In the September 2011 issue of Board Matters Quarterly, we highlighted some of the key amendments to the SGX listing rules that took effect from 29 September 2011, and are applicable for listed companies with financial year ending on or after 31 December 2011. Two of the amendments relating to the state of internal controls were as follows:
- Rule 719 (1) was changed to read: "An issuer should have a robust and effective system of internal controls, addressing financial, operational and compliance risks. The Audit Committee (AC) (or such other committee responsible) may commission an independent audit on internal controls for its assurance, or where it is not satisfied with the systems of internal control."
- Rule 1207 (10) now requires the board to provide an opinion, with the concurrence of the AC, on the adequacy of the internal controls, addressing financial, operational and compliance risks.
On 7 March 2012, EY, RHT Law LLP, and about 30 directors shared and discussed views on these amendments in a roundtable session.
We highlight some of the views and challenges shared by the speakers and participants of the panel discussion.
We believe that the amendments to the two listing rules have not significantly changed the responsibilities of the board and the AC over the adequacy of the internal controls system. Additional steps may be required to establish a formal risk management framework, and to integrate the risk assessment results with the existing internal controls and checking mechanism. However, this should not be a major undertaking, as risk management activities would already have existed within the operations and decision-making processes, albeit in a less structured and formal manner.
What is the basis the board and AC can use to assess adequacy of the internal controls, addressing financial, operational and compliance risks?
We suggest the following approaches, which take into consideration three key components:
- Enterprise risk management (ERM) - the purpose of an internal controls system is to manage key risks to a level that is acceptable by the company. As part of ERM, enterprise risk assessments will be performed. The result is a starting point to identify key risks, and matching them to existing controls to assess the adequacy of the controls.
- Internal audit, compliance and other internal controls programs - internal audit helps to provide reasonable assurance on the effectiveness of internal controls system. Thus, an internal audit plan should be aligned to results of periodic enterprise risk assessment to ensure that controls surrounding key risks are checked. Also, assessment of the internal audit function should be performed to review the structure, methodology, and resources. Other internal compliance programs such as compliance reviews and whistle blowing system are also means to identify risks and control gaps.
- External sources - this involves reviewing the results and actions of third parties (e.g., the management letter raised by the statutory auditors, ISO audits, accolades or disciplinary actions by professional or regulatory bodies).
The three components should be able to provide the board and the AC a reasonable basis to assess the internal controls system, addressing financial, operational and compliance risks.
In addition, we have developed a diagnostic checklist to help the board and the AC to assess the "as-is" situation, and identify potential areas where additional steps can be taken to check the adequacy of internal controls. The components of the diagnostic checklist are aligned with the approaches discussed above.
What are the practical implications?
The requirement for the board to comment on the adequacy and effectiveness of the internal controls used to be found only in the Code of Corporate Governance (Code), which is not mandatory and may be departed from on a "comply or explain" basis. Listing rules 719 and 1207(10) now make it mandatory for the board, with the concurrence of the AC, to opine on the adequacy of internal controls. Currently, the SGX has not provided any guidance or framework that can be used to perform the assessment to reach an opinion. Several concerns and practical implications were also shared during the roundtable:
- What type of opinion can the board and the AC give, i.e., negative or positive opinion?
- How many, and what kind of control lapses and non-compliance can occur before concluding the assessment as "inadequate"?
- Can the board and the AC only opine on the areas that they feel the systems of internal controls are adequate?
- If control lapses and non-compliance were remediated before the year end, can the assessment result still be stated as "adequate"?
In the absence of guidance or a framework, the board and the AC may adopt different approaches in arriving at their opinion on the adequacy of the internal controls.
The roundtable concluded with most participants echoing the view that the board and the AC should not opine with a one-liner statement. The board and the AC should elaborate on the assessment process and key areas that they have assessed in forming the opinion, and share remediation status of key areas where there can be room for improvement.
How EY can help
We have developed a diagnostic checklist to facilitate the board and AC in making a quick assessment of the company’s current risk management process and internal controls system. Following the assessment, we can support the board and the AC in formalizing and assessing the risk management, and other necessary reviews in supporting the board and the AC in forming the basis to assess the internal controls system. For more information, please contact Neo Sing Hwee (+65 6309 6710 or Sing-Hwee.Neo@sg.ey.com) or Adrian Ang (+65 6505 2354 or firstname.lastname@example.org).