Ensuring appropriate levels of authority and responsibility are in place for all eventualities remains a key area of focus, with substantial emphasis on internal controls. These controls have been integrated with the company’s risk management processes to ensure that control measures for the effective mitigation of identified risks are in place, and to ensure compliance with legislation and securities exchange listings requirements.
Compliance testing, enterprise risk management and legal compliance are the responsibilities of an integrated compliance team comprising various identified assurance providers, thereby eliminating any duplication of compliance assurance. An integrated compliance assurance plan has been developed to provide executive management and the audit committee with assurance that internal controls and risk mitigations are appropriately designed and implemented. A compliance-based assurance plan follows the outputs of exposure identification, assessment and control evaluation processes while encouraging the allocation of assurance resources based on compliance priorities.
The implementation of this combined approach requires that Harmony’s business units each have an assurance provider for every risk or compliance element. Internal audit supports this process by addressing gaps in the control effort rather than replicating management activity or that of other assurance providers. At the same time, however, the internal audit function provides objective and robust challenges on the effectiveness of management reporting and monitoring processes.
Operational compliance registers are updated by general managers and their teams each month and included in their monthly review packs. A corporate compliance risk register is updated quarterly. Information from the operational compliance registers and corporate compliance register is used to indicate compliance levels in the quarterly audit committee report.
Harmony has an internal audit function covering its global operations. Internal audit is an independent appraisal function established by the board to evaluate the adequacy and effectiveness of controls, disciplines, systems and procedures in Harmony, to reduce business risks to an acceptable level, cost-effectively. The internal audit function reports to the audit committee.
Harmony’s internal audit function is internally managed by the head: internal control and governance.
The procedures and systems, which act as checks and balances in the provision/gathering of information, are reviewed by the audit committee from time to time. This process has been supplemented by the integrated compliance assurance plan.
Internal audits are conducted in line with the code of ethics and standards of the professional practice of internal auditing, as laid down by the Institute of Internal Auditors. Although the role of internal audit is to review internal controls, systems, procedures and risks, among others, management and, ultimately, the board, retain full responsibility for ensuring Harmony maintains an appropriate framework of controls to reduce business risks to an acceptable level.
Internal audit is responsible for:
- Assisting the board and management in monitoring the adequacy and effectiveness of the company’s risk management process
- Assisting the board and management in maintaining an effective internal control environment by evaluating those controls continually to determine whether they are adequately designed and operating efficiently and effectively, and by recommending improvements
- Coordinating, combining and integrating the assurance provided by various parties (such as line management, internal and external assurance providers) in line with the combined assurance model introduced by King III.
Internal controls reviewed consist of strategic, operating, financial and compliance controls and encompass controls relating to the:
- Information management environment
- Reliability and integrity of financial and operating information
- Safeguarding assets
- Effective and efficient use of the company’s resources.
Corporate governance best practice requires that the internal audit function reports directly to the audit committee. Such direct reporting is ensured by the audit committee’s mandate to:
- Evaluate the effectiveness of internal control
- Review and approve the internal audit charter, plans and conclusions about internal control
- Review significant internal audit findings and the adequacy of corrective action taken
- Assess the performance of the internal audit function and adequacy of available internal audit resources
- Review significant differences of opinion between management and the internal audit function
- Consider the appointment, dismissal or reassignment of the head of internal audit.
The purpose, authority and responsibility of the internal audit function are formally documented in the internal audit charter as approved by the audit and risk committee. The head of internal audit reports directly to the audit and risk committee, but on administrative matters reports to the executive: risk management and services improvement.