South Africa
Lesotho
Mozambique
Tanzania
DRCRisk management
Management develops and enhances its risk and control procedures on an ongoing basis, aiming to continuously improve risk identification, assessment and monitoring. The directors consider business risks when setting strategies, approving budgets and monitoring progress against budgets.
A division reporting to the Chief Risk Officer assists in identifying, assessing and recording the strategic risks facing the Group and, where appropriate, monitors mitigating actions.
Risks are managed at three distinct levels - Risk Management Committees, the Risk Group and line management.
The Group Risk Management Committee (‘GRMC’) meets four times a year and is chaired by the Chief Financial Officer. The GRMC has been in existence for six years. Current membership comprises the Group Executive Committee members, the Chief Risk Officer and the Managing Directors of each country operation.
The GRMC’s two main functions are:
 |
To filter and approve the list of high and critical strategic risks, which are presented to the Group Board yearly; and |
|
To oversee and monitor the various structures and projects designed to manage specific risks such as Business Continuity Management for example. |
The GRMC also acts as the Risk Management Committee (RMC) for Vodacom South Africa.
During the year, a Risk Management Committee was established for each country operation, chaired by the respective Managing Director. The other members include the executive committee each operation. Each committee’s mandate is identical to that of the GRMC.
Risks are identified and managed at five levels within the organisation, namely project, process, operational, tactical and strategic levels. Risks are regularly reviewed and updated. In relation to strategic risks, a filtering and reporting process ensures that material risks are reported to the Risk Management Committees and then reviewed by the various Boards.
The major strategic risks identified during the year are detailed in the Risk Management Report in the Integrated Report for the year ended
31 March 2011.
Internal control
Management adopts internal controls, including policies, procedures and processes to provide reasonable assurance in safeguarding assets, preventing and detecting errors, the accuracy and completeness of accounting records, and the reliability of financial statements. Internal audit provides independent, objective assurance of the Group’s system of internal controls.
Internal audit
The Internal Audit function has a charter and conforms to the International Standards for the Professional Practice of Internal Auditing and Code of Ethics stipulated by the Institute of Internal Auditors (‘IIA’).
Vodacom’s audit methodology is risk based. The internal audit plan is compiled on a yearly basis in co-operation with Vodafone.The Audit, Risk and Compliance Committee approves the internal audit plan in March every year it is then communicated to executive management. Special assignments may be conducted on request. Appropriate arrangements are made to ensure that these ad hoc audits do not compromise the overall audit plan for the financial year.
Types of audits conducted by Internal Audit include:
|
financial systems audits; |
|
computer systems audits; |
|
revenue assurance; |
|
network operational audits; and |
|
safety, health and environmental audits. |
In January 2011, PwC was contracted to perform an external quality assurance review of Internal Audit. The assessment concluded that the Internal Audit function generally complied with the International Standards for the Professional Practice of Internal Auditing as issued by the IIA. Internal Audit’s charter stipulates that this external quality review should be performed every three years.