Combined assurance model

Combined assurance receives deliberate and focused attention at Bidvest. The audit committee ensures that our combined assurance model adequately addresses Bidvest's risks and material matters through the aggregated efforts of assurance providers.

Continually optimising our combined assurance model avoids duplication, rationalises collaboration efforts upstream amongst assurance providers and effectively manages assurance costs.

The activities are coordinated to maximise the depth and reach of assurance achieved by each of the assurance providers. This enables an effective control environment and ensures the integrity of information used for reporting and decision making.

Internal audit

The Internal audit (IA) function is an independent, value-adding, progressive and responsive service to Bidvest shareholders. It fulfils a role of objectively evaluating the business processes and controls so as to appropriately manage the risk and support management's commitment to a strong control environment and operational excellence.

The agility and responsiveness of the IA function were demonstrated during COVID-19, where the scope, approach and timing of audit efforts were recalibrated to align to the emerging risks of the businesses coupled with requests prioritised by management and the external auditors. Optimal use of technology has played, and will continue to play, a pivotal role in IA enablement going forward.

A risk-based IA plan is approved by the divisional and group audit committees on an annual basis and is recalibrated quarterly in order for the IA function to provide assurance services against the relevant and elevated risks of the business. The IA function is well-constituted with a professional audit staff (in excess of 25 Chartered Accountants in managerial positions) with sufficient knowledge, skill set and experience to execute on the board-approved IA Charter that is consistent with the Institute of International Auditors' definition of IA as well as the principles of King IV.

Given the ever-increasing dependencies of the business on IT, specialised IT audit and consulting skills have become a necessity in the function. Analytics and automation are well-entrenched into the mechanisms of the IA functions with further disruptive robotic initiatives being the focus for the future of IA.

An example of such initiatives is ALICE, Bidvest's digital auditor. She combines robotics and cognitive intelligence to provide audit-as-a-service to the Group companies. Much effort has been afforded to the digital assurance roadmap for Bidvest using the ALICE platform and this paid off during lockdown. The appetite for ALICE to connect remotely into data sources across the Group coupled with the uptake to build remote monitoring and continuous testing capabilities on ALICE increased significantly because of COVID-19.

In response to COVID-19, the ALICE team developed a Remote Workforce Self-Assessment to assist IT management in understanding their cyber risk exposures associated with managing a work-from-home workforce. Based on their responses, ALICE provided a customised report for each IT environment to assist management in their understanding of cyber risks posed by a remote workforce. Best practice recommendations helped them mitigate these risks.

IT Governance - The board acknowledges technology as a mechanism to access, protect and manage information. In relation to the Group's IT Governance Framework adjacent, the board governs both technology and information so that these support the organisation in achieving its strategic objectives. The IT Forum is represented by CIOs from each division and is a platform within which to:

  • Share knowledge, research and experience
  • Leverage digitalisation strategies and technology trends
  • Harness the economies of scale and Group purchasing power
  • Establish subject matter experts and centres of excellence surrounding topical technology issues
  • Benchmark vendor services delivery and price


Each IT environment across Bidvest is subjected to an IT audit as part of the IA Plan. The IT audit assesses the design and effectiveness of the IT environments from a control perspective coupled with providing a view on the strategic enablement of the businesses by technology.

IT resources
  Fit-for-purpose in-house operational IT skills, with the necessary strategic IT oversight, are in place. These are complemented by outsourced vendors with specialist networking, telecommunications, and cyber security skillsets.
 
Business resilience
  Business resilience controls (including technical controls) are appropriately implemented by the individual companies, based on the needs of the company.
 
Technology investment
  The IT functions generally run lean with a common philosophy to sweat IT-related assets. However, significant investment continues to be made in the IT modernisation and innovation spaces across Bidvest.
 
Project assurance
  Major IT projects are well-governed, with input from the necessary stakeholders. Major projects are timeously implemented.
 
IT dependency
  Business and IT are continuously enhancing alignment, through IT representation on the various board and executive committees, and in recognition of the key role IT plays in the various businesses.
 
Management of IT risk exposure
  Significant attention is given to this across the IT environments, with an increasing focus on the management of IT risk exposure related to any new acquisitions.
 
Cyber security
  Significant attention has been given to the identification and management of cyber security risks across Bidvest. Implementation and enhancement of the necessary controls are being performed on a case-by-case basis, dependent on the risks identified.
 
Vendor management
  Vendor relationships are effectively managed by the company IT departments. Economies of scale are leveraged where appropriate.
 
Data governance
  Data governance, including the necessary supporting IT architecture, is receiving attention by the various companies, especially those with the greatest exposure to data risks.

Companies have identified the need for leveraging existing data assets to enable business intelligence insights. Understanding the impact of POPI and GDPR on the relevant businesses is a work in progress.