As President of the Securities Investors Association (Singapore), Mr David Gerald has been an outspoken voice on investor-related issues since 1999. Delivering the opening address at the Institute of Internal Auditors (IIA) Singapore Conference 2013 on 5 September, he urged that the internal audit function be strengthened via a series of game-changing measures. The text of his speech follows.
The recent global financial crisis exposed a number of governance weaknesses that resulted in firms’ failure to understand the risks they were taking. In the wake of the crisis, numerous reports painted a fairly bleak picture of risk governance frameworks at financial institutions.
If we allow the risk management and internal controls to fail in listed companies, we allow the wrongdoers of at-risk companies to plunder the hard-earned life savings of the ordinary citizens. Even as the company’s business is in the process of collapsing, the Board and the Audit Committee are not kept in the know or are even wilfully deceived by the wrongdoers.
Singapore too has had its fair share of corporate scandals and our citizens have been victimised. China Aviation Oil, Citiraya, Sino-Environment and Ferro China are but some of the local corporate scandals. In the face of miscreant management or Directors, the ordinary citizens are helpless; they cannot stop the wrongdoing or seek recourse. There is no scandal insurance, unfortunately. Who then will be the white knight for them?
Since the financial crisis, many jurisdictions have made regulatory changes to enhance supervisory oversight of risk management and internal controls. In Singapore too, the regulators have risen to the challenge by enhancing the rules that govern the responsibilities of risk management. The recent SGX Listing Rule 1207 (10) and Principle 11 of the revised Singapore Code of Corporate Governance issued in May 2012 have created a greater awareness for the responsibilities of Directors and the senior management.
Since the financial crisis, many jurisdictions have made regulatory changes to enhance supervisory oversight of risk management and internal controls. In Singapore too, the regulators have risen to the challenge by enhancing the rules that govern the responsibilities of risk management.
With these new rules, the Board’s responsibility over risk management has become more explicit now. The amendments to the listing rules now require the Board to provide an opinion on the adequacy of internal controls, addressing financial, operational and compliance risks of their companies. The Board can no longer make a cursory comment on the internal controls for the business operations as a whole without specifying the assessment basis, or the key weakness areas.
Principle 11 of the Code goes further and states: “The Board is responsible for the governance of risk. The Board should ensure that Management maintains a sound system of risk management and internal controls to safeguard shareholders’ interests and the company’s assets, and should determine the nature and extent of the significant risks which the Board is willing to take in achieving its strategic objectives.”
Therefore, in the event of a scandal, neither the senior management nor the Board can claim ignorance and throw the blame onto other parties. So it is in their best interest to absolutely ensure that scandals do not occur during their watch.
Can they do it their own? Are they willing to take the risk of going it alone?
The internal audit function is now emerging as an important safeguard for the Board, senior management and the investors
The role of an internal auditor is now becoming more important with the recent implementation of the SGX Listing Rule 1207 (10). In providing this opinion, the Board and the Audit Committee are required to demonstrate that they have rigorously assessed the internal controls in relation to all three areas of risks, namely financial, operational and compliance. Due to this, management, line departments and external auditors are involved in providing Board assurance on adequacy of controls and thus complying with the listing requirement.
Whilst most corporate leaders are honourable and can be trusted, there will always be a few who, due to greed or selfish motives, cause losses to investors. Investors, therefore, need someone within the organisation to be their eyes and ears. They need the comfort of knowing that a professionally-trained person is in the organisation full-time to point out any wrongdoing or give early warning signal to the CEO and/or the Chairman of Audit Committee.
Most companies that believe in good corporate governance have full-time internal audit function. Indeed the Singapore Code of Corporate Governance, Principle 13, calls for a company to establish an effective internal audit function that is adequately resourced and independent of the activities that it audits, but it does not prescribe for a full-time internal auditor.
Whilst the shareholders get to see the CEO, the CFO and the Directors, they never get to meet or see the internal auditor, who is the conscience of the organisation. Given his importance, should he not have a seat at the table? Why is he hidden, unlike the external auditors?
Whilst the shareholders get to see the CEO, the CFO and the Directors, they never get to meet or see the internal auditor, who is the conscience of the organisation. Given his importance, should he not have a seat at the table? Why is he hidden, unlike the external auditors?
It is now timely that the Chief Audit Executive (CAE) is given the same importance as CEO or CFO in the organisation. The appointment or resignation of these officials is required to be disclosed. Should it not also be a requirement for the disclosure of the appointment or resignation of the CAE? After all, it is a requirement for all financial institutions to disclose of appointment and resignation of CAE. So why don’t all listed companies be required to disclose on the SGXNet?
Between the line departments and internal audit, which function is apt to provide independent and objective views to management and the Board, and has the skill-set and competencies to provide the assurance that the Listing Rule calls for? Naturally, internal auditors should be foremost on the Board’s and management’s mind.
Is this the case? Stakeholders and shareholders may not be fully aware that management and Boards could or would rely on internal auditors in addition to the external auditors and line departments to play a crucial role in protecting the organisation’s interest, leading to maximisation of share value as well as supporting creation of value. The internal auditor’s value is his independence and objectivity in providing assurance to stakeholders that an independent party is guarding their interest in their investments.
The internal auditor’s value is his independence and objectivity in providing assurance to stakeholders that an independent party is guarding their interest in their investments.
Given the complex business environment and stakeholders’ expectations these days, would it not be prudent to have an additional layer of check and balance within the organisation? Especially when the public funds are solicited, should it not be the concern of the organisation as a whole, that strict internal oversight would provide the advantage that is currently missing in many listed companies.
Right now, slightly over half of the listed companies (51%) have internal audit functions that are in-house, according to the SAC and KPMG internal audit survey 2013; I strongly believe that every listed company should have, at least one full-time internal auditor who would report directly to the Audit Committee Chairman. The internal auditor, with his independence, will be in a position to help safeguard shareholder investments and give the senior management and the Board members peace of mind as well.
I’m not alone in this call. Recently, a panel discussion on the internal audit function reported in The Business Times (1 August 2013) highlighting the call by a former CFO, with 15 years of experience, and currently a Board Director, saying: “The internal audit function has become tremendously important… because business nowadays is so complex. A good board will require an internal auditor, whatever the circumstances… I sit on boards, and I always rely on the internal auditor. I hear what they tell (and) I use that to corroborate and check against what the management tells me.”
With the growing demands made on directors and senior management, it is only natural that they would be looking for assurance within the organisation. They will turn more to the internal auditor, especially for compliance with the aforesaid new listing rule. This rule is an important development and it underpins the importance of the role of internal audit function. We need to break barriers and build bridges to move forward. It is our hope that listed companies will move towards establishing full-time internal audit function.
With the growing demands made on directors and senior management, it is only natural that they would be looking for assurance within the organisation. They will turn more to the internal auditor, especially for compliance with the aforesaid new listing rule.
Whilst larger companies have the resources and the means to establish an in-house internal audit department, a significant number of companies outsource this function. Whilst I’m not advocating that external auditors cannot effectively function as internal auditors, it must be accepted that there is an advantage in having a full-time internal auditor to provide eyes and ears for the comfort of all stakeholders. It is, therefore, our position that all listed companies should have internal audit function.
I’m confident that this call by investors will reach the ears of the regulators. Should this happen, we believe more investments will flow into our companies and, consequently, benefit our capital markets. This will assist Singapore in its aspiration to be the leading financial hub in Asia.
An internal audit function is currently not required by law in most parts of the world. Many companies do not appoint a full-time internal auditor because of the ignorance of the significance of having one, or of the cost of doing so. That is a mistake because whilst appointing a full-time internal auditor can be costly, scandals are even more costly. Companies spend millions of dollars in professional fees after a scandal in putting things right with their damaged reputations.
It is disturbing to note that one-third of the listed companies still do not have internal audit function, according to a study by Singapore Management University (SMU). Directors in these companies will be hard put to discharge the duties of care as required under the Listing Rule 1207 and Principle 11 of the Code, if they opine that internal controls are adequate and effective relying on management and not on internal audit function. It would be an uninformed opinion. I urge all directors not to take up positions on boards that do not have an effective and independent internal audit function.
It is disturbing to note that one-third of the listed companies still do not have internal audit function… I urge all directors not to take up positions on boards that do not have an effective and independent internal audit function.
Frederick D Lipman and L Keith Lipman in Corporate Governance Best Practices suggest perhaps management should look at internal audit as a substitute for scandal insurance. “If scandal insurance were available (which it is not), many companies would purchase it if the premium cost were reasonable. Internal audit cost should be viewed as a form of insurance. In fact, effective internal auditing, both operational and strategic, can save the company enormous amount of money in uncovering duplication, waste, errors and wrongdoing in the company.”
Another area where the role of internal audit is crucial is the area of compliance. Non-compliance with law can lead to serious consequences for the senior management and directors.
Are we asking too much from the internal auditor? In the recent SAC and KPMG internal audit survey 2013, 62% of senior managers indicated that the internal audit budget is currently smaller than the external audit budget despite both having the same role, scope and responsibilities. For the internal auditor to succeed as the third line of defence and go beyond being a mere rubber stamp, to genuinely add value to stakeholders, listed companies must furnish them with adequate resources; or else they are set up for failure. At the minimum, every listed company should have at least one full-time internal auditor and should be provided with sufficient resources to carry out his terms of reference.
For the internal auditor to succeed as the third line of defence and go beyond being a mere rubber stamp, to genuinely add value to stakeholders, listed companies must furnish them with adequate resources; or else they are set up for failure.
In view of the above, shareholders will be further assured if the Board of listed companies could report in their annual reports that they have, in fact, integrated the independent report on the adequacy of internal controls addressing operations, compliance and financials by the internal auditor in its corporate governance section of their report.
Some of the listed organisations that have full-time internal audit function have done well in corporate governance. And companies who won the Corporate Governance Awards and the Internal Audit Excellence Awards are testimony to these! We know there are costs of setting up internal audit units but from their roles, we know companies will benefit from it.
However, the fact that a company has full-time internal audit may not necessarily mean that there will never be a lapse in governance. A fine example is the WorldCom debacle, where, the senior management, including the CFO and the CEO were able to side-step the internal audit department, causing tremendous losses to shareholders. They were able to do this because the internal audit department was required to report to senior management and not to the Audit Committee and also because their scope was limited to non-financial audits. What then must happen to avoid that situation?
The internal auditor must be fully independent, objective and report directly to the Audit Committee Chairman. He or she must not be interfered with by management, which occurred at WorldCom. The internal auditor must be brave and be prepared to blow the whistle, like, Cynthia Cooper in WorldCom.
Cynthia Cooper defied management in favour of personal integrity to report WorldCom management’s misdeeds to the police. In other words, she did not compromise her good conscience or integrity for career gains. She did not collude with the management as it happened in the case of Olympus, where the internal auditor ended up in jail for doing just that. I believe every internal auditor should embody the values of Cynthia Cooper and all stakeholders will have the peace of mind. Enlightened CEOs would see such internal auditors as their eyes and ears, and as an advantage to his own position in the company. After all, when a scandal occurs, the CEO is usually the first in the firing line.
On our part, SIAS is committed to increasing the understanding of the role of internal audit among investors. We have put up on our website the “Questions for Shareholders to ask at AGMs” regarding the internal audit function. The questions are drawn from relevant guidelines from the Singapore Code of Corporate Governance and the Guidebook for Audit Committees in Singapore.
In addition, together with IIA and SMU, we confer the Internal Audit Excellence Award to company and the individual with the best internal audit practices and qualities. We aim to raise the level of professionalism and encourage companies to have in place effective internal audit functions.
In conclusion, it is in the interest of all listed companies, Boards, senior management and shareholders to have full-time internal audit function. The internal auditor’s position must be elevated to be of significant importance ensuring his independence to be effective. The appointment or resignation of the CAE must be disclosed on the SGXNet. #
You might also like:
Growth, productivity, talent >>
CDAS and beyond >>
IA as a trusted and respected partner >>
Seeking the high ground >>
Champions of change >>
The value of high-quality IA >>
A responsibility supreme >>