Governance –
combined assurance model

 

Combined assurance receives deliberate and focused attention at Bidvest.
The audit committee ensures that our combined assurance model adequately addresses Bidvest's risks and material matters through the aggregated efforts of assurance providers.

Each IT environment across Bidvest is subjected to an IT audit as part of the IA Plan.
The IT audit assesses the design and effectiveness of the IT environments from a control perspective coupled with providing a view on the strategic enablement of IT by the businesses.

 

Continually optimising our combined assurance model avoids duplication, rationalises collaboration efforts upstream amongst assurance providers, coupled with effectively managing assurance costs. The activities are coordinated to maximise the depth and reach of assurance achieved by each of the assurance providers. This enables an effective control environment and ensures the integrity of information used for reporting and decision making.

Internal audit

The Internal audit (IA) function is an independent, value-adding, progressive and responsive service to Bidvest shareholders. It fulfils a role of objectively evaluating the business processes and controls so as to appropriately manage the risk and support management's commitment to a strong control environment and operational excellence.

A risk-based IA plan is approved by the divisional and group audit committees on an annual basis and is re-calibrated quarterly in order for the IA function to provide assurance services against the relevant and elevated risks of the business.

The IA function is well-constituted with a professional audit staff (in excess of 25 Chartered Accountants in managerial positions) with sufficient knowledge, skill-set and experience to execute on the board approved IA Charter that is consistent with the Institute of International Auditors' definition of IA as well as the principles of King IV. Given the ever-increasing dependencies of the business on IT, specialised IT audit and consulting skills have become a necessity in the function. Analytics and automation are well-entrenched into the mechanisms of the IA functions with further disruptive robotic initiatives being the focus for the future of IA.

IT Governance – The board acknowledges technology as a mechanism to access, protect and manage information. In relation to the IT Framework adjacent, the board governs both technology and information so that these support the organisation in achieving its strategic objectives. The IT Forum is represented by CIOs from each division and is a platform within which to:

• Share knowledge, research and experience
• Leverage digitalisation and technology trends
• Harness the economies of scale and Group purchasing power
• Establish subject matter expert and centers of excellence surrounding topical technology issues
• Benchmark vendor services delivery and price

IT resources			Fit-for-purpose in-house operational IT skills, with the necessary strategic IT oversight, are in place. These are complemented by outsourced vendors with specialist networking, telecommunications, and cyber security skillsets.
Business resilience			Business resilience controls (including technical controls) are appropriately implemented by the individual companies, based on the needs of the company.
Technology investment			The IT functions generally run lean with a common philosophy to sweat IT-related assets. However, significant investment continues to be made in the IT innovation and digitisation space across Bidvest.
Project assurance			Major IT projects are well-governed, with input from the necessary stakeholders. Major projects are timeously implemented.
IT dependency			Business and IT are continuously enhancing alignment, through IT representation on the various board and executive committees, and in recognition of the key role IT plays in the various businesses.
Management of IT risk exposure			Significant attention is given to this across the IT environments, with an increasing focus on the management of IT risk exposure related to any new acquisitions.
Cyber security			Significant attention has been given to the identification and management of cyber security risks across Bidvest. Implementation and enhancement of the necessary controls are being performed on a case-by-case basis, dependent on the risks identified.
Vendor management			Vendor relationships are effectively managed by the company IT departments. Economies of scale are leveraged where appropriate.
Data governance			Data governance, including the necessary supporting IT architecture, is receiving attention by the various companies, especially those with the greatest exposure to data risks. Companies have identified the need for leveraging existing data assets to enable business intelligence insights. Understanding the impact of POPI and GDPR on the relevant businesses is work in progress.

Innovation to improve governance and manage risks

At future Bidvest board meetings there may be an extra presence at the boardroom table, in the form of ALICE, who'll be there to answer questions about the Group's IT risk. But ALICE isn't Bidvest's latest executive hire; rather, she's a bot who has been created by Bidvest's internal audit team to carry out IT audits across the Group's IT environments.

There is no shared infrastructure or common domains across Bidvest. Every environment differs in size, in security posture, in complexity and in maturity. What this meant for the small IT audit team was multiple "clients" operating across 29 sub-industries in over 900 sites, with more than 250 key financial systems and a multitude of other systems. IT is also outsourced, co-sourced or part of strategic partnerships, in spaces that range from a fully regulated banking environment to the relatively simplistic systems supporting a toothpick manufacturer.

"As a result, there are complex aggregation and consolidation structures, and with everything being so different, it was difficult to get a Group view. We also had multiple audiences, so we had to rehash the same information to accommodate the different views required for the audit committee, for the board, for IT operations management, for external auditors and for ourselves. We were able to provide the various stakeholders with a robust view of IT environments across the Group at the end of two and a half years, but the problem was that this view was two and a half years old in very evolving and dynamic IT environments." says Lauren Berrington, Bidvest chief audit executive.

In 2016, the go ahead was given to build a bot

ALICE was built to de-risk Bidvest with the intent of commercialising her in the long run. Her IP is held in Bidvest Advisory Services. She was launched internally in beta phase in 2017. ALICE's job description is to facilitate the collection, storage, orchestration, analysis and reporting of IT environmental data against best practice standards.

Essentially, ALICE is an IT governance tool, and her purpose is to equip those charged with governance with visibility into the risks in the IT environment. She has unintended benefits in that she also serves as a management monitoring tool, but that's not the purpose she was designed for.

It is taking petabytes of training data to make ALICE intelligent, and that's the journey that the team are currently on. ALICE has an interactive, intuitive dashboard that allows management to interrogate their results in real time, allowing them to mitigate and manage IT risks better. ALICE is based in the cloud, which makes her scalable and gives her global reach. Her current skills set includes technical security, business resilience, user administration, cloud security and SQL hardening. There is a roadmap to increase her current capabilities.

ALICE currently audits 159 IT environments across the Group on a daily basis. She has digitised an IT audit workforce. ALICE has been recognised for what she has achieved and for the massive potential she holds. Once beta testing has been completed, she will be commercialised. This is envisaged for early 2019.