Where in the world is Internal Audit in the revised Code?
This was first published in The Business Times on 10 May 2018.
Singapore’s Code of Corporate Governance, last revised in 2012, will soon be updated to reflect the rapidly changing business landscape.
A first glance at the proposed revised Code may suggest that the role of internal audit is diminished. To start, Principle 13 of the current Code on internal audit has disappeared, along with almost all its five guidelines, save one carried forward into the revised Code (as Provision 10.4).
However, a closer examination of the Corporate Governance Council’s recommendations reveals that the very opposite is true.
Under the revised structure, there will be increased scrutiny of and enhancements to internal audit. In particular, there is greater emphasis on the criticality and independence of internal audit, and the Board’s role in overseeing the adequacy and effectiveness of risk management and internal controls.
Criticality of internal audit
Under the new structure, the “comply-or-explain” requirement for each company to establish an effective internal audit function that is adequately resourced and independent (Principle 13 of the existing Code) is proposed to be shifted to the listing rules (SGX Mainboard Rule 719(3)).
This means that internal audit will become mandatory for all listed companies. This is not as draconian as it may sound because more than 95 per cent of companies already comply.
Of course, the sourcing of the internal audit function can vary. These options (in-house, outsourced or co-sourced), together with how the function can be adequately resourced and staffed, formerly in the Code guidelines, have been shifted to the less prescriptive Practice Guidance.
Independence of internal auditors
The independence of the internal auditor receives greater focus in the new structure in several places.
Here, it is useful to draw the distinction between the independence of the internal auditor and that of the external auditor.
The external auditor’s independence is usually defined in regulatory terms of whether it is free from any business or relationship with the auditees that could materially interfere with its ability to act with integrity and objectivity. Threats to auditor independence include provision of other services, financial interests, business relationships, gifts and litigation.
For the internal auditor, independence relates to its ability to carry out the assigned role freely, in an unbiased manner, without fear or favour.
Under the new structure, the audit committee is now required to comment on whether the internal audit function is independent, as well as whether it is effective and adequately resourced (SGX Mainboard Rule 1207 (10C)).
To bolster the independence of the internal audit function, Provision 10.4 of the revised Code retains the guidelines (from the current Code) that:
- The internal audit function has unfettered access to all the company’s documents, records, properties and personnel.
- It has appropriate standing within the company.
- Its primary line of reporting is to the audit committee, which also decides on the appointment, termination and remuneration of the head of internal audit.
Interestingly, the guidance in the current Code guideline that “the internal auditor would also report administratively to the CEO” has been removed. Presumably, this is to emphasise the primary reporting line of the internal auditor to the audit committee, and to avoid any misconception that the administrative reporting could result in conflict with the work and functioning of internal audit.
Effectiveness of internal controls and risk management
The Council’s recommendations seek to align the listing rules and the Code with regard to internal controls and risk management systems.
Revisions to the listing rules will require the board to comment on “the adequacy and effectiveness of the internal controls, including financial, operational, compliance and information technology controls, and risk management systems”.
Previously, boards were required to provide an opinion only on “the adequacy of internal controls”. The change in the mandatory reporting requirement has been to require only “comments” as opposed to “an opinion”, but to increase the scope to “effectiveness” and to “risk management systems”.
Compliance with the expanded scope will increase now that it will be mandated in the listing rules. The KPMG-SGX Review of Mainboard Companies’ Code of Corporate Governance Disclosures 2016 showed that almost all companies made disclosures relating to adequacy of internal controls (as required by the Listing Rules) but only 53 per cent made disclosures relating to the effectiveness of internal controls (then only required by the Code).
The distinction and gap between perceived adequacy and effectiveness should be noted. “Adequacy” means that the internal controls and risk management systems are designed appropriately. “Effectiveness” means that they are operating as intended.
To fulfil their responsibilities, boards, with the concurrence of their audit committees or such other committees that are responsible, will need to pay more attention to the evidence they are relying upon to be able to conclude that the internal controls and risk management systems are effective.
In this respect, internal audit is key. The board and audit committee must continue to ask challenging questions of internal audit, particularly in relation to the function’s position, people, scope, coverage and control deficiency management.
In summary, the Corporate Governance Council has recognised that in today’s increasingly complex world, boards need to see the importance of adequate and effective internal controls and risk management systems, and the critical role played by an independent internal audit function.
This article is contributed by Irving Low, a member of the Board Risk Committee Guide Working Committee of the Singapore Institute of Directors. Views expressed are his own.