Rand Water | Integrated Annual Report 2025

INTEGRATED ANNUAL REPO

COMBINED ASSURANCE Rand Water has formally adopted a Combined Assurance Model to strengthen governance, reinforce the internal control environment, and optimise the assurance obtained from both management and independent assurance providers. A clearly defined Combined Assurance Framework has been institutionalised to support structured implementation across the Group. The framework is operationalised through the Combined Assurance Forum, comprising representatives from key assurance and oversight functions; including Integrity and Probity Assurance, Risk Advisory Services, Group Legal Services, Group Regulatory Compliance Services, Group Internal Audit (GIA), and the Auditor-General of South Africa (AGSA). This structure enables a systematic and coordinated response to strategic and operational risks, aligned with the Five (5) Lines of the Assurance model. The coordination and facilitation of combined assurance activities is delegated to GIA, as mandated in the Internal Audit Charter. Throughout the reporting period, the GARC received quarterly updates on the effectiveness and adequacy of combined assurance efforts, including internal controls relating to strategic risks. As part of the combined assurance model, there were structured engagements between GIA and the AGSA during the year. These engagements covered shared planning intelligence (including the approved GIA three-year rolling plan and annual plan), completed audit reports and working papers, and collaborative assurance where reliance and direct assistance were agreed upon. Internal Controls Rand Water’s system of internal controls is designed to provide reasonable assurance regarding the effectiveness and efficiency of operations, safeguarding of assets, prudent management of liabilities and working capital and compliance with laws and regulations. Key components of internal controls architecture include: • A comprehensive and integrated system of financial planning, budgeting, and reporting that enables ongoing monitoring of financial performance. • An approved framework for assessing materiality and significance. • Clearly defined delegations of authority. • A robust and sustainable funding strategy. • Institutionalised policies and procedures across all areas of the business. These controls are monitored throughout the organisation by management and employees, with the necessary delegation of authority and segregation of duties. The GARC is satisfied that the financial and performance reports submitted during the year were of an acceptable quality and allowed for informed oversight and decision-making. For the current financial year, through review of the various reports of the internal auditors, the GARC noted that there were no material weaknesses in the systems of internal controls. The internal controls were generally adequate and effective, except in the areas of procurement of goods and services and Digital Technology and Information Management (DTIM) where significant findings were raised indicating control deficiencies requiring urgent management attention. These significant findings in the Supply Chain Management (SCM) area were related to contract variations, delays in bid evaluations, non adherence to evaluation criteria in Request for Quotation (RFQ) evaluations and incomplete records. In the DTIM space the significant findings were related to weaknesses in the management of third-party Service Level Agreement (SLA), capacity planning deficiencies and backup and recovery risks. Management has committed to addressing these deficiencies and provided an action plan. The Committee maintains close oversight and continues to track management’s effort to remediate these weaknesses.

7

Rand Water | Integrated Annual Report 2025