
Enforcing Transparency and best practices in Corporate Governance - Focus on Internal Control Reporting
www.pwc.com/ng
Presentation at ICAN forum of firms
Uyi Akpata Partner PwC
26 January 2011
Agenda
Corporate governance on the radar
The triggers
Global response
The Nigerian context
Principles of the Nigerian Codes
Requirements of ISA 2007
Overview of ISA 2007 sections 60(2), 61(2) and 63
Objectives
Main issues that have prevented compliance with requirements of ISA 2007
Implementation challenges
Significant changes in processes and systems required
Information gaps
Actions needed for timely compliance
Overview
Key factors for consideration by SEC and market participants
Conclusion
Corporate governance on the radar
Corporate governance defined
Corporate governance is defined as the rules and practices by which the Board of Directors of a corporation ensures accountability, fairness and transparency in the company's relationship with the company's management, employees, customers, suppliers, government and the community at large.
The triggers
- Series of corporate financial scandals that caused loss of public confidence in the capital markets and public listed companies. Notable amongst these are the:
  - 1997 East Asian Financial Crisis, which saw the collapse of the economies of Thailand, Indonesia, South Korea, Malaysia and the Philippines
  - 2000 massive corporate bankruptcies in America involving Enron and WorldCom
  - 2008 global financial crisis
  - 1993/94 and 2009 financial crises in Nigeria
- Regulators' desire to be seen to be responding to the crisis of confidence that pervades the capital market in Nigeria
- Need to strengthen the governance structures that are deemed to be weak in most companies in Nigeria
- Companies need to reinforce public trust in capital markets by acting responsibly, creating value for their shareholders and being seen to do so
- Globally, business risk management and related disclosures to investors have become best practice for companies
Global response
Top Global Capital Markets and corporate governance reporting driver

| Continent | Country | Reporting Driver |
|---|---|---|
| North America | US* | Sarbanes Oxley Act, 2002 with SEC and PCAOB rules |
| North America | Canada | Canada Business Corporate Act 2010 |
| Europe | UK* | Combined code 2003 |
| Europe | France | Corporate Governance Code 2008 |
| Europe | Germany | German Corporate Governance Code 2002 |
| Europe | Spain | Unified code of good governance 2006 |
| Europe | Switzerland | Swiss federal of obligations 2006 |
| Australia | Australia | ASX principles of good corporate governance practice and best practices, 2007 |
| Asia | Hong Kong | Code on Corporate Governance practices 2009 |
| Asia | Japan | Principle of Corporate Governance for listed companies, 2004 |
| Africa | South Africa | Kings Code 2002 |

[Map labels: North America, Europe & UK, Asia, Japan, Hong Kong, Africa, Australia]

Many countries have adopted governance and internal control reporting; more are pursuing adoption.
The Nigerian context
- 2003 Code of Corporate Governance recommendations by Committee chaired by Atedo Peterside
- 2003 Central Bank of Nigeria's Code of Corporate Governance for banks and other financial institutions in Nigeria
- Investment and Securities Act (ISA) 2007, Sections 60(2d-f), 61(2) and 63
- CBN Scope, conditions and minimum standards for Commercial Banks Regulations No. 01, 2010. Section 5 (f): through its Board of Directors, report on the implementation and effectiveness of its internal control framework to the CBN within four months after the year end.
The principles of the Nigerian code
1 Board to have rigorous control over financial audit and internal control, and compliance with the law
2 Companies to disclose their corporate governance/internal controls status
3 Rigorous procedures for appointment, training & evaluation of boards
4 Separate chairman and chief executive
5 An effective and well informed board
6 Audit Committee & Auditors independence
7 Board to be responsible for setting the strategic direction of the business
8 Fair and responsible remuneration for directors and senior executives
9 Board to communicate with shareholders and encourage their participation
10 The directors and officers to have full loyalty to the company
The expected reward
Does your reporting system convey an organisation that is well connected to the governance principles and reward?
Requirements of ISA 2007
Overview of ISA 2007 sections 60(2), 61(2) and 63
A statement from the CEOs and CFOs that:
1. They have reviewed the audited financial statements and such other prescribed returns;
2. Based on their knowledge the audited financial statements or returns do not contain any untrue statement of a material fact or omit to state a material fact that would make the statement misleading in the light of the circumstance in which the statement was made;
3. Based on their knowledge the financial statements and other financial information included in the report fairly present in all material respects the financial condition and results of operation of the company as of, and for the periods presented in the report;
4. They are responsible for establishing and maintaining internal controls; have designed the controls to ensure that material information relating to the company and its subsidiaries is made known to them by others within the entities for the period in which the financial statements or returns are being prepared; have evaluated the effectiveness of the internal controls as of X (a date within 90 days prior to the financial statements or returns date), have presented their conclusion about the effectiveness of internal controls based on their evaluation as of X;
5. They have disclosed to the auditors of the company and the audit committee: i) all significant deficiencies in the design or operation of internal controls which would adversely affect the company's ability to record, process, summarise and report financial data and have identified for the auditors any material weakness in internal controls; ii) any fraud, whether material or not, that involves management or other employees who have a significant role in the company's internal controls;
6. They have identified whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective action relating to the significant deficiencies and material weaknesses.
Overview of ISA 2007 sections 60(2), 61(2) and 63 (contd.)
Auditors' involvement
An Auditor of a public company shall in his audit report to the company issue a statement as to the existence, adequacy and effectiveness or otherwise of the internal control of the public company.
Board responsibility
A statement from the board on the effectiveness of internal controls.
Objectives
Matters to re-iterate: Effective internal control has three main objectives

COSO Framework / USA
A defined process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operation
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Turnbull guidance / UK
A sound system of internal controls would:
- Facilitate effective and efficient operations,
- Help ensure quality of internal and external reporting, and
- Help ensure compliance with applicable laws and regulations

Coco Objectives / Canada
The three objectives of internal control include:
- Effectiveness and efficiency of operation
- Reliability of internal and external reporting
- Compliance with applicable laws and regulations and internal policies

ISA 2007
Policies, procedures and practices put in place by management to ensure:
- Safety of assets, accuracy of financial records and reports,
- Achievement of corporate objectives (operational & strategic)
- Compliance with laws and regulations
Main issues that have prevented compliance with requirements of ISA 2007
No guidelines and absence of a recommended framework such as COSO
Internal control objectives
- Policies, procedures and practices in place to set the tone at the top
- Policies, procedures and functions in place to ensure that the business objectives & the business risks are effectively & efficiently identified
- Processes and functions in place to ensure that the performance of the internal control system is effectively monitored and improved upon
- Policies and procedures in place to prevent, detect and address risks
- Processes in place to ensure that risks and control activities are effectively communicated to the relevant parties
SEC's response - In April 2010, SEC inaugurated a committee charged with the mandate to develop the guideline. We understand that the development of the guideline is work in progress.
Implementation challenges
Information gap
Despite efforts by organisations to demonstrate their commitment to good corporate governance practices, information available indicates that the corporate governance practices in companies generally do not measure up against competition and best practices. One of the critical causes is poor quality of information. Presented below is the result of our survey on the challenges of corporate governance reporting for FTSE 350 companies.
The situation in Nigeria may even be worse than this.
Implementation challenges
Significant changes in processes and systems required
Your organisation
Processes - Process changes required
- Management reporting
- Financial and non-financial processes
- Data gaps
System - New systems required
- Governance Risk Management & Compliance (GRC) function, GRC documentation and reporting tools
- GRC knowledge management system
People - Change management will be required
- High levels of commitment in terms of time and money
- Communication strategy
- Training strategy
- Project process support
- Launch & buy-in activities
- Resource / skills to manage the change
- Embedding knowledge new policies & processes
- Training & performance support
These need to be addressed to provide a good platform for a successful and sustainable implementation of the ISA 2007.
Actions needed for timely compliance
Overview
The recent queries auditors and some market participants had received from SEC for non-compliance with the Act reiterate the urgency for the development of an implementation guideline.
The primary objectives of the guideline should be:
- To ensure common definition and interpretation by market participants and other interested parties
- To provide a basis for the design, execution, evaluation and reporting of internal control systems by market participants
- Ultimately, to allow organisations to have better visibility of the risks (strategic, operational, reporting and compliance) impacting their business, the associated controls and improvement needs, and to facilitate better alignment to the overall business objectives
Key factors for consideration by SEC and market participants

1. Point of focus: What Auditing framework will be used?
Suggested response:
- ENHANCED Standards on auditing, which typically include for example all ISAs and controls standards over financial reporting. For instance, consider PCAOB AS5 in the USA
- Or International Standards on Assurance Engagements (ISAE 3000)
- Or International Standards on Related Services (ISRS 4400)

2. Point of focus: What Reporting format is required for filing to SEC?
Suggested response:
- Mix of ISA 700 and ISAE 3000
- Or No opinion - provide only report of findings
- Or No opinion - provide Management Controls Report

3. Point of focus: What is the Level of assurance required?
Suggested response:
- Reasonable assurance on historical financial information and controls over financial reporting
- Or Limited or Reasonable assurance on internal controls over financial reporting
- Or No assurance
4. Point of focus: Is there a clear understanding of the requirements of the ISA 2007 and the fundamental principles of internal control?
- What constitutes effective internal controls?
- What constitutes an evaluation of internal controls?
- Does disclosure on the effectiveness of compliance programmes reflect the actual position in a business?
Suggested response:
Many concepts may be foreign to key non-accountants. As a result, education may be needed to ensure that concepts such as financial statement assertions are fully understood.
For example, for financial internal controls, a good starting point for the risk assessment is an evaluation of all significant account balances or disclosures in the financial statements and the underlying processes and/or locations that generate them.
Some key points of focus, for example, include:
- The determination of significant locations
- The identification of significant accounts and disclosures
- Determining relevant assertions and risks
- Determining significant processes and locations
- Determining key internal financial controls
- Design effectiveness
- Operating effectiveness
5. Point of focus: What control framework should govern the design and evaluation of internal controls over the 4 dimensions (financial reporting, strategic, operational and compliance)?
Suggested response:
A well established internal control framework such as:
- COSO for internal control over financial reporting
- ISO 9001 and HIPAA for compliance with regulation; and
- Six Sigma for operational
Or
Agreed upon procedures (AUP)
6. Key area of focus: How does an organisation conduct an assessment of internal controls and evidence supporting the performance of the controls?
- Have all the risks to the preparation of the financial statements in accordance with the applicable financial reporting framework (such as IFRS), including where relevant, their fair presentation, been identified and documented?
- Are there controls (manual and automated) in place to address these risks and are they adequately designed to prevent or detect material misstatements in the financial statement results and disclosures?
- Who assures these compliance programmes and the impact of legislative changes on the business/organisation etc?
- What reporting format is appropriate?
Suggested response:
It is difficult to provide guidance and have that guidance consistently applied for qualitative judgments. It is more effective to have these decisions made by a small core of senior individuals for the company as a whole.
Internal audit function is responsible for maintaining reasonable support for the assessment or assurance of internal control system. The extent of support required will vary based on the reporting risks identified and other factors, such as the size and complexity of the entity.
Evaluations should begin with a top-down risk based approach rather than a bottom-up one to ensure that only key risks impacting on the internal control dimension are evaluated and efficiencies achieved. Application of a bottom-up approach most times leads to many non-key controls being evaluated.
Therefore, Internal audit, together with management, should decide the nature and extent of support required to validate its decision and the reporting format.
7. Key area of focus: What can the audit committee expect from the results of the evaluation?
Suggested response:
The audit committee's first inclination may be to have all control deficiencies reported to it, at least for the first year. Excessive audit committee involvement with relatively minor control deficiencies could compromise the learning that management may benefit from in the first year and may well result in an inefficient use of the audit committee's time and resources.
It is important to balance the volume of reporting from management to avoid the risk of overloading the audit committee and to avoid adding an extra layer of judgment onto decisions about significance.
The audit committee will have all significant control and material deficiencies reported to it. Control deficiencies that do not rise to the level of significant or material will be discussed with management but will most likely not be reported to the audit committee.

8. Key area of focus: How does the audit committee know if its oversight is appropriate?
Suggested response:
The evaluation of the audit committee should be performed every year.
9. Key area of focus: How does the evaluation of internal controls address the risk of fraud?
Suggested response:
In the past, fraud in relation to material misstatement of the financial statements was most commonly thought of in terms of misappropriation of assets. More recently, manipulation of financial reporting has been the more common fraud.
The risk of fraud must be considered by internal management as part of the internal financial control project. Key considerations should include explicit assessment of fraud risk and identification of relevant controls, and the development of an appropriate approach to testing those controls.
Strategy for developing implementation guideline for ISA 2007
Developing the implementation guideline around the four dimensions of internal control objectives requires huge investment by SEC in terms of commitment, time and money.
In view of the urgency of the implementation guideline and the need for the market to fully comply by the end of 2011, SEC will be required to undertake the following critical activities:
Project management
- Prioritise the four dimensions of the internal control objectives and focus on the high priority areas, for example financial reporting, and assess the possible implications to public acceptance.
- Actively engage with key stakeholders in the industry such as ICAN and NASB and professionals to leverage the knowledge base in the industry
- Engage public listed companies to update them with developments and plans to facilitate compliance
Capacity building
- Evaluate its current capacity to receive reports and test the adequacy and effectiveness of the compliance by market participants
- Invest in capacity building and establish the appropriate infrastructure such as technology, internal methodology/checklist and processes
- Establish functions and processes to handle Frequently Asked Questions (FAQ) from the public
- Establish functions and processes to communicate feedback of compliance assessment and actions to the market
Public companies
Comply with the ISA 2007 by undertaking the following actions:
- Implement awareness education and readiness assessment of the ISA 2007 Act sections relating to internal control with focus on financial reporting
- Implement a control framework incorporating the four dimensions of internal controls (strategic, operational, financial and compliance) that is documented and achieves fair presentation of the financial statement results and disclosures in accordance with generally accepted accounting principles
- Follow a risk-based approach by identifying likely sources of material errors in the financial statements and disclosures. These risks should then be mitigated by controls that are adequately designed and are operating effectively to ensure fair presentation of the financial statements and disclosures.
- Have Internal audit evidence an annual assessment of the design adequacy and operating effectiveness of internal financial controls and maintain relevance over time by taking into consideration any changes to both internal and external factors impacting the company.
- Identify the laws and regulatory obligations that are applicable, including the non-binding rules and standards with which an entity/organisation wishes to comply
- Implement a comprehensive compliance policy and regularly monitor compliance with the policy through the governance structures and inclusion on the board agenda.
ICAN
- Establish auditing standards which will guide audits of financial statements in conjunction with an audit of internal control. Consider for example PCAOB AS5 for USA.
Audit firms
- Continue engaging SEC and the public to educate them on the implications of the Act and required actions.
- Invest in capacity building through education and recruitment of subject matter experts
Auditors' intervention
Auditors should immediately engage their clients and ask them the following questions:
- Do you have a clear understanding of the requirements of the ISA 2007 and the fundamental principles of internal controls?
- What constitutes an effective system of internal controls?
- What constitutes an evaluation of the system of internal controls?
- Do you have approved and effective compliance programmes?
- Who assures these compliance programmes and the impact of legislative changes on the business/organisation etc?
- To which management or board committee is the assurance provided?
- Are you satisfied that this assurance is reliable?
- How will control deficiencies be evaluated and reported?
- Does your disclosure on the effectiveness of compliance programmes reflect the actual position in your business/organisation?
- What project management protocols have been established to facilitate an efficient and effective assessment?
- What Auditing framework will be used?
- What Reporting format is required for filing to SEC?
- What Level of assurance is required?
- Should an audit opinion be given by a separate firm?
- What procedures are in place in evaluating procedures of service organisations?
Conclusion
Auditors would continue to have a key role to play in Corporate Governance systems. With regulations evolving all over the world, we should be at the forefront in determining how compliance can be effective.
