Internal Audit - Nexia TS · 2017-12-01 · the minds of most Audit Committee (“AC”) and Board...

How Much is Enough Internal Audit: Singapore Accountancy Commission and Nexia TS Roundtable Discussion


MODERATORS

| S/N | NAME | COMPANY | DESIGNATION |
| --- | --- | --- | --- |
| 1 | Uantchern Loh | Singapore Accountancy Commission | Chief Executive |
| 2 | Chin Chee Choon | Nexia TS Public Accounting Corporation | Director, Assurance, Corporate Governance and Risk Management |

PANELLISTS

| S/N | NAME | COMPANY | DESIGNATION |
| --- | --- | --- | --- |
| 1 | Derrick Lim | Singapore Airlines Ltd | Divisional Vice President, Internal Audit |
| 2 | Antonio Martinez | DKSH Management Pte Ltd | Vice President, Head of Internal Audit |
| 3 | Henry Tan | Nexia TS Public Accounting Corporation | Managing Director |
| 4 | Karen Tan | Singapore University of Technology and Design | Head of Internal Audit |
| 5 | Laval Wong | ABN AMRO Bank | Head of Group Audit Asia |
| 6 | Yoong Ee Chuan | Ngee Ann Polytechnic | Director, Internal Audit |
| 7 | Professor Teo Chee Khiang | National University of Singapore | Professor (Practice), Department of Accounting |

From left to right: Antonio Martinez, Derrick Lim, Henry Tan, Professor Teo Chee Khiang, Yoong Ee Chuan, Laval Wong, Karen Tan, Chin Chee Choon, Uantchern Loh.

1 Internal Audit: How Much Is Enough?


CONTENT

Introduction

Code of Corporate Governance 2012 (Extracts)

What is the right size for an organisation’s IA function and how much should be the IA budget?

Being aware of industry norms of dollars and cents

Scope of the IA function

Knowing what needs to be audited

How often do you meet with CEOs, CFOs and AC members to discuss on scoping?

Assurance is not just about IA

Positioning of IA

How much can be outsourced and should there be a minimum in-house internal audit function?

In-house, outsource or co-source?

Great Thoughts, the Way Forward

Conclusion and Next steps


INTRODUCTION

The Internal Audit (“IA”) profession has grown in prominence as companies recognise the importance and value of internal auditors. This is evidenced by the growing demand for IA professionals, modules on IA offered at the accountancy programmes at the National University of Singapore and Singapore Management University, and for the continuing education of the head of internal audit, the launch of the Asia Internal Audit Leadership Programme in 2015.

However, companies are always under cost pressures and have to balance between the benefits of an IA function and the costs of maintaining one. Outsourcing and co-sourcing IA have to some extent eased the concerns over costs but ultimately companies will still have to decide on how much is enough.

Through this roundtable discussion, the organisers hope to put together a melting pot of perspectives that will reflect the views of the IA profession in Singapore from both practitioners and service providers alike.

This report sets out the key points in discussing several hot questions relating to how much companies should invest in their internal audit function and the scope of the internal audit function.

The SAC and Nexia TS thank all the participants for taking their precious time off to contribute to the roundtable discussion. We hope that by embarking on an industry-led dialogue amongst experienced practitioners, we can do our part to set the tone to create a platform where Singapore could take the reins to continue this pertinent conversation on a topic that is growing with considerable interest over the years.

The views and opinions expressed in this white paper are those of the participants and do not necessarily reflect that of the organisations they are associated with.


CODE OF CORPORATE GOVERNANCE 2012 (EXTRACTS)

RISK MANAGEMENT AND INTERNAL CONTROLS

Principle: 11

The Board is responsible for the governance of risk. The Board should ensure that Management maintains a sound system of risk management and internal controls to safeguard shareholders' interests and the company's assets, and should determine the nature and extent of the significant risks which the Board is willing to take in achieving its strategic objectives.

Guidelines: 11.4

The Board should comment on the adequacy and effectiveness of the internal controls, including financial, operational, compliance and information technology controls, and risk management systems, in the company's Annual Report. The Board's commentary should include information needed by stakeholders to make an informed assessment of the company's internal control and risk management systems.

The Board should also comment in the company's Annual Report on whether it has received assurance from the CEO and the CFO:

(a) that the financial records have been properly maintained and the financial statements give a true and fair view of the company’s operations and finances; and

(b) regarding the effectiveness of the company’s risk management and internal control systems.

AUDIT COMMITTEE

Principle: 12

The Board should establish an Audit Committee ("AC") with written terms of reference which clearly set out its authority and duties.

Guidelines: 12.5

The AC should meet (a) with the external auditors, and (b) with the internal auditors, in each case without the presence of Management, at least annually.

INTERNAL AUDIT

Principle: 13

The company should establish an effective internal audit function that is adequately resourced and independent of the activities it audits.

Guidelines: 13.1

The Internal Auditor's primary line of reporting should be to the AC Chairman although the Internal Auditor would also report administratively to the CEO.

The AC approves the hiring, removal, evaluation and compensation of the head of the internal audit function, or the accounting / auditing firm or corporation to which the internal audit function is outsourced. The Internal Auditor should have unfettered access to all the company's documents, records, properties and personnel, including access to the AC.


WHAT IS THE RIGHT SIZE FOR AN ORGANISATION’S IA FUNCTION? AND HOW MUCH SHOULD BE THE IA BUDGET?

It is commonly known that this question is what plays in the minds of most Audit Committee (“AC”) and Board members, and is applicable across all organisations, whether they are commercial businesses or non-profit entities. This is further supported by the Guidebook for Audit Committees in Singapore (“Guidebook”) under Frequently Asked Question (“FAQ”) 24: How much should a company spend on IA activities, which states that the appropriate level of spending on IA activities depends on the level of risk, complexity and scale of the business operations. The AC should use benchmarks carefully, ensuring that they are appropriate.

BEING AWARE OF INDUSTRY NORMS OF DOLLARS AND CENTS

In a somewhat bold move, participants suggested that organisations could be required to disclose their annual spend on IA. This has always been a sensitive topic as organisations are frequently tight-lipped about the amount spent; which could stem from the need for confidentiality over the remuneration of IA personnel. This is especially for organisations that employ only one or two in its IA function.

However, drawing a parallel to the disclosure of auditor fees for statutory audit, the roundtable panellists felt that this could help level the playing field for IA, in addition to providing more data in relation to listed companies and how much they spend on IA. Other organisations could draw on the data disclosed as a basis for determining the approximate size of the IA function.

Caution has to be given on how this requirement is being imposed, in terms of consistency of information that needs to be disclosed. This would avail to listed companies data that is relevant for their decision-making purposes, while still making sure sensitivities over granular remuneration details are adequately considered. Time would also be necessary for the information to reach a steady state to form an updated and relevant database that provides for sufficient filtering and segmentation.

There could still be a tendency for organisations to improperly justify IA budget by working retrospectively (i.e. working backwards) to determine the amount of IA resources.


“In my opinion, there are two main areas in consideration. Firstly, as an AC Chairman, if things happened on the ground, such as whistleblowing reports, lapses in control and risk management, we will have to respond to these incidents decisively by ensuring that we resolve them in a swift and effective manner.

That’s also a good indicator for us to strengthen the internal audit team to cover more ground.”

- Henry Tan, Managing Director, Nexia TS Public Accounting Corporation

“My recent focus has been less on the exact headcount number and more on the team’s strength and experience. My assessment has been that a stronger team with a good mix of audit (internal and external) and operational experience can prove more valuable than bigger but less experienced and diverse teams. At the same time, financial resources are of course limited and CAEs need to carefully consider a quantity vs. quality trade-off.

In my case, I currently prioritise recruiting more experienced team members even if it means that I need to somewhat reduce the size of my team to keep the overall cost at a similar level.”

- Antonio Martinez, Vice President, Head Internal Audit, DKSH

“Indeed. It is also quite common to experience a knee-jerk reaction when there is a ground incident – more often than not, the importance of IA will only sink in when something actually happens.”

- Chin Chee Choon, Director, Nexia TS Public Accounting Corporation

“I’m speaking in the context of a relatively new start up. What I observed is that we tend to do too much to the extent that the auditees feel that they cannot cope, hence they delay the implementation. The question of how much is enough has to align with an organisation’s level of control maturity. We may need to adapt and tweak our approach and coverage along the way. In this regard, bite-size audits may be necessary but to be balanced with the challenge in completing the audit cycle.”

- Karen Tan, Head of Internal Audit, Singapore University of Technology and Design

“The question of how much is enough? We have to look at the risk management process, especially at how companies identify their risks and relate them to the internal audit programme. If the company has identified a whole portfolio of risks and if the internal audit programme generally looks at these risks once every 3 years and perform an annual review for more important/higher risk areas, then they are in a better position to decide what is enough. Risk becomes the driving force. Also, has the company complied with legal requirements for it to feel comfortable that the audit unit has done enough. Where a trade-off is needed, we would still be better off if we are over auditing than to face a situation where the internal audit function is not properly structured to handle key risk areas.”

- Professor Teo Chee Khiang, Professor (Practice), Department of Accounting, National University of Singapore

“I think the best approach is to do a risk assessment and then determine the scope to tell us how many headcounts are needed, what level of technical competencies and in addition to these parameters, we should also determine the focus areas.

These would determine the costs. But currently, I think we are the opposite where the cost comes first then the scope.”

- Chin Chee Choon, Director, Nexia TS Public Accounting Corporation


SCOPE OF THE IA FUNCTION

KNOWING WHAT NEEDS TO BE AUDITED

Useful ideas were generated through the discussion on how organisations can begin setting the scope of IA, among which the foremost task involves performing a risk assessment to identify the organisation’s risks. The audit universe that is consequently derived from the risk assessment would form the basis of the IA scope. Although it may not be possible for IA to cover all identified risks, the risk assessment exercise would invariably form a strong starting base for IA to work out its audit scope and therefore the resources necessary to fulfil the scope over a certain time window.

“My experience with the AC is that the AC plays a critical role in determining how much to audit and what to audit. They do expect me to have rather specific advice and be ready to facilitate the discussion; but they are the ones that ultimately endorse or adjust my proposed audit plan. I do gather inputs from senior management in our risk assessment process; but the direct relationship with the AC allows me to preserve the team’s independence. In this context, the balance of time allocated to risk assessment vs. execution of audits is another topic we are currently calibrating. The focus is oftentimes on making sure ‘to execute audits right’; but I believe that making sure ‘to execute the right audits’ is at least equally important.

The relevance of the risk assessment methodology and allocation of internal audit mandays to such activity should not be underestimated.”

- Antonio Martinez, Vice President, Head of Internal Audit, DKSH

Roundtable participants were of the view that an average of 40 hours should be spent on risk assessment, with at least an annual review to ensure that the risks are still relevant to the organisation and if new risks have emerged that need to be considered and addressed. Additionally, in refreshing the risk assessment, IA would also need to update its audit universe and scope in tandem, to ensure that IA continues to stay relevant to the business in addressing and mitigating its risks.

The Guidebook FAQ 25 recommends that, in assessing the adequacy of coverage, the AC could consider whether these factors have been addressed:

- A robust audit risk assessment process is in place to identify key risk areas
- Key risk areas are included in the audit plan
- Group internal controls, addressing financial, operational, compliance risks and IT risks have been addressed in the audit plan
- There is regular and adequate audit coverage over high risk activities and significant operations
- Where there are areas that the internal auditors may not have the expertise to audit effectively or do not have access to information or Management (e.g. information technology, biological assets, mining concessions and foreign operations), such audits are outsourced to relevant specialists
- The disposition of prior year findings has been reviewed

The above suggest that the AC could play a pivotal role in determining how much needs to be done or “how long the string needs to be”.

In deciding the scope, what is considered inadequate, sufficient or excessive should form the preamble for determining the size of the IA function and its budget.


HOW OFTEN DO YOU MEET WITH CEOS, CFOS AND AC MEMBERS TO DISCUSS ON SCOPING?

Under Principle 12.5 of the Code of Corporate Governance (“Code”), the AC should meet with the internal auditors and external auditors, without Management’s presence, at least once a year, for them to communicate matters of mutual concern.

The IA function should work closely with management to provide the AC with timely feedback on control gaps, compliance lapses and where appropriate, management performance. Through personal anecdotes, participants at the roundtable shared how the IA function could improve the value proposition of IA, first by increasing awareness of their activities and work. Beyond the formal quarterly AC meetings that tend to be agenda-heavy, it may be worthwhile for IA to be more proactive in arranging informal discussions with the AC Chair or key members of management, to keep them informed of IA’s work and the value that they bring to the organisation. These informal discussions, freed from the formal agenda of the quarterly meetings, could be a more conducive and effective platform for better takeaway by the intended audience of what IA has to share.

The objective is to gain the trust and buy-in of management and garner greater support from the AC Chair. IA could then leverage on their support when the proverbial tone-at-the-top is appropriately set, to ensure that IA can function effectively and be adequately staffed to address key risks of the organisation.

“In my case, there was a change in CEO. We usually meet during the AC meetings as the function is quite mature and the AC Chairman is quite comfortable with this arrangement.”

- Yoong Ee Chuan, Director, Internal Audit, Ngee Ann Polytechnic

“Officially there are three meetings. For unofficial meetings, we meet bi-monthly and that’s when I fill the AC Chair on what’s happening.”

- Karen Tan, Head of Internal Audit, Singapore University of Technology and Design

“I think every CAE needs to have a clear communication plan to secure continuous engagement of key stakeholders. This can detail a prioritization of the stakeholders to keep engaged, along with some thought about the frequency and form of communications and the topics to cover (e.g. risk assessment, audit outcomes, remediation progress). This can prove challenging in many ways… like when the stakeholders are spread over a vast geography and timezones; but it is nevertheless very important.”

- Antonio Martinez, Vice President, Head Internal Audit, DKSH

“Another important question related to CAE communication is whether we have created informal communication opportunities to complement the more official occasions. In my case, I provide formal updates every quarter but I have regular more informal interactions with the AC Chairman and senior management to ensure continued alignment.”

- Antonio Martinez, Vice President, Head Internal Audit, DKSH

“It is very important to engage the board and stakeholders, formally and informally. What is most important is that the internal audit role can add value by acting as a catalyst where we gather best practices from one company to be applied to other companies within the group/network.”

- Laval Wong, Head of Group Audit Asia, ABN AMRO Bank

“An important point to note is that there are no legislative and regulatory requirements that helps to determine the IA scope. However, there are some guidelines to follow. For example, the Code of Corporate Governance and SGX listing requirements, especially SGX Listing Rule 1207 which does not refer directly to internal audit but talks about internal controls.

So, we can use internal controls as a starting point and then decide what else needs to be done. The focus here is that we must do sufficient work in internal control so that the audit committee can sleep in peace. Risk management is another area to start with.”

- Professor Teo Chee Khiang, Professor (Practice), Department of Accounting, University of Singapore


ASSURANCE IS NOT JUST ABOUT IA

It is important to understand the roles of IA and communicate these well especially since risk management and internal audit are intertwined. As described by the Guidebook, AC members should also make enquiries regarding the roles and functions embedded within and across the Board Assurance Framework. In particular, they should take into account the key roles and responsibilities and level of communication (i.e. nature and frequency) between and within: first line of defense (risk owners/managers); second line of defense (risk management and compliance functions); third line of defense (independent assurance providers e.g. IA); fourth line of defense (Board oversight).

This was also pointed out during the discussion that in discharging its oversight responsibility over internal controls, the AC should not just rely on the work of IA. Assurance over internal controls can be delivered by a variety of functions as enumerated in the Board Assurance Framework, amongst which IA is just one of them. How the AC can better leverage on IA for support would be to consider appointing IA as secretary to the AC. Having the benefit of owning a holistic view of the internal controls processes of an organisation, IA is able to set the agenda for AC meetings in proposing an assurance framework that reports on activities and results of the three lines of defense that contribute towards overall assurance of internal controls.

As provided by Guideline 11.3 of the Code, AC should undertake an annual assessment for the purpose of assisting the Board to make its public statement in the Annual Report on the adequacy and effectiveness of the company’s risk management and internal control systems, e.g. extent and frequency of the communication of the results of the monitoring to the Board or appropriate committee(s) which enables it to build up a cumulative assessment of the state of internal controls in the company and the effectiveness with which risk is being managed. The AC could use the Board Assurance Framework and obtain regular updates from IA, who through the course of their work, would be in a vantage position to ascertain the adequacy and effectiveness of risk management and internal control systems.

“Well, ABN AMRO has the 3 lines of defense. It provides a clear division of activities and responsibilities in risk management at different levels in the bank and at different stages in the lifecycle of risk exposures. It aims to provide clarity for every employee within the bank, with regard to their role and the level of risk awareness that is expected. The first line of defense is the Business. Management within each business is primarily responsible for the risk that it takes, the results, execution, compliance and effectiveness of risk control. The second line of defense is the risk control functions. They are responsible for setting frameworks, rules and advice, and monitoring and reporting on execution, management, and risk control. The second line ensures that the first line takes risk ownership and has final approval authority on credit proposals above a certain threshold. The third line of defense is Audit. Group Audit evaluates both the design and effectiveness of the governance, risk management and control processes and recommends and initiates solutions and monitors follow-up.

The Managing Board is ultimately responsible for a balanced assessment between the commercial interests of the bank and the risks to be taken within the boundaries of the risk appetite. The Managing Board establishes clear lines of responsibility and authority within the bank to ensure sound risk governance.

In the risk decision framework, the Managing Board is supported by three executive risk committees: Group Risk Committee, Central Credit Committee and Asset & Liability Committee, each of which is (jointly) chaired by a member of the Managing Board. In addition, the Managing Board itself takes decisions that are of material significance to the risk profile, capital allocation and liquidity of ABN AMRO.

In general, banking has a more mature structure in place with various regulations to be complied with. Internal audit see the whole picture in the organisation. The challenge then is, how can we help the organisation follow standard or better practices which is practical for the overall good of the organisation? This is where we play a very important role.”

- Laval Wong, Head of Group Audit Asia, ABN AMRO Bank

“Typically the internal audit function is the third line of defense but sometimes, it might end up being the first line of defense. How we function depends very much with the tone at the top and corporate cultural differences.”

- Karen Tan, Head of Internal Audit, Singapore University of Technology and Design

Consideration should also be given to the appropriateness of activities according to the size, nature, and complexity of the company’s operations. Regardless of size of the company, it is still critical for AC members to understand the existing Board, Board Committees and Management structures and clarify roles and responsibilities in relation to risk governance.

“It depends on the maturity of the organisation. In our case, we are just embarking on risk management and it is set up as a separate unit to minimise conflict of interests between the risk management role and the IA role. Our institution is more than 50 years old and it is at a stage whereby internal audit has been around for more than 20 years whereas risk management is relatively new. The current role of IA is providing secretarial support in setting up the risk management function.”

- Yoong Ee Chuan, Director, Internal Audit, Ngee Ann Polytechnic

“Sometimes we find that internal auditors do not link business and risk management well. The AC would like to see internal auditors fully on top of risk management and their work streams should reflect relevancy to the risks challenges. In this way, internal auditors can play a more significant role. I have sat in ACs where the internal auditors were excused after their presentation, in which I think internal auditors should be present for the full duration of the meeting to take note of all the details.”

- Henry Tan, Managing Director, Nexia TS Public Accounting Corporation

“Regarding the issue of internal auditors supporting ACs, the key questions are: what do we want the internal auditors to do and what are the terms of reference for them? If the terms of reference are for internal auditors to look at compliance with 1207 then they should do that as a basic function. In an organisation, some of the risks are very far reaching, such as reputational risks and the internal auditors may not likely be able to do anything about it. And even if we need internal auditors just to perform basic internal control review, the internal audit team should have the staff structure equipped for it.

In a mature organisation, internal controls are normally present and the audit findings will be those such as non-compliance of procedures resulting from human errors. Here, we will have to assess whether the root cause is systemic or an isolated incident. Reporting an isolated incidence of non-compliance to the auditee can be important as it can create a deterrent effect. If the finding is not brought up, the auditee will see it as an acceptable norm and eventually he or she will exploit that.”

- Professor Teo Chee Khiang, Professor (Practice), Department of Accounting, National University of Singapore


POSITIONING OF IA

In order for the IA function to be effective, the Chief Audit Executive (“CAE”) or the Head of IA should be of a certain position or hierarchy in an organisation. With that, the CAE could scope the IA work strategically, understand the company’s priorities and discuss how much IA work is actually enough with the Board and management. This is reflected through the provision of the Code, which states that IA’s primary line of reporting should be to the Chairman of the AC, and for administrative purposes, to the CEO or any executive with sufficient authority and stature who can provide the IA function with appropriate support. This shows that the IA function has to be well-placed in the organisation to access the proper flow of information and key executives and managers needed to carry out its duties effectively.

“The heads of internal audit are usually not in a senior management position. Because of their organisational status, it is very difficult for them to go to the CEOs to get them to do certain things.

Ideally, internal auditors should be at the second or third top-most level in an organisational hierarchy. Besides organisational status, the other related issue is that the job grades of internal auditors are not senior enough, hence their audit findings may be taken lightly, resulting in less audit effectiveness.”

- Professor Teo Chee Khiang, Professor (Practice), Department of Accounting, National University of Singapore

“In ABN AMRO, hierarchically the CAE directly reports to the Chairman of the Managing Board and functionally to the Chairman of the Audit Committee. For certain countries, the regulations are quite specific as to who the CAE reports to. On whether internal auditors can become CEOs, COO, etc., it depends. In some companies, one has to spend some time (about 2 years) in the internal audit team to be groomed to join the board. People join the internal audit team to get the experience across the whole organisation.”

- Laval Wong, Head of Group Audit Asia, ABN AMRO Bank


Complications start when a full-outsourced model is adopted, as all IA activities would then be conducted by the appointed service provider. The consensus on this model is the need for an in-house coordinator who is responsible to manage the IA activity and ensure everything is in place, acting also as the liaison between the outsourced IA and the AC.

Even as debate remains on the benefits and drawbacks of outsourcing as compared against an in-house IA function, there is agreement that specific guidance is lacking for organisations that choose the full outsourcing model, though broad guidelines are available from several position papers and Practice Advisory of the Institute of Internal Auditors. The consequence of this has led to the commoditisation of outsourced IA, where in the absence of any specific guidelines, dollars and cents may have become a convenient determinant of who could be appointed and how much should be covered.

Some factors that the AC could consider when deciding whether to outsource or keep IA in-house include: scale of operations, culture, complexity of the business and rights given to the company, in cases of joint venture. The key challenge for the AC in managing an outsourced IA function is to ensure that the service provider is knowledgeable about the company’s business. Furthermore, it has to be willing to commit adequate resources and offer its expertise at a cost that represents the best value to the company.

Though envisaged through the pronouncements of the Companies Act that each listed company has in place an IA function, which is echoed by the Code, there is no explicit mention of this need. How then do companies know if there is a need for IA?

There was no doubt from the discussions of the need for IA, particularly in helping the AC discharge its oversight responsibilities. The discussion instead is on the model of IA function that would be suitable for the organisation, which depends on the suggested factors enumerated above that would vary from organisation to organisation.

IN-HOUSE, OUTSOURCE OR CO-SOURCE?

In a relatively small organisation, it may be difficult to attract or hire a CAE with seniority level comparable to that of the CFO. In many small and even medium-sized enterprises, the person leading the IA function may report to the CFO, which is not ideal for reasons of independence and objectivity. In this case, the organisation may consider adopting the full-outsourced model instead. In contrast, a larger organisation could well afford to have a fully in-house IA function. As demands on the IA function, and therefore the skills required, continue to grow and change, co-sourcing would be a viable option where the team lacks specific expertise and skills.

Co-sourcing is quite straightforward in execution as it is generally an extension of the IA resources with control over the scope and review of results being retained in-house.

HOW MUCH CAN BE OUTSOURCED AND SHOULD THERE BE A MINIMUM IN-HOUSE INTERNAL AUDIT FUNCTION?


“There are professional guidelines whereby any company that outsources internal audit, it is still ultimately responsible. Oversight and responsibility for the internal audit activity cannot be outsourced. There is a need to appoint somebody senior and independent enough in-house to be responsible in overseeing internal audit activities.

Outsourcing or co-sourcing in certain areas in financial organisations can happen where the skill sets are rare. For example the audit of financial models for risk management.”

- Laval Wong, Head of Group Audit Asia, ABN AMRO Bank

“Well, there is no full time person to manage the internal audit activity in the companies which have outsourced IA. They are usually managed by the CFOs, which is not ideal. But typically as the AC will agree to the scope and the fees will be discussed with management. Hence in those situations, the CFO is the default CAE.”

- Henry Tan, Managing Director, Nexia TS Public Accounting Corporation

“It depends on the size of the organisations. Out of the five boards that I am in, two of them have in-house internal auditors and three have outsourced the internal audit function. The two in-house IA functions are big organisations, thus, have the budget to employ internal auditors. For small SMEs, due to cost constraint, the IA function is outsourced. When companies decide to outsource their IA function, usually, companies will choose the cheapest quote. At the end of the day, the Board with the concurrence of AC has to sign off on SGX Listing Rule 1207. As far as I’m concerned, as an AC Chairman, I will not sign off unless all those things mentioned have been covered. One point for consideration is the establishment of the scope, and the other point is that we need to bring in the person who is actually doing the job to participate in the proposal meeting as well because the head of the team will usually be the main presenter and when it comes to the findings, it is usually not exactly clear on what they are presenting.”

- Henry Tan, Managing Director, Nexia TS Public Accounting Corporation


“In addition to coming up with a guide for outsourcing scope, the IIA Singapore should also advise on the minimum of what should we do.”

“The other challenge is the independence question. When the outsourced firm runs the IA shop, the outsourced firm’s revenue is dependent on how much “assurance” work is done. Therefore, there has to be somebody in between that manages this independence question. Pre-determined (i.e. at the point of engagement) audit methodology assists to a certain extent towards independence of outsourced audits.”

“The challenge of outsourcing is that the local knowledge is not there. One of the aspects of auditing your own entities is knowing the culture and that risks are highly correlated with culture. For the public sector, in obtaining three quotes, we cannot set our quality criteria too high otherwise we will get questioned. Sometimes the outsourced internal auditor will report back with superficial and obvious basic findings. However, to assess the culture, one might have to be in the organisation for some time.”

“Singapore Airlines (“SIA”) do co-source under two circumstances. Under the first circumstance is when we don’t have the expertise, for example assurance on the security of the website. Second is when there are a lot of partners such as mega partners, whom SIA operates with. The internal audit team will then set the agenda on what SIA is interested in knowing about these outsourced arrangements with the mega partners.

Many years ago, when SIA tended to be the dominant party in an outsourced arrangement, the right to perform internal audits of the outsourced operations was usually included in the contract. These days, with the existence of mega outsource service providers, the right to audit their operations is a challenge and is usually not given. Usually these mega-sized outfits do not allow for individual partners/customers the right of audit because of privacy of information of all customers and the disruptive nature of individual customers auditing their operations. Hence there is a need for customers collaborating with each other to design audits of their outsourced partner or for the outsourced party to provide such independent reviews similar to a SAS 70 type of arrangement.”

- Derrick Lim, Divisional Vice President, Internal Audit, Singapore Airlines Ltd

- Derrick Lim, Divisional Vice President, Internal Audit, Singapore Airlines Ltd

- Yoong Ee Chuan, Director, Internal Audit, Ngee Ann Polytechnic

- Uantchern Loh, Chief Executive, Singapore Accountancy Commission


“For outsourcing arrangements, usually the tender is split into two parts. One is the risk assessment and the other, the internal audit execution. The person doing the execution cannot be the same person doing the risk assessment.”

“If it is $5,000 and the AC is bringing someone in just for show, it will indicate that the AC is trying to mislead people and that is a red flag.”

“An interesting opportunity could be introducing a requirement for public companies to disclose the money spent on Internal Audit. Disclosing external audit fees is already common practice and similar disclosures for Internal Audit could become another pillar of the organisation’s corporate governance strength and the related disclosures.”

“There are two parts to outsourcing – first part is the outsourcing of a particular job, and the other part is the outsourcing of the whole internal audit function. In the latter arrangement, it cannot be viewed as a job. It has to build in the methodology of what the outsourcing firm stands for, including prioritising the products, to replicate an internal audit department.

We also have to convince the AC of the methodology of the firm in carrying out the internal audit function.”

“How about the one third of companies who don’t have any internal audit functions. If it is very hard to convince the owner or management to set up an internal audit function, the AC might therefore start with the lowest internal audit fee so that management can be familiar with what internal audit is about and so that they can see the value in it.”

- Uantchern Loh, Chief Executive, Singapore Accountancy Commission

“What is the bare minimum? Risk assessment for example?”

- Uantchern Loh, Chief Executive, Singapore Accountancy Commission

- Derrick Lim, Divisional Vice President, Internal Audit, Singapore Airlines Ltd

- Henry Tan, Managing Director, Nexia TS Public Accounting Corporation

- Laval Wong, Head of Group Audit Asia, ABN AMRO Bank

“In China, there is a requirement from the regulators for the internal auditors of a banking financial institution to be staffed at 1% of the total number of employees.

One of the lessons learnt from the Enron case, it is not about the lack of internal audit, but the lack of follow up on the internal audit reports issued. Internal auditors need to ensure that there is a good tracking mechanism to monitor progress as per the Institute of Internal Auditors Standards 2500 - the CAE ensures that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. It is not unusual, if the internal audit function is spending more than 20% on tracking audit issues.”

- Laval Wong, Head of Group Audit Asia, ABN AMRO Bank

- Antonio Martinez, Vice President, Head of Internal Audit, DKSH


“It is important to have some standards on minimum coverage that could include the type of internal audit, the size and the minimum internal auditors should do.

I think even though the Corporate Governance Code spells out who should be AC Chairman, there are a few ACs out there where there are not enough accounting-trained members. It’s not lack of guidance but the responsibility of the individual.”

“Work should always start with risk assessment and that should determine the scope and the fees. Not the other way round.”

- Henry Tan, Managing Director, Nexia TS Public Accounting Corporation

- Chin Chee Choon, Director, Nexia TS Public Accounting Corporation

“ACs should be aware of the risks and what has to be done. Within the areas of risk and priority, they have to ensure that the top 10 risks are being addressed every year and then the next 50 and 60 risks once every 3 years. Risk assessment is important as it determines where the audit universe is and where the IA scope should address.”

- Professor Teo Chee Khiang, Professor (Practice), Department of Accounting, National University of Singapore

“Internal auditors will have to look at the context of the risk environment and culture. Different cultures will reflect a different control risk. Generally when your risk is higher, your resources will need to be commensurate with the risk level. Before we determine the size of the internal audit scope, we need to understand the organisation first. Guidance is helpful but it is not the deal breaker. Organisationally, it will need to reflect as a whole, which areas are risky and why.”

- Yoong Ee Chuan, Director, Internal Audit, Ngee Ann Polytechnic

In summary, how much IA work should be performed is closely linked to the risk assessment and making the key decision-makers aware of this.

It is also important for IA to make a big effort to interact with the AC and key management on an informal basis so as to move away from the hard controls to soft controls and to allow the AC and management to understand and remember the activities of IA and the consequent value they bring.

The wish list of participants suggested that while regulations and guidelines currently exist, there is still insufficient guidance available for clarity on the scope of IA, and ultimately, how much really is enough. These are the areas that they wish to see more specific guidance or requirements on:

- Minimum coverage, including type of IA, size and minimum scope of IA work;
- Requirements of AC Chair, including the need to be aware of risks and prioritizing them to determine the scope for IA;
- Requirements (through the Code) to disclose IA budget;
- IA process to include an annual risk assessment as the basis for developing the audit plan;
- Full outsourcing of IA;
- Consequence management by IA, knowing how to discharge their responsibilities while still protecting themselves

GREAT THOUGHTS, THE WAY FORWARD


“Elevating the importance of the internal audit function and disclosing the budget for IA will help elevate the position of internal audit. Just like how external auditors’ fees are disclosed in the annual report.”

“Singapore could lead the world in corporate governance requirements for listed companies to disclose the internal audit expense. This could be game changing.”

“ACs should look into the governance aspects of a company. This does not necessarily equate only to internal audit and their review. There are other aspects towards governance including the mechanisms that result in support of the SGX 1207 or CG Code opinion on controls, including the audit methodology, matters to report, the fraud/whistle-blowing framework, and other considerations of controls-relevant matters.

Audit shops also owe their customers a systematic approach in deriving their assurance models. This would include an adoption of a sound methodology to cover questions on how resources would be deployed in relation to the state of controls/risk environment. This may require audit outfits to avoid being a “one-trick pony” act by developing a “menu of audit services” that are applied proportionately to risks. Management’s interest and buy-in should be enhanced knowing that IA’s methodology rewards functions with strong control and operating efforts/environment. The audit model would then allow for the determination and balancing of the three parts of the audit equation: Risks, Audit Effort and Long-term Audit Structure/Size.

There is a theme that I have been trying to push, which is that IA should move towards a bigger picture of Governance Assurance rather than Control Assurance. One part of the equation is for IA heads to be Secretaries to Audit Committees that assist them in driving good governance agendas, the AC’s education needs, agenda for AC meetings and really bridge the gaps that exist when AC members change (time gap), gaps between an insider’s (employee) view of the company and an outsider’s (director) view.”

- Karen Tan, Head of Internal Audit, Singapore University of Technology and Design

“SAC and the profession could come up with guidelines how internal audit not only discharges their responsibilities but also how they can protect themselves professionally. In the end, if you are taken to court, you need to demonstrate that you had followed international standards in order to be protected.”

- Laval Wong, Head of Group Audit Asia, ABN AMRO Bank

- Antonio Martinez, Vice President, Head of Internal Audit, DKSH

- Derrick Lim, Divisional Vice President, Internal Audit, Singapore Airlines Ltd


CONCLUSION AND NEXT STEPS

The participants of the roundtable have unanimously agreed that risk assessments are vital for determining how much internal audit resources are needed. The guidance for performing risk assessments can be found in the COSO Internal Control – Integrated Framework, first released in 1992 and updated in 2013. The COSO Internal Control-Integrated Framework (“Framework”) is a leading framework for designing, implementing, conducting, as well as assessing the effectiveness of internal control. The Guidebook for Audit Committees in Singapore recommends the COSO Frameworks (both the Internal Control Framework and the Enterprise Risk Management Framework).

Source: Chapter 2 of the 2013 COSO Internal Control – Integrated Framework

The Framework has a total of 17 principles that need to be present and functioning for an organization to conclude that it has effective internal controls. Principles 6 to 9 relate to risk assessment and include several points of focus to help users understand the principles. These principles and points of focus include detailed discussions on risk management concepts, and consider the potential for fraud risk when assessing risks to the achievement of organisational objectives. Organisations should adopt these 4 principles on risk assessment as a key step in determining how much internal audit resources are needed.

[Figure: the COSO cube. Objective categories: Operations, Reporting, Compliance. Components: Control Environment, Risk Assessments, Control Activities, Information & Communications, Monitoring Activities. Organisational levels: Entity Level, Division, Operating Unit, Function.]


CONTACT US

Singapore Accountancy Commission: Violet Koh, Associate Director, Centre of Excellence, SAC. Tel: +65 6326 0526. Email: [email protected]

ABOUT SAC

Established in April 2013 as a statutory body of the Singapore Government, the Singapore Accountancy Commission (SAC) is the lead agency in spearheading the development of the Accountancy Sector in Singapore.

The SAC’s Vision is for Singapore to be the Leading Global Accountancy Hub. This will be achieved through developing for Singapore a vibrant Accountancy Sector that enables the economy to grow, businesses to thrive and talent to flourish. In fulfilling this mission, the SAC seeks to uphold the values of being relevant, insightful, collaborative and advocative.

ABOUT NEXIA TS

Nexia TS was founded in 1993 by two experienced chartered accountants – Henry Tan and Sitoh Yih Pin. After working as managers for one of the international accounting firms, they saw a vision and an opportunity to establish their own organisation – not any accounting firm – but one which is unique in their personalised and well-qualified expertise.

To date, Nexia TS is recognised as an established mid-tier local accounting firm. We have grown significantly in size over the years. Being an independent member firm of Nexia International, we are affiliated to accounting firms in many parts of the world. This means that our clients will get to enjoy personalised, comprehensive and quality services at competitive rates in Singapore and globally. Our reputation for quality has been recognised by clients and accounting professionals. As testimony to this, we are among the first few local accounting firms to be accredited by the Institute of Chartered Accountants in Australia to provide supervision of professionals undergoing traineeship to qualify as Chartered Accountants. Headquartered in Singapore, Nexia TS has established a strong presence in various countries across the region. Nexia China is a one-stop centre providing advisory services for foreign-invested enterprises in China. NTS Malaysia and NTS Myanmar provide a full suite of corporate advisory services for our clientele with operations and new foreign investments in the respective countries.

Nexia International is an international network of accounting and consulting firms with origins going back to 1971 making Nexia one of the longest established firms. Currently, with more than [figure illegible] professional staff serving our clients at over [figure illegible] offices in 100 countries, we are ranked as the top 10 largest international accounting and consulting firms worldwide. For more details, please visit www.nexiats.com.sg.

For Enquiries regarding this report, please contact:

The information contained in this publication is provided for general purposes only. While every effort has been made to ensure that the information is accurate and up-to-date at the time of going to press, the Singapore Accountancy Commission and Nexia TS accept no responsibility for any loss which may arise from information contained in this publication. Quotes from participants may be paraphrased. No part of this publication may be reproduced in any format without the prior written permission of the Singapore Accountancy Commission and/or Nexia TS.

© Singapore Accountancy Commission and Nexia TS, Jun 2015.

Nexia TS: Daniel Chen, Marketing Communications Manager, Nexia TS. Tel: +65 6534 5700. Email: [email protected]


PRINCIPLES AND POINTS OF FOCUS

Principle 6: The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

Operations Objectives
- 21a Reflects management’s choices
- 22a Considers tolerances for risk
- 23 Includes operations and financial performance goals
- 24 Forms a basis for committing of resources

External Financial Reporting Objectives
- 21b Complies with applicable accounting standards
- 22b Considers materiality
- 25 Reflects entity activities

External Non-Financial Reporting Objectives
- 21c Complies with externally established standards and frameworks
- 22c Considers the required level of precision
- 25 Reflects entity activities

Internal Reporting Objectives
- 21a Reflects management’s choices
- 22c Considers the required level of precision
- 25 Reflects entity activities

Compliance Objectives
- 21d Reflects management’s choices
- 22a Considers the required level of precision

Principle 7: The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed
- 26 Includes entity, subsidiary, division, operating unit, and functional levels
- 27 Analyses internal and external focus
- 28 Involves appropriate levels of management
- 29 Estimates significance of risks identified
- 30 Determines how to respond to risks

Principle 8: The organisation considers the potential for fraud in assessing risks to the achievement of objectives
- 31 Considers various types of fraud
- 32 Assesses incentives and pressures
- 33 Assesses opportunities
- 34 Assesses attitudes and rationalisations

Principle 9: The organisation identifies and assesses changes that could significantly impact the system of internal control
- 35 Assesses changes in external environment
- 36 Assesses changes in the business model
- 37 Assesses changes in leadership


Singapore Accountancy Commission, 10 Anson Road, #05-18 International Plaza, Singapore 079903, +65 6325 0532

Nexia TS, 100 Beach Road, Shaw Tower, #30-00, Singapore 189702