The public sector is required to meet higher governance standards by complying with national legislation such as the PFMA (Public Financial Management Act) and the MFMA (Municipal Financial Management Act). The Executive Authority is accountable to the legislature / parliament in terms of the achievement of the goals and objectives of the Institution. The Executive Authority should take an interest in risk management to the extent necessary to obtain comfort that properly established and functioning systems of risk management are in place to protect the Institution against significant risks. As risk management is an important tool to support the achievement of this goal, it is important that the Executive Authority should provide leadership to governance and risk management.
Typical business challenges facing public sector institutions include:

  • Compliance with the PFMA and MFMA
  • Service delivery
  • Budget constraints
  • Supply chain management
  • Unauthorised, irregular, fruitless and wasteful expenditure
  • Fraud and corruption
  • Increased social responsibility and social unrest
  • Health & safety (EH&S) risks
  • Skills shortage
  • Operational inefficiencies
  • Infrastructure quality
  • Reputational risk
  • Qualified audits


The following is a brief extract of the sections in the PFMA which refer to risk management and internal control / audit assurance:

38. General responsibilities of accounting officers.—(1) The accounting officer for a department, trading entity or constitutional institution—

(a) must ensure that, that department, trading entity or constitutional institution has and maintains—

(i) effective, efficient and transparent systems of financial and risk management and internal control;

(ii) a system of internal audit under the control and direction of an audit committee complying with and operating in accordance with regulations and instructions prescribed in terms of sections 76 and 77;

51. General responsibilities of accounting authorities.—(1) An accounting authority for a public entity—

(a) must ensure that, that public entity has and maintains—

(i) effective, efficient and transparent systems of financial and risk management and internal control;

(ii) a system of internal audit under the control and direction of an audit committee complying with and operating in accordance with regulations and instructions prescribed in terms of sections 76 and 77;

3. Internal control

3.1 Audit committees

3.1.10 The audit committee must, amongst others review the following—

(a) the effectiveness of the internal control systems;

(b) the effectiveness of the internal audit function;

(c) the risk areas of the institution’s operations to be covered in the scope of internal and external audits;

(d) the adequacy, reliability and accuracy of the financial information provided to management and other users of such information;

(e) any accounting and auditing concerns identified as a result of internal and external audits;

(f) the institution’s compliance with legal and regulatory provisions; and

(g) the activities of the internal audit function, including its annual work programme, coordination with the external auditors, the reports of significant investigations and the responses of management to specific recommendations.

3.1.13 In addition to the above, an audit committee must, in the annual report of the institution, comment on—

(a) the effectiveness of internal control;

(b) the quality of in year management and monthly/quarterly reports submitted in terms of the Act and the Division of Revenue Act; and

(c) its evaluation of the annual financial statements.

3.2 Internal controls and internal audit

3.2.1 The accounting officer must ensure that a risk assessment is conducted regularly to identify emerging risks of the institution. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority, and to determine the skills required of managers and staff to improve controls and to manage these risks. The strategy must be clearly communicated to all officials to ensure that the risk management strategy is incorporated into the language and culture of the institution.

3.2.7 An internal audit function must prepare, in consultation with and for approval by the audit committee –

(a) a rolling three year strategic internal audit plan based on its assessment of key areas of risk for the institution, having regard to its current operations, those proposed in its strategic plan and its risk management strategy;

9. Unauthorised, irregular, fruitless and wasteful expenditure

9.1 General

9.1.1 The accounting officer of an institution must exercise all reasonable care to prevent and detect unauthorised, irregular, fruitless and wasteful expenditure, and must for this purpose implement effective, efficient and transparent processes of financial and risk management.

King IV code (copyrighted to The Institute of Directors Southern Africa) and municipal and public sector entities:

Principle 4: The council / accounting authority should appreciate that the municipality’s / entity’s core purpose, its risks and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process.

Principle 11: The council / accounting authority should govern risk in a way that supports the municipality / entity in setting and achieving its strategic objectives.

Principle 13: The council / accounting authority should govern compliance with applicable laws and adopted, non-binding rules, codes and standards in a way that supports the municipality / entity being ethical and a good corporate citizen.

Principle 15: The council / accounting authority should ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the municipality’s / entity’s external reports.


The Public Sector Risk Management Framework (Framework) has been developed (by National Treasury) in response to the requirements of the Public Finance Management Act and Municipal Finance Management Act for Institutions to implement and maintain effective, efficient and transparent systems of risk management and control. Public sector institutions need an effective way of prioritising and managing risk across the institution in order to comply with the legislation. Proactive risk management involves the documenting and managing of risks, controls, incidents / near misses and the ongoing monitoring of risk mitigation plans.


BarnOwl GRC software streamlines your GRC processes, integrates risk, compliance and assurance information on a centralised platform, standardises risk and control taxonomies and offers the flexibility and scalability required for your changing business environment. BarnOwl:

  • provides a flexible risk management framework for the public sector (in line with the National Treasury framework and the COSO & ISO31000 standards) for you to manage your risk and compliance process as well as facilitate inspections / audits, findings and detailed analysis.
  • enables you to identify and document risks, causes, consequences and related controls.
  • automates risk and control self-assessments.
  • facilitates performance management with the measurement and reporting of KPIs (SDBIP) and KRIs.
  • enables you to record, monitor and report on issues / incidents.
  • provides a centralised repository for all your regulatory compliance requirements (fully integrated 3rd party compliance library) and tracks how you are meeting each compliance requirement.
  • streamlines internal audits, as well as third-party audits and allows you to gain real-time visibility into risk-based auditing, audit findings, root cause analysis and the ongoing monitoring of mitigation actions.
  • brings together risk management, compliance, assurance, as well as all related communication, analysis and reporting under a common platform.
  • provides continuous monitoring of your risk universe with early-warning notifications.
  • drives proactive risk mitigation strategies.
  • provides risk intelligence and trend reporting at all levels of the institution.


The benefits of using BarnOwl include:

  • Improved GRC maturity through an integrated and flexible GRC solution.
  • Optimise and monitor risk-reward outcomes by gaining a comprehensive, real time view of your institution’s risk profile.
  • Simplify regulatory compliance, using a single system to manage your compliance requirements and activities.
  • Enhance GRC productivity and efficiency as well as embed standards across the value chain.
  • Facilitate greater communication and collaboration on GRC tasks across all business units and locations.
  • Drive ownership and accountability for risk management across the institution.
  • Facilitate the principle that an institution’s risk and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process. (King IV™ Principle 4)



GRCReady is the official provider of risk management content for the BarnOwl GRC software solution. GRCReady provides extensive risk libraries and risk maturity checklists/surveys which are integrated with BarnOwl.

GRCReady, based in Australia, offers a comprehensive and holistic library of products and associated services, including templates, policies, procedures, guidelines, checklists etc., to help owners and directors of SMEs, startups and corporates to satisfy their corporate governance, risk management and regulatory compliance needs.

By integrating GRCReady's rich content libraries into BarnOwl's GRC software, we are able to offer our clients a state of the art, turnkey GRC solution.

GRCReady provides, arguably, the most comprehensive risk and governance maturity assessment framework with detailed steps and artefacts. BarnOwl's survey and action plan portal provides a simple and effective way to monitor and report on your current state of risk maturity and to suggest and drive remedial action plans to take you to your desired state of risk and governance maturity.

Integrating GRCReady's risk libraries with the BarnOwl GRC software means that you don't have to start from scratch. In addition, ongoing updates and insights keep you informed and up-to-date on best practices.


Season Rhythm is BarnOwl's preferred partner in Botswana, assisting with BarnOwl implementations, support services and client relationship management.

Season Rhythm is an established and distinguished player in the ICT sector in Botswana, specialising in a range of cutting-edge solutions. Season Rhythm leverages BarnOwl to provide tailored GRC&A services to businesses in Botswana facilitating:

  • Governance: Enabling organisations to establish and uphold effective governance structures, ensuring transparency and accountability in decision making processes.
  • Risk Management: Equipping businesses with tools to identify, assess and mitigate risks, safeguarding against potential threats and ensuring continuity in a business environment.
  • Compliance: Ensuring adherence to regulatory frameworks and industry standards, protecting businesses from non-compliance penalties and fostering trust among stakeholders.
  • Audit: Streamlining the audit process with comprehensive tools for planning, execution and reporting, driving efficiency and accuracy in internal audit and compliance assessments.


BarnOwl works closely with NSA in the field of GRC and assurance.

NSA is an education and risk & assurance advisory services provider, consisting of a team of professional consultants and facilitators who have been hand-picked on experience and expertise. NSA services include:

  • Strategic intervention: 30 expert consultants facilitating strategic planning, combined assurance, effective governance and risk management assignments.
  • Continuous professional development: CPD training for internal auditors, external auditors, accountants, risk managers, government officials, and psychologists.
  • Online learning: accredited training for the local government sector, including the Municipal Financial Management Program and Supply Chain Management.
  • Online skills development: skills in demand for 2030, including cybersecurity, Protection of Personal Information, Artificial Intelligence, Robotics and programming.

BarnOwl and NSA work closely with our clients to align and enable best practice GRC and assurance frameworks and methodologies within BarnOwl. NSA regularly presents online information sharing sessions together with BarnOwl.


Nico Technologies is BarnOwl's preferred partner in Malawi assisting with BarnOwl implementations, support services and client relationship management.

Nico Technologies Limited is an established IT products and services provider in Malawi, specialising in managed IT services, IT infrastructure services, IT project management, digital solutions, digital transformation and IT advisory.

Nico Technologies uses BarnOwl extensively within their own organisation to automate and manage their own risk and compliance functions.


Morgan Solus is BarnOwl's preferred business continuity specialist consulting firm with its 'BCM toolkit' software. BarnOwl GRC together with the BCM toolkit, provides a comprehensive risk management and BCM software solution.

Morgan Solus is a specialist consultancy firm focusing on risk, resilience and continuity. Morgan Solus's core services are centred on resilience, crisis management, business continuity (BCM), IT services continuity and disaster recovery (DRP) and training.

The BCM toolkit ensures a consistent approach to implementing BCM and IT disaster recovery and cuts down implementation timelines by 60% whilst driving up successful outcomes.

BarnOwl's extensive GRC and assurance functionality coupled with Morgan Solus's BCM toolkit provides the ultimate risk management and BCM software solution.


Arbutus Analytics is BarnOwl's preferred data analytics software. BarnOwl GRC, integrated with Arbutus Analytics, provides the ultimate in continuous risk monitoring.

Arbutus Analyzer is a powerful data access and analysis solution specifically developed for auditors, business analysts, and fraud investigators. Its robust performance and user-friendly features offer you the ability to access and analyse data quickly and simply.

BarnOwl GRC, integrated with the real-time metrics from Arbutus, provides a strategic early warning system driving preventative and predictive capability, facilitating effective business decision making and business improvement. with local sub-sahara African distributor


BarnOwl works closely with Pax Resilience in the field of GRC and sustainability.

Pax Resilience offers solutions in risk, resilience and cyber security. Pax Resilience strives to create peace of mind by assisting you to build the resilience in your organisation so essential to survive and thrive in the volatile, uncertain, complex and ambiguous world we live in.

Pax Resilience regularly presents online information sharing sessions together with BarnOwl.


Paige Law is the official provider of compliance content for the BarnOwl GRC software solution. Paige Law provides an extensive library of South African acts, including provisions [CRMPs] and checklists, which are integrated with BarnOwl.

Paige Law specialises in compliance, commercial law, legal process consultancy, managed legal services and POPIA / GDPR.


Registered Address

75 Malibongwe Drive
Linden Ext
South Africa

Postal Address

PO BOX 3009


+27 (0) 11 540 9100




If you need assistance with your BarnOwl software, there are three channels available to you:


You will be emailed a ticket number from our issue tracking system and your request will be managed in this ticket until it is completed.


You can view all your existing tickets or create new ones.


+27 (0) 11 540 9112
to speak to a support consultant
