corporate governance internal control reporting
TRANSCRIPT
-
8/11/2019 Corporate Governance Internal Control Reporting
1/24
Enforcing Transparency and best practices inCorporate Governance Focus on InternalControl Reporting
www.pwc.com/ng
Presentation at ICAN forum of firms
Uyi Akpata Partner PwC
26 January 2011
-
8/11/2019 Corporate Governance Internal Control Reporting
2/24
Agenda
- PageCorporate governance on the radar The triggers Global response The Nigerian context
Principles of the Nigerian Codes
3 - 6
Requirements of ISA 2007 Overview of ISA 2007 sections 60(2), 61(2) and 63 Objectives
7 - 9
PwC
Main issues that have prevented compliance with requirements of ISA 2007 10Implementation challenges
Significant changes in processes and systems required Information gaps
11 - 12
Actions needed for timely compliance Overview Key factors for consideration by SEC and market participants
13 - 23
Conclusion 24
-
8/11/2019 Corporate Governance Internal Control Reporting
3/24
Corporate governance on the radar
Corporate governance defined
Corporate governance is defined as rulesand practices by which the Board ofDirectors of a corporation ensureaccountability, fairness and transparencyin the companys relationship with the
companys management, employees,customers, suppliers, government and thecommunity at large.
The triggers
Series of corporate financial scandals that caused loss of public confidencein the capital markets and public listed companies. Notably amongst theseare the : 1997 East Asian Financial Crisis which saw the collapse of
economies of Thailand, Indonesia, South Korea, Malaysia and
Philippines 2000 massive corporate bankruptcies in America involving Enron
and WorldCom 2008 global financial crisis. 1993/94 and 2009 financial crisis in Nigeria
The triggers
pervades the capital market in Nigeria
Need to strengthen the governance structures that are deemed to be weakin most companies in Nigeria
Companies need to reinforce public trust in capital markets by actingresponsibly, creating value for their shareholders and being seen to do so
Globally, business risk management and related disclosures to investorshave become best practice for companies
3
-
8/11/2019 Corporate Governance Internal Control Reporting
4/24
Global response
Top Global Capital Markets and corporate governance reporting driver
Continent Country Reporting Driver
North
America
US* Sarbanes Oxley Act , 2002 with SECand PCAOB rules
Canada Canada Business Corporate Act 2010
North America
Europe & UKAsia
Many countries have adopted governance and internal control reporting, more are pursuingadoption
Corporate governance on the radar
PwC
urope om ne co e
France Corporate Governance Code 2008
Germany German Corporate Governance Code2002
Spain Unified code of good governance 2006
Switzerland Swiss federal of obligations 2006
Australia Australia ASX principles of good corporategovernance practice and best practices,2007
Asia Hong Kong Code on Corporate Governancepractices 2009
Japan Principle of Corporate Governance forlisted companies, 2004
Africa South Africa Kings Code 2002
Africa
Australia
Hong Kong
4
-
8/11/2019 Corporate Governance Internal Control Reporting
5/24
The Nigerian context
2003 Code of Corporate Governance recommendations by Committeechaired by Atedo Peterside
2003 Central Bank of Nigerias Code of Corporate Governance for banks and
other financial institutions in Nigeria
Investment and Securities Act (ISA) 2007Sections 60(2d f), 61(2) and 63
Corporate governance on the radar
5
CBN Scope, conditions and minimum standards for Commercial BanksRegulations No. 01, 2010.Section 5 (f) through its Board of Directors report on the implementationand effectiveness of its internal control framework to the CBN within four
months after the year end.
-
8/11/2019 Corporate Governance Internal Control Reporting
6/24
1 Board to have rigorous controlscontrol over financial audit andinternal control, and compliancewith the law
2 Companies to disclose its corporategovernance/internal controls status
3 Rigorous procedures for appointment,training & evaluation of boards
4 Separate chairman and chief executive
5 An effective and well informed board
6 Audit Committee & Auditors
The expected rewardThe principles of the Nigerian code
Corporate governance on the radar
independence7 Board to be responsible for setting the
strategic direction of the business
8 Fair and responsible remuneration fordirectors and senior executive
9 Board to communication with
shareholders and encourage theirparticipation
10 The directors and officers to have fullloyalty to the company
Does your reporting system convey an organisation that is well connected to the governanceprinciples and reward ?
6
-
8/11/2019 Corporate Governance Internal Control Reporting
7/24
Requirements of ISA 2007
A statement from the CEOs and CFOs that:1. They have reviewed the audited financial statements and such other prescribed returns;
2. Based on their knowledge the audited financial statements or returns do not contain any untruestatement of a material fact or omit to state a material fact that would make the statement misleadingin the light of the circumstance in which the statement was made;
3. Based on their knowledge the financial statements and other financial information included in thereport fairly present in all material respects the financial condition and results of operation of thecompany as of, and for the periods presented in the report;
4. They are responsible for establishing and maintaining internal controls; have designed the controls to
Overview of ISA 2007 sections 60(2), 61(2) and 63
7
ensure a ma er a n orma on re a ng o e company an s su s ar es s ma e nown o em
by others within the entities for the period in which the financial statements or returns are beingprepared; have evaluated the effectiveness of the internal controls as of X (a date within 90 days priorto the financial statements or returns date), have presented their conclusion about the effectiveness ofinternal controls based on their evaluation as of X;
5. They have disclosed to the auditors of the company and the audit committee: i) all significant
deficiencies in the design or operation of internal controls which would adversely affect the companysability to record, process, summarise and report financial data and have identified for the auditorsany material weakness in internal controls; ii) any fraud, whether material or not that involvemanagement or other employees who have significant role in the companys internal controls;
6. They have identified whether or not there were significant changes in internal controls or other
factors that could significantly affect internal controls subsequent to the date of their evaluation,including any corrective action relating to the significant deficiencies and material weaknesses
-
8/11/2019 Corporate Governance Internal Control Reporting
8/24
Requirements of ISA 2007
Auditors involvement
An Auditor of a public company shall in his audit report to the company issue a statement as to theexistence, adequacy and effectiveness or otherwise of the internal control of the public company
Board responsibility
A statement from the board on the effectiveness of internal controls
Overview of ISA 2007 sections 60(2), 61(2) and 63 (contd.)
8
-
8/11/2019 Corporate Governance Internal Control Reporting
9/24
COSO Framework/USA Turnbull guidance /UK Coco Objectives /Canada ISA 2007
A defined process, effectedby an entitys board ofdirectors, managementand other personnel,designed to provide
A sound system of internalcontrols would:
Facilitate effectiveand efficientoperations,
The three objectives ofinternal control include:
Effectiveness andefficiency of operation
Reliabilit of internal
Policies, procedures andpractices put in place bymanagement to ensure:
Safety of assets,accurac of financial
Matters to re-iterate : Effective Internal has three main objectives
Requirements of ISA 2007
Objectives
PwC
reasona e assurance
regarding the achievementof objectives in thefollowing categories:
Effectiveness andefficiency of operation
Reliability of
financial reporting
Compliance withapplicable laws andregulations
Help ensure quality ofinternal and externalreporting, and
Held ensurecompliance withapplicable laws andregulations
and external reporting Compliance with
applicable laws andregulations andinternal policies
records and reports,Achievement of
corporate objectives(operational &strategic)
Compliance with laws
and regulations
9
-
8/11/2019 Corporate Governance Internal Control Reporting
10/24
Main issues that have prevented compliance with requirements of ISA 2007
No guidelines and absence of a recommended framework such as COSO
Policies, procedures and practices in place to set the tone at the top
Policies, procedures and functions in place to ensure that the businessobjectives & the business risks are effectively & efficiently identified
Internal control objectives
10
SECs response - In April 2010, SEC inaugurated a committee charged with the mandate to develop the
guideline. We understand that the development of the guideline is work in progress.
Processes and functions in place to ensure that the performance of theinternal control system is effectively monitored and improved upon
Policies and procedures in place to prevents, detects and addresses risks
Processes in place to ensure that risks and control activities areeffectively communicated to the relevant parties
-
8/11/2019 Corporate Governance Internal Control Reporting
11/24
Information gap
Despite efforts by organisations to demonstrate their commitment to good corporate governance practices, informationavailable indicates that the corporate governance practices in companies generally do measure up against competition and
best practices. One of the critical cause is poor quality of information. Presented below is the result of our survey on thechallenges of corporate governance reporting for FTSE 350 companies.
Implementation challenges
11The situation in Nigeria may even be worse than this
-
8/11/2019 Corporate Governance Internal Control Reporting
12/24
Processes
New systems required
Process changes required
Management reporting
Financial and non-financial processes
Data gaps
Implementation challenges
Significant changes in processes and systems required
People
Compliance (GRC) function,
GRC documentation and reporting tools
GRC knowledge management system
Change management will be required
High levels of commitment in terms of time andmoney
Communication strategy Training strategy Project process support Launch & buy-in activities Resource / skills to manage the change
Embedding knowledge new policies & processes Training & performance support
Your organisation
12
These need to be addressed to providegood platform for a successful and
sustainable implementation of the ISA2007
-
8/11/2019 Corporate Governance Internal Control Reporting
13/24
Actions needed for timely compliance
Overview
The recent queries auditors and some market participants had received from SEC for non-compliancewith the Act reiterates the urgency for the development of an implementation guideline.
The primary objectives of the guideline should be: To ensure common definition and interpretation by market participants and other interested parties To provide a basis for the design, execution, evaluation and reporting of internal control systems by
market participants
Ultimately, allowing organisations to have better visibility of the risks (strategic, operationalreporting and compliance) impacting their business, the associated controls, improvements needs,and facilitate better alignment to the overall business objectives
13
-
8/11/2019 Corporate Governance Internal Control Reporting
14/24
# Point of focus Suggested response
1 What Auditing framework will beused?
ENHANCED Standards on auditing which typically includesfor example all ISAs and controls standards over financialreporting. For instance, consider PCAOB AS5 in the USAOrInternational Standards on Assurance Engagements (ISAE3000)OrInternational Standards on Related Services (ISRS 4400)
2 What Reporting format is required Mix of ISA 700 and ISAE 3000
Actions needed for timely compliance
Key factors for consideration by SEC and market participants
No opinion - provide only report of findingsOrNo opinion provide Management Controls Report
3 What is the Level of assurancerequired?
Reasonable assurance on historical financial information andcontrols over financial reportingor
Limited or Reasonable assurance on internal controls overfinancial reportingOrNo assurance
14
-
8/11/2019 Corporate Governance Internal Control Reporting
15/24
# Point of focus Suggested response
4 Is there a clear understanding of therequirements of the ISA 2007 and thefundamental principles of internalcontrol? What constitutes effective
internal controls? What constitutes an evaluation of
internal controls? Does disclosure on the
effectiveness of compliancero rammes reflect the actual
Many concepts may be foreign to key non-accountant . As aresult, education may be needed to ensure that concepts such asfinancial statement assertions are fully understood.
For example, for financial internal controls, a good starting
point for the risk assessment is an evaluation of all significantaccount balances or disclosures in the financial statements andthe underlying processes and/or locations that generate them.Some key points of focus for examples include: The determination of significant locations. The identification of si nificant accounts and disclosures
Actions needed for timely compliance
Key factors for consideration by SEC and market participants
position in a business?
Determining relevant assertions and risks Determining significant processes and locations Determining key internal financial controls Design effectiveness Operating effectiveness
15
-
8/11/2019 Corporate Governance Internal Control Reporting
16/24
# Point of focus Suggested response
5 What control framework shouldgovern the design and evaluation ofinternal controls over the 4dimensions (financial reporting,strategic, operational andcompliance)?
A well established internal control framework such as: COSO for internal control over financial reporting ISO 9001 and HIPAA for compliance with regulation; and SIX sigma for operationalOr
Agreed upon procedures (AUP)
Actions needed for timely compliance
Key factors for consideration by SEC and market participants
16
-
8/11/2019 Corporate Governance Internal Control Reporting
17/24
# Key area of focus Suggested response6 How does an organisation conduct an
assessment of internal controls and evidencesupporting the performance of the controls?
Have all the risks to the preparation of
the financial statements in accordancewith the applicable financial reportingframework (such as IFRS), including
where relevant, their fair presentationbeen identified and documented?
It is difficult to provide guidance and have thatguidance consistently applied for qualitative
judgments. It is more effective to have these decisionsmade by a small core of senior individuals for thecompany as a whole
Internal audit function is responsible for maintainingreasonable support for the assessment or assurance ofinternal control system. The extent of support required
will vary based on the reporting risks identified and
Actions needed for timely compliance
Key factors for consideration by SEC and market participants
Are there controls (manual andautomated) in place to address these risksand are they adequately designed toprevent or detect material misstatementsin the financial statement results anddisclosures?
Who assures these complianceprogrammes and the impact of legislativechanges on the business/organisation etc?
What reporting format is appropriate?
,
entity.
Evaluations should begin with a top-down risk basedapproach rather than a bottom-up to ensure that onlykey risks impacting on the internal control dimensionare evaluated and efficiencies achieved. Application of
bottom up approach most times leads to many non-key controls evaluated.
Therefore, Internal audit, together with management,should decide what the nature and extent of supportrequired to validate its decision and the reportingformat
17
-
8/11/2019 Corporate Governance Internal Control Reporting
18/24
# Key area of focus Suggested response7 What can the audit committee expect from
the results of the evaluation?The audit committees first inclination may be to have allcontrol deficiencies reported to it at least for the first year.
Excessive audit committee involvement with relativelyminor control deficiencies could compromise the
learning that management may benefit from in the firstyear and may well result in an inefficient use of the auditcommittees time and resources
It is important to balance the volume of reporting from
Actions needed for timely compliance
Key factors for consideration by SEC and market participants
committee and to avoid adding an extra layer of judgmentonto decisions about significance.
The audit committee will have all significant control andmaterial deficiencies reported to it. Control deficienciesthat do not rise to the level of significant or material, will
be discussed with management but will most likely not bereported to the audit committee.
8 How does the audit committee know if itsoversight is appropriate?
The evaluation of the audit committee should beperformed every year.
18
-
8/11/2019 Corporate Governance Internal Control Reporting
19/24
# Key area of focus Suggested response9 How does the evaluation of internal
controls address the risk of fraud ?In the past, fraud in relation to material misstatement of thefinancials statements was most commonly thought of in termsof misappropriation of assets. More recently, manipulation offinancial reporting has been the more common fraud.
The risk of fraud must be considered by internal managementas part of the internal financial control project. Keyconsiderations should include explicit assessment of fraud riskand identification of relevant controls, and the development ofappropriate approach to testing those controls.
Actions needed for timely compliance
Key factors for consideration by SEC and market participants
19
-
8/11/2019 Corporate Governance Internal Control Reporting
20/24
Actions needed for timely compliance
Developing the implementation guideline around the four dimensions of internal control objectives requireshuge investment by SEC in terms of commitment, time and money.
In view of the urgency of implementation guide and the need for the market to fully comply by the end ofguideline 2011, SEC will be required to undertake the following critical activities:
Strategy for developing implementation guideline for ISA 2007
Project management
Priotise the four dimensions of the internalcontrol objectives and focus on the highpriority areas, for example financial reporting,and the assess the possible implications to
Capacity building
Evaluate its current capacity to receive reportsand test the adequacy and effectiveness of thecompliance by market participants
20
.
Actively engage with key stakeholders in theindustry such as ICAN and NASB andprofessional to leverage knowledgebase in theindustry
Engage public listed companies to updatethem with developments and plans to facilitatecompliance
appropriate infrastructure such technology,internal methodology /checklist and processes
Establish functions and processes to handleFrequently Asked Questions (FAQ) from thepublic
Establish functions and processes tocommunicate feed of compliance assessmentand actions to the market
-
8/11/2019 Corporate Governance Internal Control Reporting
21/24
Public companies Comply with the ISA 2007 by undertaking the following actions:
Strategy for developing implementation guideline for ISA 2007
Actions needed for timely compliance
Implement awareness education and readiness assessment ISA 2007 Act sections relating tointernal control with focus on financial reporting
Implement a control framework incorporating the four dimensions of internal controls
(strategic, operational, financial and compliance) that is documented and achieves fairpresentation of the financial statement results and disclosures in accordance with generallyaccepted accounting principles
Follow a risk-based approach by identifying likely sources of material errors in the financialstatements and disclosures. These risks should then be mitigated by controls that are
statements and disclosures. Have Internal audit evidence an annual assessment of the design adequacy and operating
effectiveness of internal financial controls and maintaining relevance over time by taking intoconsideration any changes to both internal and external factors impacting the company.
Identify the laws and regulatory obligations that are applicable, including the non-bindingrules and standards to which an entity/organisation wishes to comply
Implement a comprehensive compliance policy and regularly monitoring compliance to thepolicy through the governance structures and inclusion on the board agenda.
21
-
8/11/2019 Corporate Governance Internal Control Reporting
22/24
-
8/11/2019 Corporate Governance Internal Control Reporting
23/24
Auditors intervention
Auditors should immediately engage their clients and be asking them the following questions:
Do you have clear understanding of the requirements of the ISA 2007 and the fundamental principlesof internal controls?
What constitutes effective system of internal controls?
What constitutes an evaluation of the system of internal controls
Do you have approved and effective compliance programmes?
Who assures these compliance programmes and the impact of legislative changes on thebusiness/organisation etc?
To which management or board committee is the assurance provided?
Are you satisfied that this assurance is reliable?
Actions needed for timely compliance
How will control deficiencies be evaluated and reported?
Does your disclosure on the effectiveness of compliance programmes reflect the actual position in yourbusiness/organisation?
What project management protocols have been established to facilitate an efficient and effectiveassessment?
What Auditing framework will be used?
What Reporting format is required for filing to SEC
What Level of assurance is required?
Should an audit opinion be given by a separate firm?
What procedures are in place in evaluating procedures of service organisations?
23
-
8/11/2019 Corporate Governance Internal Control Reporting
24/24
Auditors would continue to have a key role to playin Corporate Governance systems. With regulations
evolving all over the world, we should be at theforefront in determining how compliance can be
Conclusion
24