-2021 Date of Meetings
30-04-2021 (Special Meeting) 04-06-2021 30-07-2021 08-10-2021 11-02-2022
K Patel (Mr) * PR PR PR PR PR PR N Dhevcharran (Ms) * ICH ICH A ICH ICH ICH R Bredenkamp (Mr) ** PR PR ICH PR PR PR L Platzky (Dr) * PR PR PR PR PR PR
* Member of Council ** External member ICH Interim Chair PR Present A Apology Table 1: AROC meeting attendance, 2021
2. Summary of main activities
The Audit and Risk Oversight Committee complied with key aspects of its mandate in 2021. In executing its duties, the Committee attended to the following key matters:
2.1 Internal audit
The Committee is responsible for overseeing Internal Audit, and during the year under review, the Committee performed the following: • Reviewed and approved the annual Internal Audit Plan and budget; • Reviewed and approved the CPUT Combined Assurance
Framework; • Reviewed and approved the Internal Audit Strategy, which is aligned with CPUT’s Vision 2030;
• Obtained feedback on the outcomes of internal audits completed in 2021; • Obtained feedback on the risk management and corporate governance practices, as assessed by Internal Audit; • Ensured that there is a process of follow-up on significant findings, and that Internal Audit reports on the progress of implementing agreed Management actions; and • Appointed the audit firm (BDO Advisory) to undertake the internal audits under the directorship of the Director Internal
Audit, effective 1 January 2022.
2.2 External audit
The Committee is responsible for recommending the appointment of the External Auditor, and to oversee the external audit process. In this regard, the Committee: • Monitors the appointment of the External Auditors to ensure the external audit function is fulfilled at CPUT; • Approved the terms of engagement and remuneration of the external audit engagement; • Monitored and reported on the independence of the External
Auditors in the annual financial statements; • Reviewed the contracts for non-audit services to be rendered by the External Auditors; and • Followed up on any possible reportable irregularities identified and reported by the External Auditors.
2.3 Risk management and internal controls
The Committee is an integral component of the risk management process. During the year under review, the Committee: • Ensured that continuous risk monitoring by Management takes place; • Ensured that appropriate risk responses are implemented; • Liaised with the Internal Auditors and Management to exchange information relevant to risk; • Ensured the effectiveness of the system and process of risk management is formally communicated to Council; • Reviewed and approved the CPUT Risk Management Policy and Framework; • Reviewed and approved the Enterprise Risk Management
Strategy, which is aligned with CPUT’s Vision 2030; • Reviewed reporting concerning risk management that is to be included in the Annual Report for it being timely, comprehensive and relevant; and • Provided oversight over the financial reporting risks, internal financial controls, and fraud risks, as these relate to financial reporting and general IT risks.
2.4 Combined assurance
The Committee ensured that a combined assurance model was applied to provide a coordinated approach to all assurance activities to address all the significant risks that CPUT is facing, and monitored the relationship between the various internal and external assurance providers. The combined assurance model is articulated in a documented framework approved by the Committee and Council in 2021.
2.5 Information technology (IT) governance
The Committee ensured that IT risks are adequately addressed, and received appropriate assurance on controls; and considered the impact of IT in relation to financial reporting and on significant operational activities. The Committee has increased its scrutiny of the University’s IT systems and related IT risks. During 2021, the Director: Computer and Telecommunications Services (CTS) presented quarterly reports to the Committee, which focused on: • Progress in addressing external and internal audit findings; • IT strategic and operational risks, including cyber security risk; and • IT resilience and disaster recovery.
2.6 Fraud and litigation
The Committee received reports on matters of fraud, and the results of forensic investigations into cases of fraud. It considered Management’s actions in dealing with these cases of fraud, and received assurance from Management regarding their compliance with relevant legislation regarding the incidents of fraud, and actions to recover monies and assets. Management provided feedback on areas of litigation that posed a risk to CPUT in terms of financial impact and/or reputational consequences.
2.7 Compliance with laws and regulations
Various laws and regulations are applicable to CPUT. Management regularly reported to AROC on CPUT’s compliance with laws and regulations. Independent assurance was provided by the Internal and External Auditors based on their annual audit coverage plans.
3. Conclusion
Arising from each AROC meeting is a Chairperson’s Report to Council, indicating matters requiring Council attention for noting, approval or action.
AROC complied with its Terms of Reference, and is satisfied that CPUT has continued to maintain and manage internal control systems effectively, in a manner that ensures the achievement of institutional objectives and operational goals. This was obtained by means of a risk management process, combined assurance approach, as well as the identification of corrective actions and enhancements to internal processes and controls. The Committee reviewed and recommended the following reports in this Annual Report to Council for approval: • Report on Internal Administrative/Operational Structures and
Financial Controls; and • Report on Assessment of Risk Exposure and Risk Management. The Audit and Risk Oversight Committee therefore recommends the 2021 Annual Report to Council for approval.
Interim Chair of Audit and Risk Oversight Committee (AROC) Ms N Dhevcharran
