On August 6, 2018, a revised Code of Corporate Governance was released by the Monetary Authority of Singapore (MAS) and certain corporate governance practices were made mandatory for all listed companies through changes to the listing rules of the Singapore Exchange (SGX). Starting from January 1, 2019, the SGX Rulebooks for both Mainboard and Catalist companies require that all companies “must establish and maintain on an ongoing basis, an effective internal audit function that is adequately resourced and independent of the activities it audits”. This follows enhancements in the guidelines on internal audit (IA) in earlier revisions of the Code of Corporate Governance.
The IA function is a critical part of the third line of defence in a company’s internal control and risk management system. An adequately resourced IA function which is functionally independent of management and has the appropriate stature can provide independent assurance about the adequacy and effectiveness of the internal control and risk management system and help the board discharge its fiduciary responsibilities. Yet, despite its importance, IA has received far less attention from companies, investors and regulators compared to external audit.
IA TRENDS AND IMPACT
A study of SGX-listed companies by Mak Yuen Teen, Zhu Zinan and Low Chin Yang found that between 2011 and 2014, the percentage of companies that disclosed that they have an IA function increased and averaged about 92 per cent over the years. Between 26.2 and 28.5 per cent of companies that disclosed having an IA function had it in-house, while those having an outsourced IA function increased from slightly more than 65 per cent to just below 70 per cent over the years. The remaining companies did not disclose whether it was in-house or outsourced. Companies having an in-house IA function may complement it with some outsourcing in order to tap on competencies that are not available in-house.
There are pros and cons to having an in-house and outsourced IA function. At the risk of over-simplification, it involves a trade-off between specialised knowledge and independence. An in-house IA function may have better knowledge about the company but may also be more likely to be co-opted by management or assigned line or other responsibilities that are incompatible with its independent assurance role.
Outsourcing the IA function to an external service provider can enhance its independence but the service provider may lack the specialised knowledge about the company and its business.
The study found that the size of companies, measured by total assets, was the most important factor in determining whether the IA was in-house or outsourced, with smaller companies much more likely to outsource the IA.
For those that outsourced their IA function and disclosed who they outsourced to, the percentage that outsourced to accounting firms increased from two-thirds to just under 80 per cent over the four-year period. A large majority of these – around 7 out of 10 companies that outsourced their IA function – outsourced to non-Big Four accounting firms for each of the years.
The study also found that, after controlling for company and governance characteristics that affect choice of sourcing arrangement, outsourcing IA is associated with lower external audit fees. For those that outsourced IA, outsourcing to a Big 4 firm is related to lower external audit fees, compared to outsourcing to non-Big 4 firms. The findings are consistent with external auditors placing greater reliance on outsourced IA and particularly when it is outsourced to another Big 4 firm (independence rules do not allow the external auditor to provide IA services to the external audit client).
We decided to assess the state of IA practices before the new SGX rule for IA became effective on 1 January 2019.
One Mainboard-listed Singapore company in the chemical industry said in its FY2018 annual report (AR) that the Audit Committee (AC) “is of the opinion that an internal audit function is considered not necessary in the present circumstances and will review this if circumstances change”. After having been listed for more than 45 years, it seems the circumstances had yet to change. In its latest AR, it said it has engaged an external risk advisory firm on January 2019 – just in time to comply with the new rule.
Another company – an S-chip – also did not have an IA and said that it would “have one not later than 31 December 2019”, even though the SGX rules say by 1 January 2019.
One Singapore company said in its FY2015 and FY2016 ARs that it would look to engage an IA. In the FY2017 AR, it said that it had yet to appoint an IA but would do so for FY2018. In the FY2018 AR, it said that management is in the process of setting up an in-house internal audit department as of the date of this report. Its FY2019 AR and AGM have now been delayed – like its IA.
A Singapore real estate and property developer which has expanded into Cambodia combined its disclosures for the “Audit Committee”, “Internal Audit” and “Risk Management and Internal Controls” sections of its corporate governance report, and listed 13 functions of the AC that look very much like “cut and paste”, including responsibilities relating to the AC’s oversight of IA. However, there was no specific disclosure as to whether there was an IA function, whether it was in-house or out-sourced, or whether it met applicable internal auditing standards.
Speaking of “cut and paste” – or stuck in time – another company disclosed in its 2016 and 2017 ARs that the AC had reviewed the IA plan – for FY2015.
One S-chip said that it recognises the responsibility of the Board to maintain an IA function and that the AC has the responsibility to oversee the IA – but did not actually say whether there was one.
Some companies disclosed that IA was outsourced without disclosing who it was outsourced to. One Singapore company said that it outsources its IA to “external professional firms”. However, not only did it not disclose the identity of the outsourced IA, but it also gave the impression that different firms may be used. Frequent changes in the outsourced IA service provider are likely to compromise the effectiveness of the IA.
AD HOC IA
One S-chip disclosed that it did not have an “ongoing” IA function. Instead, the AC will “as and when necessary, make an assessment and then recommend to the Board the appointment of internal audit professionals… to undertake the internal audit function of the Group for the relevant financial years.” In the latest financial year, it appointed an external risk advisory firm to undertake an IA for certain business processes for its most significant operating subsidiary, after discussions with management. Interestingly, one of the external auditors’ recommendations is that the Group’s IA systems be strengthened – which is hardly surprising.
One oil and gas company with substantial business in Malaysia, and which has diversified into property construction, business and management consultancy services and agriculture management businesses, disclosed that due to “the Company’s major change in business risk profile and its diversification into new business, the Audit Chairman had recommended the internal audit function to be held back till 2019”.
IA PERSONNEL WITH CONFLICTING ROLES
One company which describes itself as a “leading supplier” of equipment and supplies to the printed circuit board (PCB) industry in Asia and which also provides other services to the PCB industry said this under its disclosure of IA: “The current size of operations of the Group does not warrant the establishment of an in-house internal audit function. As the Group has substantial operations overseas, and in particular China, the AC has instructed the CFO to review certain critical areas at the Group’s China and other overseas subsidiaries and enhance the internal controls if necessary.”
It went on to say: “The AC has considered and determined that the CFO was independent and competent to carry out the review of the activities… The findings and recommendations arising from these reviews and testings were discussed with Management and presented to the AC and the Board.”
Another company said it has an in-house IA team which “comprises personnel of the Company’s HR & Admin team” and that “the AC is of the view that such an arrangement would ensure that that internal audit function would have appropriate standing within the company”.
One mining S-chip said it did not engage any internal auditors for the most recent financial year and that “the Group’s accounts department handles the internal audit function to review the internal controls, risk management and compliance systems…” It said that it will outsource its IA function to an external consultancy firm “as and when needed”.
In a recent article on Hyflux written by the first author, it was mentioned that BDO Raffles was providing IA services to the company at least from FY2005 to FY2008, while its then partner, Lee Joo Hai, was chairing the company’s AC. Since the AC is supposed to oversee IA, there was clearly a self-review threat.
Hyflux subsequently moved its IA function in-house. However, during the period from May 2013 to December 2015 when its non-executive director Gary Kee was re-designated to executive director, he had responsibilities for Corporate Finance, Information Technology, IA and Corporate Marketing functions. This may raise doubts about the independence of the IA function during that period, given that he was overseeing various support functions that IA would be expected to review as part of its work. Even if he did not hold the IA and other roles concurrently, these multiple roles were held over a relatively short period of time. A LinkedIn search indicates that a Head of IA was appointed in May 2015.
We also observed that a number of external IA service providers may be providing other services to companies that may lead to threats to the independence of the IA. While IA may provide certain advisory services without compromising its independence, it is a fine line. External service providers must push back if their clients ask them to provide other services that compromise the independence of the IA.
One company disclosed that the risk management advisory affiliate of a mid-tier accounting firm undertaking its IA “has also been commissioned to assist Management in the Group’s enterprise risk management (ERM)… to complement the Group’s existing internal audit plan and thereafter to follow up with the annual Control Self Assessment… based on the risks identified from the ERM exercise”. There is a danger in such cases of the IA crossing into management functions, giving rise to self-review threats.
Another company with significant operations in Malaysia engaged the advisory services of a Big Four accounting firm there to undertake its IA. It also disclosed that the ERM programme was developed with assistance of the IA. Again, there is a question about the extent and nature of the IA involvement in the ERM initiative.
The self-review threat was even more evident for another S-chip based on its disclosures. It said that it had engaged the consulting affiliate of a mid-tier accounting firm “which meets the standards set by internationally recognised professional bodies including the Standards for the Professional Practice of Internal Auditing set by the Institute of Internal Auditors, to conduct an internal audit of the Company as well as to implement enterprise risk management (ERM) initiatives within the Group…” Our view is that engaging the same firm to implement ERM will not be in compliance with the very standards that the company claims the IA complied with. ERM implementation is a responsibility of management and others with risk responsibilities and ERM implementation should be integrated with the company’s strategy and operations. Having an external service provider “implement ERM” would also likely suggest a “desktop” ERM implementation that adds little value.
MORE TRANSPARENCY AND SUBSTANCE NEEDED
It is hardly surprising that most of the companies mentioned above have poor corporate governance and/or are struggling financially.
While making IA mandatory for listed companies is a step in the right direction, how the new rule is implemented is critical. Investors may be misled if companies pay lip service to the new rule. ACs and boards need to recognise the value of a robust IA function.
SGX should ensure that companies provide enough information on their IA function, including whether it is in-house or out-sourced, and if out-sourced, to which firm. Consideration should be given to requiring disclosure of the resources dedicated to IA, including fees paid to external service providers in the case of outsourced IA – as is required by Bursa Malaysia. This will help investors assess whether the IA is more form than substance.
SGX also needs to ensure that the IA is not only actually in place, but that it is maintained on an “ongoing basis”, is “effective”, “adequately resourced” and “independent of the activities it audits” as required by its new rule. Our review of existing IA arrangements, which is by no means exhaustive, suggests that this has not been the case in a number of companies.
- Mak Yuen Teen is an associate professor of accounting at the National University of Singapore who specialises in corporate governance; Zhu Zinan is a senior lecturer of accounting at the Nanyang Technological University; and Chew Yi Hong is an active investor and researcher in corporate governance.