Report of the Audit, Risk and Compliance Committee

for the year ended 31 March

Mandate and terms of reference

The Group’s Audit, Risk and Compliance Committee (ARC Committee) operates within a Board-approved mandate and terms of reference. In line with the Companies Act of 2008, as amended (the Companies Act), the members of the ARC Committee were appointed at the annual general meeting held on Tuesday 18 July 2017.

The ARC Committee’s responsibilities include the following:

  • Reviewing the Group’s consolidated interim results, consolidated preliminary results, integrated report and consolidated annual financial statements;
  • Monitoring compliance with statutory requirements and the JSE Listings Requirements;
  • Reporting to the Board on the quality and acceptability of the Group’s accounting policies and practices, including, without limitation, critical accounting policies and practices;
  • Providing oversight of the integrated reporting process;
  • Considering the appointment and/or termination of the external auditors, including their audit fee, independence and objectivity and determining the nature and extent of any non-audit services;
  • Approving the internal audit plan for the year;
  • Receiving and dealing appropriately with any complaints, internally and externally, relating either to the accounting practices and internal audit or to the content or auditing of all entities within the Group’s annual financial statements or related matters;
  • Reviewing and monitoring the management and reporting of tax-related matters;
  • Monitoring the risk management function and processes and assessing the Group’s most significant risks;
  • Monitoring the effectiveness of internal financial control, compliance, combined assurance and enterprise risk management;
  • Monitoring the technology governance framework and associated risks; and
  • Monitoring the effectiveness of the processes to create awareness and develop an understanding of relevant legislation and regulation to ensure compliance by management.

Membership

Members: DH Brown (Chairman), BP Mabelane, SJ Macozoma

The Chief Executive Officer and Chief Financial Officer, the head of internal audit, the Chief Risk Officer and the external auditors attend ARC Committee meetings by invitation. The primary role of the ARC Committee is to ensure the integrity of the financial reporting and the audit processes and that a sound risk management and internal control system is maintained. In pursuing these objectives the ARC Committee oversees relations with the external auditors and reviews the effectiveness of the internal audit function.

The internal and external auditors have unlimited access to the Chairman of the ARC Committee. The internal audit department reports directly to the ARC Committee and is also responsible to the Chief Financial Officer on day-to-day administrative matters.

Four ARC Committee meetings and one teleconference meeting are scheduled per financial year. Additional ARC Committee meetings may be convened when necessary.

Attendance for the year ended March 2018 was as follows:

Meetings held: 8 May 2017; Telecon 2 June 2017; 1 Sep 2017; 8 Nov 2017; 26 March 2018.
Directors listed: DH Brown; BP Mabelane; PJ Moleketi¹; SJ Macozoma².
[Attendance table: per-meeting attendance marks not recoverable.]

1. PJ Moleketi stepped down on 19 July 2017.
2. SJ Macozoma appointed on 19 July 2017.

Statutory duties

In terms of Section 94(7) of the Companies Act, the ARC Committee discharged all of those functions delegated to it in terms of the ARC Committee mandate, the Companies Act and the JSE Listings Requirements. In the year the ARC Committee:

  • Considered and satisfied itself that the external auditors are independent;
  • Nominated the external auditors for appointment for the 2018 financial year;
  • Reviewed the nature of non-audit services that were provided by the external auditors during the year; 
  • Determined the fees paid to the external auditors for the 2018 financial year;
  • Confirmed the payment of non-audit services which the external auditors performed during the year under review; 
  • Approved the internal audit plan for the year;
  • Monitored and provided oversight of the internal audit function;
  • Held separate meetings with management and the external auditors to discuss any reserved matters;
  • Ensured the ARC Committee complied with the membership criteria as set out in the Companies Act;
  • Considered the appropriateness and experience of the Chief Financial Officer as required by the JSE Listings Requirements; 
  • Reviewed the consolidated and Company annual financial statements of Vodacom Group Limited;
  • Reviewed the appropriateness of any amendments to accounting policies and internal financial controls;
  • Monitored Vodacom’s technology governance framework and processes including that of information security. Further details of this may be found in the corporate governance statement included in the Integrated report;
  • Considered the appropriateness of the firm and partner in respect of the external auditor as required by JSE Listings Requirements; 
  • Updated the Committee charter to accommodate King IV; and
  • Reviewed the integrated reporting process.

The King IV report on Corporate Governance for South Africa 2016

The Group has applied the principles of King IV, the details of which are set out in the corporate governance statement included in the integrated report.

Significant matters considered in relation to the consolidated annual financial statements and how these were addressed by the ARC Committee

After discussion with management and the external auditor, being PricewaterhouseCoopers Inc. (PwC), the ARC Committee concurred with the key audit matters as set out in PwC’s report on the audit of the consolidated annual financial statements for the year ended 31 March 2018.

After reviewing the presentation and reports from management and consulting, where necessary, with PwC, the ARC Committee was satisfied that the consolidated annual financial statements appropriately address the critical judgements and key estimates pertaining to the key audit matters contained in PwC’s audit report referred to above, in respect of both amounts and disclosure. The ARC Committee noted that both the consolidated and separate annual financial statements were presented fairly in all material respects.

Other significant matters identified and considered by the ARC Committee

The significant areas of focus considered and actions taken by the ARC Committee in relation to the 2018 annual report were discussed with the external auditor during the year and, where appropriate, these have been addressed as key audit matters as outlined in the external audit report in the consolidated annual financial statements for the year ended 31 March 2018.

External audit

The ARC Committee has primary responsibility for overseeing the relationship with, and performance of, the external auditor. This includes making the recommendation on the appointment, re-appointment and removal of the external auditor, assessing their independence on an ongoing basis and for negotiating the audit fee.

Auditor appointment and tenure of the audit firm

PwC has been the Group’s external auditor since July 2014. At the 2017 annual general meeting, PwC was re-appointed as the Group’s independent external auditor, to hold office until the conclusion of the 2018 annual general meeting. It is noted that the individual registered auditor who undertook the audit during the financial year ended 31 March 2018 was Mr DB von Hoesslin. Further information regarding the tenure of Mr DB von Hoesslin is contained in PwC’s report on the audit of the consolidated annual financial statements for the year ended 31 March 2018. In addition, PwC will be required to rotate the audit partner responsible for the Group audit every five years and, as a result, the current lead audit partner will be required to change from the 2020 financial year onwards.

For the financial year ending 31 March 2019, the ARC Committee has recommended to the Board that PwC be re-appointed as the Group’s independent external auditor, to hold office until the conclusion of the 2019 annual general meeting and the directors will be proposing the re-appointment of PwC at the annual general meeting in July 2018.

Audit risk

At the start of the audit cycle for each financial year the ARC Committee receives a detailed audit plan from PwC, detailing their audit scope, planning materiality and their assessment of significant and elevated risk areas sensitive to fraud, error or judgement. The audit risk identification process is considered a key factor in the overall effectiveness of the external audit process, and the significant key risks for the 2018 financial year are encapsulated in their report on the audit of the consolidated annual financial statements for the year ended 31 March 2018.

The detailed audit plan was reviewed by the ARC Committee to ensure the external auditor’s areas of audit focus remain appropriate.

Working with the auditor

The ARC Committee holds private meetings with the external auditor at each ARC Committee meeting to provide additional opportunity for open dialogue and feedback from the ARC Committee and the auditor without management being present. Matters typically discussed include the external auditor’s assessment of business risks, the transparency and openness of interactions with management, confirmation that there has been no restriction in scope placed on them by management, the independence of their audit and how they have exercised professional scepticism. The Chairman of the ARC Committee also meets with the external lead audit partner, Mr DB von Hoesslin, outside the formal ARC Committee process, throughout the year.

Effectiveness of the external audit process

The ARC Committee reviewed the quality of the external audit process throughout the year and considered the performance of PwC, taking into account the ARC Committee’s own assessment, the results of a detailed survey of senior finance personnel across the Group, focusing on a range of factors they considered relevant to audit quality and feedback from PwC on their performance against their own objectives. Based on this review, the ARC Committee concluded that there had been appropriate focus and challenge on the primary areas of audit and that PwC had applied robust challenge and scepticism throughout the audit.

Independence and objectivity

In its assessment of the independence of the auditor, the ARC Committee receives details of any relationships between the Group and PwC that may have a bearing on their independence and receives confirmation that they are independent of the Group within the meaning of the JSE Listings Requirements. As one of the ways in which it seeks to protect the independence and objectivity of the external auditor, the ARC Committee has a policy governing the engagement of the external auditor to provide non-audit services. This precludes PwC from providing certain services such as valuation work or the provision of accounting services and also sets a presumption that PwC should only be engaged for non-audit services where there is no legal or practical alternative supplier.

Non-audit function policy

Per the Group’s policy for non-audit services, the external auditors may only be considered as a supplier for such service where:

  • There is no other alternative supplier for these services;
  • There is no other commercially viable alternative; or
  • The non-audit service is related to and would add value to the external audit.

The nature and extent of such services rendered during the financial year include:

  • Fulfilment of obligatory JSE submissions: R976 540;
  • Review of responses to regulators: R5 300;
  • Taxation symposiums and training events: R2 150; and
  • Directors’ remuneration benchmarking: R110 300.

The total fees earned during the year by the external auditors for non-audit services were R1 094 290.

Internal audit

Internal controls comprise systematic measures, policies, procedures and business rules adopted by management to provide reasonable assurance that: assets are safeguarded; error is prevented and detected and accounting records are accurate and complete. The internal audit function is governed by the internal audit charter, as approved by the ARC Committee. The internal audit function serves management and the Board by performing independent evaluations of the adequacy and effectiveness of the Group’s internal controls, financial reporting mechanisms and records, information systems and operations.

Monitoring and review of the scope, extent and effectiveness of the activity of the Group’s internal audit department is an agenda item at each ARC Committee meeting. The ARC Committee approves the annual audit plan prior to the start of each financial year and receives updates from the head of internal audit on audit activities, progress against the approved Group audit plan, the results of any unsatisfactory audits and the action plans to address these areas. The ARC Committee plays a major role in setting the internal audit annual objectives and the Chairman of the ARC Committee regularly meets with the head of internal audit to discuss the team’s activities and any significant issues arising from their work. The level of skill and experience of the internal auditors is presented to the ARC Committee on an annual basis.

Effectiveness of the Chief Audit Executive and arrangements of the internal audit

In accordance with King IV requirements, the ARC Committee has concluded that Ms J Naidoo, the current Group head of internal audit, possesses the appropriate expertise and experience to meet the responsibilities of this position and that arrangements of the internal audit are adequately resourced with technically competent individuals, and that it is effective.

Design and implementation of internal financial control

The internal audit department assessed the key internal financial controls by using the internal financial controls framework. Key controls assessed were based on the financial statement account balances and disclosures that are deemed quantitatively and qualitatively significant to the Group. The key controls in place to mitigate the risk of material misstatement of these balances in the financial statements were reviewed as at 31 December 2017. Based on the review performed nothing has come to our attention that would indicate a material breakdown of internal financial controls. The internal financial controls reviewed appeared to be adequately designed and are operating as intended.

Compliance with section 404 of the US Sarbanes-Oxley Act

Vodafone Group Plc (Vodafone) is required to comply with section 404 of the Sarbanes-Oxley Act (SOX) due to its listing on the NASDAQ stock exchange. With combined efforts between the Group and Vodafone, specific processes were identified that had to be brought in line with SOX requirements as part of the Group’s South African SOX compliance efforts. To be SOX compliant, the processes, systems and controls identified were reviewed for adequacy and tested to prove the effectiveness and ongoing operation thereof. Management has concluded that overall, as at 31 March 2018, these internal controls over financial reporting were effective.

Risk management

Reviews of the Group’s risk management, enterprise risk management programmes, business continuity and forensic services are performed by the Group’s Risk Management Committee, which reports to the ARC Committee through the Chief Risk Officer. The top principal risks, those risks that will prevent the Group from achieving its strategic objectives in the short and medium term, are presented to the ARC Committee twice a year and reported to and considered by the Board. Critical and high macro strategic risks, those risks that will affect the strategic objectives in the long term, are also presented to the ARC Committee twice a year and reported to and considered by the Board. All principal risks are currently managed within the risk appetite statements. The key focus areas, risk appetite and further details of the Group’s principal risks are reported in the risk management report included in the Group’s integrated report and online at www.vodacom.com.

The internal audit department has conducted a review on the effectiveness of the risk management function in accordance with the approved risk management framework. The results of the review indicated that the risk management process was satisfactory as at 31 March 2018. There has been further development on the risk appetite framework that facilitates quantification of principal risks for the organisation.

From 1 April 2017 to 31 March 2018, the Group’s corporate security divisions investigated over 13 723 cases of potential fraud, of which 13 322 related to external cases and 401 to internal cases. These cases were reported through various channels, including direct reports received from customers, service providers, online reports, referrals from business and external whistleblowing. Over the same period, 164 reports were received via the formal whistleblowing line.

The ARC Committee has satisfied itself that the risk management function operates effectively.

Combined assurance

The Group assessed risks based on principal risks. These are a high level category of risks, made up of macro and sub risks. The current combined assurance model in place is representative of how the risks are currently being managed between the three lines of defence. Vodafone Group Risk Management and Vodafone Group Internal Audit have implemented a coordinated structure for planning, executing and reporting on internal audit, compliance and risk activities. The committee is satisfied that the Group has optimised the assurance obtained from the three lines of assurance in accordance with the approved combined assurance model and that the model is effective in achieving the following objectives:

  • coordinates assurance and reporting to provide management and the Board with a clear view on what our risks are; 
  • effective risk mitigation; and
  • an acceptable level of residual risks.

Effectiveness of the finance function

In accordance with King IV requirements, the ARC Committee has concluded that the finance function is resourced with appropriately skilled and technically competent individuals, and that it is effective.

Effectiveness of the design and implementation of financial controls

In alignment with King IV, the ARC Committee has satisfied itself that the following areas have been appropriately addressed: 

  • Financial reporting risk;
  • Internal financial controls;
  • Fraud risk as it relates to financial reporting; and
  • Information technology and legal risk as it relates to financial reporting.

Compliance activities

The ARC Committee is responsible for the oversight of the Group’s compliance programme and held a number of deep dive sessions on compliance related matters in the year. These focused on:

  • changes to the control environment and a redefined finance operating model providing greater clarity of roles and responsibilities; 
  • updates to the Group’s Code of Conduct, which is reviewed every three years;
  • the establishment and maintenance of an effective Legal Compliance Program to be familiar with laws and regulations that apply to respective local markets including compliance-related monitoring function to help evaluate on-going compliance with our compliance-related applicable laws;
  • the results from the annual policy compliance review which tests the extent to which local markets and other entities within the Group are compliant with our high risk policies;
  • the results from our Doing What’s Right employee awareness and e-learning programmes and other measures designed to assess the culture of the organisation;
  • the results of the use of Speak Up channels in place to enable employees to raise concerns about possible irregularities in financial reporting or other issues and the outputs of any resulting investigations; and
  • the methodology for fraud reporting and investigations into known or suspected fraudulent activities by both third parties and employees.

Appropriateness and experience of Chief Financial Officer

The ARC Committee confirms that it is satisfied that Dr T Streichert, the current Chief Financial Officer, possesses the appropriate expertise and experience to meet the responsibilities of this position.

Integrated report

The ARC Committee has overseen the integrated reporting process, reviewed the report and has recommended the 2018 integrated report and consolidated annual financial statements for approval by the Board on 1 June 2018.

DH Brown
Chairman
Audit, Risk and Compliance Committee

