When negative assurance over system of internal controls is not enough
Has the Board’s responsibility changed?
Looking at the responsibilities of the Board and the AC over risk management and internal controls, with the amendments to the SGX listing rules and the revised 2012 Code (Guidelines 11 and 12.4(b)), has the scope changed drastically before and after the issuance of the 2012 Code, and the amended SGX listing rules? Or is it part of the journey to achieve a more mature corporate governance environment, including risk management and internal controls?
The Board's responsibility over the system of internal controls should not change substantially. The disclosure requirements relating to the assessment of internal controls in the latest SGX listing rules are a more specific and clearer version of the commentary that is required under the revised 2012 Code. In addition, the new section on 'Risk Management and Internal Controls' in the 2012 Code draws part of its content from the section 'Internal Controls' of the 2005 Code.
Nevertheless, we have to acknowledge that the Board's responsibility over risk management has become more explicit now. Under the 2005 Code, the Board's responsibility is limited to ensuring management maintains a sound system of internal controls and reviewing (via the AC) the adequacy of the internal controls and risk management policies and systems. Now, the responsibility of risk governance has been added as part of the Board's responsibilities in the 2012 Code.
Bigger issuers will continue with the existing formal corporate governance practices, albeit with a need for enhancement to develop an integrated risk management and controls framework, making reference to the Guidance, to provide greater clarity to third parties (e.g., shareholders and legislators).
For the smaller issuers where resources are harder to come by, initial effort is required to take stock of existing risk management activities, align them with the business objectives and complement the existing activities with additional risk management measures (including the related mitigating controls), if necessary. Finally, the issuer should develop an integrated risk management framework similar to that recommended for bigger issuers above.
The amendments to the SGX listing rules 1207(10) and 1204(10) for Mainboard and Catalist respectively in September 2011 now require the Board to provide an opinion on the adequacy of internal controls, addressing financial, operational, and compliance risks of their companies. Recently, several companies were rapped by the SGX when they wrote in their annual report "contrary to the absence of evidence" on their system of internal controls, a clear indication that "negative assurance" or opinions with disclaimers are no longer adequate to comply with the listing rules. The Board can no longer make a cursory comment on the internal controls for the business operations as a whole without specifying the assessment basis, or the key weakness areas.
Now that the Board needs to express an explicit opinion about the Group’s internal controls, many Boards are concerned about whether their internal controls are truly adequate, and whether they will shoot themselves in the foot in the event they express a positive opinion and a breakdown in controls happens shortly after.
How should the Board arrive at the opinion on the adequacy of internal controls?
“If there has been no fraud or major controls breakdown reported, then the system of internal controls should be working as well.” Does this sound familiar?
More often than not, the Board relies heavily on internal audit to provide assurance over internal controls. As for the statutory auditors, their consideration of internal controls is only limited to those addressing financial reporting risks. These are some of the sources where the Board can derive information to form a basis of the opinion.
However, are there other avenues where internal controls are assessed and can provide the Board with a comprehensive view of the state of internal controls? Will the accolades by professional bodies for good corporate governance practice provide additional assurance that the system of internal controls is working well? Do the audit results of quality management system shed some light on how well internal controls are recorded, communicated, executed and monitored?
There are in fact many sources from which the Board can gain comfort or discomfort over the system of internal controls. To facilitate the assessment of the adequacy of internal controls, addressing financial, operational and compliance risks, the Board and AC should seek support from management, internal audit, compliance team and risk management function (if applicable) to take stock of the existing activities and records relating to risk management and internal controls. Organise them into a structured framework and process, taking into consideration the above-mentioned three components (i.e., financial, operational, and compliance risks), pointers from Guidebook for ACs in Singapore, the advisory notes issued by the SGX, the relevant international standards (e.g., the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework), the Code, and the Council's Guidance for Board on risk governance.
This framework should be reviewed and refreshed periodically to take into account changes in regulators' requirements (e.g., amendments to the SGX listing rules, and the revised 2012 Code), company's business operations, structure, environment and international/professional standards. In addition, this framework and the basis (i.e., assessing internal controls, addressing financial, operational and compliance risks) to arrive at the opinion should be adequately documented and substantiated.
However, one should always bear in mind that internal controls exist to mitigate key risks, and not all risks. Internal controls should never be proliferated into a self-fulfilling scheme of excessive controls resulting in unwarranted use of scarce resources. Nevertheless, it is not always clear to many on the perimeter of adequacy of internal controls before the situation turns excessive. This is partly due to limited access to industry risk profile and leading practices where new risks and innovative controls can be found respectively.
Salient points from the SGX advisory note on 16 April 2012
In the first wave of annual reports published by companies with a 31 December 2011 year end, from which the listing rule amendments are applicable, the SGX has raised queries on the disclosure made by companies under listing rule 1207(10) [Mainboard]/1204(10) [Catalist]. The queries ranged from the existence of an opinion to the type of opinion, as well as the wording used. These queries and the subsequent remediation by the listed companies would have been avoided if guidance had been provided at the outset when the amendments were introduced. However, the SGX was quick to issue the advisory note which addressed the following salient points:
- There must be an opinion. Disclaimer or negative assurance such as 'absence of evidence to the contrary' and the use of the words 'believe' or 'is satisfied' are not acceptable.
- Disclosure on opinion on internal controls must include 'financial, operational and compliance risks'.
- Opinion on internal controls should be formed at the Group's level instead of Company level only.
- Proper documentation should be maintained for the assessment of internal controls, addressing financial, operational and compliance risks.
- Factors considered and deliberated by the Board and AC in arriving at the opinion should be disclosed.
- Areas of concerns or control deficiencies and remediation should be disclosed.
- Opinion is recommended to be disclosed in the Directors' Report.
Who should be supporting the Board in arriving at the opinion?
Many would have thought that the internal audit function is the most appropriate candidate to own the responsibility of establishing, introducing and maintaining a system to help the Board and the AC identify sources, and collate assessment results of internal controls. This is partially correct. Whilst internal audit can help administer the system, there must be prominent executive sponsorship to ensure the right positioning of this system in the organization's priority list to make this work.
Going forward, the Board will need to work more closely with management and internal audit to identify all sources where internal controls are assessed and report the results to the Board on a timely basis. It is inevitable that the Board will be presented with more information and the real challenge is to sieve out those that matter.
The changes to the SGX Listing Rules to foster greater disclosures are part of a continual journey to achieve a more mature corporate governance environment in Singapore. While the goal for Boards is to express an explicit opinion to satisfy regulatory requirements, the process of arriving at the opinion – and ensuring that robust risk management and internal controls systems are in place via that process – is where the real value lies.
How EY can help
Our diagnostic checklist can facilitate the Board and AC in making a quick assessment of the company's current risk management process and internal controls system. Following the assessment, we can support the Board and the AC in formalizing and assessing the risk management, and other necessary reviews in supporting the Board and the AC in forming the basis to assess the internal controls system. For more information, please contact Neo Sing Hwee (+65 6309 6710 or Sing-Hwee.Neo@sg.ey.com) or Adrian Ang (+65 6505 2354 or firstname.lastname@example.org).
Extracts of internal controls requirements for Singapore listed companies
|Listing rule 719(1)||An issuer should have a robust and effective system of internal controls, addressing financial, operational and compliance risks. The AC (or such other committee responsible) may commission an independent audit on internal controls for its assurance, or where it is not satisfied with the systems of internal control.|
|Companies Act Section 201B(5)(a)(ii)||The functions of an AC shall be to review with the auditor, his evaluation of the system of internal accounting controls.|
|Code of Corporate Governance 2012||Guideline 11.1: “The Board should determine the company's levels of risk tolerance and risk policies, and oversee Management in the design, implementation and monitoring of the risk management and internal control systems.” Guideline 11.2: “The Board should, at least annually, review the adequacy and effectiveness of the company's risk management and internal control systems, including financial, operational, compliance and information technology controls. Such review can be carried out internally or with the assistance of any competent third parties.” Guideline 11.3: “The Board should comment on the adequacy and effectiveness of the internal controls, including financial, operational, compliance and information technology controls, and risk management systems, in the company's Annual Report. The Board's commentary should include information needed by stakeholders to make an informed assessment of the company's internal control and risk management systems.” Guideline 12.4(b): “The duties of the AC should include reviewing and reporting to the Board at least annually the adequacy and effectiveness of the company's internal controls, including financial, operational, compliance and information technology controls (such review can be carried out internally or with the assistance of any competent third parties).”|