Auditing Theory 2 Summary Notes

Contents
I. Overview of Corporate Governance
II. Code of Corporate Governance for Public Companies and Registered Issuers
III. Philippine Stock Exchange Corporate Governance

I. OVERVIEW OF CORPORATE GOVERNANCE

Corporate governance can be viewed from various perspectives, including:
i. Legal structures
ii. Business controls; checks and balances
iii. The wider concept of how a business is led and managed
*Not an official definition; operating definition used by PwC UK

Why it matters
- There are several drivers for better governance, but not all are of equal importance.
- The FRC highlights the following:
  - Management of external risks
  - Right tone from the top
  - Culture of ethical values
- The most effective drivers focus on doing the right thing.
- Ultimate benefit of effective governance: higher trust (internal and external)

Drivers (landscape)
- Stakeholder oversight and performance expectations
- Critical need to manage business complexity, volatility, and change
- Increased global risk
- Cost of FRC
- Corporate governance code and regulations
- Need to secure investment

Benefits (value)
- Enhanced performance and decision-making
- Strategic/competitive advantage
- Confidence and trust of all stakeholders
- Cost efficiency and improved ROI
- Market value and reputation
- Increased enterprise resilience
- Compliance and transparency
*Governance is the bridge between the drivers and the benefits; it is the key to creating value.

Five Pillars of Corporate Governance (corresponding FRC Code section in parentheses)
1. Leadership, Strategy and Culture (Leadership)
- Setting the business' tone from the top (intangible) through the leaders' exhibition of ethics and values
- Such tone shapes actions, decisions, and relationships across the organization
2. Structure and Performance Oversight (Effectiveness)
- The tone must be infused at all levels of the organization through structures and mechanisms such as monitoring, internal audit, and contingency plans for crisis management
- Permeating leadership
3. Risk (Accountability)
- Heart of corporate governance
- Components must be designed in the context of the organization's overall risk appetite
4. Management Information and Controls (Remuneration)
- Information systems for collecting, analyzing, and reporting information
- Reward and recognition processes to encourage desired behavior
- Requires that information is managed accurately and effectively
- Measurement of performance through KPIs
5. Transparency and Reporting (Relations with shareholders)
- Interested parties gain a clear understanding of the business' purpose/board mandate and the alignment of strategies to such purpose
- There is an obligation to report and be transparent

II. CODE OF CORPORATE GOVERNANCE FOR PUBLIC COMPANIES AND REGISTERED ISSUERS
Ref: SEC MC No. 24

Essential points:
- The code is not a one-size-fits-all framework.
- Smaller companies may decide that the costs of some provisions outweigh the benefits.

Definitions
Board of Directors – elected governing body that exercises the powers of the corporation; may refer to Trustees
Corporate Governance – system of stewardship and control to guide organizations in fulfilling their obligations; a system of direction, feedback, and control that uses regulations, performance standards, and ethical guidelines. Purpose: maximization of long-term success; sustainability for shareholders and the nation
Enterprise Risk Management – process designed to identify and manage risks so that they stay within the risk appetite, and to provide reasonable assurance regarding the achievement of objectives
Executive director – involved in the day-to-day operations of a part or the whole of the corporation
Non-executive director – no executive responsibility; no work related to day-to-day operations
Independent director – independent of management and the controlling shareholder; free from relationships that would interfere with independent judgment
Internal control – process designed and effected by the BOD, management, and all levels of personnel to achieve the objectives of:
1. Effective and efficient operations
2. Reliable financial reporting
3. Compliance with laws, regulations, policies, and procedures
Management – executives given authority by the BOD to implement policies
Members – members of non-stock corporations
Proprietary Right – interest, participation, or privilege giving the holder the right to use facilities and to receive dividends and assets upon liquidation
Non-Proprietary Right – interest, participation, or privilege over a specific property of the corporation; the holder is not entitled to dividends and assets upon liquidation
Public Company – corporation with assets of at least P50 million and 200 or more shareholders each holding at least 100 shares of a class of its equity securities
Registered Issuer – corporation that issues proprietary and/or non-proprietary shares; issues equity securities not listed on an Exchange; or issues debt securities required to be registered with the SEC, whether listed or not
Related parties – covers the entity's directors, officers, substantial shareholders, and their spouses and relatives within the fourth civil degree of consanguinity or affinity, legitimate or common-law, and others if they have control, joint control, or significant influence over the entity
Related party transactions – transfer of resources between the reporting entity and a related party regardless of whether a price is charged; interpreted broadly to include transactions with unrelated parties that subsequently become related parties
Significant influence – power to participate in financial and operating decisions, but without control or joint control
Stakeholders – any individual, organization, or society that either affects or is affected by a company's strategies, policies, decisions, and operations

The Board's Governance Responsibilities
*Refer to the material for further information

1. COMPETENT BOARD
1.1. Directors must be competent (working knowledge, experience, and expertise relevant to the industry); the board should set qualification standards
1.2. Headed by a competent and qualified Chairperson
1.3. Orientation program (first-timers) and continuing training (all) for directors
1.4. Board diversity
1.5. Corporate secretary
- Separate from the Compliance officer
- Not a member of the Board
- Attends annual training on corporate governance
- Responsible to the corporation and shareholders
1.6. Compliance officer
- Rank of Senior VP or equivalent
- Not a member of the Board
- Attends annual training on corporate governance
- Responsible to the corporation and shareholders

2. CLEAR ROLES AND RESPONSIBILITIES OF THE BOARD
2.1. Board should act in good faith with due diligence, serving the best interest of the company and shareholders. Two elements: (1) duty of care; (2) duty of loyalty
2.2. Board should oversee, approve, and monitor strategy
2.3. Effective succession planning program for continuous growth; includes a retirement policy
2.4. Policy specifying the relationship between performance and remuneration
- Remuneration must be commensurate to responsibilities
- No director should participate in determining his own compensation
- Pay-out schedules should be sensitive to risk outcomes over a multi-year horizon
- Independent determination of remuneration for those in control functions
2.5. Formal and transparent board nomination and election policy
Qualifications:
- Knowledge, skills, and experience (for NEDs)
- Independence of mind
- Integrity record
- Good reputation
- Sufficient time
- Smooth interaction with members, while avoiding groupthink (individual members of small cohesive groups accepting the viewpoint that represents consensus), to ensure optimal decision-making
Disqualifications:
- Permanent: convicted by final judgment of a crime; judicially declared insolvent
- Temporary: absence in more than 50% of regular and special meetings; dismissal as director in any company (may clear himself); beneficial equity ownership of an independent director exceeding 2% of subscribed capital stock; judgments on grounds for permanent disqualification that are not yet final
2.6. Policy governing related party transactions
2.7. Selection and performance assessment of Management, led by the CEO
2.8. Effective performance evaluation framework
2.9. Appropriate internal control system
2.10. Enterprise Risk Management framework for managing key business risks; the board is responsible for defining risk tolerance
2.11. Board Charter as a guide to all directors; publicly available

3. BOARD COMMITTEES
3.1. Establish board committees for specific board functions, composed only of board members (including the chairperson)
3.2. Audit Committee
3.3. Corporate Governance Committee
3.4. Board Risk Oversight Committee
3.5. Committee Charters

4. COMMITMENT
4.1. Directors should attend and participate in all meetings (in person or through teleconferencing) unless with justifiable excuse
4.2. Maximum concurrent directorships in public companies and/or registered issuers: 10; 5 if sitting in 3 publicly listed companies
4.3. A director must notify the board where he is an incumbent director before accepting a directorship in another company

5. BOARD INDEPENDENCE
5.1. Board must be composed of a majority of NEDs
5.2. At least 2 or 1/3 of the members must be independent directors, whichever is higher
5.3. Independent directors must possess all the qualifications and none of the disqualifications
5.4. Independent directors serve for a maximum term of 9 years (may be retained if there is justification)
5.5. The Chairperson of the Board and the CEO are separate persons
Chairperson of the Board:
- Makes sure meetings focus on strategic matters
- Guarantees receipt of information that would enable sound decision-making
- Fosters an environment of constructive debate
- Challenges and inquires into representations by management
- Ensures proper orientation and training for directors
- Evaluation of the board at least annually
CEO:
- Implements the corporate strategic plan
- Communicates and implements the VMG, values, and strategy
- Oversees operations
- Manages human and financial resources
- Good working knowledge of the industry
- Directs key officers
- Manages resources prudently
- Provides the Board with timely information
- Builds corporate culture
- Motivates employees
- Serves as the link between internal operations and external stakeholders
5.6. Designate a lead director among the independent directors if the Chairperson is not independent
- Intermediary between the chairperson and the other directors
- Convenes meetings of NEDs
- Contributes to the performance evaluation of the chairperson
5.7. Directors with a material or potential interest in any transaction should: disclose it; abstain in deliberations; recuse from voting on approval of the transaction
5.8. NEDs should have separate periodic meetings with the external auditor and with the internal audit, compliance, and risk functions

6. BOARD PERFORMANCE ASSESSMENT
6.1. Annual self-assessment
6.2. Put in place a system that provides, at minimum, the criteria and process to determine performance

7. STRENGTHENING BOARD ETHICS
7.1. Adopt a Code of Business Conduct and Ethics
7.2. Ensure proper implementation and monitoring of compliance with the Code

8. ENHANCE DISCLOSURE POLICIES AND PROCEDURES
8.1. Establish corporate disclosure policies and procedures to ensure that shareholders are given an accurate picture of the company's condition
8.2. Require directors and officers to disclose dealings in shares within 5 business days
8.3. Manual on Corporate Governance: submitted to the Commission; posted on the website
8.4. Annual Corporate Governance Report

9. STRENGTHENING INDEPENDENCE OF THE EXTERNAL AUDITOR AND IMPROVING AUDIT QUALITY
9.1. Audit Committee must have a robust process for the appointment, reappointment, removal, and fees of the external auditor; if there is a change, the reason must be disclosed
9.2. Audit Committee is responsible for assessing the integrity and independence of external auditors
9.3. Disclose the nature of non-audit services performed by the external auditor

10. FOCUS ON NON-FINANCIAL AND SUSTAINABILITY REPORTING
10.1. Clear and focused strategy on disclosure: strategic goals (long-term); operational objectives (short-term); impacts of sustainability issues

11. COMPREHENSIVE AND COST-EFFICIENT ACCESS TO RELEVANT INFORMATION
11.1. Website

12. INTERNAL CONTROL AND RISK MANAGEMENT
12.1. Internal control system and ERM framework
12.2. Independent internal audit function; may be in-house or outsourced

13. SHAREHOLDER/MEMBER RIGHTS
13.1. Disclosed in the Manual on Corporate Governance
Rights:
- Approval of material corporate acts
- Propose the holding of meetings and the inclusion of agenda items
- Nominate candidates to the BOD
- Information on the nomination and removal process
- Information on voting procedures
Additional rights:
- Preemptive right
- Right to dividends
- Appraisal rights
13.2. Notice of Annual and Special Shareholders'/Members' Meeting given at least 21 days before the meeting
13.3. Results of votes on matters taken up made publicly available the next working day; minutes posted on the website within 5 business days
13.4. Alternative dispute mechanism for intra-corporate disputes
13.5. Investor Relations Office (IRO) and Customer Relations Office (CRO); both should be present at every shareholders' meeting

14. RESPECTING RIGHTS AND EFFECTIVE REDRESS FOR VIOLATIONS OF STAKEHOLDERS' RIGHTS
14.1. Promote cooperation between stakeholders: customers, employees, suppliers, shareholders, non-proprietary rights holders, investors, creditors, the community in which it operates, society, government, regulators, competitors, etc.
14.2. Mechanism for the fair treatment, protection, and enforcement of the rights of stakeholders

15. EMPLOYEES' PARTICIPATION
15.1. Encourage employees to actively participate in the realization of goals and in governance
15.2. Anti-corruption policy
15.3. Whistleblowing framework

16. SUSTAINABILITY AND SOCIAL RESPONSIBILITY
16.1. Place importance on interdependence, promote mutually beneficial relationships, and contribute to the advancement of society

III. PSE CORPORATE GOVERNANCE

Philippine Stock Exchange (PSE)
- The only stock exchange in the Philippines
- One of the oldest in Asia; operating since the establishment of the Manila Stock Exchange (1927)
- Currently in BGC, Taguig
- 15 BOD members; Chairman: Jose T. Pardo
- Main index: PSEi
- Trading sessions: 9:30 AM to 3:30 PM; daily recess: 12:00 PM to 1:30 PM

PSEi
- Fixed basket of 30 listed companies, selected based on a specific set of public float, liquidity, and market capitalization criteria
- Measures relative changes in the free-float-adjusted market capitalization of the 30 largest and most active common stocks

The free-float method (https://www.investopedia.com/terms/f/freefloatmethodology.asp)
- A better way of calculating market capitalization; provides a more accurate reflection of market movements and of the stocks actively available for trading in the market
- The resulting market capitalization is smaller than what would result from a full market capitalization method
- Equity's price x number of shares readily available in the market
- Excludes locked-in shares such as those held by insiders, promoters, and governments
- Free float is inversely correlated with volatility (a larger free float tends to mean lower volatility)

CG and the PSE
Corporate Governance Guidelines for Companies Listed on the PSE (CG Guidelines handbook)
- One key initiative to carry out the strategy
- Designed for benchmarking CG practices and guiding companies in improving their standards
- Not a source of enforceable legal rights and do not have the force and effect of law; no penalties, but companies are required to explain non-compliance ("adopt or explain" system)
Corporate governance as per PSE:
- Framework of rules, systems, and processes that governs the performance by the BOD and management of their respective duties to the stockholders, with due regard to stakeholders
- System of directing and managing a corporation which involves: development and achievement of corporate goals; the function of the Board and its relationship with management; control, risk, and performance management systems; compliance with laws and best practices; corporate self-restraint and ethics; sustained value creation, as it should ultimately create long-term value for shareholders while considering the rights of stakeholders
Benefits:
- Corporate efficiency; positive impact on profitability and growth
- Improves access to external financing
- Lowers the cost of capital and raises the firm's value
- Enhances relationships with stakeholders; improves labor and community relations
- Reduces the risk of financial crises
The PSE actively supports efforts to adopt world-class CG practices and includes CG in its 5-year strategic program LEVEL UP (Value and enforce CG standards). The Corporate Governance Improvement Program (CGIP) underscores implementation.

Disclosure Requirements
- All listed companies are to submit a compliance report to the PSE's disclosure department on or before January 30, indicating the level of compliance
- Submitted under oath by the President or Chairman or a duly authorized representative, attested by an independent director
- Only recommendations not met shall be disclosed
- Compliance reports should be available on the website
- A report or summary of deviations shall be included in the corporate governance section of the annual report
- Disclosure period = reporting period

Guidelines
1. DEVELOPS AND EXECUTES A SOUND BUSINESS STRATEGY
1.1. Clearly defined vision, mission, and core values
1.2. Well-developed business strategy
1.3. Strategy execution process that facilitates effective performance management
1.4. Continued discussion by the Board of strategic business issues

2. ESTABLISHES A WELL-STRUCTURED AND FUNCTIONING BOARD
2.1. Competence and integrity
2.2. Led by a chairman who ensures that the board functions effectively
2.3. At least 3 or 30% (whichever is higher) independent directors
2.4. Written manual, guidelines, and issuances that outline procedures and processes
2.5. Committees: Audit; Risk; Governance; Nomination and Election

3. MAINTAINS A ROBUST INTERNAL AUDIT AND CONTROL SYSTEM (the Board is responsible for the selection, evaluation, and removal of the CAE)
3.1. Internal Audit as a separate unit, overseen at the Board level
3.2. Comprehensive enterprise-wide compliance program, reviewed annually
3.3. Institutionalize quality service programs for the IA function
3.4. Have a mechanism that allows employees, suppliers, and stakeholders to raise valid issues
3.5. Have the CEO and Chief Audit Executive attest in writing that a sound internal audit, control, and compliance system is in place

4. RECOGNIZES AND MANAGES ENTERPRISE RISKS
4.1. Board to oversee the risk management function
4.2. Formal risk management policy (guide)
4.3. Design and undertake ERM activities in accordance with an internationally recognized framework
4.4. Unit at management level headed by a Risk Management Officer (RMO)
4.5. Disclose information about risk management procedures and processes, plus key risks and how they are managed
4.6. External technical support in risk management when competencies are not available internally

5. ENSURES THE INTEGRITY OF ITS FINANCIAL REPORTS AS WELL AS ITS EXTERNAL AUDITING FUNCTION
5.1. Audit Committee approves all non-audit services conducted by the external auditor; non-audit fees should not outweigh fees earned from the external audit
5.2. Ensure the credibility and competence of the external auditor; must be able to understand complex RP transactions, counterparties, and valuations
5.3. Ensure that the EA has adequate control procedures
5.4. Disclose relevant information to external auditors
5.5. Ensure that the EA firm is selected fairly and transparently
5.6. Audit Committee to conduct regular meetings with the EA team without management
5.7. Financial reports to be attested to by the CEO and CFO
5.8. Rotate the lead audit partner every 5 years

6. RESPECTS AND PROTECTS THE RIGHTS OF SHAREHOLDERS, PARTICULARLY THOSE THAT BELONG TO THE MINORITY OR NON-CONTROLLING GROUP
6.1. Adopt the "one share, one vote" principle
6.2. Ensure that all shareholders of the same class are treated equally (voting, subscription, transfer rights)
6.3. Effective, secure, and efficient voting system
6.4. Effective voting mechanisms, e.g., supermajority/"majority of minority" requirements to protect minority shareholders from the controlling shareholders
6.5. Provide all shareholders notice of the agenda of the annual general meeting: regular meeting, at least 30 days before; special meeting, at least 20 days before
6.6. Allow shareholders to call a special shareholders' meeting, to submit a proposal for consideration at the annual general meeting or special meeting, and ensure attendance of the EA or other relevant individuals
6.7. Ensure that all relevant questions during the AGM are answered
6.8. Have clear and enforceable policies with respect to the treatment of minority shareholders
6.9. Avoid anti-takeover measures that may entrench ineffective management or the existing controlling shareholder group
6.10. Provide all shareholders with accurate and timely information regarding the number of shares of all classes held by the controlling shareholders and their affiliates
6.11. Have a communications strategy to promote effective communication
6.12. Have at least a 30% public float to increase liquidity in the market
6.13. Transparent dividend policy

7. ADOPTS AN INTERNATIONALLY ACCEPTED DISCLOSURE AND TRANSPARENCY REGIME
7.1. Written policies and procedures to ensure compliance with SEC and PSE disclosure rules and other disclosure requirements under existing laws
7.2. Disclose the existence, justification, and details of agreements (shareholder, voting rights, confidentiality) that impact control, ownership, or strategic direction
7.3. Disclose the director and executive compensation policy
7.4. Disclose the names of groups or individuals who hold 5% or more ownership interest; significant cross-holding relationships and cross guarantees; the nature of the company's other companies if belonging to a corporate group
7.5. Disclose annual and quarterly reports, cash flow statements, and special audit revisions: consolidated FS within 90 days from the end of the financial year; interim reports within 45 days from the end of the reporting period
7.6. Disclose to shareholders and the Exchange any changes to the corporate governance manual and practices, and the extent of conformity to SEC and PSE requirements
7.7. Publish to shareholders timely information and materials relevant to corporate actions that require shareholder approval
7.8. Disclose the trading of shares by directors, officers, and controlling shareholders, and purchases of shares from the market by the company
7.9. Disclose in the annual report: principal risks to minority shareholders associated with the identity of the controlling shareholders; degree of ownership concentration; cross-holdings among company affiliates; imbalances between the controlling shareholders' voting power and their overall equity position in the company

8. RESPECTS AND PROTECTS THE RIGHTS AND INTERESTS OF EMPLOYEES, COMMUNITY, ENVIRONMENT, AND OTHER STAKEHOLDERS for long-term sustainable value
8.1. Policy statement that articulates the company's recognition and protection of the rights and interests of key stakeholders
8.2. Workplace development program
8.3. Merit-based performance incentive system such as an employee stock option plan (ESOP)
8.4. Community involvement program
8.5. Environment-related program
8.6. Clear policies that guide dealings with market participants

9. DOES NOT ENGAGE IN ABUSIVE RELATED-PARTY TRANSACTIONS AND INSIDER TRADING (transactions should not benefit a particular group)
9.1. Policy for RPTs
9.2. Clear definition of thresholds for disclosure and approval of RPTs, e.g.: de minimis transactions (those that need not be reported); those that need to be disclosed; those that need prior shareholder approval. The aggregate amount of RPTs within any 12-month period should be considered in applying the thresholds
9.3. Voting system where a majority of non-related-party shareholders approve specific types of RPTs
9.4. Independent directors or the audit committee to play an important role in reviewing significant RPTs
9.5. Transparency and consistency in reporting RPTs; a summary to be published in the annual report
9.6. Clear policy on material non-public information held by company insiders
9.7. Clear policy and practice of full and timely disclosure of material transactions with affiliates of the controlling shareholders, directors, and management

10. DEVELOPS AND NURTURES A CULTURE OF ETHICS, COMPLIANCE, AND ENFORCEMENT
10.1. Adopt a code of ethics that guides individual behavior and decision-making, clarifies responsibilities, and informs stakeholders of expected conduct
10.2. Formal comprehensive compliance program, including training and awareness initiatives
10.3. Not seek exemption from the application of law when referring to a corporate governance issue; disclose reasons should it do so
10.4. Clear and stringent policies and procedures on penalizing involvement in bribery
10.5. Designated officer for ensuring compliance
10.6. Respect intellectual property rights
10.7. Alternative dispute resolution system to settle conflicts and differences with counterparties

COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (COSO)
- Established 1985
- Joint initiative of 5 private organizations: AICPA, AAA, FEI, IMA, Institute of Internal Auditors
- Mission: provide thought leadership through the development of frameworks on ERM, internal control, and fraud deterrence to improve organizational performance and governance

2013 Framework for Effective Internal Control (COSO)
Objectives of internal control – provide reasonable assurance of achievement regarding:
1. Operations – effectiveness and efficiency of operations, including safeguarding of assets
2. Reporting – reliability, timeliness, transparency, etc.
3. Compliance – adherence to laws and regulations
*Direct relationship between objectives (top), components (front), and organizational structure (side) of the COSO cube

Requirements for effective internal control:
1. Achievement of objectives relating to 1, 2, or all 3 categories (reasonable assurance)
2. All 5 components and relevant principles present and functioning
- Present – exists in the design and implementation of IC
- Functioning – continues to exist in the conduct of IC
- Presumption: all 17 principles are relevant to all entities. In rare instances where management determines that a principle is irrelevant, it must give the rationale for how the related component can still be present and functioning.
3. The 5 components and relevant principles operating together in an integrated manner
- Operating together – all 5 components collectively reduce the risk of not achieving an objective; this can be demonstrated when the components are present and functioning, and IC deficiencies aggregated across components do not result in the determination that 1 or more major deficiencies exist

Additional considerations:
1. Judgment – effective IC demands more than rigorous adherence; it requires the use of judgment
2. Points of focus – 87 important characteristics that help in the design, implementation, and evaluation of IC, but they are not required to be assessed separately when evaluating the effectiveness of IC
3. Controls to effect principles – no prescribed controls; the controls used are a function of management judgment. Internal control deficiency – absence of controls necessary to effect relevant principles. Management may consider other controls (whether or not related to the component or principle) that compensate for a deficiency
4. Organizational boundaries – significant addition to the 2013 framework: considerations relating to outsourced service providers (OSPs). Dependency on OSPs changes risks, increases the importance of information quality, and creates challenges in overseeing activities and controls. Management retains responsibility for IC
5. Technology – "all computerized systems, including applications running on a computer and operational control systems"; the principles do not change with the application of technology
6. Larger vs. smaller entities – IC components and principles are applicable to both; implementation approaches may vary
7. Benefits and costs of IC – management must weigh costs to strike the right balance of making the right use of the entity's resources, mitigating the areas of greatest risk, and meeting objectives
8. Documentation – some level is necessary to assure that each component and relevant principles are present and functioning, and operating together

NEW COSO ERM FRAMEWORK
- Greater insight into the role of ERM in setting and executing strategy
- Enhances alignment between performance and ERM
- Accommodates expectations for governance and oversight
- Recognizes globalization and the need to apply a common, albeit tailored, approach across geographies
- Presents new ways to view risk in setting and achieving objectives in the context of greater business complexity
- Expands reporting to address expectations for greater stakeholder transparency
- Accommodates evolving technology and data analytics in supporting decision-making
- Does not replace the 2013 IC – Integrated Framework; they are complementary. Aspects of IC common to ERM are not repeated; some aspects of IC are further developed

Basic definitions
Risk – possibility that events will (or will not) occur and affect the achievement of strategy and objectives
ERM – culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing (c.p.r.) value
Risk appetite – amount of risk (at a broad level) that the organization is willing to accept in pursuit of value
Acceptable variation in performance – boundaries of acceptable outcomes related to achieving objectives

Why implement sound ERM principles
- Improves decision-making in governance, strategy, objective-setting, and operations
- Links strategy and objectives to both risk and opportunity; enhances performance
- Provides a clear path to creating, preserving, and realizing (c.p.r.) value
*Strategy is put in the context of vision, mission, core values, and desired performance along with the risks
*ERM focuses on integration with other processes: 1. governance processes; 2. strategy setting; 3. objective setting; 4. performance management

ERM and Innovation – likenesses
1. Risk appetite statement and tolerance discussions
2. Both are integrated in existing processes to create sustainable value
3. Linked to strategy and objectives and to execution and optimization for maximum value

ERM and Innovation – leverage points
1. Looking at risks to drive internal and external value (make money by taking risk to deliver value)
2. Using ERM as a source for innovation (innovating with strategic intent)
3. ERM already has the C-suite engaged
4. ERM is traditionally tied into governance and audit; extend ERM and innovation discussions to the full board, especially the executive committee

INTERNAL AUDIT

IPPF: The Framework for Internal Audit Effectiveness (Video)
- Auditors protect and enhance value
- Risk evolves with changing technology, communications, global economics, geopolitics, etc.; auditors must adapt to the speed of risk
- The IPPF provides direction to auditors to keep up with change; the framework adapts as well
- Enhanced professionalism, proficiency, and effectiveness
- New IPPF Mission: "To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight"
  - Assurance – bedrock of any internal audit function
  - Advice – informed view offered
  - Insight – objective and independent perspective to help see risk
- New emerging challenge: cybercrime. Can auditors keep up?
Characteristics of IA: integrity, objectivity, competence

New principles:
- IA to be insightful, proactive, future-focused
- Promote organizational improvement
- Provide further direction on what makes IA effective

Further changes in the new IPPF:
- Mandatory guidance
- Recommended guidance: Implementation guidance; Supplemental guidance

Definition of Internal Auditing
- Independent, objective assurance and consulting activity
- Designed to add value and improve an organization’s operations
- Helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of:
  Risk management
  Control
  Governance processes

Core Principles for the Professional Practice of Internal Auditing
1. Integrity
2. Competence and due professional care
3. Objective and free from undue influence (independent)
4. Alignment with the strategies, objectives, and risks of the organization
5. Appropriately positioned and adequately resourced
6. Quality and continuous improvement
7. Effective communication
8. Risk-based assurance
9. Insightful, proactive, future-focused
10. Promotes organizational improvement
For an IA function to be considered effective, ALL principles should be present and operating effectively.

Code of Ethics – Principles
1. Integrity – establishes trust and provides the basis for reliance on the auditor’s judgment
2. Objectivity – highest level of professional objectivity in gathering, evaluating, and communicating information; a balanced assessment of all relevant circumstances, not unduly influenced by own interests or by others in forming judgments
3. Confidentiality – respect and value the ownership of information; do not disclose without proper authority unless there is a legal/professional obligation to do so
4. Competency – apply the knowledge, skills, and experience needed in performing IA services

3 Lines of Defense
Oversight: Governing Body/Board/Audit Committee; Senior Management
- 1st line: Operational Management – management control and internal control; ownership, responsibility, and accountability for assessing, controlling, and mitigating risks
- 2nd line: Risk Management and Compliance Functions – financial control, security, risk management, quality, inspection, compliance; oversight function
- 3rd line: Internal Audit – reports to the BOD/Audit Committee; independent of the BOD/Audit Committee and Senior Management; provides objective assurance on the effectiveness of compliance risk management

Internal Audit’s Stakeholder Groups
a) Operational and Executive Management
- Decision-making core responsible for the overall performance of the org
b) Board and Audit Committee
- Monitors overall performance on behalf of shareholders/owners
- Audit Committee: provides oversight of financial reporting, risk management, internal control, compliance, ethics, internal auditors, and external auditors
c) Other Assurance Providers
- Quality audit (ISO)
- Health, safety, and environment functions
- Compliance functions
- Risk management functions
- Legal and/or general counsel functions
d) External Stakeholders
- Reside outside the org structure, but have an important role in the overall governance and control structure

Relevant Standards Organizations
a) Institute of Internal Auditors (IIA)
- IA and risk management guidance-setting body
- Serves in 190 countries
- Largest professional org of IA
- IPPF: mandatory for IIA members and IA organizations claiming to complete audits to IIA technical standards
b) Information Systems Audit and Control Association (ISACA)
- Focused on IT governance and IT internal audit
- Serves in 180 countries
- COBIT (Control Objectives for Information and Related Technology)
- Standards, Guidelines, and Procedures for information systems auditing
c) Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Joint initiative to combat corporate fraud
- Established in the US by 5 private orgs
- Common internal control model
- Supported by IMA, AAA, AICPA, IIA, FEI

Eight Attributes of Excellence
1. Business Alignment
- Documented goals and objectives focusing on key internal improvement dimensions
- Process-level KPIs in place
- Strategy addresses short- and long-term vision
- Quantitative and qualitative metrics
2. Risk Focus
- Encompasses all applicable areas of the org
- Risk assessment based on a top-down, strategic view of business risks
- Produces a risk profile
- Identified risks are mapped to activities within ERM
3. Talent Model
- Proficient in financial internal audit, ICFR, ITGCs
- Offers industry and technical expertise
- Rotational program developed for management to work in IA for some period, to provide a holistic understanding and to integrate specialized knowledge
4. Stakeholder Management
- Focus: reporting and resolving audit issues. Limited non-audit interactions occur and stakeholder insight is NOT obtained to identify or validate risks
- Stakeholders view IA as a key business partner that provides appropriate and strategic support
5. Cost Effectiveness
- Includes costs incurred by core staff, specialists, and third-party consultants
- Take corrective action on a timely basis
- Measure overall productivity for all audits, which serves as a guide in creating the most cost-effective mix of services offering the most risk coverage
6. Technology
- Audit Management System (AMS): working papers, engagement management, issue tracking functionality
- Use an integrated AMS that links data from risk assessment through audit results to maximize efficiency and effectiveness
7. Service Culture
- Communication strategy to provide management with information about the planned audit
- Formal kick-off meeting with auditees and a subset of senior management to provide insight on how the audit was selected and to collaborate with auditees
8. Quality & Innovation
- All members trained in the concept and application of the methodology to ensure consistency
- Continual improvement processes developed to ensure that tools are adequately designed

International Standards for the Professional Practice of Internal Auditing – evidence of conformance

1000: Purpose, Authority and Responsibility
- Chief Audit Executive (CAE) discusses the IA Charter with the Board for approval
- Signature/approval on the actual IA Charter

1100: Independence and Objectivity
- CAE reviews the IA Charter with Senior Management and the Board
- Independence and Objectivity (I and O) statement in the Charter
- Reporting lines in the org chart
- Policies on I and O, addressing conflicts and performance evaluation

1200: Proficiency and Due Professional Care
- Policies communicated to and acknowledged by IA staff
- Annual declaration related to the IIA’s Code of Ethics and the org’s Code of Conduct
- Sufficient and appropriate allocation of IA staff
- Evident in procedures and processes during the audit engagement
- Results of feedback from engagement reviews and client surveys
- Performance of regular external assessments

1300: Quality Assurance and Improvement Program (QAIP)
- A QAIP is an ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the organization’s internal audit activity
- Evidence of how well IA has been managed and whether it has added value to the org exists in surveys
- Results of both internal and external assessments evidence how well IA was managed
- Actions are taken to improve IA efficiency and effectiveness
- External assessment or self-assessment with independent validation
  1310: Requirements of the QAIP
  1311: Internal Assessment – ongoing monitoring; periodic self-assessment
  1312: External Assessments
  1320: Reporting on the QAIP – CAE communicates QAIP results to the Board or Senior Management
  1321: Use of “Conforms with the ISPPIA”
  1322: Disclosure of Nonconformance

2000: Managing the Internal Audit Activity

2100: Nature of Work
- IA roles and responsibilities related to governance, risk management, and control are documented in the IA Charter
- Elements of the standards are discussed among the CAE, Board, and Senior Management
- Disciplined, systematic, risk-based approach documented in the Engagement Plan
- Outcome of relevant and value-added results documented in the engagement reports

2200: Engagement Planning
- Planning considerations, engagement scope, objectives, resource allocations, approved engagement work program
- Discussion of engagement objectives and scope with the client
- Approved documentation templates related to planning the engagement

2400: Communicating Results
- Policies and procedures giving guidance on communication of noncompliance, of sensitive information within and outside the chain of command, and outside the org

2500: Monitoring Progress
- Prior audit observations, associated corrective action plan, status, and internal audit’s confirmation documented in an updated exception tracking system
- Status of corrective actions communicated to senior management and the board

2600: Communicating the Acceptance of Risks
- Significant risks discussed with the executive management team, Board, or Risk Committee
- Steps taken to alert management and the Board are documented in a memo file for communications made through one-on-one meetings during private sessions
- Detailed P&P on reporting significant risks in compliance with standards

Internal Audit Process
1. Foundation
- Understand IA value drivers
- Mission and Charter
- Develop a strategic plan
2. Planning
- Understand objectives
- Assess risks
- Audit plan
- Update risk assessment
3. Fieldwork
- Understand the area under review
- Determine approach: value protection; value enhancement
4. Reporting
- Outline major issues and findings
- Outline recommendations
- Outline management’s action plans for identified issues
5. Quality
- To be embedded in each stage
- Performance metric measurement
- Internal quality review/assessment

Internal vs. External Audit

Tests of Controls
- Considerations: effectiveness of other elements of IC; risks arising from characteristics of the control

Webinar Notes
Relevant Standards
- ISA 330 Planning and Audit of FS
- ISA 500 Audit Evidence
- ISA 530 Audit Sampling

Process vs Control
- Process. What is done to initiate, record, authorize, and keep safe custody
- Control. Gives management assurance that processes will work

Reliance on controls tested in previous audits
- Establish continuing relevance by obtaining evidence of significant changes using inquiry + observation/inspection
- With changes: test the controls in the CURRENT audit
- No changes: test at least once in every third audit; test some controls in each audit; include audit documentation of the conclusions on reliance on controls tested in a previous audit
_________________________________________
Audit sampling. Application of procedures to less than 100% of items
Population. Entire set of data from which conclusions are drawn
Sampling risk. Risk that the results from the sample differ from the results for the population
Expected deviation rate. Rate of deviations expected to be found during ToC
Tolerable deviation rate. Tolerable rate of deviations in the population NOT found during ToC

Tests of Controls Practice
1. Design
- Consider the purpose of the audit procedure and the characteristics of the population in selecting the sample
- Select a sample size sufficient to reduce sampling risk to an acceptably low level
- Walkthrough. Provides evidence re: design and implementation; operational effectiveness; adequacy of performance; but only provides evidence at the point of conduct
- Document the basics:
  - Objective of the test
  - Account
  - Assertion
  - Period
  - Extent of reliance (high or low risk)
  - Sample size
  - Frequency/ no.
    of operations during the accounting period
  - Significant risk
  - Appropriateness of reliance on prior period evidence, ISA 330.13:
    - Manual/automated control
    - Effectiveness of general IT controls
    - Effectiveness of the control and its application; nature and extent of deviations in previous audits; personnel changes that affect control application
    - Whether lack of change in the control poses a risk due to changing circumstances
    - Risks of MM and extent of reliance on the control
- Describe the control attributes to be tested and what would constitute a control deviation
2. Selection
- Sample size and selection method
3. Testing & Evaluation
- May be performed at interim + top-up testing at the final visit
- If the actual deviation rate > expected, options:
  - Test an alternative/mitigating control
  - Place reliance on substantive audit procedures
  - Increase the sample size
4. Documentation
- Reference to work papers documenting the test
- Document conclusions
- Consider the impact on other audit areas, s.a.:
  - Other audit procedures
  - Reporting to TCWG
    i. Report on a timely basis if controls cannot be identified, are not designed effectively, or are not operating effectively
    ii. Report as soon as practicable if key mitigating controls are ABSENT from a high-risk area

Material weaknesses in controls
The PCAOB defines a material weakness as “a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”

Some of the most common causes of material weaknesses include deficiencies in a company’s control environment. These may be related, but not limited, to the following:
- Inadequate segregation of duties: An example is an individual who performs incompatible tasks, such as a controller who approves his or her own purchase requisitions.
- Ineffective risk assessments: For instance, failing to assess risk on a continuous basis could lead to new and unidentified exposures or risk categories as business practices change (e.g., the company adopts a new ERP or acquires another business).
- Insufficient management review procedures: Inappropriately designed or executed management review controls (controls over subjective, complex areas such as goodwill impairments) can lead to material misstatements; for example, this can manifest as controls that are not designed precisely enough to address all relevant risks, or inadequate documentation supporting the execution of the controls.
- Inappropriate reliance on accounting software or third parties: An example would be using third-party service organizations that do not provide a SOC 1 Type II report, or leveraging accounting software that does not have sufficient functionality, such as audit logs or the ability to implement change controls.
All of the above can lead to the “reasonable possibility” that a material financial misstatement will not be detected in a timely manner, which is the very definition of a material weakness.

Material weaknesses must be reported to the public via SEC filings in the period in which they were identified, which makes early and timely detection a top priority. If a previously unidentified material weakness is discovered, the SEC may issue a comment letter questioning whether the material weakness was present (and should have been reported) in a previous period. The sooner you detect a potential material weakness, the faster you can remediate it, and the better it will reflect on your company.

Material weakness vs. significant deficiency: How to tell the difference
A significant deficiency is less severe than a material weakness in that it is unlikely to have a material impact on financial statements, but it is “important enough to merit attention by those responsible for oversight of the company’s financial reporting,” according to the PCAOB.

An example of a significant deficiency, as stated by the SEC, would be if a company’s accounting function reviews significant or unusual modifications to the sales contract terms but does not review changes in the standard shipping terms. Presuming individual sales transactions are not material to the company – and since the accounting function has compensating controls in place to detect more severe modifications – the SEC determined that any effect on revenue recognition would be “more than inconsequential, but less than material.”

Once you identify a control deficiency, you must assess its importance and determine whether it rises to the level of a significant deficiency or material weakness. When assessing the magnitude of a control deficiency, many factors are relevant to this conclusion:
- The presence of compensating controls that mitigate the risk of a potential misstatement. In order to be reliable, compensating controls must be operating effectively.
- The potential magnitude of the misstatement that could result from the deficiency (e.g., the total monthly transaction amounts exposed to the deficiency).
- Risk factors such as the nature of the account, susceptibility of the related asset to fraud or loss, relationship of the control in question to other controls, and possible future consequences of the deficiency.
- Whether the control deficiency is important enough to merit the attention of whoever is responsible for overseeing the company’s financial reporting.
- Whether the deficiency would prevent a prudent official from concluding that the transaction would ensure financial statements conform with GAAP.
- Whether specific indicators of material weakness exist, such as identification of fraud on the part of senior management, or ineffective oversight of the company’s external financial reporting and internal control over financial reporting by the audit committee.
- Whether there is a “reasonable possibility” that the controls will fail to prevent a material misstatement of the account balance or disclosure.
Remember: The SEC has regularly reiterated that the existence of a material weakness does not depend on the actual magnitude of an error or misstatement but rather on the reasonable possibility that a material weakness could occur and not be detected or prevented. Therefore, even immaterial misstatements could lead to a material weakness conclusion.

Code of Ethics
Adoption of the 2016 Ed. of the International Ethics Standards Board for Accountants CoE – Resolution No. 263, December 18, 2015

Changes from the 2014 & 2015 editions
1. TCWG definition revised to align with ISA 260 by the IAASB
2. Withdrawal of the exception provisions that permitted an audit firm to provide bookkeeping and taxation services to public interest entity (PIE) audit clients in emergency or unusual situations
3. Strengthening of the provisions addressing management responsibility (MR) + additional guidance + clarification of what constitutes MR
4. Clarification of “routine or mechanical” services relating to the preparation of accounting records and FS for audit clients that are not PIEs
- NOCLAR (non-compliance with laws and regulations) – potential illegal act by a client or employer
5. Sec 291.2 – refer to PFAE, PSAs, PSREs, PSAEs
6. Sec 225.38
- Professional Accountant: individual who holds a valid CoR and current PIC issued by the BOA and PRC… (revised definition)

Changes in the 2016 ed. provisions to fit the PH setting
1. Sec 290.12 – no prescription of specific responsibilities related to independence; PSQC requirement: establish P&P to provide reasonable assurance of the firm’s independence; PSA requirement: form a conclusion on compliance with independence requirements
2. Sec 290.152 – Audit client becomes a PIE: no. of years until rotation = 7 years − no. of years served
3. If 6 or more years served, max 2 years before rotation
4. Sec 290.153 – Rotation of key audit partners (KAP) may not be an available safeguard if only a few people in the firm have the necessary knowledge and experience; an independent regulator may allow a KAP to serve beyond the max years, but alternative safeguards must be specified

BOA Resolution 2016 s2 – Requiring the submission of engagement reports by individual certified public accountants, firms, and partnerships of certified public accountants engaged in the practice of public accountancy
BOA Resolution #3 – Requiring the submission of a certificate by the responsible CPA (should not be the CPA performing the attest service) on the compilation services for the preparation of financial statements and notes thereto; attached to FS with gross sales exceeding 10 million pesos
Ethics – set of principles that guides professional accountants in appropriately conducting and portraying themselves, to help fulfill the responsibility of the profession to act in the public interest

Ref. Code of Ethics Focus Notes
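Returning to the Tests of Controls Practice steps earlier in these notes (step 1: select a sample size sufficient to reduce sampling risk to an acceptably low level; step 3: compare the deviations actually found with the expected deviation rate and decide whether to rely on the control or take one of the listed options), here is a worked example. It is added here and is not part of the original notes or of any webinar material. It assumes the usual attribute-sampling convention: deviations follow a binomial model, and the auditor accepts a stated risk of overreliance (5% below). The tolerable rate, expected rate, and the number of deviations "found" are constructed illustrative inputs.

```python
# Attribute sampling for a test of controls (ToC). Added example, not part of
# the original notes. Assumptions: a binomial model of deviations and an
# accepted risk of overreliance (5% by default); all sample results are
# constructed for illustration.
from math import ceil, comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing at most k deviations."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def planned_deviations(n, expected_rate):
    """Deviations the plan allows in a sample of n at the expected deviation rate."""
    return ceil(expected_rate * n - 1e-9)


def toc_sample_size(tolerable_rate, expected_rate, risk_of_overreliance=0.05, max_n=5000):
    """Step 1 (Design): smallest n such that, if the population deviation rate
    were as bad as the tolerable rate, finding no more than the expected number
    of deviations would be no more likely than the accepted risk of overreliance."""
    for n in range(1, max_n + 1):
        k = planned_deviations(n, expected_rate)
        if binom_cdf(k, n, tolerable_rate) <= risk_of_overreliance:
            return n
    raise ValueError("no sample size up to max_n achieves the stated risk")


def upper_deviation_limit(n, deviations, risk_of_overreliance=0.05):
    """Achieved upper deviation limit: smallest population rate p at which
    observing <= deviations in n items is no more likely than the accepted risk.
    binom_cdf decreases as p grows, so bisection on p is sound."""
    lo, hi = 0.0, 1.0
    while hi - lo > 1e-8:
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk_of_overreliance:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_toc_sample(n, deviations, tolerable_rate, expected_rate, risk_of_overreliance=0.05):
    """Step 3 (Testing & Evaluation): compare what was found with what was planned."""
    udl = upper_deviation_limit(n, deviations, risk_of_overreliance)
    exceeds_expected = deviations > planned_deviations(n, expected_rate)
    within_tolerable = udl <= tolerable_rate
    result = {
        "sample_size": n,
        "deviations": deviations,
        "deviation_rate": deviations / n,
        "upper_deviation_limit": udl,
        "conclusion": "rely" if (not exceeds_expected and within_tolerable) else "revise",
        "options": [],
    }
    if result["conclusion"] == "revise":
        # The options the notes list when actual deviations exceed those expected
        result["options"] = [
            "Test an alternative/mitigating control",
            "Place reliance on substantive audit procedures",
            "Increase the sample size",
        ]
    return result


if __name__ == "__main__":
    # Constructed scenario: tolerable 5%, expected 1%, 5% risk of overreliance
    n = toc_sample_size(0.05, 0.01)
    print("planned sample size:", n)  # 93, with one deviation allowed
    for found in (1, 2):
        r = evaluate_toc_sample(n, found, 0.05, 0.01)
        print(found, "deviation(s):", r["conclusion"],
              "UDL=%.4f" % r["upper_deviation_limit"], r["options"])
```

With the constructed inputs the plan calls for 93 items and allows one deviation; one deviation found gives an upper deviation limit just under the 5% tolerable rate and supports reliance, while a second deviation pushes the limit above 5% and forces one of the three options from step 3. The sizes this produces for these inputs (93 for 5%/1%, 46 for 10%/2%, 59 for 5%/0%) agree with the standard AICPA attribute-sampling tables at a 5% risk of overreliance.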