This document discusses risk-based auditing and corporate governance. It covers:
- The five key elements of good corporate governance, including board practices, control environment, disclosure, and shareholder rights.
- The board's role in governing risk, including evaluating risks, crisis management, and communicating with stakeholders.
- Best practices for boards like independence, role definition, and evaluation.
- The role of the CEO and CFO in governance and required disclosures around internal controls, accounting policies, and fraud.
- How external auditors assess risk and focus their audit based on the risk of material misstatements and internal control deficiencies.
- The role of internal auditors in assisting with risk management.
1. By Huzeifa I. Unwala, FCA, CISA
Sessions on Risk-based Auditing
27 April 2013
2. 01 Linkage of Risk to Governance Processes
- Five Elements of Governance
- Board’s role in Governance of Risk
- Board Best Practices
- Role of CEO/ CFO
- Role of External Auditors in Risk Management
3. Strong Corporate Governance attracts investors/investments
Capital will flow elsewhere if:
– A country does not have a reputation for strong corporate governance practices
– Investors are not confident of the level of disclosure
– A country opts for lax accounting and reporting standards
4. Competing Tensions
“If management is about running business, governance is about seeing that it is run properly. All companies need governing as well as managing.”
Prof. Bob Tricker, 1984
(IFC, Washington)
5. Five elements of corporate governance
The five key elements of good corporate governance:
• Strong commitment to corporate governance reforms
• Good board practices
• Appropriate control environment and processes
• Strong regime of disclosure and transparency
• Protection of (minority) shareowner rights
6. How the mighty fall?
History shows, repeatedly, that the mighty can fall. The Egyptian Old Kingdom, the Chou Dynasty, the Hittite Empire—all fell. Athens fell. Rome fell. Even Britain, which stood a century before as a global superpower, saw its position erode. Is that the U.S.'s fate? Or will America always find a way to meet Lincoln's challenge to be the last best hope of Earth? – Jim Collins
• Hubris born of Success
• Undisciplined pursuit of more
• Denial of risk or peril
• Grasping for salvation
• Capitulation to irrelevance or death
7. Five elements of corporate governance
GOOD BOARD PRACTICES
• Clearly defined roles and authorities
• Duties and responsibilities of directors understood
• Board is well structured
• Appropriate composition and mix of skills
• Appropriate board procedures
• Director remuneration in line with best practice
• Board self-evaluation and training conducted
CONTROL ENVIRONMENT
• Independent audit committee established
• Risk-management framework present
• Internal control procedures
• Internal audit function
• Independent external auditor conducts audits
• Management information systems established
• Compliance function established
BOARD COMMITMENT
• The board discusses corporate governance issues and has created a corporate governance committee
• The company has a corporate governance champion
• A corporate governance improvement plan has been created
• Appropriate resources are committed
• Policies and procedures have been formalized and distributed to relevant staff
• A corporate governance code has been developed
• The company is publicly recognized as a corporate governance leader
TRANSPARENT DISCLOSURE
• Financial information disclosed
• Non-financial information disclosed
• Financials prepared according to IFRS
• High-quality annual report published
• Web-based disclosure
WELL DEFINED SHAREOWNER RIGHTS
• Minority shareowner rights are formalized
• Well-organized general assembly conducted
• Policy on related-party transactions
• Policy on extraordinary transactions
• Clearly defined and explicit dividend policy
(IFC, Washington)
8. Board’s role in governance of risk
The board should know about and evaluate the:
• Most significant risks facing the company
• Possible effects on shareowners
• Company’s management of a crisis
• Importance of stakeholder confidence in the organization
• Communications with the investment community
The board should ensure that:
• Sufficient time is devoted to discussing risk strategy
• Appropriate levels of awareness exist throughout the organization
• Risk-management processes work effectively
• A clear risk-management policy is published
• Codes of conduct are established
(IFC, Washington)
9. Context for change
• Setting up Risk Infrastructure
• Initial Buy-in
• Launch
• Integration into organisation’s culture
• Retrospect & Process Maturity
• Turning Risk into Opportunity
10. Board Best Practices
• The members need to recognize that it is not only the independence that they feel they possess but also what their conduct tells others. Members who have social relationships with the controlling shareholder or management would give out a clear signal to executives and auditors that they are not wholly independent, and that would deter the latter from freely expressing their concerns to those members.
• Scope of discussions and participation should be within the boundary of the primary role. No participation in the executive decision-making discussions.
(Nawshir Mirza)
11. Board Best Practices
“The independent audit committee fulfills a vital role in corporate governance. The audit committee can be a critical component in ensuring quality reporting and controls, as well as the proper identification and management of risk”
- Report of National Association of Corporate Directors (NACD) Blue Ribbon Commission on Audit Committees
12. Board Best Practices
“To assess the performance of an organization, it is important to assess the quality of the audit committee” – S. K. Goel, Chairman, IIFCL.
“Tough-minded audit committees represent the most reliable guardians of the public interest” – Arthur Levitt, Former SEC Chairman.
“As the proportion of independent, outside directors on a board and its oversight committees increases, the likelihood of corporate fraud decreases” – Study of US Companies published in Financial Analysts Journal.
13. Role of CEO/ CFO in Governance & Disclosures
EXISTING REQUIREMENTS OF CLAUSE 49 (V)
a. The CEO, i.e. the Managing Director or Manager appointed in terms of the Companies Act, 1956, and the CFO, i.e. the whole-time Finance Director or any other person heading the finance function discharging that function, shall certify to the Board that they have reviewed the financial statements and the cash flow statement and that these statements do not contain any materially untrue statement or omit any material fact or contain statements that might be misleading. Further, these statements together present a true and fair view of the company’s affairs and are in compliance with existing accounting standards, applicable laws and regulations. There are, to the best of their knowledge and belief, no transactions entered into by the company during the year which are fraudulent, illegal or violative of the company’s code of conduct.
b. They accept responsibility for establishing and maintaining internal controls for financial reporting, and that they have evaluated the effectiveness of the internal control systems of the company pertaining to financial reporting and have disclosed to the auditors and the Audit Committee deficiencies in the design or operation of such internal controls, if any, of which they are aware and the steps they have taken or propose to take to rectify these deficiencies.
CLAUSE 134 (5) OF THE COMPANIES BILL 2012
The Directors’ Responsibility Statement referred to in clause (c) of sub-section (3) shall state that—
(a) in the preparation of the annual accounts, the applicable accounting standards had been followed along with proper explanation relating to material departures;
(b) the directors had selected such accounting policies and applied them consistently and made judgments and estimates that are reasonable and prudent so as to give a true and fair view of the state of affairs of the company at the end of the financial year and of the profit and loss of the company for that period;
(c) the directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities;
(d) the directors had prepared the annual accounts on a going concern basis; and
(e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
SOX REQUIREMENTS
Summary of Section 302
Periodic statutory financial reports are to include certifications that:
• The signing officers have reviewed the report
• The report does not contain any material untrue statements or material omissions, and cannot be considered misleading
• The financial statements and related information fairly present the financial condition and the results in all material respects
• The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
• A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
• Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
Summary of Section 401
Financial statements published by issuers are required to be accurate and presented in a manner that does not contain incorrect statements or omit to state material information.
14. Role of CEO/ CFO in Governance & Disclosures
EXISTING REQUIREMENTS OF CLAUSE 49 (V)
c. They have indicated to the auditors and the Audit Committee:
i. significant changes in internal control over financial reporting during the year;
ii. significant changes in accounting policies during the year and that the same have been disclosed in the notes to the financial statements; and
iii. instances of significant fraud of which they have become aware and the involvement therein, if any, of the management or an employee having a significant role in the company’s internal control system over financial reporting.
CLAUSE 134 (5) OF THE COMPANIES BILL 2012
(f) the directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.
Explanation. For the purposes of this clause, the term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to the company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
SOX REQUIREMENTS
Summary of Section 401 (continued)
These financial statements shall also include all material off-balance sheet liabilities, obligations or transactions.
Summary of Section 404
Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.
The registered accounting firm shall, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting.
[IIA Bombay Chapter Research Foundation]
15. Auditors’ concerns in financial statement reporting
• Frauds
• Cash dealings, for example real estate transactions, out-of-book purchases and sales, etc.
• Adjustments in revenue and expenditure
• Adjustment of Capex to understate profits
• Related party transactions
• Valuations
A company's internal control cannot be considered effective if one or more material weaknesses exist. To form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assessment. A material weakness in internal control over financial reporting may exist even when the financial statements are not materially misstated.
16. Role of External Auditors in Risk Assessment
Risk assessment underlies the entire audit process described by this standard (AS 5), including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary for a given control.
A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's internal control over financial reporting and the amount of audit attention that should be devoted to that area. In addition, the risk that a company's internal control over financial reporting will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error. The auditor should focus more of his or her attention on the areas of highest risk. On the other hand, it is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.
The complexity of the organization, business unit, or process will play an important role in the auditor's risk assessment and the determination of the necessary procedures.