a new decree on internal audit – towards international ... · roles and responsibilities of bod...
TRANSCRIPT
PwC Vietnam NewsBrief
2019
www.pwc.com/vn
A new decree on Internal Audit –Towards international best practices
PwC 2
Introduction
Objective
1 Key points about
Decree
05/2019/NĐ-CP
2 Key challenges
imposed by the new
Decree
3 PwC’s points of
view about the new
Decree in the
media
4 Contact us
Hoang HungPwC Partner
Mr. Hoang Hung took the role of an international expert in
the project to establish the legal framework for IA in
Vietnam. This project was led by the Ministry of Finance
(MoF), and funded by the World Bank. During 2015 –
2018, Hung worked with the MoF and other experts to
conduct as-is assessment of IA in Vietnam; provide
technical input; organize workshops to consult and
elaborate on the content of the draft decree; develop the
IA handbook with implementing guidance; translate the
international IA standards into Vietnamese; and organize
seminars to introduce the decree and handbook. Hung will
continue to collaborate with related parties to support the
implementation and strengthening of IA activities at
different target groups of the decree.
BoD: Board of Directors
BoM: Board of Management
BoS: Board of Supervision
IA: Internal Audit
MoF: Ministry of Finance
VND: Vietnamese Dong
Abbreviations
This newsbrief is to update you about the main content of
Decree No.5/2019/ND-CP on Internal Audit (IA) and to
share our points of view about the key challenges
imposed by this new regulation that enterprises should be
aware of to better prepare for the establishment of their IA
function and implementation of IA activities.
Content
PwC 3
Introduction to the DecreeDecree No.05/2019/ND-CP provides a legal framework for the establishment and
implementation of IA, as well as roles and responsibilities of the IA function and other related
stakeholders. The requirements in this regulation are set to reach international best practices on
IA, enhancing the transparency of information in the marketplace and the efficiency and
effectiveness of corporate governance.
The scope and objective of IA
Performs independent reviews, assessments and consultancy in the following areas:
The internal control system of the organization is operated appropriately to address risks.
Accomplishment of operational objectives, plans and strategies of the organization.
The corporate governance and risk management processes of the organization are highly
effective and efficient.
01
02
03
Effective date
This Decree shall come into effect on April 1, 2019;
Within 24 months from the effective date, the target groups of this Decree must complete
necessary preparation tasks and be ready for the implementation of IA in accordance with
this Decree.
Target groups of the Decree
People’s Committees of centrally-affiliated cities and provinces, their specialized departments and
affiliated public service units;
Ministries, Ministry-level bodies, Governmental agencies;
State-owned public service units covering recurrent and capital expenditures on their own, and
those covering recurrent expenditures on their own, which set aside at least Vietnamese Dong
(VND) 20 billion per year for the total fund of wages, salaries, allowances and other salary-based
contributions, or hire at least 200 employees;
Enterprises including: Listed companies; Enterprises with 50% of their charter capital held by the
State, which are parent companies operating in a parent-subsidiary business model; and State
enterprises which are parent companies operating in a parent-subsidiary business model;
Organizations and individuals conducting IA activities.
PwC 4
Key challenges imposed by the requirements in the Decree
The Decree prescribes the IA carried out by state regulatory
authorities, state-owned public service units and enterprises.
Enterprises should be clear whether IA should be formed as a
function or a department; and the position of IA in the organization
structure.
The independence of IA can be represented when the following
matters are clearly defined in the IA charter and policy:
The Governance structure of the enterprise and the position of IA
within such Governance structure;
IA Reporting mechanism to the Board of Directors (BoD)/Board of
Supervision (BoS) and Board of Management (BoM);
The appointment and remuneration of the Internal Auditor – the
Head of Internal Audit should not be under the BoM’s authority;
The Internal Auditors must be independent, objective, and have no
conflict of interest with the assigned audit tasks.
The principle of the
Independence of IA
(Article 5. Fundamental
principles of IA; Article 6.
Requirements for assuring
compliance with
fundamental principles of IA)
Enterprises maintaining a BoS function as per Enterprise Law need
to clearly define:
Roles and responsibilities between the BoD and BoS on IA;
IA reporting mechanism to BoD vs. to BoS;
The differences between the BoS and Audit Committee.
Enterprises should assess which organization model could best
fit with the company’s operation and prepare for the Audit
Committee transformation if required.
Internal Audit
Roles and
responsibilities
of BoD on IA
(Article 26. Responsibilities
of BoD)
IA roles to provide
consultancy services
when required
(Article 20. Duties of IA
departments)
When IA is required to provide consultation, recommendations for
improvement and remediation of errors, enterprises should pay
attention to the requirements to ensure the independence and
objectivity of internal auditors for conducting audit tasks afterwards.
The roles of IA when providing assurance services and consultation
services should be clearly defined in the IA charter and IA strategy.
PwC 5
The Decree provides basic eligibility standards for Internal Auditors
such as: having three to five years experience, acquiring general
knowledge and understanding about laws and business operations of
audited units; and having competence in analysing data, knowledge
and skills related to IA. Enterprises should pay attention to
recruitment and capacity building for the IA department.
To meet the IA objective in assessing and reviewing the Internal
Control system, Governance and Risk Management, Internal Auditors
should acquire knowledge and understanding about these areas,
about IT audit and industry operations. If the IA department does not
have sufficient resources with the required knowledge and
experience, enterprises can consider outsourcing and/or co-sourcing
IA with a professional firm.
To develop the risk-based approach for IA, enterprises should:
Provide training on risk identification and assessment
methodology, and the risk management framework;
Develop the risk management strategy aligned with the business
strategy;
Build the risk universe for the enterprise and conduct periodic risk
assessment;
Collaborate between Risk Management and IA;
Develop the IA strategy, IA annual plan and IA program based on
the company’s risk management strategy and risk universe.
IA “risk-based approach”
(Article 13. IA approaches)
Internal Auditor
competency and
experience
(Article 11. Eligibility
standards of internal
auditors)
Article 23 sets the key rights and responsibilities of the Head of IA.
The Decree do not have specific requirements about competency
and skills of the Head of IA. Enterprises should clearly define the
criteria for competence, expertise and skills when developing the job
description and recruiting the Head of IA in accordance with the
characteristics and requirements of the business.
The Head of IA
(Article 24. Rights and
responsibilities of the
Head of IA)
The rights of IA
(Articles 22, 23 and 24,
The rights of IA
departments, Internal
Auditors and Head of IA)
The Decree highlights the importance of setting the rights of the IA
department and Internal Auditors, particularly the rights to have
unlimited access to the audited units to perform audit tasks. To meet
these requirements:
The rights of the IA department should be clearly defined in the IA
charter;
The IA department and Internal Auditors need support from the
BoD, BoM and related stakeholders in performing audit tasks;
Communications about the rights of IA should be circulated within
the organization, and sanction for obstructing IA activities should
be considered.
Key challenges imposed by the requirements in the Decree (cont.)
PwC 6
As stipulated in the Decree, the MoF is responsible for adopting
regulations on application of IA standards and ethics; and enterprises
are encouraged to adopt international IA standards if these practices
are not contradictory to the provisions of this Decree and other
legislative documents.
Though no specific standards are required to be followed, enterprises
should start to study international best practices.
As stipulated in the Decree, enterprises are required to carry out the
internal assessment of IA activities, including the self-assessment of
IA activities after completion of an IA, and the annual self-assessment.
Enterprises should identify the assessment content and develop
criteria for assessment. As a common practice, the assessment
content and criteria refer to international standards.
There is no obligation to have independent assessment by a third
party. However, enterprises can consider obtaining support from a
professional firm to conduct or develop criteria for the assessment.
Quality Assurance
(Article 19. Assurance of
quality of IA activities)
The application of IA
standards and ethics
(Article 12. IA rules and
processes and Article 29.
State management of IA)
Article 12 regulates the main steps in the IA process and requests
enterprises to develop their own detailed procedures that are aligned
with the business characteristics. This requires the IA department to
have understanding about the business vision, mission, core values
and operation strategy.
Currently, there is no detailed guidance to develop an annual IA plan,
execute IA engagement and IA reporting. Enterprises should
understand the Decree and refer to the best practices when
elaborating the IA manual, in order to provide detailed guidance to
internal auditors in the implementation of IA in accordance with the
regulations.
IA execution and
reporting
(Article 12. IA rules
and processes; Article
16. Audit report)
Resources for IA
(Article 26.
Responsibilities of the
BoD)
Article 26 sets out the responsibilities of the BoD to provide necessary
resources for IA departments. The resources include:
Human resources: actively recruit, train and mobilize staff to have
sufficient competency, knowledge and skills to conduct IA,
including IT audit;
Finance: IA has sufficient budget to carry out the work and
maintain sufficient staffing or collaboration with professional
consultancy firms.
The mobilization and development of resources for IA should be
specified in the IA strategy.
Key challenges imposed by the requirements in the Decree (cont.)
Contact usThis publication has been prepared for general guidance on matters of interest only, and
does not constitute professional advice. For further information, please contact us.
Pham Thi Minh Huong
Senior Manager
T: +84 24 3946 2246 (Ext: 3315)
M: +84 917 81 7188
Email: [email protected]
Hoang Hung
Partner
T: +84 24 3946 2246 (Ext: 4555)
M: +84 904 688 998
Email: [email protected]
PwC Vietnam helps organisations and individuals create the value they’re looking for. We’re a member of the PwC network of firms in 158 countries with more than 250,000
people. We are committed to delivering quality in assurance, tax, legal and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/vn.
© 2019 PwC (Vietnam) Ltd. All rights reserved. PwC refers to the Vietnam member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal
entity. Please see www.pwc.com/structure for further details.
facebook.com/pwcvietnam youtube.com/pwcvietnam
www.pwc.com/vn
linked.com/company/pwc-vietnam
PwC’s points of view about Decree No.05 in the media (in Vietnamese)
Decree 05 on Internal
Audit: Fostering
transparent governance
(Source: Thời báo Tài
chính Việt Nam)
A new driving force for
enhancing corporate
governance
(Source: Đầu tư Chứng
khoán)
PwC: Decree 05 – a new
driving force for
enhancing transparency
in corporate governance
(Source: CafeF)