Effective Internal Control in Ensuring Good Governance
COSO’s five components of internal control and questions for basis of audit assessment
Hazimi Kassim, President, Institute of Internal Auditors Malaysia; Group Chief Internal Auditor, Telekom Malaysia Berhad. 24 October 2017
Strong Governance is always supported by strong and effective Internal Control Systems.
Governance in Corporate/Private Sector
Malaysian Code of Corporate Governance
Key features of the new approach
• Updated in 2017, with a new approach to promote greater internalisation of a corporate governance culture.
• Reflects global principles and internationally recognised practices, and goes above and beyond the minimum required by statute, regulations or Bursa.
• Permits a constructive and flexible response to raise standards of corporate governance.
• Recognises self-regulation and the opportunity to explain any inability to comply.
Corporate Governance Definition
The process and structure used to direct and manage the business and affairs of the company towards promoting business prosperity and corporate accountability, with the ultimate objective of realising long-term shareholder value while taking into account the interest of other stakeholders.
Source : Malaysian Code of Corporate Governance 2017
Why Does Governance Matter?
Long-Term Value; Sustainability; Ethical Behaviour
Governance provides a framework of control mechanisms that support the company in achieving its goals, while preventing unwanted conflicts.
It identifies the distribution of rights and responsibilities among the different participants in the company and outlines, among other things, the rules and procedures for decision-making, internal control and risk management.
It serves shareholder interests, but requires balancing them against the needs of other stakeholders such as employees, customers, suppliers, society and the communities in which the companies conduct their business.
Structure of MCCG
3 key principles of good corporate governance
• Board leadership and effectiveness;
• Effective audit and risk management; and
• Integrity in corporate reporting and meaningful relationship with stakeholders.
Source : http://www.kmf.com.my
“Doing the Right Things, Right, in the Right Way.”
• choosing the appropriate mandate and objective;
• executing it in the most efficient manner;
• doing things with the proper ethical and governance considerations.
Tan Sri Azman Mokhtar, Khazanah Nasional’s Managing Director.
General Governance Structure – 3 Lines of Defense
Responsibility for Corporate Governance
The primary responsibility rests with the governing body and management.
Management’s responsibilities:
• Creating a strong Corporate Governance environment;
• Ensuring the management of risks and the implementation of systems of internal control; and
• Taking appropriate actions to ensure effective and efficient control systems.
The Governing Body is responsible for:
• ensuring that management is carrying out the implementation of risk and internal control systems; and
• understanding the environment to determine if management can override or influence the controls in place.
Source : International Auditing Standard
Governance in Public Sector
Governance in Malaysian Public Sector
Constitution, Statutes, Legislation, Regulations & Guidelines, Circulars, Agreements, etc.
Governance in Public Sector – Best Practices: Relationships between the Principles for Good Governance in the Public Sector
Source : International Framework for Good Governance in the Public Sector, developed jointly by the Chartered Institute of Public Finance and Accountancy (CIPFA) and the International Federation of Accountants® (IFAC®).
Governance comprises the arrangements put in place to ensure that the intended outcomes for stakeholders are defined and achieved.
Acting in the Public Interest (A & B)
International Professional Practices Framework (IPPF): The Framework for IA Effectiveness
Core Principles that every internal auditor must meet:
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.
New Mission
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
Internal Control Framework as a Tool
Where do Internal Controls sit in Overall Governance?
Governance; Enterprise Risk Management; Internal Control
Why do we need an Internal Control Framework?
An Internal Control Framework is required because it:
• Enables organizations to effectively and efficiently develop and maintain systems of internal control that are agile to changes in the business and operating environments.
• Guides the design, implementation and conduct of internal control, and the assessment of its effectiveness.
• Emphasizes the importance of management judgment in designing, implementing, and conducting internal control.
• Assists stakeholders interacting with the entity in their respective duties regarding internal control, without being overly prescriptive.
Strong Governance is always supported by strong and effective Internal Control Systems.
What is COSO? It’s an Internal Control Framework
What is COSO? Committee of Sponsoring Organizations of the Treadway Commission
The National Commission on Fraudulent Financial Reporting was formed with James C. Treadway, Jr., former SEC Commissioner and General Counsel, Paine Webber, as its Chairman, and became known as the “Treadway Commission”: a private-sector initiative, formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.
• Source: SEC historical.
A private-sector initiative established in 1985 by five financial professional associations:
• The Institute of Internal Auditors
• American Accounting Association
• Institute of Management Accountants
• Financial Executives Institute
• American Institute of Certified Public Accountants
COSO Mission
“To provide thought leadership through the
development of comprehensive frameworks and
guidance on enterprise risk management,
internal control and fraud deterrence
designed to improve organizational performance
and governance and to reduce the extent of
fraud in organizations.”
Why was COSO introduced?
COSO’s goal is “to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.”
COSO’s Fundamental Principle
Good risk management and internal control are necessary for the long-term success of all organizations.
Evolution of COSO
2013: Internal Control-Integrated Framework (2013 Edition)
Consists of 3 Volumes:
• Executive Summary
• Framework and Appendices
• Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Sets out:
• Definition of internal control
• Categories of objectives
• Components and principles of internal control
• Requirements for effectiveness
What Drives the Change?
Since the inception of the original Framework:
• Business has changed dramatically – increasingly global, more complex, driven by technology.
• Investors are more engaged – seeking greater transparency, and demanding greater accountability for the integrity of internal control systems that support organizations’ operations, governance and external communications.
• Regulatory regimes have expanded – additional forms of external reporting are emerging.
• The COSO Board decided to update the original Framework to make it more relevant to investors and other stakeholders.
COSO 2013 Framework –Summary of Changes
COSO Internal Control
Core definition of internal control: Internal control is a process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to Operations, Reporting and Compliance.
The components represent the rows and the objectives represent the columns. Objectives may be set at the entity, division, operating unit or functional levels.
Concepts from COSO Definition
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control depends on people. It is not just policy manuals and forms, but people at every level of an organization.
• Internal control only provides reasonable assurance – not absolute assurance.
• Internal control objectives may address single or overlapping categories of internal control components.
1992 vs. 2013 Framework
2013 Framework (compared with the 1992 Framework): 5 Components, 17 Principles, 82 Points of Focus
Components and principles
Under the 2013 COSO Framework, effective internal control requires the following:
• Each of the 5 components and 17 principles must be present and functioning.
• The 5 components must operate together in an integrated manner to reduce risks to an acceptable level.
• All 77 points of focus are considered, but are not required to be present.
Components, Principles and Points of Focus (2013 Framework)

Component                        Principles   Points of Focus per principle   Total
Control Environment              5            4, 4, 3, 4, 5                   20
Risk Assessment                  4            5, 5, 4, 3                      17
Control Activities               3            6, 4, 6                         16
Information and Communication    3            5, 4, 5                         14
Monitoring Activities            2            7, 3                            10
Total                            17                                           77
How COSO Can Help
Relationship of ERM Components to Contextual Business Model
Source : How the COSO Frameworks Can Help? By : James DeLoach & Jeff Thomson CMA, CA
Relationship of Internal Control Components to Contextual Business Model
Source : How the COSO Frameworks Can Help? By : James DeLoach & Jeff Thomson CMA, CA
INTOSAI 9100
• Evaluating internal control is a generally accepted field standard in government auditing; auditors can use the guidelines as an audit tool.
• The guidelines for internal control standards comprising the COSO Framework can therefore be used:
  by government management to design a solid internal control framework for their organisation, and
  by auditors as a tool to assess internal control.
• However, these guidelines are not intended as a substitute for INTOSAI Auditing Standards or other relevant auditing standards.
What Does the Updated Guidance Mean to the Internal Auditor?
1. Reporting Objective
2. Supplemental Guidance for Internal Control Over Financial Reporting.
3. Increased emphasis on Compliance and Operational Objectives.
4. Full Adoption of a principles and points of focus (attributes) approach.
5. More Explicit Evaluation Criteria
6. Must Consider Fraud Risk
7. IT reinforced in a new principle; recognizes expanded organizational relationships.
8. Updating of Governance Concepts
9. More Effective Monitoring
10. Higher Expectation of Knowledgeable IA Personnel
Assessment Criteria
Each of the five COSO components and its related 17 principles must be “present and functioning”:
• Are they present? The components and relevant principles exist in the design and implementation of the system of internal control (“Design”).
• Are they functioning? The components and relevant principles continue to exist in the conduct of the system of internal control (“Operating Effectiveness”).
Assessment Criteria
The five COSO components must “operate together in an integrated manner, collectively reducing the risk to an acceptable level”. Management can demonstrate this by showing that:
• The components are present and functioning, and
• Internal control deficiencies aggregated across components are not significant.
Governance, Risk Management and Internal Control in TM
TM has a Formal Structure to Define Roles & Accountability
TM Organising Principles
Policies in Place at TM Supporting Transparency and Governance (this list is non-exhaustive):
• IT Security Policy
• Internal Control Policy
• Integrity Pledge: a commitment to uphold the Anti-Corruption Principles.
• TM Fraud Policy. Scope of Policy: the policy applies to any irregularity, or suspected irregularity, involving employees as well as shareholders, consultants, vendors, contractors, outside agencies doing business with employees of such agencies, etc.
• Policies & Procedures
• Business Policies & Governance
• Risk Management Policy
• Code of Business Ethics: the Code sets forth the standards that guide our every action at TM and its Group of Companies, and applies to the BOD, Management, Employees and all representatives of the Company.
• Procurement Ethics Rules & Practices
• Whistle Blowing Policy: the BOD & Management are committed to an internal whistle-blowing programme, introducing a safe and acceptable platform for Employees to channel concerns about illegal, unethical or improper business conduct affecting the Company, and about business improvement opportunities.
• Integrity Pact: to enhance transparency in TM’s Procurement approach, which will reduce and eradicate corrupt practices.
Integrity Pledge
TM declares that : “it will not commit corrupt acts”, will work toward creating a business environment that is free from corruption and will uphold the Anti-Corruption Principles for Corporations in Malaysia in the conduct of its business and in its interactions with its business partners and the Government.
Risk Management and Internal Control Policy: the CEO and the Management are accountable.
Objectives of TM Integrity Pact (Procurement Ethics):
• To avoid bidders offering or giving bribes;
• To avoid TM employees receiving bribes;
• To require bidders to report any bribery/act of corruption to the authorities;
• To prohibit unauthorized use of TM’s proprietary information by employees and suppliers … and ensure TM will not incur unnecessary costs in carrying out TM procurement.
Governance & Integrity Policies in TM
These policies address the following issues:
• TM has comprehensive Governance & Integrity Policies, but awareness and internalisation of the principles are lacking.
• This results in a procedural and KPI/results-driven culture, with governance secondary.
• People will naturally take advantage when monitoring, performance and consequence management are at less than the desired optimal level.
Corporate Gov Score : 2012- 81.5 moved to 2017-110.56 (By MSWG)
Awards (Page 121 of the Annual Report)
Our Declaration of TM Internal Control Systems (Page 127 of the Annual Report)
Statement On Risk Management & Internal Control: Guideline For Directors Of Listed Issuers
• Para 26 of the guideline, which further describes the Management Role:
• “Management is responsible for implementing the processes for identifying, evaluating, monitoring and reporting of risks and internal control, taking appropriate and timely corrective actions as needed, and for providing assurance to the board that the processes have been carried out.
• In this regard, at least annually, the Board should receive assurance from the CEO and CFO on whether the company’s risk management and internal control system is operating adequately and effectively, in all material aspects, based on the risk management model adopted by the company.”
• Audit is to provide Independent Assurance to the TM Board that Management has put in place the necessary Risk Management and Internal Control Framework and Systems.
Statement of Risk Management & Internal Control 2016 Assurance Letter by Management
The Board of Directors 27 February 2017
Telekom Malaysia Berhad.
Dear Sirs
Assurance Letter from the Group Chief Executive Officer and Group Chief Financial Officer
We acknowledge that Management of TM Group is responsible for implementing the processes for
identifying, evaluating, monitoring and reporting of risks and internal control, taking appropriate and timely
corrective actions as needed, and for providing assurance to the board that the processes have been carried
out.
The Responsibilities of the Management in respect of risk management and internal control include:
• Identify the risks relevant to the business of TM Group and the achievement of objectives and
strategies;
• Design, implement and monitor the risk management framework in accordance with the TM Group’s
strategic vision and overall risk appetite;
• Identify changes to risk or emerging risks including Fraud, take actions as appropriate, and promptly
bring these to the attention of the Board; and
• Take appropriate and timely corrective actions as needed.
• In this regard, to the best of our knowledge and based on the continuous review and assessment done by the management, for the Financial Year 2015 under review, TM Group’s risk management and internal control systems are operating adequately and effectively, in all material aspects, based on the risk management model adopted by the company. There has not been any material loss, contingency or uncertainty other than those that have been recorded and disclosed in the Financial Statements of TM Group for the financial year ended 31 December 2016.
• We consider the system of risk management and internal controls described in the Directors’ Statement
on Risk Management and Internal Control to be adequate and effective and the risks to be at an
acceptable level within the context of the TM Group’s business environment and risk appetite set by the
Board. The Management will continue to take measures to strengthen the risk management processes
and internal control environment and monitor the health of the risks and internal controls framework.
• TM Group’s risk management and internal control system does not apply to its associate companies,
which fall within the control of their majority shareholders. Nonetheless, TM Group’s interests are served
through representation on the Board of Directors and senior management posting(s) to the associate
companies as well as through the review of management accounts received. These provide the Board
with performance-related information to enable informed and timely decision-making on the TM Group’s
investments in such companies.
Statement of Risk Management & Internal Control - Assurance Letter by Management to the Board
To support the assurance that the Management is providing to the Board, the following evaluation and review processes need to be carried out:
• Directors’ Statement of Risk Management & Internal Control
• Management Assurance Letter to the Board
• Evaluation and Review performed by each of the LOBs, Support Units and Subsidiary Companies (CEOs, LOB & Support Heads)
• Annual Internal Control Assurance Self-Assessment Survey (input from all GMs)
• Risk Management and Assessment (input from Risk Management, GBA)
• Trending of Internal Control Incidents (ICI) and summary of cases reported
• Key risk findings observed during the execution of the Annual Audit Plan
• Investigations carried out by the Corp Inv Unit
• Internal Control Health Check Report and Conclusion, to be distributed in December of the Financial Year
Assurance from the LOBs and Operations
In assessing the effectiveness of the company’s risk and internal control processes, the GMs, LOBs and Support Units carry out an assessment of internal control based on COSO:
• Control Environment and Control Activities;
• Information and Communication, and Monitoring;
• Assessment of the Risk Management Framework;
• Understanding and Communicating Risk Appetite.
The following declaration is required to be made in December 2016:
“To support the assurance that the GCEO and GCFO have to provide to the Board, I acknowledge that the evaluation and review processes have been carried out, and Risk Management and Internal Control Systems within my area of accountability, and TM’s Group as a whole, are operating adequately and effectively, in all material aspects, based on the risk management model adopted by TM Group.”
Signed by the Heads of All Business and Operations Units
Challenges in Implementing COSO
• Buy-in and Support from the Board and Management
• Bringing COSO Components and Principles down to a layman’s level, to be understood across the organisation
• Continuous Training, Knowledge Sharing and Communication
• Coordinating the Governance Work done by each of the governance units
Concluding Remarks…
Extremely challenging, but worth the effort.
Thank You