Corporate Governance 2026

SOUTH AFRICA Law and Practice Contributed by: Professor Michael Katz, Matthew Morrison, Madison Liebmann and Sinovuyo Damane, ENS

6. Audit, Risk and Internal Controls 6.1 External Auditors It is mandatory for public and state-owned companies to appoint an auditor and have their financial state - ments audited. The appointment must occur upon incorporation or within 40 business days of incorpo - ration. The first auditors hold office until the first AGM and are re-appointed annually. An appointed auditor may not be a: • director, prescribed officer, employee or consultant of the company; • director, officer or employee of the company sec - retary; • person who habitually performs accountant or bookkeeper duties for the company; or • person appointed as auditor in the immediately preceding five years. Pursuant to current amendments, a period of two years (previously five) must lapse before an auditor with certain prior involvement can be appointed. Audi - tors of private companies required to be audited can now be appointed at a shareholders’ meeting, not only at an AGM. It is not mandatory for a private or per - sonal liability company to appoint an auditor unless it is required to produce audited financial statements (see 5.1 Financial Reporting Requirements ). The Regulations provide that a private profit compa - ny’s financials must be audited if: • it holds assets in a fiduciary capacity exceeding ZAR5 million in aggregate value; • its PI Score is 350 or more; or • its PI Score is at least 100 (but less than 350) and its AFS were internally compiled. If a company is not required to be audited but is not exempt in terms of the Companies Act, its AFS must be independently reviewed. 6.2 Risk Management and Internal Controls Geopolitical Risk Management King V does not explicitly address geopolitical risk as a separate category. However, Principle 8 states that governing bodies should govern risk in a manner

a prescribed threshold for cash and electronic trans - fers, and all transactions above it must be reported. FICA requires that companies maintain records of cli - ent identities, business relationships and transactions for a minimum of five years from the date the business relationship is terminated or the transaction conclud - ed. The GLAA has amended the Companies Act to require significant beneficial ownership transparency (see 4.5 Shareholders in Publicly Traded Companies for further details). FICA further requires that companies maintain records of clients identities, the nature of the business rela - tionships as well as the transactions and accounts involved in the transaction. The minimum record keep - ing period is five years from the date on which the business relationship is terminated or the transaction is concluded. For listed companies there are additional record- keeping and disclosure requirements which are set out in the Listing Requirements. Board Oversight of AML-Related Matters FICA places responsibility on the Board to ensure AML and counter-terrorist financing governance and compliance with FICA and its Risk Management and Compliance Programme. Failure to ensure compli - ance is subject to an administrative sanction. King V reinforces Board accountability through principles requiring compliance with all applicable law in a man - ner promoting ethics and responsible corporate citi - zenship. The Board may delegate compliance over - sight to a risk governance committee. Personal Liability of Directors in Relation to AML Non-Compliance Directors face personal liability under FICA and the Companies Act. The duty to act with care, skill and diligence (see 3.6 Legal Duties of Directors/Offic - ers ) is central to liability in all contexts, including AML compliance. A Board that fails to ensure appropriate governance, oversight and resourcing for compliance may be in breach of its fiduciary duties. Conversely, where a director can demonstrate informed, good- faith judgement, personal liability is less likely to arise.

634 CHAMBERS.COM

Powered by