Figure 1.
Combined assurance model (adapted from King Ⅲ (IoDSA, 2009, p.62)).
In addition to integrated reporting, which was arguably first introduced by the third King Report on Governance for South Africa (King Ⅲ), King Ⅲ also formally introduced the combined assurance model as a further governance innovation, aimed at enhancing the quality of organisational reporting. Although the combined assurance model is primarily an internal enterprise risk management innovation, designed to incorporate, integrate and optimise all assurance services and functions, it simultaneously enhances the credibility of organisational reporting. Taken as a whole, the combined assurance model enables an effective control environment, supports the integrity of information used for internal decision-making by management, the governing body and its committees; while supporting the integrity of the organisation's external reports. Organisations adopting King Ⅳ, including state-owned enterprises (SOEs), are expected to explain how the provisions of the combined assurance model have been implemented. Explaining conformance, introduces an element of innovation into organisational reporting as envisaged by King Ⅳ, by providing stakeholders with assurance about the veracity of the disclosures contained in the internal and external reports of organisations. This exploratory paper analyses the extent to which South African SOEs have conformed to seven key combined assurance indicators. The disclosures contained in the publicly available annual/integrated reports of South African SOEs, listed in Schedule 2 of the Public Finance Management Act (PFMA), were thematically analysed to fulfil the objective of the study. We found that although the combined assurance related disclosures suggest high levels of adoption by some SOEs, the majority have not provided sufficient information to explain how they have applied combined assurance, if at all. Although their reports appear to provide internal management with some level of assurance about the extent to which risks have been managed, these reports may not necessarily provide external users with confidence that all material risks have been effectively mitigated, within the organisation's risk appetite. This paper discuses implications for policy and practice and concludes by providing avenues for further research.
Citation: Adeyemi Adebayo, Barry Ackers. Adoption of the combined assurance model by South African state-owned enterprises (SOEs)[J]. National Accounting Review, 2023, 5(1): 41-66. doi: 10.3934/NAR.2023004
| [1] | Xue Chang . The impact of corporate tax outcomes on forced CEO turnover. National Accounting Review, 2022, 4(3): 218-236. doi: 10.3934/NAR.2022013 |
| [2] | Jinhui Zhu, Zhenghui Li . Can digital financial inclusion effectively stimulate technological Innovation of agricultural enterprises?—A case study on China. National Accounting Review, 2021, 3(4): 398-421. doi: 10.3934/NAR.2021021 |
| [3] | Pavel Ivanov, Tatyana Altufeva . Stimulating the processes of attracting investments in industry of the constituent entities of the Russian Federation. National Accounting Review, 2024, 6(3): 352-366. doi: 10.3934/NAR.2024016 |
| [4] | Fabrizio Antolini . Evaluating public expenditures on tourism: the utility of the Italian public accounting reforms. National Accounting Review, 2021, 3(2): 179-203. doi: 10.3934/NAR.2021009 |
| [5] | Sweta C. Saxena, Giuseppe Tesoriere, Syed T. Ahmed, Wafa Aidi . Building new social contracts: a critical review of ideas and actions to fulfill African aspirations through education. National Accounting Review, 2025, 7(1): 85-105. doi: 10.3934/NAR.2025004 |
| [6] | Shan Huang, Khor Teik Huat, Zifei Zhou . The studies on Chinese traditional culture and corporate environmental responsibility: literature review and its implications. National Accounting Review, 2022, 4(1): 1-15. doi: 10.3934/NAR.2022001 |
| [7] | Jaroslav Sedláček, Veronika Popelková . Non-financial information and their reporting—evidence of small and medium-sized enterprises and large corporations on the Czech capital market. National Accounting Review, 2020, 2(2): 204-216. doi: 10.3934/NAR.2020012 |
| [8] | Francesco Scalamonti . A quantitative and qualitative macroeconomic and sociopolitical outlook of the MEDA transitional economies: development-paths, governance climate, and sociocultural factors. National Accounting Review, 2024, 6(3): 407-448. doi: 10.3934/NAR.2024019 |
| [9] | Daniel Francois Meyer . Economic sectoral diversification: A case study of the Gauteng provincial region, South Africa. National Accounting Review, 2023, 5(4): 356-372. doi: 10.3934/NAR.2023021 |
| [10] | Serena Fatica, Wildmer Daniel Gregori . Income shifting by multinational enterprises as a source of mismeasurement in aggregate statistics. National Accounting Review, 2024, 6(4): 548-563. doi: 10.3934/NAR.2024025 |
In addition to integrated reporting, which was arguably first introduced by the third King Report on Governance for South Africa (King Ⅲ), King Ⅲ also formally introduced the combined assurance model as a further governance innovation, aimed at enhancing the quality of organisational reporting. Although the combined assurance model is primarily an internal enterprise risk management innovation, designed to incorporate, integrate and optimise all assurance services and functions, it simultaneously enhances the credibility of organisational reporting. Taken as a whole, the combined assurance model enables an effective control environment, supports the integrity of information used for internal decision-making by management, the governing body and its committees; while supporting the integrity of the organisation's external reports. Organisations adopting King Ⅳ, including state-owned enterprises (SOEs), are expected to explain how the provisions of the combined assurance model have been implemented. Explaining conformance, introduces an element of innovation into organisational reporting as envisaged by King Ⅳ, by providing stakeholders with assurance about the veracity of the disclosures contained in the internal and external reports of organisations. This exploratory paper analyses the extent to which South African SOEs have conformed to seven key combined assurance indicators. The disclosures contained in the publicly available annual/integrated reports of South African SOEs, listed in Schedule 2 of the Public Finance Management Act (PFMA), were thematically analysed to fulfil the objective of the study. We found that although the combined assurance related disclosures suggest high levels of adoption by some SOEs, the majority have not provided sufficient information to explain how they have applied combined assurance, if at all. Although their reports appear to provide internal management with some level of assurance about the extent to which risks have been managed, these reports may not necessarily provide external users with confidence that all material risks have been effectively mitigated, within the organisation's risk appetite. This paper discuses implications for policy and practice and concludes by providing avenues for further research.
Observers have attributed the surge in the number of corporate failures, fines and lawsuits, to inadequate or failed governance, risk and compliance processes (Chikwiri and de la Rosa, 2015; PWC, 2019). Similarly, commentators have suggested that the 2008 global financial crisis was caused by poor risk management, exacerbated by the failure to timeously discover and mitigate risks due to ineffective identification or assessment processes (Decaux and Sarens, 2015; Forte and Barac, 2015). Others opined that boards of directors do not always have access to pertinent risk-related information, to properly discharge their oversight responsibilities, and that even when they do have access, may be unable to process the available information (Decaux and Sarens, 2015; KPMG, 2021; Pirson and Turnbull, 2011). The focus of the monitoring and control function should therefore move away from assuring the effectiveness of internal controls, to assuring the effectiveness of risk management processes (Decaux and Sarens, 2015; KPMG, 2021; Shortreed et al., 2012). Internal controls alone are insufficient, a broader risk management strategy is necessary (Ampri and Adhariani, 2019), since risk management is integrated with the strategic side of business and is more inclusive than internal controls, which focus on the operational side of business and may not effectively link with higher objectives and strategies (Decaux and Sarens, 2015).
Organisational governance therefore tends to improve when boards receive assurance about the effectiveness of both risk management and internal control systems. The introduction of the combined assurance model confirms the importance of a robust system of enterprise risk management (ERM) and attempts to provide the board with a broad range of assurance over an organisation's activities. ERM is a process of identifying events that could negatively impact organisational activities, requiring identified risks to be managed within the organisation's risk appetite, across all business making ERM a fundamental and integral component of corporate governance (Forte and Barac, 2015; Prinsloo and Maroun, 2020). Organisations constantly face new and disruptive challenges, ever-increasing levels of complexity, regulatory challenges, as well as market instability and unforeseen global events such as wars, pandemics and climate change (PWC, 2021). Organisations should therefore ensure that their operations are safeguarded, and that stakeholder confidence is preserved (PWC, 2021).
PWC's 24th Annual Global CEO Survey for 2021, finds that the main way business leaders regain stakeholder trust, is by transparently sharing information about how their organisations create value for their beneficiaries. However, CEOs expressed concern about the spread of organisational misinformation (PWC, 2021), which historically contributes to low levels of trust. Boards must therefore adopt a broader and more holistic approach to identifying and managing risk to protect stakeholder trust (IoDSA, 2016, 2009; PWC, 2021). One of the tools that has recently emerged to deal with such a risk management approach, is the combined assurance model.
Not only was the concept of integrated reporting first introduced by the King Report on Governance for South Africa (King Ⅲ), in 2009, so too was combined assurance (IoDSA, 2009). Combined assurance is a reporting innovation aimed at integrating and optimising all assurance services and functions, to facilitate an effective control environment, support the integrity of information used by management and the governing body for internal decision-making, while providing assurance about the veracity of the disclosures in external organisational reports (Hoang and Phang, 2020; IoDSA, 2016; Decaux and Sarens, 2015). Combined assurance coordinates and integrates the diverse assurance services provided by various role-players, responding to increasing organisational complexity. Combined assurance decreases assurance fatigue, reducing the duplication of assurance services, improving reporting quality, while also being a tool to assist with risk management (Decaux and Sarens, 2015; Zhou et al., 2019). The combined assurance model promotes a shared understanding of risk and control information, enabling the board to confidently assess whether controls are really addressing critical operational risks, reducing siloed thinking, and enabling an integrated approach to developing, implementing and maintaining an effective internal control environment (CGF Research Institute, 2019). Unlike King Ⅲ, which required the governing bodies of organisations to apply the combined assurance model (principle 3.5) (IoDSA, 2009), or to explain why it has not, in addition to applying its principles, principle 15 of King Ⅳ requires organisations to describe how the various assurance providers have enabled an effective control environment with reference to combined assurance (IoDSA, 2016). It is important to note that the various iterations of the King Reports, apply equally to both private and public sector organisations, and to SOEs in particular. The board of directors, also referred to as the accounting authority, or those charged with governance, is the governing body of a South African SOE accountable to Parliament (IoDSA, 2016).
The internal audit function's unique position within the organisation, arguably perfectly positions it to coordinate the combined assurance model (Coetzee and Lubbe, 2011; Hoang and Phang, 2020). Recent corporate governance developments, further underscore the important contribution of internal audit in this regard (Millichamp and Taylor, 2018). Although internal audit is usually considered a voluntary governance intervention in most jurisdictions around the world, the Public Finance Management Act (PFMA), applicable to the South African public sector, makes the provision of an effective internal audit function, mandatory for all SOEs (South Africa, 1999). Despite being independent of operations and adopting a risk-based auditing approach, the internal audit activities are overseen and approved by the audit committee and/or the board, which may be unduly influenced by management (Keasey and Wright, 1993). Combined assurance assists in reducing the opportunity for management, the audit committee and/or the board, to influence the activities of the internal audit function for their benefit (Ampri and Adhariani, 2019; Hoang and Phang, 2020).
Corporate governance has been identified as the most problematic issue facing SOEs (Okhmatovskiy et al., 2021). Although effective corporate governance may assist to resolve agency problems, such as information asymmetry (Hussain et al., 2018), the audit committee and accordingly the board, usually rely on disparate information for effective decision-making. Correctly implemented combined assurance is not only able to streamline assurance processes, but it also to provide more holistic and comprehensive insights into how the organisation is managing its material risks. Engaging with several assurance providers, as well as receiving appropriate assurances from management, contribute to the board's ability to ensure the veracity of organisational reports and disclosures, which both internal and external stakeholders rely on.
Relatively little is known about the extent to which public sector organisations, have implemented the combined assurance model for their annual/integrated reports (hereafter, annual reports), with prior research mainly focusing on private sector enterprises (Decaux and Sarens, 2015; Maroun and Prinsloo, 2020; Prinsloo and Maroun, 2020), resulting in a paucity of research on combined assurance amongst SOEs. Given that combined assurance is a key principle of King Ⅳ, this paper appropriately investigates the combined assurance disclosures of commercially oriented South African SOEs, an African Union and Southern African Development Community (SADC) member country.
Our paper makes three main contributions. The first, reflects on the evolution from a 'comply or explain' approach advocated by King Ⅲ to King Ⅳ's 'apply and explain' approach. The second, reflects on the extent to which South African SOEs have deployed the combined assurance model. Finally, we document the implications for policy and practice and provide recommendations to improve implementation of the combined assurance model.
Often utilising public resources to provide goods and services on behalf of their respective governments, obliges SOEs to not only to account to the state, but also to the taxpaying public. Notwithstanding the state being the notional shareholder of SOEs, given the state's use of public funds to finance SOEs, we assert that the public are the real providers of financial capital and accordingly, the real owners of SOEs, to whom they should account (Ackers and Adebayo, 2022). The issue of accountability is accordingly more relevant to public sector organisations (Bovens et al., 2014). We commence the literature review by discussing how combined assurance, could be deployed as a mechanism to augment corporate governance practices, improve risk management and enhance the credibility of SOE disclosures. Thereafter, we examine the corporate governance provisions applicable to South African SOEs, before developing a framework of the indicators SOEs should disclose about their combined assurance practices.
South Africa has more than 700 public enterprises1, categorised as Constitutional Institutions (Schedule 1), Major Public Enterprises (Schedule 2), and Other Public Entities (Schedule 3), which is further divided into National Public Entities (Part A), National Government Business Enterprises (Part B), Provincial Public Entities (Part C) and Provincial Government Business Enterprises (Part D) (South Africa, 1999). This study is however, confined to the SOEs listed in Schedule 2, mandated to generate funds to cover their own operational costs and expansion programmes (Thomas, 2012). This profit-orientation differentiates Schedule 2 SOEs from other PFMA entities. Apart from Telkom, which is partly state-owned, listed on the Johannesburg Stock Exchange and operates autonomously, the remaining SOEs operate under the executive authority of various government departments, such as National Treasury or Public Enterprises.
1Available at: https://www.state.gov/reports/2021-investment-climate-statements/south-africa/.
Governance in the public sector and in particularly in SOEs, usually involves balancing the conflicting objectives of providing affordable public goods and services, and surplus generation, despite SOEs often being loss-making and requiring substantial state subsidies (Ebrahim et al., 2014; Klijn, 2008). Since the primary purpose of SOEs, is arguably to serve the public interest (Mansi et al., 2017), SOEs often focus their accountability disclosures on how they have addressed their social mandates (Almquist et al., 2013). Accountability involves being answerable for decisions or actions, which is a critical component of good governance (Bovens, 2010; Devaney, 2016).
Each South African SOE is governed by a combination of its own enabling legislation, the PFMA and the Companies Act of 2008, and not by an overarching central Act. The Companies Act stipulates that the provisions applicable to publicly listed companies, apply equally to SOEs. When conflicts arise between an individual SOE Act and the Companies Act, the Companies Act prescribes that "(a) the provisions of both Acts apply concurrently, to the extent that it is possible to apply and comply with one of the inconsistent provisions without contravening the second; and (b) to the extent that it is impossible to apply or comply with one of the inconsistent provisions without contravening the second" (South Africa, 2008, p.38). Other legislation, regulations and frameworks relevant to South African SOEs include King Ⅳ, the Protocol on Corporate Governance in the Public Sector (the Protocol) (South Africa, 2002), the Treasury Regulations for Departments, Trading Entities, Constitutional Institutions and Public Entities, issued in terms of the PFMA (South Africa, 2005). Unlike the King code which covers a broad range of private and public sector organisations, the Protocol provides the public sector with specific guidance and takes the unique mandate of each SOE into account, including the need to achieve the state's socio/politico/economic objectives (South Africa, 2000). Part 5 of the Protocol addresses governance in public enterprises, including issues such as boards of directors and financial governance. Part 2, Section 2.1 of the Protocol specifically identifies the King Code as the main corporate governance, legal and policy framework, applicable to South African SOEs, asserting that "The purpose of the King Report is to promote the highest standards of corporate governance in South Africa; the Code of Corporate Practices and Conduct contained in the King Report applies inter alia, to SOEs and agencies that fall under the PFMA" (South Africa, 2000, p.3). Notwithstanding the various legislation, regulations, frameworks, protocols and guidelines, the application of the King Ⅳ principles is not mandatory for South African SOEs, but arguably remains a voluntary governance intervention. Although the PFMA does not explicitly list or categorise South African SOEs as SOEs, some SOEs are included under Schedule 2 (Major Public Entities), with others under Schedule 3B (National Government Business Enterprises) (South Africa, 1999).
The Public Audit Act (South Africa, 2004) provides the Auditor-General of South Africa (AGSA) with a mandate to perform regularity audits over South African public sector organisations, including SOEs (Nzewi and Musokeru, 2014; South Africa, 2004). Unlike external auditors in the private sector, the Public Audit Act provides public sector auditors with an expanded mandate to not only provide an audit opinion on the extent to which the annual financial statements are fairly presented in all material respects, but also on the extent of compliance with applicable legislation and regulations, as well as on their performance against predetermined objectives (South Africa, 2004, p.23). However, the Public Audit Act and King Ⅳ, allows the AGSA to either audit the SOEs, or permits the audit committees of SOEs to nominate third party external auditors to fulfil this role (IoDSA, 2016).
Combined assurance assists to ensure that material organisational risks are effectively and efficiently managed, optimally integrating various assurance processes and providers (Decaux and Sarens, 2015; Donkor et al., 2021). Unlike assurance models that deal with single reports in an insular manner, such as financial statements or sustainability reports, the need for a combined assurance model is necessitated by increasing organisational complexity, requiring a diversity of both internal and external assurance role-players (Donkor et al., 2021). Assurance in this regard, is therefore more than the opinion by an independent assuror on the financial statements, or on selected disclosures in sustainability or integrated reports (Maroun, 2019).
Combined assurance, shared between a range of internal and external assurance providers, enables a holistic overview of the entire assurance process (Engelbrecht and Deegan, 2010). It promotes a shared understanding of risk and control information, improving the board's ability to competently assess the extent to which internal controls address critical business risks, reducing organisational siloed thinking, and enabling an integrated approach to developing an effective control environment (CGF Research Institute, 2019). The emphasis on ensuring effective risk management, expands the orientation of internal audit from merely being compliance-based, to adopting a risk-based approach as expounded by King Ⅳ (IoDSA, 2016). Combined assurance is therefore more than simply obtaining assurance from independent third-party experts, and should be part of a broader ERM strategy, which address various types of systems, processes, controls and professional services, upon which the board relies to effectively discharge its fiduciary duties. As such, combined assurance serves a dual purpose: first, as a risk management tool; and second, as an assurance tool (Simnett et al., 2016). Combined assurance, accordingly, provides a contemporary cost-effective assurance framework, which enhances the quality and credibility of information relating to the organisation (Zhou et al., 2019).
Integrating and aligning assurance processes, optimises oversight over organisational risk management, corporate governance and control efficiencies, while optimising overall assurance received by the audit and risk committee, within the organisation's risk appetite, is a key benefit of an effective combined assurance model (Engelbrecht and Deegan, 2010). In this regard, Hoang and Phang (2020) found that communicating combined assurance assisted in restoring the confidence of investors about the reliability of reported information, increasing their willingness to invest. A combined assurance approach enhances the reliability of existing information (de Villiers, et al., 2017), with the combined assurance model influencing the accuracy of analyst forecasts, thereby reducing information risk (Zhou et al., 2016). However, although combined assurance does enhance the reliability of existing information, it does not add new information, which analysts can use for more accurate forecasts. The ability of combined assurance to provide an appreciable level of assurance therefore depends on the effectiveness of the combined assurance model and how innovatively management describes how combined assurance has been used (Deloitte, 2016). Organisations have and increasingly continue developing integrated audits to ensure that the combined assurance model comprehensively covers the entire business (Sierra-García et al., 2015; Rivera-Arrubla et al., 2017). Combined assurance may therefore be considered a proxy of quality that could impact the presentation quality and disclosures of annual reports.
As discussed earlier, King Ⅲ principle 3.5 first introduced the combined assurance model, to coordinate all assurance activities and to overcome the information asymmetry arising from the agency problem (Ackers, 2017; BDO, 2017). King Ⅲ identifies the organisation's audit committee as the body responsible for monitoring the combined assurance model and ensuring that material risks have been identified and are being appropriately mitigated, within the organisation's risk appetite. Although King Ⅲ suggests that that the activities of the internal and external auditors should be coordinated to optimise assurance, it identifies the primary assurance role-players as including internal audit, risk management, quality assurers, environmental and occupational health and safety auditors, external audit, other external assurance providers and management (IoDSA, 2009). These assurance role-players were colloquially referred to as the 'three lines of defence' depicted in Figure 1 below, with management, internal assurors (such as internal audit) and external assurors (such as external audit), each providing the audit committee and/or the board, with assurance relating to different risks (Sarens et al., 2012).
The manner in which combined assurance has evolved since first being introduced in King Ⅲ, is reflected in the comprehensive way that King Ⅳ principle 15, requires the governing body to "ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and the organisation's external reports", when compared to the narrower view reflected in King Ⅲ principle 3.5, requiring the audit committee to "ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities". King Ⅳ further expands the concept of combined assurance by promoting a more inclusive approach and positioning combined assurance as a model that consolidates and enhances all assurance services and functions, enabling an effective control environment and improving the integrity of information used for internal decision-making by management, the governing body and its committees while supporting the integrity of the organisations' external reports (Hoang and Phang, 2020; IoDSA, 2016; Decaux and Sarens, 2015). As illustrated in Figure 2 below, King Ⅲ's 'three lines of defence' have evolved into King Ⅳ's 'five lines of assurance', which now include (ⅰ) line functions that own and manage risk, (ⅱ) specialist functions that oversee risk management and compliance, (ⅲ) internal assurance providers, such as internal auditors and forensic accountants, (ⅳ) external assurance providers, such as external auditors, and (ⅴ) other external assurance providers, such as sustainability auditors and external actuaries, and arguably also regulatory inspectors (Botes et al., 2020; IoDSA, 2016, p.68).
As illustrated in Figure 2 above, combined assurance harnesses the work of different types of assurance providers and the various types of assurances, while including relevant external regulators able to provide assurance on different aspects of organisational activities. In addition to independent third-party assurance providers, these external assurance providers, for example, include standards bureaux as well as health and safety bodies for manufacturing firms, civil aviation authorities for airlines and communications regulatory authorities for telecommunication firms. The combined assurance model introduces the concept of horizontal and vertical relationships relating to the depth and reach of the assurance providers, requiring coordination of assurance activities to enable the matrix of assurance providers to support the development of an effective control environment and ensure the integrity of reports. The five lines of assurance illustrated in Figure 2 above, are separated by the level of risk, ownership as well as the level of independence of assurance provider (Deloitte, 2016). The specific goal of combined assurance, as documented in King Ⅳ, is assisting the board assess the adequacy and effectiveness of the internal control environment, as well as the integrity of the information used for reporting and decision-making (Deloitte, 2016). As such, combined assurance provides assurance about the reliability of external stakeholder reporting, such as the annual reports, while remaining focused on the internal risk and control components (Hoang and Phang, 2020).
Audit committees and/or boards have a fiduciary responsibility to provide effective oversight over the combined assurance process, ensuring that the information contained in external reports are reliable. Whereas financial statement audits are usually mandatory in most jurisdictions, combined assurance remains a voluntary governance intervention covering unregulated reporting practices, such as integrated reporting. It is therefore imperative for the audit committee and/or board to consider whether the process or data will be assured, to determine the boundaries of such assurance, the level of assurance, the criteria against which the assurance will be evaluated, as well as assurance over future-orientated information. King Ⅳ specifically requires organisations to disclose and describe the nature of the assurance work performed, as well as the assurance conclusion (Deloitte, 2016; IoDSA, 2016).
King Ⅳ does not specify what the contents of organisational reports should include in relation to combined assurance. However, the 'apply and explain' approach advocated by King Ⅳ, not only requires South African organisations to implement combined assurance, but more importantly, to describe how the combined assurance model has been applied, increasing transparency (IoDSA, 2016; Prinsloo and Maroun, 2020; PWC, 2019). The combined assurance section of the annual report should at least cover seven areas identified in the literature (see especially Prinsloo and Maroun, 2020; PWC, 2019; Decaux and Sarens, 2015), as well as from King Ⅳ (IoDSA, 2016). These include: (ⅰ) assurance strategy, (ⅱ) assurance mapping, (ⅲ) diagrammatic modelling, (ⅳ) combined assurance forum, (ⅴ) assurance provided in the report, (ⅵ) combined assurance report and (ⅶ) audit committee review on effectiveness of combined assurance. These indicators discussed below should be disclosed in the annual report, and constitute the elements of the specifically developed combined assurance conformance reporting quality (CACRQ) index, reflected in Appendix Table A1.
The efficacy of the combined assurance model rests on the effectiveness of the organisation's risk management processes. The first step in implementing combined assurance, is therefore compiling a comprehensive assurance strategy to address the material risks facing the organisation. Combined assurance requires the board to actively consider the assurance it receives on the identified risks to which the organisation is exposed, focusing on how assurance is achieved and reported (PWC, 2009). To ensure that assurance efforts focus on the significant risks, requires high level agreement on the material risks (Decaux and Sarens, 2015). The effectiveness of the combined assurance model to address the identified risks, therefore depends on comprehensively documenting and mapping the risk universe, enabling the effective coordination of the assurance provided by the various lines of assurance.
Implementing the combined assurance model requires all assurance providers to be identified and mapped, according to their respective contributions to the lines of assurance (IoDSA, 2016; Decaux and Sarens, 2015). It is imperative to provide a clear accountability model that addresses the organisation's significant risks (Decaux and Sarens, 2015). As more assurance providers emerge, a comprehensive mapping process provides an integrated view of the various assurance processes and providers, ensuring that the participants in each line of assurance, are aware of their respective responsibilities.
The next step involves diagrammatically illustrating the combined assurance model. Graphically providing pertinent information about both the process and the role-players, improves the ability of report users to understand who is doing what (Decaux and Sarens, 2015). The importance of diagrammatically modelling the combined assurance process, was illustrated by Nkonki2 in their SOE Integrated Reporting Awards for 2016, noting that the judges were particularly impressed at how ESKOM had innovatively "included a very good graphic of the combined assurance model with the lines of defence" in their 2015 integrated report (Nkonki, 2016, p.17), depicted in Figure 3, below.
2A South African firm of external auditors at the time.
The key to implementing combined assurance is the establishment of combined assurance forums to implement and embed the combined assurance framework principles (Chikwiri and de la Rosa, 2015). Thus, establishing a new governance committee (combined assurance forum) should assist in ensuring that various aspects of the combined assurance process have been effectively implemented. Decaux and Sarens (2015) note that such forums ensure that organisations receive the right amount of assurance over the correct areas, from appropriate assurance providers, with the most relevant expertise and skills, as cost effectively as possible. Forums permit participants to assess various aspects of combined assurance, such as the views of assurance providers, the planned assurance activities, the assurance activities covered, as well as emerging areas of concern. In this regard, as previously submitted, the internal audit function is ideally positioned to coordinate the combined assurance model and accordingly the forum (Coetzee and Lubbe, 2011; Hoang and Phang, 2020). Decaux and Sarens (2015) contend that forums permit organisations to:
● Report combined assurance activities to the audit committee, providing the board and other stakeholders with assurance that an appropriate combined assurance process exists;
● Define a framework and consistent reporting requirements for combined assurance, as well as the taxonomy to be used;
● Communicate combined assurance activities and impacts to the stakeholders;
● Provide guidance and direction regarding combined assurance activities; and,
● Escalate to those charged with governance, when combined assurance activities are not progressing as intended.
Since it is not mandatory for all annual report disclosures to be independently assured, organisations should identify the components that have been subject to some type of assurance, thereby assisting report users understand which disclosures have been assured (IoDSA, 2016, 2009). This assurance should be provided as an affirmative statement and described in the combined assurance report section of the annual report.
Since the provision of combined assurance is a specific King Ⅳ requirement, South African organisations, including SOEs, should not only disclose the adoption of combined assurance, but also explain how the combined assurance model has been implemented. King Ⅳ enhances accountability by requiring organisations to disclose sufficient relevant information, allowing report users understand exactly what has been assured and by whom. The annual report should therefore include a section clearly demarcated as a combined assurance report.
The combination of fiduciary responsibilities, strategic role and oversight function of the governing body, makes it the appropriate custodian of the combined assurance model. King Ⅳ requires the governing body, or the audit committee on its behalf, to establish and oversee the implementation of the combined assurance model, ensuring that all assurance activities are effectively coordinated and that all significant risks are adequately addressed (Deloitte, 2016). As illustrated in Figure 2, since the governing body and its committees represent the fifth or final line of assurance, it is appropriate for them to have the final say on how the combined assurance model will be implemented and the process mapped. The specific tasks include, providing oversight to ensure that the following objectives are achieved:
1. Enabling an effective internal control environment;
2. Supporting the integrity of information used for internal decision-making by management, the governing body and its committees; and,
3. Supporting the integrity of external reports.
The empirical component of this study included a thematic content analysis of archival documents, guided by the approach exemplified by Thomas (2012). Using the CACRQ index specifically developed for this study, the first phase thematically analysed the extent to which purposively selected South African SOEs disclosed their combined assurance practices in publicly available annual reports. For the purpose of this paper, annual reports include integrated reports. In the second phase, the annual reports were scrutinised to establish how innovatively SOEs disclosed their combined assurance practices, especially since the King Ⅳ apply and explain principle, advocates an innovative approach to corporate governance. Investigating the combined assurance disclosures of South African SOEs, provides important insights into how effective implementation of the combined assurance model could assist organisations ensure that both internal and external stakeholders are provided with accurate, complete and reliable reports, thereby improving external report credibility.
This study investigates the disclosed combined assurance practices of SOEs in South Africa. Although South Africa has approximately 700 SOEs (USA, 2021), the purposively selected sample for this study is confined to the 21 Major Public Entities (SOEs) listed in Schedule 2 of the PFMA (South Africa, 1999), based on their size, national importance and the expectation that they should fund their own operational costs and expansion programmes. The perception that South Africa has strong corporate governance practices, including leadership in combined assurance (Atkins et al., 2015; Zhou et al., 2019), makes it a suitable country to investigate the disclosure of combined assurance practices by SOEs. Despite increased topicality, combined assurance has been part of South African corporate governance practices since 2002 (Maroun and Prinsloo, 2020). It has since become an embedded practice amongst many private and public sector organisations in South Africa, and is widely acknowledged as a credible mechanism to ensure the integrity of organisational reporting (IoDSA, 2016, 2009). Consequently, South Africa offers a mature assurance environment for studying variations in combined assurance models (Zhou et al., 2019).
The content analysis used a purposively developed index of CACRQ indicators (disclosed in Appendix Table A1), to identify the SOEs whose annual reports referenced their combined assurance practices, and the extent thereof, as well as how the index allowed for comparability and cross-indicator analysis (Miles and Huberman, 1994). We obtained secondary data from the most recent annual reports of the 21 South African SOEs, publicly available on their institutional websites. However, our search revealed that the most recent annual reports of the South African SOEs related to 2021/2022, 2020/2021 or even 2019/2020, with the most recent reports of South African Airways and South African Express being for 2016/2017, caused by serious failures in financial governance (Daily Maverick, 2019). Therefore, to meaningfully compare the combined assurance disclosures of the various SOEs across the same reporting period, we only used the reports for the 2019/2020 year (even when they were not the most recent), and excluded the reports of South African Airways and South African Express, reducing the study sample to 19 SOEs. Of these 19 SOEs, six prepared annual reports (31.6%) and thirteen SOEs prepared integrated reports (68.4%), as reflected in Appendix Table A2. It is noteworthy that all four SOEs achieving perfect CACRQ index scores (reflected in Appendix Table A2) prepared integrated reports.
Important themes relating to the disclosure of combined assurance practices were identified through thematic analysis (Daly et al., 1997). These themes are posteriori indicators based on the review of scholarly literature, corporate governance codes, internal organisational documents, as well as documents from professional accounting bodies and firms. The data emerging from the content analysis of the SOE annual reports, were analysed using scores calculated using the CACRQ index, based on whether the predetermined combined assurance reporting indicators were disclosed (Gerged et al., 2018). The semantic content analysis coding was based on the perceived meaning of the textual narrative, or diagrams, and not simply on the occurrence of specific words, or images (Liu et al., 2019). Similar studies using content analysis have either used disclosure indices (Abhishek and Divyashree, 2019; Chariri, 2019; Kiliç and Kuzey, 2018; Liu et al., 2019; Nakib and Dey, 2018; Rivera-Arrubla, et al., 2017), or scoring systems (Eccles et al., 2019; Ghani et al., 2018; Pistoni et al., 2018; Ruiz-Lozano and Tirado-Valencia, 2016).
To meaningfully interpret these SOE annual report disclosures within the context of the combined assurance framework, ordinal measures are used to categorise the SOE's CACRQ scores, reflected in Table 1, based on the following two-point scale.
| SN | Rating categories |
| 1 | Assurance strategy |
| 2 | Assurance mapping |
| 3 | Diagrammatic modelling |
| 4 | Combined assurance forum |
| 5 | Assurance provided in the report |
| 6 | Combined assurance report |
| 7 | Audit committee reviews the effectiveness of combined assurance |
DownLoad:
CSV
1. no relevant disclosures.
2. relevant disclosures.
A two-point rather than a three- or four-point scale was adopted to limit researcher bias by using binary classification, simply based on whether the identified category has been disclosed. The purposively developed rating system and disclosure indicators, identifies the seven core categories (identified in Table 1 and described in Appendix Table A1), that should be reflected relating to combined assurance. The raw scores used to calculate the disclosure index, is based on a scores of one (1) representing no relevant disclosures, or non-reporting on the underlying category, and two (2) indicating disclosure of the category. Thus, the maximum cumulative score for the seven CACRQ indicators is 14 points. Similarly, the optimal score for each individual SOE is 14 points. To limit research subjectivity, quality elements were treated as having equal importance (Prinsloo and Maroun, 2020). The equation below is used to establish the cumulative mean value of the CACRQ, indicating that scores tending towards two (2) implies better SOE adherence with the combined assurance principles:
| (1) |
Researcher bias may occur in qualitative research generally, and in archival analysis in particular (Mackieson et al., 2018). Thus, purposive and not convenience sampling, was used to minimise selection bias (Smith and Noble, 2014), with the selection process being described. Further, to minimise analysis bias (Smith and Noble, 2014), some order was imposed on the data by developing a rating scale to ensure a systematic and rigorous analysis of the unstructured data used in this study (Mackieson et al., 2018). An applied thematic approach (Guest et al., 2012) (ATA) was used to limit researcher bias (Mackieson et al., 2018). The ATA framework was specifically developed to provide a purposeful and systematic approach to qualitative research and for planning and preparing text-based qualitative analysis. To further reduce bias, the analysis was undertaken in three distinct phases, informed by insights from Mackieson et al. (2018) and Guest et al. (2012). In the first phase, the rating tool was developed in line with similar previous studies and observations by credible professional bodies. In the second phase, each of the two researchers on the project, independently analysed the reports of the sampled SOE reports using the CACRQ rating tool. Finally, in the third phase, the results were compared and deliberated in depth on a few minor discrepancies found, before consensus was reached and conclusions drawn.
The study observations provide a general overview of the state of combined assurance amongst the SOEs included in the study, before reflecting on each of the seven indicators, both at a cumulative level, as well as by each included SOE.
The CACRQ index scores depicted in Table 2, ranging from a perfect mean score of 2.0, in terms of which all SOEs mapped their risks and described their combined assurance strategy, to the lowest mean score of 1.26 for diagrammatically modelling the combined assurance process, reveal inconsistent SOE conformance with the CACRQ indicators. It is however, acknowledged that mapping the risks and disclosing the assurance strategy, does not necessarily translate into conformance with the combined assurance principles. Although all the SOEs reported their risks and strategies, not all formally adopted the combined assurance model (see for example, Independent Development Trust, South African Airways and South African Express).
| Assurance Strategy | Assurance Mapping | Diagrammatic Modelling | Combined Assurance Forum | Assurance Provided in the Report | Combined Assurance Report | Audit Committee review | ||
| N | Valid | 19 | 19 | 19 | 19 | 19 | 19 | 19 |
| Missing | 2 | 2 | 2 | 2 | 2 | 2 | 2 | |
| Mean | 2.0 | 1.42 | 1.26 | 1.37 | 1.89 | 1.42 | 1.47 | |
| Minimum | 2 | 1 | 1 | 1 | 1 | 1 | 1 | |
| Maximum | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
DownLoad:
CSV
It may be argued that the 100% conformance of SOEs disclosing their combined assurance strategies, suggests that risk management may already have been an integral SOE reporting practice (Maroun and Prinsloo, 2020; Chikwiri and de la Rosa, 2015; Decaux and Sarens, 2015), before King Ⅲ (IoDSA, 2009) formally introduced of combined assurance. By contrast to the optimal assurance strategy disclosure score (μ = 2.00), the lowest disclosure score achieved was for diagrammatically modelling the combined assurance process (μ = 1.26). Although this aspect is not mandatory, graphically depicting it in a report reflects innovative combined assurance reporting (Nkonki, 2016), providing users with an overview of the combined assurance approach adopted.
Developing an appropriate assurance strategy requires organisations to first identify the significant risks that could prevent the achievement of objectives. ERM is therefore about articulating the universe of risks that should be assured through a comprehensive combined assurance programme (Chikwiri and de la Rosa, 2015; Forte and Barac, 2015). It is accordingly unsurprising that SOEs conformed better in respect of identifying their risks and disclosing their assurance strategies (μ = 2), than in respect of the other five indicators. Further analysis reveals that in addition to having audit committees, some SOEs also have enterprise risk committees charged with assessing and managing risks, while others have consolidated these into a single committee. In this regard, in addition to a Board Audit Committee, the Industrial Development Corporation also has a Board Risk and Sustainability Committee (Industrial Development Corporation, Integrated Report, 2020). Similarly, Telkom also has a Risk Committee in addition to its Audit Committee (Telkom, Integrated Report, 2020). In essence, all SOEs appear to have adequate risk assessment practices and assurance strategies.
Since assurance mapping provides a comprehensive overview of the assurance provided by all internal and external assurance providers, it may be argued that mapping may be the most important component of combined assurance disclosure (Deloitte, 2016; IoDSA, 2016). Nevertheless, Table 2 reveals that most SOEs do not really disclose this indicator (μ = 1.42). Further analysis, illustrated in Table 3, shows that only eight SOEs (42%) disclosed this indicator. The 2020 Integrated Report of DENEL (p.94) compellingly describes assurance mapping as:
| Assurance Strategy | Assurance Mapping | Diagrammatic Modelling | Combined Assurance Forum | Assurance Provided in the Report | Combined Assurance Report | Audit Committee review | |
| Relevant disclosure by SOEs | 19 | 8 | 5 | 7 | 17 | 8 | 9 |
| % of Relevant disclosures | 100% | 42% | 26% | 37% | 89% | 42% | 47% |
DownLoad:
CSV
"Assurance is provided through management self-assessments, observations, risk management, internal audit, external audit, the Parliamentary Portfolio Committee, as well as various external bodies. External bodies involved in Denel include the National Key Point Secretariat, National Conventional Arms Inspections and Audit Directorate, Armscor, the South African Bureau of Standards, Dekra, Bureau Veritas, OEMs and the South African National Accreditation System. Internal Audit conducts a risk-based assessment of the control environment, and management assurance covers all critical business processes and their performance. Internal audit completes its assurance processes based on the approved audit plan designed for Denel's risk profile. External Audit follows a specific audit scope approved by the Audit Committee and places reliance on internal audit work, as and where appropriate".
In addition to assisting DENEL streamline its operations by engaging both internal and external experts, disclosing this information in their publicly available integrated report appears to confirm DENEL's desire to continuously improve its combined assurance processes and enhance the understanding of report users about how assurance is provided over the veracity of the disclosures, highlighting the importance of the combined assurance model to both shareholders and stakeholders (Hoang and Phang, 2020; Prinsloo and Maroun, 2020; IoDSA, 2016, 2009).
Diagrammatically modelling the combined assurance process, reveals how concisely organisations have implemented combined assurance and how innovatively their combined assurance practices have been disclosed. However, Table 2 identifies this indicator as having the lowest cumulative mean score (μ = 1.26) of the seven indicators. Table 3 shows that only five of the SOEs (26%), diagrammatically modelled their combined assurance process, albeit not always in sufficient detail. It is submitted that this may be attributed to King Ⅳ not diagrammatically representing the five lines of assurance (IoDSA, 2016), unlike King Ⅲ where the (previous) three lines of defence were graphically illustrated. The ambiguity resulting from the inconsistent requirements of King Ⅲ and King Ⅳ, may also have contributed to the poor conformance, as evidenced by Telkom's diagrammatic modelling of its combined assurance process (depicted in Figure 4), still being based on the three lines of defence presented in King Ⅲ, and not on King Ⅳ's five lines of assurance encapsulated by ESKOM (reflected in Figure 5). Although Telkom should be commended for its diagrammatic presentation, it should be noted that not only is their model based on the outdated three lines of defence, but it also fails to disclose pertinent information required to comprehensively illustrate its combined assurance process.
Interestingly, by comparison, reflecting the evolutionary nature of the quest to constantly improve the quality of the accountability mechanisms and disclosures of organisations, it should be noted that whereas the combined assurance model of ESKOM lauded by Nkonki in 2016 (illustrated in Figure 3), was based on the 'three lines of defence' advocated by King Ⅲ, by 2020, ESKOM had refined their combined assurance model to incorporate the 'five lines of assurance' promoted by King Ⅳ (depicted in Figure 5 below). ESKOM's revised combined assurance model now includes assurance provided by the (1) oversight bodies (including the board and audit committee), (2) assurance providers (including both internal and external auditors), (3) functional management (including those responsible for specialist control functions, and those responsible for management of risk, resilience and compliance), (4) operational management (including those responsible for management and review functions), and (5) those responsible for operational execution and provision of supervisory oversight.
Table 2 reveals that SOEs appear to implement combined assurance differently (μ = 1.37). The majority of SOEs (n = 12), representing 63%, did not report on establishing a separate committee to oversee the adoption and implementation of the combined assurance model. Instead, some SOEs assigned the responsibility for implementation directly to the audit committee, whereas others established forums. Our results indicate that five of the seven SOEs that achieved maximum cumulative mean scores (μ = 2) (reflected in Table 4), established a sub-committee (forum) with a specific mandate to address combined assurance matters. This appears to imply that establishing a special forum to deal with combined assurance is more likely to result in better adoption and reporting of the combined assurance.
| Cumulative mean | 2.00 | 1.86 | 1.71 | 1.43 | 1.29 | 1.14 |
| Sampled SOEs | Broadband Infrastructure Company | ESKOM | DENEL | Alexkor | Air Traffic and Navigation Services | Independent Development Trust |
| Industrial Development Corporation | Development Bank | Armaments Corporation | Airports Company | Transnet | ||
| Land and Agricultural Bank | Trans-Caledon Tunnel Authority | Central Energy Fund | South African Broadcasting Corporation | |||
| Telkom | South African Forestry Company | South African Nuclear Energy Corporation | ||||
| South African Post Office |
DownLoad:
CSV
Table 2 shows that the majority of SOEs disclosed that some assurance was provided over some aspect(s) of the disclosures presented in the reports (μ = 1.89). As reflected in Table 3, 17 of the SOEs (89%) disclosed that their reports were subjected to some form of assurance process. King Ⅳ, the Companies Act, as well as the incorporating legislation of the respective SOEs, require South African publicly-listed companies and SOEs to disclose how they have applied the combined assurance model and to identify which aspects of their reports have been independently and fully assured (IoDSA, 2016; 2009). Although this is a fundamental regulatory requirement with which all SOEs were expected to comply, not all did. For example, neither the Independent Development Trust, nor Transnet appear to have adopted the combined assurance model.
The requirement for reports of organisations in South Africa, including SOEs, to indicate that it has been independently and fully assured, coupled with the King Ⅳ requirement that organisations should explain how they have applied combined assurance, implies that including a combined assurance report provides veracity to the underlying annual report disclosures. The low mean score achieved for this indicator (μ = 1.42), results from only eight SOEs (42%) appearing to recognise the importance of having a separate section dealing with combined assurance, although no SOEs actually referred to it as a report. Five of the eight conforming SOEs that provided a separate section dealing with combined assurance, achieved the maximum mean score (μ = 2) relating to their performance across the seven indicators (as seen in Table 4). It remains disconcerting that none of the combined assurance models of any of the SOEs appear to have sufficiently matured to convince both internal and external stakeholders that the combined assurance model has been properly applied, improving the integrity of the information used for internal operations or to ensure the veracity of external reporting.
The combined assurance report should describe how the audit committee monitored the relationship between the external assurance providers and the organisation, as well as how it has ensured that the combined assurance model addresses all the material risks facing the organisation, or to at least provide a review statement on combined assurance. Although no SOEs adhered with the former, the observed mean score for this indicator (μ = 1.47) suggests that the audit committees of several SOEs did provide some type of review of the combined assurance process, albeit not in sufficient detail. In total only nine SOEs (47%) addressed this indicator. However, these disclosures are not what was envisaged for review statements, as illustrated by ESKOM's Audit and Risk Committee (ARC) revealing that:
"ARC has concluded that the systems and processes of risk management and compliance are adequate, although the effectiveness and application thereof need to be improved. Internal financial controls are considered adequate for Eskom's financial records to be relied upon, and for the preparation of reliable financial statements. Furthermore, ARC is satisfied that A & F is operated effectively and that Eskom has access to adequate resources, facilities and support from Government to be able to continue its operations as a going concern for the foreseeable future. ARC is satisfied with the quality of the external audit as well as the independence and objectivity of the external auditors" (ESKOM Integrated Report, 2020, p.28).
The main difference between the statement by ESKOM and the other eight SOEs, is that only ESKOM presented the statement in a separate combined assurance section. Furthermore, with reference to the other six indicators, it is self-evident that the above review statement itself, falls short of what such a report should entail.
As illustrated in Table 4, the cumulative mean scores for the seven indicators, shows that four SOEs (19%) achieved maximum scores (μ = 2) across the seven indicators. This observation suggests that SOEs have not really conformed to the requirements of the combined assurance model. The lowest mean score (μ = 1.14) was also achieved by four SOEs, with the highest modal score (μ = 1.29) by five SOEs (24%) and the lowest modal score (μ = 1.86) by one SOE (5%). Cumulatively, the scores of more SOEs (13), representing 62%, tend toward the minimum than the maximum, pointing to significant room for improvement by SOEs, on how they report on their combined assurance practices.
Typically utilising public funds in the form of taxpayers' monies, elevates the need for SOEs to account to the public, resulting in the accountability expectations tending to be greater in the public sector than the private sector (Ackers and Adebayo, 2022; Bovens et al., 2014). SOEs should therefore timeously provide the public with complete and credible information about how efficiently, effectively and economically, they have deployed taxpayers' funds to deliver on their respective mandates. As argued by Abishek and Divyashree (2019), since annual reports represent a useful tool for tracking organisational activities and processes, organisations should present credible and comprehensive reports, enabling stakeholders to effectively assess how they have discharged their accountability obligations. Using the indicators in this study to assess SOE adherence to the combined assurance principles, will directly benefit those working in, or advising public sector organisations, such as SOEs. This will enhance their understanding of how SOEs, listed in Schedule 2 of the PFMA, have discharged their accountability obligations. Despite overall low levels of conformance with the CACRQ, a few SOEs had high conformance levels. The combined assurance practices of these high conforming SOEs, could be used to guide lesser conforming SOEs improve their combined assurance practices, improving the confidence of stakeholders about the veracity of their disclosures. The observations emerging from this study, have important implications for management in public sector organisations around the world, to consider where SOE reporting practices are not prescribed. It shows that the combined assurance model places a premium on innovation and creativity in organisational reporting. This paper also offers important insights into the intricate interrelationships required to create effective governance and accountability structures, by meaningfully integrating the knowledge and expertise of various internal and external assurance providers, to achieve organisational objectives. Despite this study focusing on SOEs, it is expected that the observations would be of value to those governing, working in, or engaging with public sector organisations and SOEs, as well as in other sectors and organisations around the world.
An annual report that simply states that a combined assurance approach has been adopted, does not in itself provide users of an organisation's reports with confidence that they have taken due care in their business operations, especially in relation to ensuring that all material risks are adequately mitigated, which ultimately, is the core tenet of combined assurance, while simultaneously improving the integrity of such reports. Hence, by fully disclosing in the annual report how the combined assurance model was applied, underpins the essence of a governance framework and demonstrates the board's commitment to ensuring good corporate governance (CGF Research Institute, 2019). Although demonstrating conformance with the governance principles implicit in the combined assurance model, provides stakeholders with a good understanding of how the principles of combined assurance have been applied, organisations should at a minimum, disclose the following information in the annual report:
● the process by which an organisation has managed risk (assurance strategy, mapping); and
● information about how the organisation has implemented its combined assurance model, including details about the overall assurance measures, providers and reports obtained to verify and substantiate the integrity of internal and external reports relied on by stakeholders for decision-making (diagrammatic modelling, combined assurance forum, assurance provided in the report, combined assurance report and audit committee review) (CGF Research Institute, 2019).
We found that the SOE disclosures of some SOEs, appear to conform to some combined assurance indicators, the extent of this conformance varies. We found that although the combined assurance related disclosures some SOEs appear to suggest high levels of adoption, the majority have not provided sufficient information to adequately explain how they have applied combined assurance, if at all. Despite acknowledging that combined assurance tends to be an internal management tool, we posit that to enhance the quality of the future-orientated organisational reporting, requires the development and promotion of a universal template for the reporting of combined assurance. This standardisation will provide organisations with an opportunity to explain how the principles of combined assurance have been applied, ultimately enhancing the completeness and credibility of externally oriented reports. Aside from enhancing the quality of organisational reports, the template will also have the advantage of improving the comparability of the combined assurance sections of different annual reports.
This study could be replicated using private sector enterprises in the country, but using a different sampling regimen to that used by Prinsloo and Maroun (2021). Additional studies could also be undertaken on SOEs in other countries, such as Namibia where the combined assurance model is incorporated in the NamCode. Taken together, these recommendations for further research promise useful insights.
Since the scope of the study was confined to assessing whether SOEs had adopted and disclosed their combined assurance practices, it is accordingly proposed that future research should be conducted to develop a mechanism to evaluate the quality, completeness and veracity of the combined assurance practices of SOEs. Such a study, which could adapt the conformance index to assess the quality of these disclosures using a Likert scale, would provide deeper insights into the extent to which SOEs complied with the requirement. Furthermore, experimental research could also be undertaken in the public and private sector to understand how investors/stakeholders perceive the usefulness of each of the seven indicators of combined assurance reporting quality proposed in this study.
All authors declare no conflicts of interest in this paper.
| [1] |
Abhishek N, Divyashree MS (2019) Integrated reporting practices in Indian companies. FOCUS: J Int Bus 6: 140–151. https://doi.org/10.17492/focus.v6i1.182825 doi: 10.17492/focus.v6i1.182825
|
| [2] |
Ackers B, Adebayo A (2022) The adoption of integrated reporting by state-owned enterprises (SOEs)—an international comparison. Soc Responsib J 18: 1687–1612. https://doi.org/10.1108/SRJ-05-2021-0194 doi: 10.1108/SRJ-05-2021-0194
|
| [3] |
Ackers B (2017) The evolution of corporate social responsibility assurance—A longitudinal study. Soc Environ Account J 37: 97–117. https://doi.org/10.1080/0969160X.2017.1294097 doi: 10.1080/0969160X.2017.1294097
|
| [4] |
Almquist R, Grossi G, van Helden J, et al. (2013) Public sector governance and accountability. Crit Perspect Account 24: 479–487. https://doi.org/10.1016/j.cpa.2012.11.005 doi: 10.1016/j.cpa.2012.11.005
|
| [5] |
Ampri ANI, Adhariani D (2019) Application of combined assurance as a new approach to integrate internal audit, governance, and risk management: A case study on Indonesia financial service authority. Advances in Economics, Business and Management Research 101: 29–33. https://doi.org/10.2991/iconies-18.2019.5 doi: 10.2991/iconies-18.2019.5
|
| [6] |
Atkins JF, Solomon A, Norton S, et al. (2015) The emergence of integrated private reporting. Meditari Account Res 23: 28–61. https://doi.org/10.1108/MEDAR-01-2014-0002 doi: 10.1108/MEDAR-01-2014-0002
|
| [7] | BDO (2017) Combined assurance in an uncertain world. Available from: https://www.bdo.co.za/en-za/insights/2017/audit/combined-assurance-in-an-uncertain-world. |
| [8] |
Botes V, Sharma U, Botes R, et al (2020) A structured approach to the governance of ethics using the five lines of assurance model. Int J Econ Account 9: 336–352. https://doi.org/10.1504/IJEA.2020.110166 doi: 10.1504/IJEA.2020.110166
|
| [9] |
Bovens M (2010) Two concepts of accountability: Accountability as a virtue and as a Mechanism. West Eur Polit 33: 946–967. https://doi.org/10.1080/01402382.2010.486119 doi: 10.1080/01402382.2010.486119
|
| [10] | Bovens M, Schillemans T, Goodin RE (2014) Public accountability, In: Bovens, M., Goodin, R.E., Schillemans, T. (Eds), The Oxford Handbook of Public Accountability, Oxford: Oxford University Press, 1–20. |
| [11] | CGF Research Institute (2019) Combined assurance: Is your organisation adequately assured? Available from: https://www.cgfresearch.co.za/News-Articles/Articles-Editorials/ArticleId/312/combined-assurance-is-your-organisation-adequately-assured-2019-10-01. |
| [12] |
Chariri A (2019) The patterns of integrated reporting: A comparative study of companies listed on the Johannesburg stock exchanges and Indonesia stock exchanges. Jurnal Reviu Akuntansi dan Keuangan 9: 1–12. https://doi.org/10.22219/jrak.v9i1.8248 doi: 10.22219/jrak.v9i1.8248
|
| [13] | Chikwiri TM, de la Rosa SP (2015) Internal audit's role in embedding governance, risk, and compliance in state-owned companies. So Afr J Account Aud Res 17: 25–39. |
| [14] | Coetzee P, Lubbe D (2011) Internal audit and risk management in South Africa: Adherence to guidance. Acta Acad 43: 29–60. |
| [15] | Daily Maverick (2019) SAA and SA Express fail to land 2018/19 annual report in Parliament. Available from: https://www.dailymaverick.co.za/article/2019-10-02-saa-and-sa-express-fail-to-land-2018-19-annual-report-in-parliament/. |
| [16] | Daly J, Kellehear A, Gliksman M (1997) The public health researcher: A Methodological approach, Oxford University Press, Melbourne. |
| [17] |
De Villiers C, Venter ER, Hsiao PCK (2017) Integrated reporting: background, measurement issues, approaches and an agenda for future research. Account Finance 57: 937–959. https://doi.org/10.1111/acfi.12246 doi: 10.1111/acfi.12246
|
| [18] |
Decaux L, Sarens G (2015) Implementing combined assurance: insights from multiple case studies. Manag Audit J 30: 56–79. https://doi.org/10.1108/MAJ-08-2014-1074 doi: 10.1108/MAJ-08-2014-1074
|
| [19] | Deloitte (2016) King Ⅳ bolder than ever. Available from: https://www2.deloitte.com/za/en/pages/africa-centre-for-corporate-governance/articles/kingiv-report-on-corporate-governance.html. |
| [20] | Devaney L (2016) Good governance? Perceptions of accountability, transparency and effectiveness in Irish food risk governance. Food Policy 62: 1–10. https://doi.org/1016/j.foodpol.2016.04.003. |
| [21] |
Donkor A, Djajadikerta HG, Roni SM (2021) Impacts of combined assurance on integrated, sustainability and financial reporting qualities: Evidence from listed companies in South Africa. Int J Audit 25: 475–507. https://doi.org/10.1111/ijau.12229 doi: 10.1111/ijau.12229
|
| [22] | Ebrahim A, Battilana J, Mair J (2014) The governance of social enterprises: Mission drift and accountability challenges in hybrid organizations. Res Organ Behav 34: 81–100. https://doi.org/1016/j.riob.2014.09.001. |
| [23] | Eccles RG, Krzus MP, Solano C (2019) A Comparative analysis of integrated reporting in ten countries. Available from: http://dx.doi.org/10.2139/ssrn.3345590. |
| [24] | Engelbrecht L, Deegan B (2010) King Ⅲ and "combined assurance", In: Accounting and Auditing. |
| [25] | Forte J, Barac K (2015) Combined assurance: A systematic process. So Afr J Account Aud Res 17: 71–83. |
| [26] |
Gerged AM, Cowton CJ, Beddewela ES (2018) Towards sustainable development in the Arab middle east and north Africa region: A longitudinal analysis of environmental disclosure in corporate annual reports. Bus Strategy Environ 27: 572–587. https://doi.org/10.1002/bse.2021 doi: 10.1002/bse.2021
|
| [27] |
Ghani EK, Jamal J, Puspitasari E, et al. (2018) Factors influencing integrated reporting practices among Malaysian public listed real property companies: A sustainable development effort. Int J Manag Financ Account 10: 144–162. https://doi.org/10.1504/IJMFA.2018.091662 doi: 10.1504/IJMFA.2018.091662
|
| [28] | Guest G, MacQueen K, Namey E (2012) Applied thematic analysis, Sage Publications Inc, Thousand Oaks, CA. |
| [29] |
Hoang H, Phang SY (2020) How does combined assurance affect the reliability of integrated reports and investors' judgments? Eur Account Rev 30: 175–195. https://doi.org/10.1080/09638180.2020.1745659 doi: 10.1080/09638180.2020.1745659
|
| [30] |
Hussain N, Rigoni U, Orij RP (2018) Corporate Governance and Sustainability Performance: Analysis of Triple Bottom Line Performance. J Bus Ethics 149: 411–432. https://doi.org/10.1007/s10551-016-3099-5 doi: 10.1007/s10551-016-3099-5
|
| [31] | Institute of Directors in Southern Africa (IoDSA) (2009) King Report on Governance for South Africa 2009 (King Ⅲ). Available from: https://cdn.ymaws.com/www.iodsa.co.za/resource/resmgr/king_iii/King_Report_on_Governance_fo.pdf. |
| [32] | Institute of Directors in Southern Africa (IoDSA) (2016) King Report on Corporate Governance for South Africa 2016 (King Ⅳ). Available from: https://cdn.ymaws.com/www.iodsa.co.za/resource/collection/684B68A7-B768-465C-8214-E3A007F15A5A/IoDSA_King_IV_Report_-_WebVersion.pdf. |
| [33] |
Keasey K, Wright M (1993) lssues in corporate accountability and governance: An editorial. Account Bus Res 23: 291–303. https://doi.org/10.1080/00014788.1993.9729897 doi: 10.1080/00014788.1993.9729897
|
| [34] | Kılıç M, Kuzey C (2018) Factors influencing sustainability reporting: Evidence from Turkey Available from: http://dx.doi.org/10.2139/ssrn.3098812. |
| [35] |
Klijn E (2008) Complexity Theory and Public Administration: What's New? Key concepts in complexity theory compared to their counterparts in public administration research. Public Manag Rev 10: 299–317. https://doi.org/10.1080/14719030802263954. doi: 10.1080/14719030802263954
|
| [36] | KPMG (2021) Integrated assurance. Available from: https://home.kpmg/za/en/home/services/advisory/risk-consulting/internal-audit-risk/internal-audit-strategic-sourcing/integrated-assurance.html. |
| [37] |
Liu Z, Jubb C, Abhayawansa S (2019) Analysing and evaluating integrated reporting: Insights from applying a normative benchmark. J Intellect Cap 20: 235–263. https://doi.org/10.1108/JIC-02-2018-0031 doi: 10.1108/JIC-02-2018-0031
|
| [38] |
Mackieson P, Shlonsky A, Conolly M (2018) Increasing rigor and reducing bias in qualitative research: A document analysis of parliamentary debates using applied thematic analysis. Qual Soc Work 18: 1–16. https://doi.org/10.1177/1473325018786996 doi: 10.1177/1473325018786996
|
| [39] |
Mansi M, Pandey R, Ghauri E (2017) CSR focus in the mission and vision statements of public sector enterprises: evidence from India. Manag Audit J 32: 356–377. https://doi.org/10.1108/MAJ-01-2016-1307 doi: 10.1108/MAJ-01-2016-1307
|
| [40] |
Maroun W (2019) Exploring the rationale for integrated report assurance. Account Audit Account J 32: 1826–1854. https://doi.org/10.1108/AAAJ-04-2018-3463 doi: 10.1108/AAAJ-04-2018-3463
|
| [41] |
Maroun W, Prinsloo A (2020) Drivers of combined assurance in a sustainable development context: Evidence from integrated reports. Bus Strategy Environ 29: 3702–3719. https://doi.org/10.1002/bse.2606 doi: 10.1002/bse.2606
|
| [42] | Miles M, Huberman A (1994) Qualitative data analysis, Sage Publications, London. |
| [43] | Millichamp A, Taylor J (2018) Auditing (11th ed.), Cengage Learning EMEA. |
| [44] |
Nakib M, Dey PK (2018) The journey towards integrated reporting in Bangladesh. Asian Econ Financ Rev 8: 894–913. https://doi.org/10.18488/journal.aefr.2018.87.894.913 doi: 10.18488/journal.aefr.2018.87.894.913
|
| [45] | Nkonki (2016) Integrated Reporting: A continued journey for public sector entities in South Africa. Available from: http://integratedreportingsa.org/ircsa/wp-content/uploads/2017/05/Nkonki-Public-Sector.pdf. |
| [46] |
Nzewi O, Musokeru P (2014) A Critical Review of the Oversight Role of the Office of the Auditor-General in Financial Accountability. Africa's Public Serv Deliv Perform Rev 2: 36–55. https://doi.org/10.4102/apsdpr.v2i1.42 doi: 10.4102/apsdpr.v2i1.42
|
| [47] | Okhmatovskiy I, Grosman A, Sun P (2021) Hybrid governance of state-owned enterprises, Oxford Handbook of State Capitalism and the Firm. |
| [48] |
Pirson M, Turnbull S (2011) Corporate governance, risk management, and the financial crisis: an information processing view. Corp Gov: An Int Rev 19: 459–470. https://doi.org/10.1111/j.1467-8683.2011.00860.x doi: 10.1111/j.1467-8683.2011.00860.x
|
| [49] |
Pistoni A, Songini L, Bavagnoli F (2018) Integrated reporting quality: An empirical analysis. Corp Soc Responsib Environ Manag 25: 489–507. https://doi.org/10.1002/csr.1474 doi: 10.1002/csr.1474
|
| [50] |
Prinsloo A, Maroun W (2020) An exploratory study on the components and quality of combined assurance in an integrated or a sustainability reporting setting. Sustain Account Manag Policy J 12: 1–29. https://doi.org/10.1108/SAMPJ-05-2019-0205. doi: 10.1108/SAMPJ-05-2019-0205
|
| [51] | PWC (2021) Annual global CEO survey. Available from: https://www.pwc.com/cl/es/publicaciones/pwc-24th-global-ceo-survey.pdf. |
| [52] | PWC (2019) Combined assurance (including governance). Available from: http://www.gardenroute.gov.za/wp-content/uploads/2019/06/PWC-Combined-Assurance.pdf. |
| [53] | PWC (2009) King's counsel: Understanding and unlocking the benefits of sound corporate governance. Available from: https://www.pwc.co.za/en/assets/pdf/executive-guide-to-kingiii.pdf. |
| [54] |
Rivera-Arrubla YA, Zorio-Grima A, García-Benau MA (2017) Integrated reports: Disclosure level and explanatory factors. Soc Responsib J 13: 155–176. https://doi.org/10.1108/SRJ-02-2016-0033 doi: 10.1108/SRJ-02-2016-0033
|
| [55] |
Ruiz-Lozano M, Tirado-Valencia P (2016) Do industrial companies respond to the guiding principles of the Integrated Reporting framework? A preliminary study on the first companies joined to the initiative. Revista de Contabilidad-Spanish Account Rev 19: 252–260. https://doi.org/10.1016/j.rcsar.2016.02.001 11. doi: 10.1016/j.rcsar.2016.02.00111
|
| [56] | Sarens G, Decaux L, Lenz R (2012) Combined assurance: Case studies on a holistic approach to organisational governance. Altamonte Springs, Florida, USA: The Institute of Internal Auditors Research Foundation. |
| [57] | Shortreed J, Fraser J, Purdy G, et al. (2012) The future role of internal audit in (enterprise) risk management, a white paper published on the website of the Manhattanville College. Available from: www.broadleaf.co.nz/pdfs/articles/Future_Role_of_IA_in_ERM.pdf. |
| [58] |
Sierra-García L, Zorio-Grima A, García-Benau MA (2015) Stakeholder engagement, corporate social responsibility and integrated reporting: An exploratory study. Corp Soc Responsib Environ Manag 22: 286–304. https://doi.org/10.1002/csr.1345. doi: 10.1002/csr.1345
|
| [59] | Simnett R, Zhou S, Hoang H (2016) Assurance and Other Credibility Enhancing Mechanisms for Integrated Reporting, In: Mio, C. (eds), Integrated Reporting, London: Palgrave Macmillan, 269–286. |
| [60] |
Smith J, Noble H (2014) Bias in research. Evid Based Nurs 17: 100–101. https://doi.org/10.1136/eb-2014-101946 doi: 10.1136/eb-2014-101946
|
| [61] | South Africa (1999) Public Finance Management Act, no. 1 of 1999. Available from: www.treasury.gov.za/legislation/pfma/act.pdf. |
| [62] | South Africa (2000) Guide for accounting officers. Public Finance Management Act. Available from: http://www.treasury.gov.za/legislation/pfma/guidelines/accounting%20officers%20guide%20to%20the%20pfma.pdf. |
| [63] | South Africa (2002) Protocol on corporate governance in the public sector. Available from: www.gov.za/sites/default/files/gcis_document/201409/corpgov0.pdf. |
| [64] | South Africa (2004) Public Audit Act, no. 25 of 2004. Available from: www.gov.za/sites/default/files/gcis_document/201409/a25-04.pdf. |
| [65] | South Africa (2005) Treasury regulations for departments, trading entities, constitutional institutions and public entities, issued in terms of the PFMA. Available from: www.treasury.gov.za/legislation/pfma/regulations/gazette_27388.pdf. |
| [66] | South Africa (2008) Companies Act, no. 71 of 2008. Available from: www.gov.za/sites/default/files/gcis_document/201409/321214210.pdf. |
| [67] |
Thomas A (2012) Governance at South African state‐owned enterprises: What do annual reports and the print media tell us? Soc Responsib J 8: 448–470. https://doi.org/10.1108/17471111211272057 doi: 10.1108/17471111211272057
|
| [68] | United States of America (USA) Department of State (2021) 2021 Investment Climate Statements. Available from: https://www.state.gov/reports/2021-investment-climate-statements/south-africa/. |
| [69] | Zhou S, Simnett R, Hoang H (2016) Combined assurance as a new assurance approach: is it beneficial to analysts? https://doi.org/10.2139/ssrn.2742010 |
| [70] |
Zhou S, Simnett R, Hoang H (2019) Evaluating combined assurance as a new credibility enhancement technique. Auditing-J Pract Th 38: 235–259. https://doi.org/10.2308/ajpt-52175. doi: 10.2308/ajpt-52175
|
 NAR-05-01-004-s001.pdf |
 |
| 1. | Saoussen Boujelben, Nermine Medhioub, Does the combined assurance model affect tax avoidance? The case of South African companies, 2024, 1472-0701, 10.1108/CG-08-2023-0346 | |
| 2. | Lorenzo Ligorio, Fabio Caputo, Andrea Venturelli, Sustainability reporting in public–private hybrid organisations: a structured literature review, 2024, 0967-5426, 10.1108/JAAR-06-2023-0178 | |
| 3. | Precious T. Ngobeni, Leon Barnard, Mosie C.C. Molate, Enhancing the criteria for financial assistance to state-owned companies, 2023, 16, 2312-2803, 10.4102/jef.v16i1.881 | |
| 4. | Jamie-Leigh Bruce, AC Neethling, J. Dubihlela, Adoption of Combined Assurance Within Supply Chain Management in the Cape Winelands District of South Africa, 2024, 5, 2700-8983, 288, 10.51137/ijarbm.2024.5.1.14 | |
| 5. | Adeyemi Adebayo, Barry Ackers, Olayinka Erin, Examining the Extent of Compliance on Combined Assurance Reporting Quality: Evidence from Namibian State-owned Enterprises, 2024, 28, 1982-7849, 10.1590/1982-7849rac2024240173.en |
Adeyemi Adebayo, Barry Ackers. Adoption of the combined assurance model by South African state-owned enterprises (SOEs)[J]. National Accounting Review, 2023, 5(1): 41-66. doi: 10.3934/NAR.2023004
| SN | Rating categories |
| 1 | Assurance strategy |
| 2 | Assurance mapping |
| 3 | Diagrammatic modelling |
| 4 | Combined assurance forum |
| 5 | Assurance provided in the report |
| 6 | Combined assurance report |
| 7 | Audit committee reviews the effectiveness of combined assurance |
DownLoad:
CSV
| Assurance Strategy | Assurance Mapping | Diagrammatic Modelling | Combined Assurance Forum | Assurance Provided in the Report | Combined Assurance Report | Audit Committee review | ||
| N | Valid | 19 | 19 | 19 | 19 | 19 | 19 | 19 |
| Missing | 2 | 2 | 2 | 2 | 2 | 2 | 2 | |
| Mean | 2.0 | 1.42 | 1.26 | 1.37 | 1.89 | 1.42 | 1.47 | |
| Minimum | 2 | 1 | 1 | 1 | 1 | 1 | 1 | |
| Maximum | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
DownLoad:
CSV
| Assurance Strategy | Assurance Mapping | Diagrammatic Modelling | Combined Assurance Forum | Assurance Provided in the Report | Combined Assurance Report | Audit Committee review | |
| Relevant disclosure by SOEs | 19 | 8 | 5 | 7 | 17 | 8 | 9 |
| % of Relevant disclosures | 100% | 42% | 26% | 37% | 89% | 42% | 47% |
DownLoad:
CSV
| Cumulative mean | 2.00 | 1.86 | 1.71 | 1.43 | 1.29 | 1.14 |
| Sampled SOEs | Broadband Infrastructure Company | ESKOM | DENEL | Alexkor | Air Traffic and Navigation Services | Independent Development Trust |
| Industrial Development Corporation | Development Bank | Armaments Corporation | Airports Company | Transnet | ||
| Land and Agricultural Bank | Trans-Caledon Tunnel Authority | Central Energy Fund | South African Broadcasting Corporation | |||
| Telkom | South African Forestry Company | South African Nuclear Energy Corporation | ||||
| South African Post Office |
DownLoad:
CSV
| SN | Rating categories |
| 1 | Assurance strategy |
| 2 | Assurance mapping |
| 3 | Diagrammatic modelling |
| 4 | Combined assurance forum |
| 5 | Assurance provided in the report |
| 6 | Combined assurance report |
| 7 | Audit committee reviews the effectiveness of combined assurance |
| Assurance Strategy | Assurance Mapping | Diagrammatic Modelling | Combined Assurance Forum | Assurance Provided in the Report | Combined Assurance Report | Audit Committee review | ||
| N | Valid | 19 | 19 | 19 | 19 | 19 | 19 | 19 |
| Missing | 2 | 2 | 2 | 2 | 2 | 2 | 2 | |
| Mean | 2.0 | 1.42 | 1.26 | 1.37 | 1.89 | 1.42 | 1.47 | |
| Minimum | 2 | 1 | 1 | 1 | 1 | 1 | 1 | |
| Maximum | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| Assurance Strategy | Assurance Mapping | Diagrammatic Modelling | Combined Assurance Forum | Assurance Provided in the Report | Combined Assurance Report | Audit Committee review | |
| Relevant disclosure by SOEs | 19 | 8 | 5 | 7 | 17 | 8 | 9 |
| % of Relevant disclosures | 100% | 42% | 26% | 37% | 89% | 42% | 47% |
| Cumulative mean | 2.00 | 1.86 | 1.71 | 1.43 | 1.29 | 1.14 |
| Sampled SOEs | Broadband Infrastructure Company | ESKOM | DENEL | Alexkor | Air Traffic and Navigation Services | Independent Development Trust |
| Industrial Development Corporation | Development Bank | Armaments Corporation | Airports Company | Transnet | ||
| Land and Agricultural Bank | Trans-Caledon Tunnel Authority | Central Energy Fund | South African Broadcasting Corporation | |||
| Telkom | South African Forestry Company | South African Nuclear Energy Corporation | ||||
| South African Post Office |
