Control Reporting
www.pwc.com/ng
Presentation at ICAN forum of firms
Uyi Akpata, Partner, PwC
26 January 2011

Agenda

Corporate governance on the radar
- The triggers
- Global response
- The Nigerian context
- Principles of the Nigerian Codes
Requirements of ISA 2007
- Overview of ISA 2007 sections 60(2), 61(2) and 63
- Objectives
Main issues that have prevented compliance with requirements of ISA 2007
Implementation challenges
- Significant changes in processes and systems required
- Information gaps
Actions needed for timely compliance
- Overview
- Key factors for consideration by SEC and market participants
Conclusion

Corporate governance on the radar

Corporate governance defined

Corporate governance is defined as rules and practices by which the Board of Directors of a corporation ensure accountability, fairness and transparency in the company's relationship with the company's management, employees, customers, suppliers, government and the community at large.

The triggers

A series of corporate financial scandals caused loss of public confidence in the capital markets and public listed companies. Notable amongst these are:
- The 1997 East Asian Financial Crisis, which saw the collapse of the economies of Thailand, Indonesia, South Korea, Malaysia and the Philippines
- The 2000 massive corporate bankruptcies in America involving Enron and WorldCom
- The 2008 global financial crisis
- The 1993/94 and 2009 financial crises in Nigeria
- Regulators' desire to be seen to be responding to the crisis of confidence that pervades the capital market in Nigeria
- Need to strengthen the governance structures that are deemed to be weak in most companies in Nigeria
- Companies need to reinforce public trust in capital markets by acting responsibly, creating value for their shareholders and being seen to do so
- Globally, business risk management and related disclosures to investors have become best practice for companies

Global response

Many countries have adopted governance and internal control reporting; more are pursuing adoption.

Top global capital markets and corporate governance reporting driver

Continent | Country | Reporting driver
North America | US* | Sarbanes Oxley Act, 2002 with SEC and PCAOB rules
North America | Canada | Canada Business Corporate Act 2010
Europe | UK* | Combined code 2003
Europe | France | Corporate Governance Code 2008
Europe | Germany | German Corporate Governance Code 2002
Europe | Spain | Unified code of good governance 2006
Europe | Switzerland | Swiss federal of obligations 2006
Australia | Australia | ASX principles of good corporate governance practice and best practices, 2007
Asia | Hong Kong | Code on Corporate Governance practices 2009
Asia | Japan | Principle of Corporate Governance for listed companies, 2004
Africa | South Africa | Kings Code 2002

The Nigerian context

- 2003 Code of Corporate Governance recommendations by Committee chaired by Atedo Peterside
- 2003 Central Bank of Nigeria's Code of Corporate Governance for banks and other financial institutions in Nigeria
- Investment and Securities Act (ISA) 2007 Sections 60(2d f), 61(2) and 63
- CBN Scope, conditions and minimum standards for Commercial Banks Regulations No. 01, 2010.
Section 5 (f): through its Board of Directors, report on the implementation and effectiveness of its internal control framework to the CBN within four months after the year end.

The principles of the Nigerian code

1. Board to have rigorous control over financial audit and internal control, and compliance with the law
2. Companies to disclose their corporate governance/internal controls status
3. Rigorous procedures for appointment, training & evaluation of boards
4. Separate chairman and chief executive
5. An effective and well informed board
6. Audit Committee & Auditors independence
7. Board to be responsible for setting the strategic direction of the business
8. Fair and responsible remuneration for directors and senior executives
9. Board to communicate with shareholders and encourage their participation
10. The directors and officers to have full loyalty to the company

The expected reward

Does your reporting system convey an organisation that is well connected to the governance principles and reward?

Requirements of ISA 2007

Overview of ISA 2007 sections 60(2), 61(2) and 63

A statement from the CEOs and CFOs that:
1. They have reviewed the audited financial statements and such other prescribed returns;
2. Based on their knowledge, the audited financial statements or returns do not contain any untrue statement of a material fact or omit to state a material fact that would make the statement misleading in the light of the circumstance in which the statement was made;
3. Based on their knowledge, the financial statements and other financial information included in the report fairly present in all material respects the financial condition and results of operation of the company as of, and for the periods presented in, the report;
4.
They are responsible for establishing and maintaining internal controls; have designed the controls to ensure that material information relating to the company and its subsidiaries is made known to them by others within the entities for the period in which the financial statements or returns are being prepared; have evaluated the effectiveness of the internal controls as of X (a date within 90 days prior to the financial statements or returns date); and have presented their conclusion about the effectiveness of internal controls based on their evaluation as of X;
5. They have disclosed to the auditors of the company and the audit committee:
i) all significant deficiencies in the design or operation of internal controls which would adversely affect the company's ability to record, process, summarise and report financial data, and have identified for the auditors any material weakness in internal controls;
ii) any fraud, whether material or not, that involves management or other employees who have a significant role in the company's internal controls;
6. They have identified whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective action relating to the significant deficiencies and material weaknesses

Overview of ISA 2007 sections 60(2), 61(2) and 63 (contd.)

Auditors' involvement
An Auditor of a public company shall in his audit report to the company issue a statement as to the existence, adequacy and effectiveness or otherwise of the internal control of the public company

Board responsibility
A statement from the board on the effectiveness of internal controls
Requirements of ISA 2007: Objectives

Matters to re-iterate: Effective internal control has three main objectives

COSO Framework / USA
A defined process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operation
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Turnbull guidance / UK
A sound system of internal controls would:
- Facilitate effective and efficient operations,
- Help ensure quality of internal and external reporting, and
- Help ensure compliance with applicable laws and regulations

Coco Objectives / Canada
The three objectives of internal control include:
- Effectiveness and efficiency of operation
- Reliability of internal and external reporting
- Compliance with applicable laws and regulations and internal policies

ISA 2007
Policies, procedures and practices put in place by management to ensure:
- Safety of assets, accuracy of financial records and reports,
- Achievement of corporate objectives (operational & strategic)
- Compliance with laws and regulations

Main issues that have prevented compliance with requirements of ISA 2007

No guidelines and absence of a recommended framework such as COSO

SEC's response - In April 2010, SEC inaugurated a committee charged with the mandate to develop the guideline. We understand that the development of the guideline is work in progress.

Internal control objectives
- Policies, procedures and practices in place to set the tone at the top
- Policies, procedures and functions in place to ensure that the business objectives & the business risks are effectively & efficiently identified
- Processes and functions in place to ensure that the performance of the internal control system is effectively monitored and improved upon
- Policies and procedures in place to prevent, detect and address risks
- Processes in place to ensure that risks and control activities are effectively communicated to the relevant parties

Implementation challenges

Information gap

Despite efforts by organisations to demonstrate their commitment to good corporate governance practices, information available indicates that the corporate governance practices in companies generally do not measure up against competition and best practices. One of the critical causes is poor quality of information. Presented below is the result of our survey on the challenges of corporate governance reporting for FTSE 350 companies.

The situation in Nigeria may even be worse than this

Significant changes in processes and systems required

Your organisation:

Processes - Process changes required
- Management reporting
- Financial and non-financial processes
- Data gaps

System - New systems required
- Governance Risk Management & Compliance (GRC) function, GRC documentation and reporting tools
- GRC knowledge management system

People - Change management will be required
- High levels of commitment in terms of time and money
- Communication strategy
- Training strategy
- Project process support
- Launch & buy-in activities
- Resource / skills to manage the change
- Embedding knowledge new policies & processes
- Training & performance support

These need to be addressed to provide a good platform for a successful and sustainable implementation of the ISA 2007

Actions needed for timely compliance

Overview

The recent queries auditors and some market participants had received from SEC for non-compliance with the Act reiterate the urgency for the development of an implementation guideline.
The primary objectives of the guideline should be:
- To ensure common definition and interpretation by market participants and other interested parties
- To provide a basis for the design, execution, evaluation and reporting of internal control systems by market participants
Ultimately, allowing organisations to have better visibility of the risks (strategic, operational, reporting and compliance) impacting their business, the associated controls and improvement needs, and to facilitate better alignment to the overall business objectives

Key factors for consideration by SEC and market participants

1. Point of focus: What Auditing framework will be used?
Suggested response:
- ENHANCED Standards on auditing, which typically include, for example, all ISAs and controls standards over financial reporting. For instance, consider PCAOB AS5 in the USA
- Or International Standards on Assurance Engagements (ISAE 3000)
- Or International Standards on Related Services (ISRS 4400)

2. Point of focus: What Reporting format is required for filing to SEC
Suggested response:
- Mix of ISA 700 and ISAE 3000
- Or No opinion - provide only report of findings
- Or No opinion - provide Management Controls Report

3. Point of focus: What is the Level of assurance required?
Suggested response:
- Reasonable assurance on historical financial information and controls over financial reporting
- Or Limited or Reasonable assurance on internal controls over financial reporting
- Or No assurance

4. Point of focus: Is there a clear understanding of the requirements of the ISA 2007 and the fundamental principles of internal control? What constitutes effective internal controls? What constitutes an evaluation of internal controls? Does disclosure on the effectiveness of compliance programmes reflect the actual position in a business?
Suggested response: Many concepts may be foreign to key non-accountants. As a result, education may be needed to ensure that concepts such as financial statement assertions are fully understood.
For example, for financial internal controls, a good starting point for the risk assessment is an evaluation of all significant account balances or disclosures in the financial statements and the underlying processes and/or locations that generate them. Some key points of focus, for example, include:
- The determination of significant locations
- The identification of significant accounts and disclosures
- Determining relevant assertions and risks
- Determining significant processes and locations
- Determining key internal financial controls
- Design effectiveness
- Operating effectiveness

5. Point of focus: What control framework should govern the design and evaluation of internal controls over the 4 dimensions (financial reporting, strategic, operational and compliance)?
Suggested response: A well established internal control framework such as:
- COSO for internal control over financial reporting
- ISO 9001 and HIPAA for compliance with regulation; and
- Six Sigma for operational
- Or Agreed upon procedures (AUP)

6. Key area of focus: How does an organisation conduct an assessment of internal controls and evidence supporting the performance of the controls? Have all the risks to the preparation of the financial statements in accordance with the applicable financial reporting framework (such as IFRS), including, where relevant, their fair presentation, been identified and documented?
Suggested response: It is difficult to provide guidance and have that guidance consistently applied for qualitative judgments.
It is more effective to have these decisions made by a small core of senior individuals for the company as a whole.
The internal audit function is responsible for maintaining reasonable support for the assessment or assurance of the internal control system. The extent of support required will vary based on the reporting risks identified and other factors, such as the size and complexity of the entity.
Evaluations should begin with a top-down, risk-based approach rather than a bottom-up one, to ensure that only key risks impacting on the internal control dimension are evaluated and efficiencies achieved. Application of a bottom-up approach most times leads to many non-key controls being evaluated.
Therefore, Internal audit, together with management, should decide the nature and extent of support required to validate its decision, and the reporting format.

Key area of focus 6 (contd.): Are there controls (manual and automated) in place to address these risks and are they adequately designed to prevent or detect material misstatements in the financial statement results and disclosures? Who assures these compliance programmes and the impact of legislative changes on the business/organisation etc? What reporting format is appropriate?

7. Key area of focus: What can the audit committee expect from the results of the evaluation?
Suggested response: The audit committee's first inclination may be to have all control deficiencies reported to it at least for the first year.
Excessive audit committee involvement with relatively minor control deficiencies could compromise the learning that management may benefit from in the first year and may well result in an inefficient use of the audit committee's time and resources.
It is important to balance the volume of reporting from management to avoid the risk of overloading the audit committee and to avoid adding an extra layer of judgment onto decisions about significance.
The audit committee will have all significant control and material deficiencies reported to it. Control deficiencies that do not rise to the level of significant or material will be discussed with management but will most likely not be reported to the audit committee.

8. Key area of focus: How does the audit committee know if its oversight is appropriate?
Suggested response: The evaluation of the audit committee should be performed every year.

9. Key area of focus: How does the evaluation of internal controls address the risk of fraud?
Suggested response: In the past, fraud in relation to material misstatement of the financial statements was most commonly thought of in terms of misappropriation of assets. More recently, manipulation of financial reporting has been the more common fraud. The risk of fraud must be considered by internal management as part of the internal financial control project. Key considerations should include explicit assessment of fraud risk and identification of relevant controls, and the development of an appropriate approach to testing those controls.

Actions needed for timely compliance

Developing the implementation guideline around the four dimensions of internal control objectives requires huge investment by SEC in terms of commitment, time and money.
In view of the urgency of the implementation guideline and the need for the market to fully comply by the end of 2011, SEC will be required to undertake the following critical activities:

Strategy for developing implementation guideline for ISA 2007

Project management
- Prioritise the four dimensions of the internal control objectives and focus on the high priority areas, for example financial reporting, and then assess the possible implications to public acceptance.
- Actively engage with key stakeholders in the industry such as ICAN and NASB and professionals to leverage the knowledgebase in the industry
- Engage public listed companies to update them with developments and plans to facilitate compliance

Capacity building
- Evaluate its current capacity to receive reports and test the adequacy and effectiveness of the compliance by market participants
- Invest in capacity building and establish the appropriate infrastructure such as technology, internal methodology/checklist and processes
- Establish functions and processes to handle Frequently Asked Questions (FAQ) from the public
- Establish functions and processes to communicate feedback on compliance assessment and actions to the market

Public companies

Comply with the ISA 2007 by undertaking the following actions:
- Implement awareness education and readiness assessment on the ISA 2007 Act sections relating to internal control, with focus on financial reporting
- Implement a control framework incorporating the four dimensions of internal controls (strategic, operational, financial and compliance) that is documented and achieves fair presentation of the financial statement results and disclosures in accordance with generally accepted accounting principles
- Follow a risk-based approach by identifying likely sources of material errors in the financial statements and disclosures.
These risks should then be mitigated by controls that are adequately designed and are operating effectively to ensure fair presentation of the financial statements and disclosures.
- Have Internal audit evidence an annual assessment of the design adequacy and operating effectiveness of internal financial controls, maintaining relevance over time by taking into consideration any changes to both internal and external factors impacting the company.
- Identify the laws and regulatory obligations that are applicable, including the non-binding rules and standards with which an entity/organisation wishes to comply
- Implement a comprehensive compliance policy and regularly monitor compliance with the policy through the governance structures and inclusion on the board agenda.

ICAN
- Establish auditing standards which will guide audits of financial statements in conjunction with an audit of internal control. Consider for example PCAOB AS5 for USA.

Audit firms
- Continue engaging SEC and the public to educate them on the implications of the Act and required actions.
- Invest in capacity building through education and recruitment of subject matter experts

Auditors' intervention

Auditors should immediately engage their clients and be asking them the following questions:
- Do you have a clear understanding of the requirements of the ISA 2007 and the fundamental principles of internal controls?
- What constitutes an effective system of internal controls?
- What constitutes an evaluation of the system of internal controls?
- Do you have approved and effective compliance programmes?
- Who assures these compliance programmes and the impact of legislative changes on the business/organisation etc?
- To which management or board committee is the assurance provided?
- Are you satisfied that this assurance is reliable?
- How will control deficiencies be evaluated and reported?
- Does your disclosure on the effectiveness of compliance programmes reflect the actual position in your business/organisation?
- What project management protocols have been established to facilitate an efficient and effective assessment?
- What Auditing framework will be used?
- What Reporting format is required for filing to SEC
- What Level of assurance is required?
- Should an audit opinion be given by a separate firm?
- What procedures are in place in evaluating procedures of service organisations?

Conclusion

Auditors would continue to have a key role to play in Corporate Governance systems. With regulations evolving all over the world, we should be at the forefront in determining how compliance can be effective.