Technology and information
The Board is responsible for IT governance in the Group. The Executive Committee, supported by the IT steering management committee, implements the technology strategy.
The audit committee’s legislated duties, which are set out in Section 94(7) of the Companies Act and the relevant best practice recommendations which are set out in Principle 8 of the King IV Report, outline in detail the oversight responsibilities that the audit committee must carry out to ensure adequate and effective governance is realised within the Group.
In addition, Regulation 27.2.5 of the Treasury Regulations, which states that “Internal audit must be conducted in accordance with the standards set by the Institute of Internal Auditors”, gives legislative authority to the IPPF of the Institute of Internal Auditors (IIA), and as such makes compliance with the IPPF a legislative requirement for all organisations required to comply with the PFMA and the Treasury Regulations.
The Group Internal Audit Services (GIAS), which carries out its work in line with the mandatory requirements of the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA), exists primarily to enhance and protect Group value through the provision of reliable objective internal audit assurance and trusted advisory services. It achieves this by assessing and evaluating the adequacy and effectiveness of the processes of governance, risk management and internal controls. Through performance of its objective assurance and advisory services, the GIAS serves as an enabler both to the audit committee and, ultimately, to the Board of directors, for achievement of adequate and effective corporate governance within the Group.
Combined Assurance refers to the integration, coordination and alignment of risk management and assurance processes to optimise and maximise the level of governance, control and oversight over the risk landscape. The combined assurance model aims to optimise the assurance coverage obtained from management, internal assurance providers and external assurance providers on the risks facing the Group. Our combined assurance model remains unchanged and supports this centralised approach.
King IV recommends that the audit committee should provide direction for the use of a combined assurance model and should be responsible for establishing and overseeing the combined assurance model that results in combining, co-ordinating and aligning assurance activities across the various lines of assurance, so that assurance has the appropriate depth and reach.
Standard 2050 of the IIA requires that “the chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts”. Thus, according to this standard, the CAE is best placed to be the custodian of effective combined assurance processes within an organisation.
When considering the statutory requirements outlined in paragraph 27.2.5 of the Treasury Regulations, which states that “Internal Audit must be conducted in accordance with the standards set by the Institute of Internal Auditors”, it is a legislative requirement that the GIAS becomes the custodian and coordinator of all combined assurance processes.
The GIAS’s combined assurance processes are aimed at:
- Fostering a shared view and understanding of the Group’s key risks and opportunities;
- Understanding all the assurance providers, their roles and level of assurance they can provide;
- Aligning assurance to the critical risk exposures;
- Maximising risk and governance oversight;
- Maximising control efficiencies;
- Optimising overall assurance to the Audit and Risk Committee and to the Board of directors;
- Reducing assurance costs through elimination of possible duplication of audit effort;
- Promoting collaboration between internal audit and other assurance providers;
- Ensuring that the Group is in line with best practice with regard to improved governance and accountability;
- Enhancing the integrity of internal information and external reports; and
- Provide a basis for identifying, and appropriately responding to, any potential assurance gaps.
In executing its Board-assigned mandate, Internal Audit follows a risk-based audit methodology in compliance with the Institute of Internal Auditors (IIA) and the International Standards for the Professional Practice of Internal Auditing. The main objective of GIAS is to assist the Board and Executive Committee with the effective discharge of their responsibilities by evaluating the adequacy and effectiveness of risk management, the control environment and governance processes. The GIAS maintains its organisational independence by reporting functionally to the Audit and Risk Committee and administratively to the Group CEO.
The Internal Audit function is based at the Corporate Office and provides its services and support to all our airports. This includes services provided to our subsidiaries. Our internal auditors are members of the IIA and in conducting their work, comply with the IIA’s Code of Ethics and International Standards for the Professional Practice of Internal Auditing.
The detailed scope of work of the GIAS is outlined in the three-year strategic and annual internal audit plans, both of which are subject to the Audit and Risk Committee’s review and approval on an annual basis. The GIAS’s scope of work encompasses assessment and evaluation of the adequacy and effectiveness of the governance, risk management and internal control processes. Quarterly feedback on the progress of the annual plan is provided to the Audit and Risk Committee.
The nature of work performed by the GIAS, as is required by the IPPF, includes internal audit assurance and consulting services:
a) Internal audit assurance services involve the GIAS’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the GIAS. Generally, three parties are participants in assurance services: (1) The Group’s executive and operational management — the process owner, (2) GIAS, and (3) the Board and its audit committee — the user.
b) Internal audit consulting services are advisory in nature and are generally performed to the specific request of management. The nature and scope of the consulting engagement are subject to agreement with management, but must be approved or ratified by the Audit and Risk Committee, as circumstances may require.
Consulting services generally involve two parties: (1) the GIAS, and (2) Management. When performing consulting services, the GIAS should maintain objectivity and not assume management responsibility.
Results of internal audit findings
It is the opinion of Internal Audit that processes during the year under review were generally adequate and provide reasonable assurance that the environment shows the implementation of effective controls and requires limited improvement.
The internal audit function hereby declares that there were no instances noted during the 2019 financial year which would have compromised its independence and objectivity in the execution of its charter mandate.
Adherence and compliance to applicable laws and regulations remains a Board responsibility. This includes non-binding rules, codes and standards. Our compliance framework is aligned with ISO 19600, a standard for compliance and best practice. Our alignment and development of the framework yielded the notable developments below.
In effectively providing oversight and guidance to the Group, the Board remains acutely aware of various legislations and relevant codes of best practice, including, but not limited to:
- Airports Company Act, No. 44 of 1993
- Civil Aviation Act, No. 13 of 2009
- King IV
- Protocol on Corporate Governance for the Public Sector 2002
- Treasury Regulations
- Companies Act
- Income Tax Act, No. 58 of 1962
- Value Added Tax Act, No. 89 of 1991
Continuous reporting on non-compliance to the Executive Committee and the Audit and Risk Committee through a quarterly compliance status report escalates issues of non-compliance to the correct level within the Group. Processes exist to report and deal with new instances of non-compliance and to monitor and track completion of previous cases. Compliance processes are subject to internal audit, and the results are reported to the Board through the Audit and Risk and Board Economic Regulatory committees, which oversee the Board’s discharge of its legal and regulatory responsibilities.
We have developed a compliance framework and strategy to strengthen governance over compliance, and monthly legislation updates are provided to affected departments. There were no changes in legislation that substantively affected the achievement of the Group’s objectives in FY2018/19.
Various training programmes on the PFMA, Preferential Procurement Policy Framework Act, No. 5 of 2000, Treasury Regulations, Treasury Practice Notes, supply chain management policies and procedures and competition help to embed a culture of compliance at Airports Company South Africa.
Effectiveness of compliance is monitored through internal audit findings and recommendations made to the Audit and Risk Committee and the Board. No catastrophic audit findings were reported during the year. The Audit and Risk Committee reviewed and recommended for Board approval the implementation of a compliance policy as a mechanism to ensure effective compliance measures.
Strategic initiatives and key activities
During the year under review, we carried out a number of strategic initiatives and activities aimed at helping us to implement our strategy and fulfil our commitment to creating sustainable value for stakeholders:
One of the Group’s KPIs is increasing our reputation through demonstrated business excellence. It is against this backdrop that all the activities and initiatives undertaken by the Group are aimed at improving our reputation index.
The Reputation Index measure consists of the perceptions and the degree to which stakeholders admire, trust, respect and have an overall good feeling towards the Group. Airports Company South Africa uses an international corporate reputation measurement tool called RepTrak® to measure our reputation. The RepTrak® model was created by the Reputation Institute®, a global reputation-based research and advisory firm headquartered in the United States, to provide companies with a standardised framework for benchmarking corporate reputation and to enable the identification of the factors that drive reputation. The reputation survey data is captured in the RepTrak® Pulse, and an outcome score from 0-100, with 100 being the best, is computed. Airports Company South Africa has used RepTrak® Survey in three different cycles of surveys (2013, 2017 and 2019).
The results in the past surveys have been the following:
- 2013 – 57.6 (Vulnerable Score)
- 2017 – 63.1 (Moderate Score)
- 2019 – 67.2 (Moderate Score, but closer to Strong Score)
The improvement in our reputation index of around 10 points since 2013, is a strong signal that stakeholder relations interventions in the business are producing good results.
Some of the initiatives and interventions we have introduced have resulted in positive outcomes and are outlined below. We introduced a five-pillar strategic focus that anchors all activities in stakeholder relations.
The five strategic pillars are:
- Strategic stakeholder engagement plans
- Stakeholder partnerships and events
- Stakeholder communications
- Stakeholder risk intervention portfolio
- Government relations
One of the stakeholder relations projects that is being spearheaded at the Group is a Customer Relations Management tool, an IT-based platform that we will use to manage our relations with stakeholders. This will assist in managing and tracking the implementation of engagement plans by stakeholder owners. The project has passed design and scoping stages and is currently with supply chain management for the procurement of service providers.
There are a number of activities that were carried out under each strategic pillar:
1. Strategic stakeholder engagement plans
The stakeholder engagement plan is a strategic focus aimed at creating a culture of stakeholder engagement in the Group. It is through this pillar that the Group leaders are encouraged to become stakeholder owners and develop a deliberate and systematic mechanism and framework to engage those stakeholders. The engagement plans assist stakeholder owners/Group leaders to prioritise engagements with key stakeholders as well as evaluate the impact of their engagements.
Some of the key strategic engagements that happened in the year under review are as follows:
- Engagement with Department of International Relations and Cooperation (DIRCO).
- This engagement led to the SA ambassador to Ghana facilitating a meeting between the Group and government ministers from Sierra Leone with the aim of exploring business opportunities for us to provide airport management services to the airport in Sierra Leone.
- Organising and managing the 2019 Investor Roadshows and Banks meetings.
- The CEO had engagements with key stakeholders including COMAIR, the Department of Education and Air Traffic Navigation Services (ATNS) with the purpose of establishing an Aviation Academy.
- A number of our Executives had an engagement with IATA’s Africa and Middle East Regional team on strategic collaborations and partnership.
- Engaged with senior government officials from National Treasury on a number of issues such as procurement policies and audit.
- We had engagement with the Black Management Forum (BMF) to discuss partnership on transformation imperatives.
- A strategic planning meeting was held with the CEO of South African Tourism in preparation for the signing of the sister agreement between the Group and the Thailand Airport Authority.
- We had an engagement with Home Affairs to discuss the E-gates initiative for Cape Town International Airport.
- We also had an engagement with minority shareholders. The impact of this initiative was that communication with minority shareholders has improved as issues are being resolved.
2. Stakeholder partnerships and events
The following stakeholder partnerships and events are aimed at creating closer working relationships with external stakeholders. Some of the partnerships and events in the financial year under review are as follows:
- Maiden arrival of Alitalia airline
Coordination of a multi-stakeholder partnership that involved Alitalia, the Embassy of Italy, the Group, Gauteng Tourism, Ekurhuleni Metropolitan Municipality and South African Tourism to celebrate the return of Alitalia after 16 years of absence in South Africa.
- Partnership with BARSA and AASA
The Group continues to play a prominent role in partnerships with airline industry associations such as BARSA and AASA in their various con-ferences and summits.
- ACSA CEO golf day
The Group CEO’s golf day has become a flagship stakeholder event where engagements and interactions happen in a relaxed environ-ment. The golf day has been expanded to accommodate stakeholders from all the nine airports within our network.
- 25th anniversary stakeholder gala dinner
In the year when Airports Company South Africa turned 25, we recognised the stakeholders who contributed to making the business the success it has become. We hosted a gala dinner that was aimed at recognising and appreciating the role played by stakeholders in the 25-year-journey of the Group.
3. Stakeholder communication
One of the key reputation drivers for Airports Company South Africa is communication.
It is against this backdrop that we introduced communication platforms in order to reach stakeholders with news and developments within the Group.
News Flash portal
Currently, we use the News Flash portal, a real-time communication platform that sends stakeholders Group news as it breaks, ensuring that stakeholders receive news ahead of other audiences such as media and the general public.
Ground-Up quarterly external newsletter:
The Group also publishes a quarterly stakeholder newsletter called Ground-Up, which captures all major developments and activities in the business. This digital newsletter has become one of the interesting reads for stakeholders as they anticipate its circulation to keep themselves abreast of the latest news from the Group.
4. Stakeholder risk intervention portfolio
The fourth strategic initiative is the stakeholder risk intervention portfolio. This is a new initiative aimed at addressing high-risk matters affecting the business by employing strategic stakeholder relations and engagements. Through this portfolio we identify matters which require urgent stakeholder intervention to be resolved. This portfolio guards against litigations, negative media publicity and potential reputational damage to the Airports Company South Africa brand. During the year in review, some of the advisory services provided through this portfolio included:
- Top 20 retailers round table breakfast
We met the top 20 retailers across our airports to manage reputational risk following the cancellation of the retail tenders. The engagement was aimed at alleviating uncertainty amongst the current retailers and assuring them of our plans. After the engagement, the retailers were aligned with our approach and were satisfied.
- Airports Company South Africa and IT ESD panel
The Group engaged 23 IT Enterprise and Supplier Development (ESD) appointees who had complained about the lack of “promised” business from the Group. The ESD companies posed a reputational risk to the business as they raised complaints about our apparent failure to provide them with business, which could have led to litigation or negative media publicity. The engagement brought about positive outcomes and assurances from the Group concerning a commitment to work with the service providers.
- Cape Town International Airport and Department of Home Affairs
We are working with the Department of Home Affairs to agree on a plan to increase their staff complement to meet Cape Town International Airport’s operational requirements. The department was required to increase the number of their personnel at the airport through a partnership with the Group and the Western Cape government wherein the costs of the staff would be shared.
5. Government relations
TWe facilitated the following activities:
- Interactions with government on the renaming of airports project.
- Presentation to the Parliamentary Portfolio Committee on Transport (PCOT) on our FY2018/19 strategic direction at the Annual Performance Plans (APP).
- Participated in the budget vote by the Minister of Transport in May 2018. As part of the budget vote, we exhibited and invited five SED beneficiaries to attend the vote. The Minister acknowledged them in his speech.
- We facilitated an airports operations oversight visit by the Joint Standing Committee on Intelligence to O.R. Tambo International Airport. Members of the committee were well received by the Airports Company South Africa team and government agencies based at the airport. This was a follow-up assessment on the Integrated Multi-Disciplinary Tactical Security Plan formalised by the Minister of Police.
- Participated at government/cabinet lekgotla to advance the agenda of aviation within government.
- Presented at the parliament inquiry led by the Portfolio Committee on Home Affairs regarding fixed-base operations at airports.
We monitor sentiments expressed in public or in the media about our areas of business, including employee relations, financial administration, innovation, products and services, corporate social responsibility, trust and corporate governance.
Most sentiment was related to ongoing critical litigation predominantly affecting ground handling services, and information regarding contracting issues divulged at commissions of enquiry during the year. We are satisfied that the Group has taken all necessary action to deal with these issues during the year under review.