Insights on ADAA Resolution No. 1 of 2017 and role of Internal Audit

IIA Conference, April 2019

© 2019 KPMG Lower Gulf Limited and KPMG LLP, operating in the UAE and member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Document Classification: KPMG Confidential


Today’s agenda

1. Internal Controls related enactments across the globe
2. About ADAA Resolution No. 1 of 2017
3. About COSO Internal Control Framework
4. Insights from Year 1 (2018) of implementing COSO across Abu Dhabi entities
5. Role of Internal audit in COSO on an ongoing basis
6. Questions on your mind

Your Presenter

KPMG in the Lower Gulf

— Siddharth is a Partner in the Internal Audit, Risk & Compliance Services Practice and he also heads the KPMG Lower Gulf Managed Services practice.

— Siddharth has over 20 years of experience in consulting and risk management. He is a rank holder Chartered Accountant from the Institute of Chartered Accountants of India and is also a Certified Public Accountant, USA. Siddharth has been leading the ADAA resolution no. 1 initiative for KPMG in Abu Dhabi and has worked with 10+ entities in Abu Dhabi in assisting them to implement the COSO Internal Controls framework in 2018.

— He has worked with 30+ companies globally in implementing internal controls frameworks to comply with Sarbanes Oxley requirements, requirements of the Indian Companies Act 2013 etc.

Siddharth Behal
Partner | Risk Consulting

1. Similar enactments across the globe

Similar enactments across the globe

1999-2000: Enron
2002: Sarbanes Oxley
2002: Public Company Accounting Oversight Board (PCAOB)
2013: Companies Act amendment in India
2014: EU Audit Reforms
2016: Decree No.7 R.M of 2016 - Standards of Institutional Discipline and Governance of Public Shareholding Companies
2017: ADAA Resolution No.1

2. About ADAA Resolution No. 1 of 2017

About the ADAA resolution No.1

Article 3

Entity and the Statutory Auditor contract to include:

1. Testing the effectiveness of internal control and compliance with laws.
2. Compliance with law number (1) of 2017.
3. Compliance with laws, circulars and resolutions.
4. Compliance with laws, resolutions and circulars organizing its operations, having financial impact.

Article 4

Separate report by Statutory auditor on the effectiveness of the internal control systems:

1. Prevent and timely detect unauthorized acquisition, use, or disposition of assets.
2. Transactions in accordance with approved P&P.
3. Transactions in accordance with the approved DOA.
4. Transactions recorded in accordance with applied accounting principles.
5. Maintains records that accurately and fairly reflect the transactions and dispositions of the assets of the Entity.

Article 5

Statutory Auditor opinion to include Entity’s compliance with the legal and regulatory requirements:

1. Law number (1) of 2017 pertaining to annual budget and supporting resolutions/circulars.
2. Entity’s law of establishment and circulars/resolutions.
3. Laws, circulars and resolutions organizing the Entity’s operations, if they have financial impact.

About the ADAA resolution No.1

Applicability: Applies to all Subject Entities, and their subsidiaries, wherever located, that are material, in providing the assurance opinion for the entity or group reporting in Abu Dhabi.

Effective Date: Effective for audits of Subject Entities contracted after the date published in the Official Gazette (15 August 2017).

Relevance for year-ending 2018: If Subject Entities contracted their audit engagements for 2017 before 15 August 2017, then the Resolution will apply for the first time in 2018.

SOX vs ADAA Resolution No. 1

SOX

Sarbanes Oxley, Section 404: Establishes Requirements for Internal Control

PCAOB (Public Company Accounting Oversight Board), Guidance: Auditing Standard 5: Establishes Auditing Standards for Internal Control

COSO (Committee of Sponsoring Organizations): Establishes Internal Control Framework for Financials. Components: Monitoring, Control Activities, Information & Communication, Risk Assessment, Control Environment

Implementation: SOX Section 404 Implementation, 6 Step Approach

1. Plan & Scope
2. Documentation
3. Testing controls
4. Identify & remediate control deficiencies
5. Report on Internal Control
6. Independent Audit of Internal Control

ADAA

ADAA Resolution No. 1, Articles 3 & 4: Establishes Requirements for Internal Control

IAASB (International Auditing and Assurance Standards Board), International Standards of Auditing: Establishes Auditing Standards for Internal Control

COSO (Not mandated but allowed) (Committee of Sponsoring Organizations): Establishes Internal Control Framework for Financials. Components: Monitoring, Control Activities, Information & Communication, Risk Assessment, Control Environment

Implementation: Resolution No. 1 of 2017 Implementation, KPMG View (As no framework is defined, COSO is allowed), 6 Step Approach

1. Plan & Scope
2. Documentation
3. Testing controls
4. Identify & remediate control deficiencies
5. Report on Internal Control
6. Independent Audit of Internal Control

3. About COSO Internal Control Framework

COSO Internal Control Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) Framework has been the most widely accepted internal control framework and hence may be adopted to address ADAA’s requirements relating to Internal Control Framework.

[Figure: COSO cube, with faces labelled Objectives and Components]

Components: Entity Level & process level controls

1. Control environment
   1. Demonstrates commitment to integrity and ethical values.
   2. Exercises oversight responsibility.
   3. Establishes structure, authority and responsibility.
   4. Demonstrates commitment to competence.
   5. Enforces accountability.

2. Risk assessment
   6. Specifies suitable objectives.
   7. Identifies and analyzes risk.
   8. Assesses fraud risk.
   9. Identifies and analyzes significant change.

3. Control activities
   10. Selects and develops control activities.
   11. Selects and develops general controls over technology.
   12. Deploys through policies and procedures.

4. Information and communication
   13. Uses relevant information.
   14. Communicates internally.
   15. Communicates externally.

5. Monitoring activities
   16. Conducts ongoing and/or separate evaluations.
   17. Evaluates and communicates deficiencies.

Knowing the Cube

The three facets of the Cube can be illustrated as follows:

1st Dimension: The three categories of objectives are represented by the columns.
2nd Dimension: The five components of the Internal Controls are represented by the rows.
3rd Dimension: The organizational structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, processes to which internal control applies.

Key elements of COSO

5: The Framework consists of five components of internal control.
17: There are seventeen principles representing the fundamental concepts associated with components.
81: Supporting seventeen principles are eighty-one attributes, representing characteristics associated with the principles.

Testing of Internal Control Framework

Controls related to the COSO components can be found at the entity level and transaction level.

COSO components: Control Environment, Risk Assessment, Information and Communication, Monitoring Activities, Control Activities

Entity-Level Controls (ELCs): Controls that do not specifically relate to an assertion (indirect)
Process-Level Controls (PLCs): Controls that specifically relate to an assertion (direct)
GITCs

Key sub-elements – Entity level Controls

Board and Audit Committee Operations
— Composition, Roles and responsibilities, Agenda
— Independent Directors
— Communication including information provided to the Board/AC
— Board/AC oversight and monitoring
— Effectiveness Evaluation

Integrity and Ethical Values
— Code of Conduct
— Whistle Blower Mechanism

Assignment of Authority and Responsibility
— Delegation of Authority
— Policies and Procedures
— Segregation of Duties

Organization Structure
— Organisational Structure
— Third party relationships – Legal, Investor relations, External Auditors

Management’s Philosophy
— Enterprise Risk Management
— Budgeting and MIS

Financial Reporting and Disclosures
— Accounting policy compliance
— Accounting estimates
— Disclosure controls

Oversight and Monitoring
— Internal Audit
— Control Self Assessment
— Continuous control monitoring and assurance
— Financial review and oversight

IT Entity Controls
— IT System and Infrastructure
— IT Risk Management
— Disaster Recovery Planning

Key sub-elements – Process Controls

Process Level Controls (ICOFR, Operation controls including safeguarding of assets and IT controls)

Processes
Operational: Revenue, Procurement, Travel & Admin Expenses, Direct & Indirect Taxes
Support: Finance & Accounts, Human Resource, Information Technology

Rating
Risk Classification: Material / significant / control deficiencies on the basis of discussed and agreed criteria

Controls
Process driven manual controls like Requisitions preparation, PO creation
Automated IT controls like restricted user rights, invoice validation, etc.
Categorization: Financial Reporting; Operational; Preventive/ Detective; Frequency
Fraud Risk Control: Controls mitigating inherent key fraud risks within business processes

Key sub-elements – Information Technology Controls

Internal Controls over Financial Reporting (ICOFR)

Entity Level Controls: Controls related to organizational oversight framework
Business Process Controls: Controls embedded within business processes to mitigate various business risks
Manual Controls
Application Based Controls

IT General Controls (ITGC)

IT Environment Assurance: Application based controls can be relied upon only if there is reasonable assurance that the environment hosting these applications is secure

Access to Program and Data (APD): Controls for provisioning and de-provisioning necessary access in financially critical applications
Program Change (PC): Controls to obtain assurance on authenticity and integrity of changes being incorporated into financially critical applications
Program Development (PD): Controls over adequate testing of new applications or new modules in existing applications to ensure that risks are identified and addressed
Computer Operations (CO): Controls over problem management, information security and data & system availability

4. Insights from Year 1 (2018) of implementing COSO across Abu Dhabi entities

Key teething issues in Year 1 of ADAA Resolution No. 1

Teething issues – Year 1 of implementation of ADAA Resolution No. 1

Delay in initiation of implementation of the resolution
Remediation for gaps identified in 2018 not initiated by most entities
Lack of internal clarity on who should lead the internal controls project

Key entity level issues

Key entity level issues noted across entities in Abu Dhabi

Non-implementation of a fraud risk management framework
Non-implementation of a compliance framework
Need for strengthening Corporate governance framework
Need for strengthening IT Disaster recovery and business continuity framework
Need for strengthening Enterprise Risk Management Framework
Overdue Internal audit issues
Redundant policies, procedures and delegation of authority
Need for strengthening the board evaluation process
Inadequate controls over employee background checks and COI declarations

COI: Conflict of interest

Control status snapshot – Percentage failures

Below is the control status snapshot detailing the percentage of control failures across entities analyzed

Approximately 15% of the financial controls have failed due to inadequate or no controls at design level (~15% Failure)

Top areas with improvement or significant improvement needed:

Adherence to defined policies and procedures
Controls over segregation of duties
Monitoring controls for mitigation of key process risks
Controls over documentation of review and approvals

[Bar chart: % Failure by entity, Entity A to Entity G. Values shown: 39%, 17%, 9%, 22%, 34%, 31%, 4%]

Percentage Failures at Entity and Process Level

Below is the entity and process level control status detailing the percentage of control failures noted

Overall average Failure – 15%

Entity Level Controls: 15% failure, 85% passed
IT General Controls: 33% failure, 67% passed
Order to Cash: 7% failure, 93% passed
Financial Book Closure: 17% failure, 83% passed
Procurement and Inventory: 12% failure, 88% passed
Treasury: 14% failure, 86% passed
Taxation: 8% failure, 92% passed
Payroll: 19% failure, 81% passed
Budgeting: 13% failure, 87% passed
Fixed Assets: 8% failure, 92% passed

Control status snapshot – Manual Controls

Below is the control status snapshot detailing the percentage of manual controls across entities analyzed

Approximately 76% of the controls noted are manual despite ERPs like SAP and Oracle (~76% Manual)

Top areas with improvement or significant improvement needed:

Controls over asset tagging and verification
Controls over access rights within system
Controls over payroll process

[Bar chart: % Manual Controls by entity, Entity A to Entity G. Values shown: 64%, 82%, 53%, 69%, 85%, 49%, 83%]

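Manual Controls at Entity and Process Level

Below is the entity and process level controls status detailing the percentage of manual controls noted

Overall Average Manual Controls – 76%

[Stacked bar chart. Legend: % Manual, % Automated, % Semi Automated]

Entity Level Controls: 92% manual; other segments shown: 7%
IT General Controls: 59% manual; other segments shown: 20%, 21%
Order to Cash: 75% manual; other segments shown: 23%
Financial Book Closure: 78% manual; other segments shown: 15%, 7%
Procurement and Inventory: 65% manual; other segments shown: 24%, 11%
Treasury: 92% manual; other segments shown: 7%
Taxation: 79% manual; other segments shown: 13%, 8%
Payroll: 74% manual; other segments shown: 17%, 8%
Budgeting: 68% manual; other segments shown: 13%, 19%
Fixed Assets: 76% manual; other segments shown: 17%, 7%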

Assessment of Internal Audit Function

Presence of independent non-executive member in the Audit Committee needs to be ensured

Requirement for review and updating of Internal Audit Charter on a periodic basis

Follow up process for remediation of Internal Audit observations should be improved

Overdue Internal Audit observations and delays in their resolution

Need to strengthen independence of internal audit function / team

5. Role of Internal audit in COSO on an ongoing basis

Three Lines of Defense

Risk & control identification
Risk & control assessment
Quantification & measurement
Monitoring, testing, & verification
Reporting

Stakeholders: Senior Management; Board/Audit Committee

Internal Audit
3rd Line
BU’s
1st Line
Divisions
2nd Line
Internal Controls

Test controls periodically throughout the year
Disseminate test results to respective risk and control groups
Implement Internal Control Framework
Independent testing
Develop Internal audit plan
Report on Internal Control Framework deficiencies / non compliance
Assess the changes to processes and IT controls post last review and update the flowcharts/ process narratives
Work with external auditors to demonstrate the effectiveness of internal controls
Perform assessment of processes and controls not covered in IA scope
Internal Control team to provide inputs to the internal audit team to come up with the internal audit plan for the year.

— Perform risk and control self assessment
— Remediate the gaps identified in self assessment and through the internal control review/ Audit review
— Develop Policies and Procedures
— Develop Delegation of Authority
— Identify risk and controls
— Develop KRIs and KPIs

Provide assurance

ICOFR – Lead Responsibilities and Recommended Role of IA

01 Planning

Activity
— Project Planning
— Scoping exercise to identify the in scope areas

Lead Responsibility
— Project Sponsor (Head of Financial Reporting)
— Project Team

Recommended role of Internal Audit
— Provide advice and recommendations
— Participate in project team planning

02 Execution

Activity
— Document of the as-is process
— Evaluation & Testing
— Identification of Findings
— Remediation Plan

Lead Responsibility
— Head of Units/ Divisions and /or Project Team
— Head of Units/ Divisions and /or Project Team
— Head of Units/ Divisions
— Senior Management

Recommended role of Internal Audit
— Advise management regarding processes to be used
— Independent assessor of management’s documentation and testing or Perform effectiveness testing (for highest reliance by external auditors)
— Identify control gaps
— Facilitate management discussions

03 Reporting

Activity
— Management Reporting
— External Audit Reporting

Lead Responsibility
— Senior Management and Head of Units/ Divisions
— External Auditor

Recommended role of Internal Audit
— Facilitate determinations (to report) & Provide advice
— Act as a coordinator between management and the external auditor

04 Monitoring

Activity
— Ongoing monitoring
— Periodic assessment

Lead Responsibility
— Senior Management
— Head of Units/ Divisions and /or Line Managers

Recommended role of Internal Audit
— Perform follow-up reviews
— Perform periodic audits

9. Questions on your mind

QUESTIONS?

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2019 KPMG Lower Gulf Limited and KPMG LLP, operating in the UAE and member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the United Arab Emirates.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Thank you