"Role of Corporate Financial Management"
Developing the Auditing Role: Corporate and Financial Reporting Richard Archer CEO CG Management Solutions Agenda • Establishing the Control Function • Implementing a System of Internal Controls • Assessment: monitoring, accountability and responsibility • Adopting International Financial Reporting Standards (IFRS) • Stakeholder involvement • Reporting and public disclosure Establishing a Control Function • Should the organisation have an internal control or internal audit function? – Regulatory requirements and listing rules • Generally internal audit is either required or a recommended best practice • UAE Code is unique is specifically designating the “control” function – Size and complexity of the organisation – Type of organisation – Nature of the business/industry • If need established, recruit the right person to lead the function Establishing a Control Function • Internal Control vs. Internal Audit – Internal Control is a process effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • reliability of financial reporting, • effectiveness and efficiency of operations, and • compliance with applicable laws and regulations.1 – Most common view is that management has primary responsibility for establishing and maintaining a system of internal controls 1 “Internal Control – Integrated Framework”, page 13. Committee of Sponsoring Organisations of the Treadway Commission, 1992 Establishing a Control Function • Internal Control vs. Internal Audit – Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.2 – Critical concern for internal audit is how high in the organisation it is allowed to monitor and report on internal control practices, effectiveness of risk management, and improper actions by personnel 2 Institute of Internal Auditors Establishing a Control Function • Assurance and consulting roles for Internal Audit create conflict that can compromise independence • Creation of separate Control Function – Reports to management – Responsible for design, implementation, operation, and improvement in system of internal control and risk management • Internal Audit provides independent assurance – Reports to Board of Directors, usually through Audit Committee – Responsible for monitoring effectiveness of management’s implementation and operation of proper system of internal control and risk management Establishing a Control Function • Critical elements of the IIA’s 16 step process for establishing internal audit – Step 1: Determine the assigned authority of the internal audit or internal control activity – Step 2: Ensure clear understanding of expectations and limitations for the function through discussions with Board and Senior Management – Step 3: Understand Audit Committee Charter – Step 5: Understand Management’s Control Policy – Step 10: Develop the formal Charter for the function – Step 15: Develop best practices reporting relationships by working with Board, Senior Management, and relevant stakeholders – Step 16: Establish a quality assurance program Internal Control Systems • Internal control systems existing in many organisations are not the result of conscious, planned design – Not associated with an accepted framework – Internal controls not effectively integrated/adapted as organisation structure changed – One-off responses to control failures (i.e., things going wrong) or identified gaps in internal control – Organisational policy and regulatory compliance changes added to existing system without change in previous requirements – Internal controls not evaluated in relation to changing objectives and risks Internal Control Systems • Traditional internal control system implementation in 8 steps – Facilitate management discussions to identify organisational objectives – Determine effectiveness of the control environment (management culture, methods, organisation structure) – Facilitate management identification of risks the organisation faces in achieving its objectives – Design the internal controls based on identified risks, risks responses, and control objectives – Evaluate the coverage of the designed controls – Implement the designed controls – Test operational effectiveness of implemented controls – Apply revisions where designed controls are not performing as intended or do not integrate as designed Internal Control Systems • Traditional internal control design concerns – Auditor driven – Checklist approach going directly to detailed design – Focused on minimising risks (what can go wrong) – Little emphasis on controls to ensure opportunities are exploited – Relies heavily on a top-down, command and control structure, rather than organisation-wide information sharing and flexibility of action – Risk and uncertainty, once identified, can be controlled – Conceptually approached as independent of organisational processes – Relies on single scenario (i.e., most likely outcome) as basis for control of risk and setting controls Internal Control Systems • “Intelligent controls” design – Identify objectives based on actions that need to be taken to meet the needs of organisational stakeholders, especially customers – Identify risks and uncertainties • Risks associated with organisational objectives • Risks organisation may not be able to exploit range of opportunities for improvement • Team-based, multiple scenario risk and response analysis for flexibility of controls in changing conditions • Assume planning based on rolling forecasts, rather than “most likely” outcomes – Develop a reference database of generic controls focused on organisational specific control needs Internal Control Systems • “Intelligent controls” design (continued) – Design the controls • Design top-down – High level control architecture – Define control types on which reliance will be heaviest – Define essential controls likely to be included • Adapt generic internal control schemes • Fabricate control schemes from relevant components of proven controls for similar responses to other risks – Continuously monitor results and refine the control design based on experience – Measure results against a flexible plan • Establish alternative paths in the plan to reflect the range of conditions and outcomes • Plan to do more planning (i.e., rolling plans or forecasts reflecting changes in conditions) Internal Control Systems • Advantages of intelligent controls design – Intelligent control design is integrated into design of organisational structure and operations processes emphasising organisational performance, rather than audit driven compliance – Critical control feature of intelligent control systems becomes the proven, demonstrable ability of the personnel to adapt control activities as necessary to respond to uncertainty and change on a timely basis, rather than on adherence to a single fixed control – Most effective under a participative, sharing-learning management philosophy – Depends heavily on the availability of qualified personnel (either by hiring or by training) Assessing Internal Controls • Annual assessment of internal control and risk management effectiveness is required in most governance codes – Assessing and reporting on effectiveness of management’s approach to internal control system design and operation, risk management practices, and governance compliance is primary role of internal audit – Audits planned and conducted to cover all critical areas identified in annual controls risk analysis – Management design of continuous monitoring procedures into internal control system – Control self-assessment programs effective in overall evaluation and assessment of non-critical areas IFRS – Convergence Trends • Significant progress toward harmonisation of accounting standards in 2007 – FASB and IASB continue to work jointly to revise standards in key areas to a common approach – SEC adapts filing rules for IFRS • December 2007: FPIs no longer required to provide reconciliation to US GAAP if financials prepared following standard IFRS • Concept statement on US companies using IFRS for SEC filings released for comment in August 2007 – January 2008: Chairman of FASB acknowledges US GAAP unlikely to become global reporting standard – January 2008: CEOs of 6 largest global accounting firms support move to a single global reporting standard – US GAAP harmonisation with IFRS targeted for 2009; Canada harmonisation for 2011 IFRS – Convergence Trends • Conversion to IFRS – Determine objectives • Meet periodic financial reporting requirements • Integrate financial reporting standards into operational, planning, compensation, and management decision making processes – Identify differences in reporting standards • Determine conformity with home country standards • Define reporting requirements under IFRS • Compare and catalog differences – Restate closing balance sheet • Analyse final differences and calculate adjustments • Apply adjustments IFRS – Convergence Trends • Conversion to IFRS (continued) – Evaluate effect on operational areas – Implement new accounting systems • Revised accounting manual • Revised charts of accounts to incorporate regulatory, statutory/external, and management reporting • Revise procedures and controls with emphasis on intercompany and tax compliance activities • Modify or create conforming accounting applications – Test system design • Test runs • Training • Modifications – Implement fully developed system IFRS – Convergence Trends • Conversion to IFRS (continued) – Time frame • Periodic reporting objective: 3 to 4 months • Full integration: 18 to 24 months – Will usually require support of consultants/advisors expert in the new accounting standards, accounting application design, and project management – Internal Audit roles • Consulting role participating in new controls design • Monitoring role tracking progress of conversion and effectiveness of project techniques • Assessment role evaluating effectiveness of planned controls and management’s overall effectiveness in accomplishing the conversion Stakeholder Involvement • Stakeholders in the financial reporting and internal audit process generally consist of: – Board of Directors: principal responsibility – Senior management: operational responsibility – Financial management: reporting responsibility – Internal audit: monitor and assess controls for the Board – Regulatory and/or exchange listing officials – Investors / owners (current or potential) • Blockholder (insider) governance systems common in the region result in the same people having overlapping roles, assuring involvement in financial reporting and controls • Minority investor interests Governance Reporting • All governance systems require some level of reporting on internal control and risk management practices – Existence of a system of internal controls and risk management – Results of annual review of effectiveness of internal controls and risk management • Basic control elements • Changes in controls • Nature and extent of significant risks • Internal control failures or substantial weaknesses having a material effect on performance or financial position – Procedures followed in evaluating and managing risk and the system of controls – Need for and existence of a control or internal audit function or justification why it is not necessary