corporate governance internal control reporting

8/11/2019 Corporate Governance Internal Control Reporting

1/24

Enforcing Transparency and best practices inCorporate Governance Focus on InternalControl Reporting

www.pwc.com/ng

Presentation at ICAN forum of firms

Uyi Akpata Partner PwC

26 January 2011


2/24

Agenda

- PageCorporate governance on the radar The triggers Global response The Nigerian context

Principles of the Nigerian Codes

3 - 6

Requirements of ISA 2007 Overview of ISA 2007 sections 60(2), 61(2) and 63 Objectives

7 - 9

PwC

Main issues that have prevented compliance with requirements of ISA 2007 10Implementation challenges

Significant changes in processes and systems required Information gaps

11 - 12

Actions needed for timely compliance Overview Key factors for consideration by SEC and market participants

13 - 23

Conclusion 24


3/24

Corporate governance on the radar

Corporate governance defined

Corporate governance is defined as rulesand practices by which the Board ofDirectors of a corporation ensureaccountability, fairness and transparencyin the companys relationship with the

companys management, employees,customers, suppliers, government and thecommunity at large.

The triggers

Series of corporate financial scandals that caused loss of public confidencein the capital markets and public listed companies. Notably amongst theseare the : 1997 East Asian Financial Crisis which saw the collapse of

economies of Thailand, Indonesia, South Korea, Malaysia and

Philippines 2000 massive corporate bankruptcies in America involving Enron

and WorldCom 2008 global financial crisis. 1993/94 and 2009 financial crisis in Nigeria

The triggers

pervades the capital market in Nigeria

Need to strengthen the governance structures that are deemed to be weakin most companies in Nigeria

Companies need to reinforce public trust in capital markets by actingresponsibly, creating value for their shareholders and being seen to do so

Globally, business risk management and related disclosures to investorshave become best practice for companies

3


4/24

Global response

Top Global Capital Markets and corporate governance reporting driver

Continent Country Reporting Driver

North

America

US* Sarbanes Oxley Act , 2002 with SECand PCAOB rules

Canada Canada Business Corporate Act 2010

North America

Europe & UKAsia

Many countries have adopted governance and internal control reporting, more are pursuingadoption


PwC

urope om ne co e

France Corporate Governance Code 2008

Germany German Corporate Governance Code2002

Spain Unified code of good governance 2006

Switzerland Swiss federal of obligations 2006

Australia Australia ASX principles of good corporategovernance practice and best practices,2007

Asia Hong Kong Code on Corporate Governancepractices 2009

Japan Principle of Corporate Governance forlisted companies, 2004

Africa South Africa Kings Code 2002

Africa

Australia

Hong Kong

4


5/24

The Nigerian context

2003 Code of Corporate Governance recommendations by Committeechaired by Atedo Peterside

2003 Central Bank of Nigerias Code of Corporate Governance for banks and

other financial institutions in Nigeria

Investment and Securities Act (ISA) 2007Sections 60(2d f), 61(2) and 63


5

CBN Scope, conditions and minimum standards for Commercial BanksRegulations No. 01, 2010.Section 5 (f) through its Board of Directors report on the implementationand effectiveness of its internal control framework to the CBN within four

months after the year end.


6/24

1 Board to have rigorous controlscontrol over financial audit andinternal control, and compliancewith the law

2 Companies to disclose its corporategovernance/internal controls status

3 Rigorous procedures for appointment,training & evaluation of boards

4 Separate chairman and chief executive

5 An effective and well informed board

6 Audit Committee & Auditors

The expected rewardThe principles of the Nigerian code


independence7 Board to be responsible for setting the

strategic direction of the business

8 Fair and responsible remuneration fordirectors and senior executive

9 Board to communication with

shareholders and encourage theirparticipation

10 The directors and officers to have fullloyalty to the company

Does your reporting system convey an organisation that is well connected to the governanceprinciples and reward ?

6


7/24

Requirements of ISA 2007

A statement from the CEOs and CFOs that:1. They have reviewed the audited financial statements and such other prescribed returns;

2. Based on their knowledge the audited financial statements or returns do not contain any untruestatement of a material fact or omit to state a material fact that would make the statement misleadingin the light of the circumstance in which the statement was made;

3. Based on their knowledge the financial statements and other financial information included in thereport fairly present in all material respects the financial condition and results of operation of thecompany as of, and for the periods presented in the report;

4. They are responsible for establishing and maintaining internal controls; have designed the controls to

Overview of ISA 2007 sections 60(2), 61(2) and 63

7

ensure a ma er a n orma on re a ng o e company an s su s ar es s ma e nown o em

by others within the entities for the period in which the financial statements or returns are beingprepared; have evaluated the effectiveness of the internal controls as of X (a date within 90 days priorto the financial statements or returns date), have presented their conclusion about the effectiveness ofinternal controls based on their evaluation as of X;

5. They have disclosed to the auditors of the company and the audit committee: i) all significant

deficiencies in the design or operation of internal controls which would adversely affect the companysability to record, process, summarise and report financial data and have identified for the auditorsany material weakness in internal controls; ii) any fraud, whether material or not that involvemanagement or other employees who have significant role in the companys internal controls;

6. They have identified whether or not there were significant changes in internal controls or other

factors that could significantly affect internal controls subsequent to the date of their evaluation,including any corrective action relating to the significant deficiencies and material weaknesses


8/24


Auditors involvement

An Auditor of a public company shall in his audit report to the company issue a statement as to theexistence, adequacy and effectiveness or otherwise of the internal control of the public company

Board responsibility

A statement from the board on the effectiveness of internal controls

Overview of ISA 2007 sections 60(2), 61(2) and 63 (contd.)

8


9/24

COSO Framework/USA Turnbull guidance /UK Coco Objectives /Canada ISA 2007

A defined process, effectedby an entitys board ofdirectors, managementand other personnel,designed to provide

A sound system of internalcontrols would:

Facilitate effectiveand efficientoperations,

The three objectives ofinternal control include:

Effectiveness andefficiency of operation

Reliabilit of internal

Policies, procedures andpractices put in place bymanagement to ensure:

Safety of assets,accurac of financial

Matters to re-iterate : Effective Internal has three main objectives


Objectives

PwC

reasona e assurance

regarding the achievementof objectives in thefollowing categories:

Effectiveness andefficiency of operation

Reliability of

financial reporting

Compliance withapplicable laws andregulations

Help ensure quality ofinternal and externalreporting, and

Held ensurecompliance withapplicable laws andregulations

and external reporting Compliance with

applicable laws andregulations andinternal policies

records and reports,Achievement of

corporate objectives(operational &strategic)

Compliance with laws

and regulations

9


10/24

Main issues that have prevented compliance with requirements of ISA 2007

No guidelines and absence of a recommended framework such as COSO

Policies, procedures and practices in place to set the tone at the top

Policies, procedures and functions in place to ensure that the businessobjectives & the business risks are effectively & efficiently identified

Internal control objectives

10

SECs response - In April 2010, SEC inaugurated a committee charged with the mandate to develop the

guideline. We understand that the development of the guideline is work in progress.

Processes and functions in place to ensure that the performance of theinternal control system is effectively monitored and improved upon

Policies and procedures in place to prevents, detects and addresses risks

Processes in place to ensure that risks and control activities areeffectively communicated to the relevant parties


11/24

Information gap

Despite efforts by organisations to demonstrate their commitment to good corporate governance practices, informationavailable indicates that the corporate governance practices in companies generally do measure up against competition and

best practices. One of the critical cause is poor quality of information. Presented below is the result of our survey on thechallenges of corporate governance reporting for FTSE 350 companies.

Implementation challenges

11The situation in Nigeria may even be worse than this


12/24

Processes

New systems required

Process changes required

Management reporting

Financial and non-financial processes

Data gaps

Implementation challenges

Significant changes in processes and systems required

People

Compliance (GRC) function,

GRC documentation and reporting tools

GRC knowledge management system

Change management will be required

High levels of commitment in terms of time andmoney

Communication strategy Training strategy Project process support Launch & buy-in activities Resource / skills to manage the change

Embedding knowledge new policies & processes Training & performance support

Your organisation

12

These need to be addressed to providegood platform for a successful and

sustainable implementation of the ISA2007


13/24

Actions needed for timely compliance

Overview

The recent queries auditors and some market participants had received from SEC for non-compliancewith the Act reiterates the urgency for the development of an implementation guideline.

The primary objectives of the guideline should be: To ensure common definition and interpretation by market participants and other interested parties To provide a basis for the design, execution, evaluation and reporting of internal control systems by

market participants

Ultimately, allowing organisations to have better visibility of the risks (strategic, operationalreporting and compliance) impacting their business, the associated controls, improvements needs,and facilitate better alignment to the overall business objectives

13


14/24

# Point of focus Suggested response

1 What Auditing framework will beused?

ENHANCED Standards on auditing which typically includesfor example all ISAs and controls standards over financialreporting. For instance, consider PCAOB AS5 in the USAOrInternational Standards on Assurance Engagements (ISAE3000)OrInternational Standards on Related Services (ISRS 4400)

2 What Reporting format is required Mix of ISA 700 and ISAE 3000


Key factors for consideration by SEC and market participants

No opinion - provide only report of findingsOrNo opinion provide Management Controls Report

3 What is the Level of assurancerequired?

Reasonable assurance on historical financial information andcontrols over financial reportingor

Limited or Reasonable assurance on internal controls overfinancial reportingOrNo assurance

14


15/24


4 Is there a clear understanding of therequirements of the ISA 2007 and thefundamental principles of internalcontrol? What constitutes effective

internal controls? What constitutes an evaluation of

internal controls? Does disclosure on the

effectiveness of compliancero rammes reflect the actual

Many concepts may be foreign to key non-accountant . As aresult, education may be needed to ensure that concepts such asfinancial statement assertions are fully understood.

For example, for financial internal controls, a good starting

point for the risk assessment is an evaluation of all significantaccount balances or disclosures in the financial statements andthe underlying processes and/or locations that generate them.Some key points of focus for examples include: The determination of significant locations. The identification of si nificant accounts and disclosures



position in a business?

Determining relevant assertions and risks Determining significant processes and locations Determining key internal financial controls Design effectiveness Operating effectiveness

15


16/24


5 What control framework shouldgovern the design and evaluation ofinternal controls over the 4dimensions (financial reporting,strategic, operational andcompliance)?

A well established internal control framework such as: COSO for internal control over financial reporting ISO 9001 and HIPAA for compliance with regulation; and SIX sigma for operationalOr

Agreed upon procedures (AUP)



16


17/24

# Key area of focus Suggested response6 How does an organisation conduct an

assessment of internal controls and evidencesupporting the performance of the controls?

Have all the risks to the preparation of

the financial statements in accordancewith the applicable financial reportingframework (such as IFRS), including

where relevant, their fair presentationbeen identified and documented?

It is difficult to provide guidance and have thatguidance consistently applied for qualitative

judgments. It is more effective to have these decisionsmade by a small core of senior individuals for thecompany as a whole

Internal audit function is responsible for maintainingreasonable support for the assessment or assurance ofinternal control system. The extent of support required

will vary based on the reporting risks identified and



Are there controls (manual andautomated) in place to address these risksand are they adequately designed toprevent or detect material misstatementsin the financial statement results anddisclosures?

Who assures these complianceprogrammes and the impact of legislativechanges on the business/organisation etc?

What reporting format is appropriate?

,

entity.

Evaluations should begin with a top-down risk basedapproach rather than a bottom-up to ensure that onlykey risks impacting on the internal control dimensionare evaluated and efficiencies achieved. Application of

bottom up approach most times leads to many non-key controls evaluated.

Therefore, Internal audit, together with management,should decide what the nature and extent of supportrequired to validate its decision and the reportingformat

17


18/24

# Key area of focus Suggested response7 What can the audit committee expect from

the results of the evaluation?The audit committees first inclination may be to have allcontrol deficiencies reported to it at least for the first year.

Excessive audit committee involvement with relativelyminor control deficiencies could compromise the

learning that management may benefit from in the firstyear and may well result in an inefficient use of the auditcommittees time and resources

It is important to balance the volume of reporting from



committee and to avoid adding an extra layer of judgmentonto decisions about significance.

The audit committee will have all significant control andmaterial deficiencies reported to it. Control deficienciesthat do not rise to the level of significant or material, will

be discussed with management but will most likely not bereported to the audit committee.

8 How does the audit committee know if itsoversight is appropriate?

The evaluation of the audit committee should beperformed every year.

18


19/24

# Key area of focus Suggested response9 How does the evaluation of internal

controls address the risk of fraud ?In the past, fraud in relation to material misstatement of thefinancials statements was most commonly thought of in termsof misappropriation of assets. More recently, manipulation offinancial reporting has been the more common fraud.

The risk of fraud must be considered by internal managementas part of the internal financial control project. Keyconsiderations should include explicit assessment of fraud riskand identification of relevant controls, and the development ofappropriate approach to testing those controls.



19


20/24


Developing the implementation guideline around the four dimensions of internal control objectives requireshuge investment by SEC in terms of commitment, time and money.

In view of the urgency of implementation guide and the need for the market to fully comply by the end ofguideline 2011, SEC will be required to undertake the following critical activities:

Strategy for developing implementation guideline for ISA 2007

Project management

Priotise the four dimensions of the internalcontrol objectives and focus on the highpriority areas, for example financial reporting,and the assess the possible implications to

Capacity building

Evaluate its current capacity to receive reportsand test the adequacy and effectiveness of thecompliance by market participants

20

.

Actively engage with key stakeholders in theindustry such as ICAN and NASB andprofessional to leverage knowledgebase in theindustry

Engage public listed companies to updatethem with developments and plans to facilitatecompliance

appropriate infrastructure such technology,internal methodology /checklist and processes

Establish functions and processes to handleFrequently Asked Questions (FAQ) from thepublic

Establish functions and processes tocommunicate feed of compliance assessmentand actions to the market


21/24

Public companies Comply with the ISA 2007 by undertaking the following actions:

Strategy for developing implementation guideline for ISA 2007


Implement awareness education and readiness assessment ISA 2007 Act sections relating tointernal control with focus on financial reporting

Implement a control framework incorporating the four dimensions of internal controls

(strategic, operational, financial and compliance) that is documented and achieves fairpresentation of the financial statement results and disclosures in accordance with generallyaccepted accounting principles

Follow a risk-based approach by identifying likely sources of material errors in the financialstatements and disclosures. These risks should then be mitigated by controls that are

statements and disclosures. Have Internal audit evidence an annual assessment of the design adequacy and operating

effectiveness of internal financial controls and maintaining relevance over time by taking intoconsideration any changes to both internal and external factors impacting the company.

Identify the laws and regulatory obligations that are applicable, including the non-bindingrules and standards to which an entity/organisation wishes to comply

Implement a comprehensive compliance policy and regularly monitoring compliance to thepolicy through the governance structures and inclusion on the board agenda.

21


22/24


23/24

Auditors intervention

Auditors should immediately engage their clients and be asking them the following questions:

Do you have clear understanding of the requirements of the ISA 2007 and the fundamental principlesof internal controls?

What constitutes effective system of internal controls?

What constitutes an evaluation of the system of internal controls

Do you have approved and effective compliance programmes?

Who assures these compliance programmes and the impact of legislative changes on thebusiness/organisation etc?

To which management or board committee is the assurance provided?

Are you satisfied that this assurance is reliable?


How will control deficiencies be evaluated and reported?

Does your disclosure on the effectiveness of compliance programmes reflect the actual position in yourbusiness/organisation?

What project management protocols have been established to facilitate an efficient and effectiveassessment?

What Auditing framework will be used?

What Reporting format is required for filing to SEC

What Level of assurance is required?

Should an audit opinion be given by a separate firm?

What procedures are in place in evaluating procedures of service organisations?

23


24/24

Auditors would continue to have a key role to playin Corporate Governance systems. With regulations

evolving all over the world, we should be at theforefront in determining how compliance can be

Conclusion

24

corporate governance internal control reporting

Documents