
Corporate Governance

BBBD 3014
Lecture 9
Internal Control Systems
▶ Internal audit function
▶ Risk management
The Turnbull Committee
▶ Guidance for Directors on the Combined Code:
◦ A sound system of internal control is
established and maintained; and
◦ The system is reviewed regularly to check
that it operates effectively.
The role of Internal Audit
▶ The role of Internal Audit
◦ Investigation of internal controls
◦ The objectivity and independence of internal
auditors
◦ The need for an internal audit function
Internal Control system
▶ Segregation of duties
▶ Physical controls
▶ Authorisation & Approval
▶ Management control
▶ Supervision
▶ Organisation
▶ Accounting Control
▶ Personnel
◦ SPAMSOAP
The Board’s statement on Internal
Control
▶ Minimum content of Board’s statement on Internal
control pursuant to Bursa Malaysia’s listing
requirement:
◦ There is an ongoing process for identifying, evaluating and
managing significant risks;
◦ This process has been in place for the year under review;
◦ The state of internal control is reviewed regularly by the
board;
◦ If the listed company is unable to establish an internal audit
department, alternative ways of ensuring appropriate internal
control is in place and evaluated by out-sourced professional
firm.
The Board’s statement on Internal
Control
▶ Scope of internal control report, the board should:
◦ Consider what are the significant risks and assess how they have
been identified, evaluated and managed;
◦ Assess the effectiveness of the related system of internal control in
managing the significant risks, having regard, in particular, to any
significant failings or weaknesses in internal control that have been
reported;
◦ Consider whether necessary actions are being taken promptly to
remedy any significant failings or weaknesses; and
◦ Consider whether the findings indicate a need for more extensive
monitoring of the system of internal control.
Risk management & CG

▶ To protect the assets of the company
▶ Ensure adequate risk management
measures
Risk Management
▶ Risk – the probability of results deviating from
expectations.
▶ Categories of risk:
◦ Financial – credit, foreign exchange, interest rates
◦ Strategic – competition, customer demands, industry changes
◦ Operational – regulations, culture, board composition
◦ Hazard – contracts, natural events, suppliers, environment
▶ Basic elements of risk management:
◦ Risk identification;
◦ Risk evaluation & assessment;
◦ Risk management measures;
◦ Risk control & review
The 2nd King’s Report & Risk
Management
▶ Decide the risk tolerance;
▶ Identify, measure & manage risk
Internal Control systems / framework

The Malaysian Code on Corporate Governance 2017:


▶ Principle A, Practice 9.1 of the Code states that the
board should establish an effective risk management
and internal control framework.
Internal Control systems / framework

▶ The system of internal control is defined as “the
actions taken by the board and management to
manage risk and increase the likelihood that
established goals will be achieved”.
▶ Internal control encompasses all types of control
including those of a financial, operational,
environmental and compliance nature.
Understanding Internal Control
The process of ensuring the following through the
efficient and effective adherence to internal control
systems / framework within an organisation:
▶ Adherence to laws and regulations;
▶ The safeguard of corporate assets;
▶ The prevention and detection of fraud;
▶ The accuracy and completeness of the accounting
records
▶ Timely availability of reliable financial information
What is the aim in implementing
Internal Control systems
▶ To ensure adherence to domestic and international
laws and regulations;
▶ Protection of shareholders’ investment;
▶ Ensuring transparent, accurate and timely financial
information is communicated internally as well as to
regulators, investors and the public;
▶ Better risk assessment & management;
▶ Stability of industry and overall market.
Internal Control & Risk Management

Transparent, accurate and timely financial
information LEADS to improved risk assessment &
management:
◦ Nature & extent of risk
◦ Likelihood of risks
◦ Extent and categories of risk
◦ Reduce the incidence and impact on the business
◦ Considerations of costs
Internal Control expectations with
regards to PLCs in Malaysia
▶ Guidelines for Directors of Listed Issuers provides guidance
on the Statement on Risk Management & Internal
Control that is required by Bursa Malaysia in the company’s
Annual Report.
▶ The guidelines require the Chief Executive Officer (CEO) and
Chief Financial Officer (CFO) to provide assurance to the board
stating whether the company’s risk management and internal
control system is operating adequately and effectively.
▶ A CFO is defined as the person primarily responsible for the
management of the financial affairs of the company (such as
record keeping, financial planning and financial reporting), by
whatever name called.
Internal Audit Function
▶ MCCG 2017 Principle A 10.0:
▶ Companies have an effective governance, risk
management and internal control framework and
stakeholders are able to assess the effectiveness of
such a framework
Internal Audit Evaluation
▶ Paragraph 15.20 of the Listing Requirements states that the board of
directors of a listed issuer must review the term of office and performance
of the audit committee and each of its members at least once every three
years. This is to assess whether the audit committee and its members have
carried out their duties in accordance with their terms of reference.
▶ A formal evaluation of the performance of all committee members should
be undertaken by the nominating committee.
▶ Assessment of the audit committee’s effectiveness helps to ensure the
committee members’ expectations are continuously met.
▶ Upon completion of the evaluation, the board should deliberate the
outcome to undertake appropriate remedial actions (if any), for example
relevant training / education to be recommended for the committee
members, etc., to effectively discharge their responsibilities.
Oversight of Financial Reporting

Paragraph 15.12 (1)(g) of the Listing Requirements
requires the audit committee to review the quarterly
results and year-end financial statements prior to
approval by the board, focusing particularly on:
(a) changes in or implementation of major accounting
policy changes;
(b) significant and unusual events; and
(c) compliance with accounting standards and other
legal requirements.
Assessing risks & controls
▶ An audit committee should make enquiry as to whether each category
of risks is adequately monitored and addressed by the company’s risk
management procedures.
▶ The audit committee should be sensitive to both “red flags” and
“yellow flags”. Such warning signs must trigger the audit committee to
assess, inquire and investigate as appropriate.
▶ A “yellow flag” serves as an indicator to “stop, look both ways and
proceed with caution”. Further investigation may reveal the yellow
flag to be nothing at all or it could also be something that warrants
further probing.
▶ The “red flag” means there could very well be financial danger ahead
and good probing questions should be asked and the issue should be
pursued until answers given are satisfactory.
Internal Auditors
▶ Each listed issuer by virtue of Paragraph 15.27 of the Listing
Requirements is required to establish an internal audit function that
reports directly to the audit committee.
▶ Recommendation 6.2 of the Code commented that the audit
committee should determine if internal audit is conducted according
to the standards set by recognised professional bodies and conduct
regular reviews and appraisals of the effectiveness of the governance,
risk management and internal control processes within the company.
▶ Paragraph 15.12 (1)(e) of the Listing Requirements stipulates that the
audit committee must, amongst others, review the competency of the
internal audit function. Accordingly, the audit committee should
consider the need for a Quality Assurance review by external parties on
its internal audit function.
Audit Committee Report
▶ Pursuant to Paragraph 15.15 of the Listing
Requirements, a listed issuer must ensure that its
board of directors prepares an audit committee report
at the end of each financial year with the relevant
information, which must be clearly set out in the
annual report.
Internal Control & Audit
▶ Q: what is the link between Audit & Internal Control?
◦ Both are processes
◦ Both are linked to the efficient and effective management of
funds within an organisation
◦ Objectives?
Internal Control & Audit
▶ The objective of Auditing
◦ The process of audit is to methodically & formally examine the
financial statements of an organisation.
◦ The aim of an internal audit is to ensure that the process of
auditing is conducted in accordance with the standards set by
recognised professional bodies, and that reviews and appraisals of
the effectiveness of the governance, risk management and internal
control processes are conducted regularly within the company.
▶ The objective of Internal Control
◦ Adherence to laws and regulations;
◦ The prevention and detection of fraud;
◦ The safeguard of corporate assets;
◦ The accuracy and completeness of the accounting records
◦ Timely availability of reliable financial information
In Summary
▶ The objective of a sound internal control system is:
◦ Adherence to the law & regulations
◦ The efficient and effective management of corporate funds to
achieve the company’s goals.
▶ Q: How can this be achieved?
◦ Establish a sound auditing system
In Summary
▶ Q: What is a sound auditing system?
◦ A process of audit that is conducted to ensure that the
financial, operational and environmental activities of the
company are in accordance with the company’s internal control
system; which in turn should be in accordance with:
⚫ standards set by recognised professional bodies;
◦ And regular reviews and appraisals of the effectiveness of the
governance, risk management and internal control processes
are conducted within the company.
In Summary

▶ The outcome of the reviews and appraisals is then
reported to the Audit Committee;
▶ Based on this report, the Audit Committee makes its
recommendations on various aspects of the report to
the Board of Directors;
In Summary

▶ The Board in turn reviews the internal audit report and
the recommendations of the Audit Committee and
makes decisions regarding the various
recommendations of the Committee.
▶ Where necessary, changes or modifications are also
made to the Internal Control system to be in line with
the goals and expectations of the stakeholders.
Internal Control & Audit
Sound Internal Control System
▶ Objective of Internal Control System:
◦ Adherence to law
◦ Efficient management of corporate funds
▶ Effective internal audit framework – internal audit
▶ Prepares its report through regular auditing, reviewing
and appraisal process – audit committee
▶ Based on the report, the Audit Committee makes its
recommendations to the BoD
