
Business Maverick

GOVERNANCE GUARD

Internal auditors are Africa’s early warning system against corruption, cyber risks and weak governance

Public Protector Kholeka Gcaleka says internal auditors are no longer just compliance box-tickers. They are the ‘leading indicator’ in the accountability system, often spotting governance failures before they become scandals, court cases or front-page news.

Neesa Moodley
Public Protector Kholeka Gcaleka has called for enhanced protection for whistleblowers and internal auditors to encourage the reporting of red flags. Public Protector Kholeka Gcaleka has emphasised that internal auditors serve as essential early warning systems for governance failures and corruption, moving beyond mere compliance roles. (Photo: AFIIA Conference 2026)

Public Protector Kholeka Gcaleka has warned that corruption in South Africa is not usually a single act of misconduct, but a system that often begins with irregular appointments, weak controls and procurement abuse before hardening into institutional failure.

Speaking at the African Federation of Institutes of Internal Auditors conference in Cape Town, Gcaleka said external bodies such as the Public Protector, the Auditor-General and public service commissions usually arrive after the event: after a complaint has been lodged, after an audit cycle has closed, or after the financial year has ended.

“In the language of governance, we are a lagging indicator. Internal auditors are the leading indicator,” she said.

Gcaleka described internal audits as the institution’s “own conscience”, the internal mirror that shows an organisation what it actually looks like rather than how it wishes to appear.

Her message to boards, audit committees and executives was clear: if internal audits are ignored, weakened or punished, organisations lose one of their most important early warning systems.

Gcaleka said Public Protector investigations in SA frequently revealed a broader ecosystem that enabled corruption, including irregular appointments, procurement failures, maladministration, financial misconduct and weak governance systems. These failures, she said, often started long before an external watchdog was called in.

When red flags are ignored

Gcaleka’s warning lands in a year when the role of internal audits is expanding well beyond traditional financial controls.

The European Confederation of Institutes of Internal Auditing’s Risk in Focus 2026 report, highlighted by PwC Malta, found that while cybersecurity remains high, the risks that increased most sharply were digital disruption, including AI, and geopolitical uncertainty.

For SA and the rest of the continent, those global risks collide with old governance wounds: corruption, procurement abuse, weak consequence management, poor record-keeping, underfunded institutions and, in some cases, threats to those who raise alarms.

Gcaleka said the country’s accountability architecture was deliberately layered. Internal auditors, external auditors, the Auditor-General, the Public Protector, public accounts committees and other oversight bodies should not be seen as competitors. They were part of the same accountability chain.

But the chain broke when one link was weakened.

She cited the example of procurement failures during Covid-19, saying internal audit functions had raised red flags in some cases, but the warnings were not always acted on. In one example she referenced, internal audits identified irregular procurement involving verbal orders, untraceable suppliers, contracts without competitive bidding and inflated prices. The lesson, she said, was not that internal audits failed, but that the broader accountability ecosystem failed to respond.

Whistleblowers in the machine room

Gcaleka also raised concern about the vulnerability of internal auditors and whistleblowers.

She said internal auditors were sometimes “walking whistleblowers embedded in institutions”, because they were often the first people to identify problems but had to continue working inside the same organisation after raising the alarm.

Unlike an external whistleblower who may report wrongdoing and leave, internal auditors often have to face the professional and personal consequences of exposing failures from within.

This made the independence and protection of internal audit functions essential.

In an interview with Daily Maverick after her address, Gcaleka said audit committees must do more than receive reports. They must support and protect internal auditors when red flags were raised.

“Audit committees are important because they are independent, they are external, they are not of that organisation,” she said. “Audit committees must support internal auditors, and where there is a need they must protect them.”

She said internal audit reports should not disappear into a management drawer. In some cases, she argued, there should be clearer rules requiring reports to go beyond the chief executive to boards, executive authorities and annual reporting processes, creating more layers of transparency and accountability.

The whistleblower issue was especially urgent in SA, where the Protected Disclosures Act did not, in Gcaleka’s view, go far enough.

She said SA had legislation that allowed institutions such as the Public Protector to investigate protected disclosures, but not enough power to protect whistleblowers from retaliation, suspension, dismissal, financial ruin or threats.

Proposed amendments to the Protected Disclosures Act and the Public Protector Act were expected to strengthen protection, including the ability to stop retaliation, provide legal aid, financial assistance and psychosocial support.

The AI and cyber test

If corruption and procurement abuse are familiar risks, AI and cybersecurity are fast becoming the new danger zone.

The Risk in Focus 2026 work shows that digital disruption, new technologies and AI are climbing up the risk agenda, while cybersecurity and data security remain core concerns for internal audit functions.

Gcaleka said the relationship between advancing technology and cybersecurity was one of the emerging risks that oversight bodies and internal auditors may still be underestimating.

“You can’t put in a system and not protect it,” she said. The concern, she added, was not only whether policies existed, but whether the system itself had integrity.

Questions she raised included:

Can actions be traced to the individual who performed them?
Is information protected?
Can the organisation account for what a system, including an AI-enabled system, has generated?

Audit functions will increasingly have to test whether organisations understand the risks inside their technology systems: data quality, cyber resilience, access controls, automated decision-making, AI-generated outputs and the ethical use of digital tools.

For African institutions, that challenge is uneven. Gcaleka noted that the continent must grapple with digitalisation and AI while also dealing with areas that still lacked basic connectivity.

Africa wants one voice

“When institutions and professionals speak with one voice, influence is strengthened, governance frameworks mature and stakeholders’ confidence grows,” African Federation of Institutes of Internal Auditors chairperson Thokozile Kuwali said.

Kuwali said the federation had concluded its 2026-2030 strategy, which set out a roadmap for strengthening the internal audit profession and governance capacity across Africa. The strategy focused on building professional capability, expanding certification and improving inclusion across the continent.

That inclusion included language access. Kuwali said the federation had invested in live translation in French and Portuguese to improve participation, describing this as part of its commitment to representation and equal participation across Africa.

She said Africa’s voice in the global internal audit profession was becoming more prominent through participation in initiatives such as the Model Internal Audit Act, Risk in Focus and Vision 2035.

Boards cannot outsource accountability

The combined message from Gcaleka, Kuwali and the Risk in Focus 2026 work is that internal audits are being pulled into the centre of boardroom risk.

For SA, the stakes are especially high.

From hospital infrastructure failures to procurement scandals and whistleblower retaliation, many of the country’s governance breakdowns have not been caused by a lack of formal rules. They have been caused by poor implementation, weak consequence management and the failure to act when warning signs appeared. DM

