Corporate governance services cover an extensive list of services that can be provided to clients in Zambia and the East African Region. 3K&L has various tools in place to assist in the review, development and implementation of an appropriate and relevant governance structure. The primary tool used is the Internal Control – Integrated Framework issued in May 2013 by the Committee of Sponsoring Organisations (COSO) ©. All rights reserved.

In a snapshot, the framework covers the following areas:


The above five COSO Components on corporate governance are then further broken down into 17 Principles that each organisation has to deal with[1].  In order to provide a tailored and relevant solution, we use these Principles to determine the nature and structure of the assignment.

We highlight that a number of institutions could benefit from the services we provide below. As we demonstrate below, we can carry out reviews on specific areas or on all areas. As such, entities who would like to invest in companies can use our services as an independent and experienced resource to carry out an individual review or a combination of reviews.

We also note that such corporate governance services can be of significant benefit to banks and other lending institutions for loans of higher amounts. An assessment of certain elements of the internal control structures of a borrower gives the lender an independent perspective on the sustainability of the company. While the report is not a guarantee of success, it gives clear indicators that show a higher or lower propensity to succeed.

We set out below the corporate governance principles and how these can be applicable to our target clients in Zambia and the East African region.

Control Environment

Principle 1 – The organisation demonstrates a commitment to integrity and ethical values.

When dealing with this principle we assess whether the organisation is setting the right tone for all stakeholders who engage with the company. A company would normally delegate to the MD, the critical role of ensuring that all parties to the success of the organisation operate within specific guidelines. For example, employees are expected to keep office hours, work diligently and effectively, maintain etiquette and an appropriate work environment. However, if the senior managers are not attesting to such ideas, staff will rarely follow suit. In a worst case scenario, staff begin to see ‘US’ and ‘THEM’, which leaves the organisation very susceptible to fraudulent actions and activities.

Similarly, engaging with customers to show a commitment to the organisation’s ideals always delivers success. We have all been to restaurants where the owner is absent and the level of commitment to quality that you get from the waiters, chef, etc. is very low. Compare that with the experience you walk away with when the owner is there to welcome you as you walk into the restaurant and is willing to serve you just as any waiter or chef.

This is a simple assessment that we can carry out for your organisation anywhere in Zambia or the East African region, and would go a long way in building better commitment from your staff, customers, vendors, regulators, etc.

Principle 2 – The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

This principle tends to be overlooked by organisations because it refers to a Board of Directors. Talking to many entrepreneurs about this element of corporate governance, they often say that they do not have the financial depth or resources to engage a board that can contribute to meeting this principle. Similarly, individuals who would form strong directors and provide such oversight, are normally not affordable to all entities.

However, we believe that having this oversight is an important part of strengthening the company. So how do you reconcile the two issues? The idea is to understand the spirit of the principle and interpret it for each organisation. The principle primarily tries to drive the concept of independent feedback, having appropriate skills to be able to provide such feedback and ensuring that senior management are looking at risks of the organisation and responding to them.

3K&L has the capacity to provide this input as a snapshot of the organisation. Such a picture would go a long way in showing an MD or owner some of the areas that can be dealt with over a period of time. It is important to note that even the boards of large organisations would normally meet 2-4 times in a year. As such, an annual review is not an exercise in futility. It is something that will add to the strength of the entity.

Principle 3 – Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

This is a simple, yet fundamental principle in the corporate governance of an organisation.  I am yet to encounter a company that does not have structures about who can do what and when, especially when it comes to cash payments.

Where many organisations fall short is in having these structures 1) formalised and 2) adaptable. Often, you find that something has not been attended to because new staff are not clear on who is responsible, or because this is a new item that has not been dealt with before. For example, a retailer may have started the company by running their own deliveries. As the company expands, the CEO decides to outsource certain routes to a delivery company. As the outsourced routes increase, you might begin to see orders getting mixed up or omitted altogether, because there is no clarity on who is responsible for allocating orders to delivery teams.

Related to the above, a lack of clarity on what needs to be reported to the entrepreneur and what can be dealt with by others will result in the owner either getting inundated with information, or frustrated that matters only come to her attention at the last minute, when they are a crisis.

As 3K&L, we would normally carry out an independent assessment of what the entrepreneur reviews and what gets communicated, and understand WHY. Each CEO is different in their demands for information and therefore you cannot receive a ‘one-size-fits-all’ formula. Documentation of these structures can also be time consuming, but must be flexible enough to change with the company. Levels of authority should be an enabler of the activities, not a bottleneck.

Principle 4 – The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

This is one of the most powerful, yet widest, areas of operations. It requires that the organisation consider the following:

  • Recruitment – have we identified the best place from which to look for resources? Should we rely on referrals, open advertisement or head hunting? Are we getting the right people? Are we helping our people settle in properly?
  • Retention – are we doing enough to retain our best people? Are we using innovative ways to keep people or are we trying to use money?
  • Development – How are we developing our people? Is this development relevant to the company? Is development balanced between formal training, experience and coaching? How does development prepare individuals for the next promotion?
  • Separation – How do you disengage with your staff? When they leave, do they feel let down or do they act as good ambassadors of the company?

Providing Human Resource consulting services is a strong part of 3K&L. We can carry out an assessment for the CEO and arm him with sufficient information, actions and policies for implementation. We will also walk with the company to ensure that implementation is successful.

Principle 5 – The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

The strength of a control, a process, or a policy within corporate governance structures is in enforcement. However well a leader engages with his team to drive certain behaviours and actions, many times, this will fall short if they are not enforced.  A good business needs to understand what sort of enforcement is required for different areas. It is also important that such enforcement be seen to be fair, appropriate and relevant.

This is a function that fits in closely with the principles above around setting the tone, having HR policies, and appropriate oversight.

Risk Assessment

Principle 6 – The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

This generally deals with the process of developing a strategy for the company and ensuring that you can monitor and support those objectives. For the purposes of the COSO framework, it narrows the objectives down to Operating objectives, External financial Reporting Objectives, External Non-Financial reporting, Internal reporting and Compliance objectives.

As with other Principles, an organisation needs to critically assess its investment in the various objectives and how much is used in preparing them. The spirit of the principle will apply across all entities, but 3K&L can assist in determining a focused way in which to achieve this.

See additional details under Risk Assessment and Risk Management

Principle 7 – The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.

Risk assessment is a fundamental function in any entity. We are all acutely aware that we face risks every day, whether in our personal lives or within the company where we work. Because it is such a fundamental area, we all undertake some level of risk assessment and risk mitigation, whether it is part of corporate governance or simple business sense.

3K&L can assist on three fronts:

  • Assist management in quantifying the strategy into tangible measurable goals. Usually, but not always, in the form of a budget.
  • Facilitate and guide the preparation of a risk assessment of the organisation, using various tools to simplify the process. Many managers feel that a risk assessment process needs to be detailed and convoluted, but it is the output that is important.
  • Work with management to develop mitigation actions and activities against the identified risks.

See additional details under Risk Assessment and Risk Management

Principle 8 – The organisation considers the potential for fraud in assessing risks to the achievement of objectives.

We all acknowledge that the risk of fraud is an ongoing area of concern and attention for all entrepreneurs.  As 3K&L, we work with management, not to eliminate all possibilities of fraud, but to enhance their processes to help identify and mitigate fraud.  More often than not, a fraud will occur because management is blind to the indicators of fraud, namely:

  1. Incentive or pressure to commit a fraud – many times, a good employee may become a perpetrator of fraud because of changes in their circumstances. Pressure to spend more money or to achieve certain personal or organizational goals can result in fraud. Processes to maintain an oversight of employees are always critical. Sometimes, the best oversight is setting the right tone and maintaining an open door policy so individuals can highlight any new pressures in their workplace or at home.
  2. Attitudes and rationalization of the act – many staff members will rationalise fraud. The easiest frauds to rationalise are those considered ‘victimless’. For example, an employee may engage in ‘teeming and lading’ by using petty cash for personal expenditure (to be replaced later), because the entrepreneur is consistently asking the accountant to make personal payments out of petty cash ‘to be replaced later’.
  3. Opportunity – opportunity to commit fraud is a factor of controls and processes. It is a sum total of actions taken by the owner/ MD to identify where there is risk and put in place appropriate controls. Sadly, it is not possible to guard or close off all opportunities. So a strong monitoring function and dealing with the first two indicators, can help reduce the risk.

See additional details under Risk Assessment and Risk Management

Principle 9 – The organisation identifies and assesses changes that could significantly impact the system of internal control.

In all businesses, change is inevitable. Many businesses struggle to be sustainable because they are not ready for change. Change can come from disturbances in the political, social or macro environment, or can come from more micro factors such as changes in technology or consumer behaviours. Lastly, but probably most importantly, changes come from internal sources, such as a change in key personnel, business model, philosophies, etc. Some of the changes come from rapid growth, which should be a favourable thing.

Wherever change comes from, it requires an organisation to be prepared. It also means that an organisation cannot be focused on one element of change. For example, a retailer may be watching changes in consumer behaviour to make sure that the company orders the right fashion from their supplier, only to realise that the change is coming from how consumers order using technology. Now consumers can order directly from the internet with an option to return the items if they don’t fit.

3K&L can assist in reviewing the processes in place to help the CEO identify and prepare for such change. Again, this particular element is a sum total of other controls working together effectively to quickly provide management with the information they require.

Control Activities

Principle 10 – The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Control activities are the day-to-day actions and processes undertaken by management to run the business. When carrying out a corporate governance review with a focus on control activities, some of the fundamental issues that we have identified with SMEs are:

  • Using controls copied from another organisation, which are not applicable for the current environment. For example, stringent cash controls around an environment which is better suited to using cheques and bank transfers.
  • Not aligning controls to a clear risk assessment process and therefore not being fully effective in using controls. This is a situation where senior managers have not closely looked at the objectives being pursued and therefore the real risks that the organisation faces. As such, there are loopholes in the controls being implemented.
  • Duplication of effort by different managers, therefore over-controlling certain areas. A number of times, you might talk to a manager who believes a certain control is important; however, someone else has mitigated a risk of loss by putting another control upstream or downstream.
  • Controls not working in tandem with IT systems in the organisation. Conversely, introducing IT systems that work parallel to existing controls, as opposed to complementary to existing controls.
  • Targeting controls at the wrong level of the organisation, for example, the CEO spending inordinate amounts of time dealing with cash transactions and approving administrative matters (such as leave) instead of providing long term leadership to the company. Conversely are controls that wrongly insulate the CEO from realities on the ground, in which case, important decisions are made by the wrong people or without correct information.
  • Insufficient segregation of duty, usually blamed on the lack of resources, as opposed to lack of appropriate structures.
  • Inappropriate mix of detective controls as opposed to preventive controls and manual controls over automated controls.

At 3K&L, we can review the overall control activities of the organisation or drill down to specific processes in a company. Specific processes include items like sales and trade debtors, expenses and trade payables, inventory, cash, fixed assets, payroll.

Information and Communication

Principle 11 – The organisation selects and develops general control activities over technology to support the achievement of objectives.
Principle 12 – The organisation deploys control activities through policies that establish what is expected and procedures that put policies into action.

Under these principles, we take a position that considers technology as a wide range of interacting systems. Many entities only consider a core accounting system or the single email/ website domain as the technology that needs to be considered.  However, it goes well beyond that. Technology will include:

  • The internet and how the organisation utilises it – the internet is a powerful tool, however, once something is on the internet, it is difficult to remove. As such, organisations need to understand how they put information into the net. They also need to understand and manage (not control) what their employees put on Social media as that can be linked back to them;
  • How storage systems for information are used and protected – in this modern age, critical company and personal information is stored on various devices. For example, Microsoft Office provides you access to OneDrive, which can be synchronised across all devices on which you log on. This means you can access your files from your phone, tablet or PC. You can log onto another computer and still access the information. While this is a powerful tool, it also creates new risks. Having a password on your laptop and not on your phone means that your information is at risk;
  • Security against malicious attacks – With the linkages that are brought about by the internet, information is more subject to risk than ever before. Companies have tried to discourage the use of flash drives and other external drives because of the ability to pass on viruses and other malware. More and more entrepreneurs are putting cyber-risk as one of the biggest risks being faced by their companies. Many others are ignoring the risk at their own peril.

So what does 3K&L do? We will review the software you are using, the operating systems, hardware and network infrastructure.  We also review how each of these have been implemented, including looking at firewalls, passwords, access rights and authority levels.

For further details of the services we can offer, please see IT Reviews and System Implementation

Principle 13 – The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control.

Principle 14 – The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Principles 13 and 14 are closely related, just like 11 and 12. Generally, they expect that an organisation has a way of obtaining data from internal and external sources and converting that data into information. Processing of data into information is not a straightforward task. Whoever receives the final output must be confident that the information reflects the sum total of the data that was collected. As noted above, there is always a risk that data collected is manipulated (either intentionally or erroneously) to give a different picture.

However, having accurate, complete and reliable information, in itself, is not sufficient. That information has to be received by the people who need it, when they need it. That information also has to be kept away from those who don’t need it.

We will review the process of obtaining the information (in conjunction with reviewing IT systems) and how management decide who needs the information and when and how they ensure that this information is delivered promptly.

Principle 15 – The organisation communicates with external parties regarding matters affecting the functioning of internal control.

This is a principle that is important to all organisations, but more so for those with significant third party interest. For example, entities in a banking or financial services sector would need to report to the regulators on how internal controls are working. In other scenarios, banks or investors may demand that an entity provide regular reports on the quality of internal controls.

We can assist organisations to develop and improve systems for reporting to external parties. This needs to be transparent, but bear in mind a matter raised above – decide who needs which information and when.

Monitoring of Controls

Principle 16 – The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Principle 17 – The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

As part of the development of an organisation, it is expected that they will invest more and more in having independent evaluations of the controls in the organisation. We take note that most SMEs cannot afford to have an internal audit or compliance function. As such, we come up with innovative ways of meeting the spirit of this principle without necessarily incurring a huge expense.

Critically, having an independent review is important, but it is only as good as the report that comes from the review and the remedial actions that are taken. Just as we assist in coming up with innovative ways to carry out these reviews, we also assist in drafting reports and recommendations and in carrying out follow-up reviews.

[1] Details and additional information can be found on
