effective internal control in ensuring good governance audit 2017/mr. hazimi kassim.pdf ·...

Effective Internal Control in Ensuring Good Governance

COSO’s five components of internal control and questions for basis of audit assessment

Hazimi Kassim
President, Institute of Internal Auditors Malaysia
Group Chief Internal Auditor, Telekom Malaysia Berhad

24 October 2017

Strong Governance is always Supported by Strong and Effective Internal Control Systems.

Governance in Corporate/Private Sector

Malaysian Code of Corporate Governance

Key features of the new approach

• Updated in 2017, with a new approach to promote greater internalisation of corporate governance culture.

• Reflects global principles and internationally recognised practices that are above and beyond the minimum required by statute, regulations or Bursa.

• Permits a constructive and flexible response to raise standards of corporate governance.

• Recognises self-regulation and the opportunity to explain any inability to comply.

Corporate Governance Definition

The process and structure used to direct and manage the business and affairs of the company towards promoting business prosperity and corporate accountability with the ultimate objective of realising long-term shareholder value while taking into account the interest of other stakeholders.

Source: Malaysian Code of Corporate Governance 2017

Why Governance Matters?

Long Term Value, Sustainability, Ethical Behaviour

• Provides a framework of control mechanisms that support the company in achieving its goals, while preventing unwanted conflicts.

• Identifies the distribution of rights and responsibilities among different participants in the company and outlines, among others, the rules and procedures for decision-making, internal control and risk management.

• Balances shareholder interests with the needs of other stakeholders such as employees, customers, suppliers, society and the communities in which the companies conduct their business.

Structure of MCCG

3 key principles of good corporate governance

• Board leadership and effectiveness;

• Effective audit and risk management; and

• Integrity in corporate reporting and meaningful relationship with stakeholders.


“Doing the Right Things, Right, in the Right Way.”

Tan Sri Azman Mokhtar, Khazanah Nasional’s Managing Director.

• choosing the appropriate mandate and objective;

• executing it in the most efficient manner;

• doing things with the proper ethical and governance considerations.

Source: http://www.kmf.com.my

General Governance Structure – 3 Lines of Defense


Responsibility for Corporate Governance

The primary responsibility rests with the governing body and management.

Management’s responsibilities:

• Creating a strong Corporate Governance environment,

• Ensuring management of risks and implementation of systems of internal control, and

• Taking appropriate actions and ensuring effective and efficient control systems.

The Governing Body is responsible for:

• ensuring that management is carrying out the implementation of risk and internal control systems,

• understanding the environment to determine if management can override or influence the controls in place.

Source: International Auditing Standard

Governance in Public Sector

Governance in Malaysian Public Sector

Constitution, Statutes, Legislation, Regulations, Guidelines, Circulars, Agreements, etc.

Governance in Public Sector – Best Practices

Relationships between the Principles for Good Governance in the Public Sector

Governance comprises the arrangements put in place to ensure that the intended outcomes for stakeholders are defined and achieved.

[Figure: Relationships between the Principles for Good Governance in the Public Sector; label: Acting in the Public Interest, A & B]

Source: International Framework for Good Governance in the Public Sector, developed jointly by the Chartered Institute of Public Finance and Accountancy (CIPFA) and the International Federation of Accountants® (IFAC®).

International Professional Practices Framework (IPPF)

The Framework for IA Effectiveness

Core Principles that every internal auditor must meet

• Demonstrates integrity.

• Demonstrates competence and due professional care.

• Objective and free from undue influence (independent).

• Aligns with the strategies, objectives, and risks of the organization.

• Appropriately positioned and adequately resourced.

• Demonstrates quality and continuous improvement.

• Communicates effectively.

• Provides risk-based assurance.

• Insightful, proactive, and future-focused.

• Promotes organizational improvement.

New Mission

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Internal Control Framework as a Tool

Where do Internal Controls sit in Overall Governance?

[Figure labels: Governance; Enterprise Risk Management; Internal Control]

Why do we need an Internal Control Framework?

An Internal Control Framework is required because it:

• Enables organizations to effectively and efficiently develop and maintain systems of internal control that are agile to changes in the business and operating environments.

• Guides the designing, implementing, and conducting of internal control and the assessing of its effectiveness.

• Emphasizes the importance of management judgment in designing, implementing, and conducting internal control.

• Assists stakeholders interacting with the entity in their respective duties regarding internal control without being overly prescriptive.

Strong Governance is always supported by strong and effective Internal Control Systems.

What is COSO? It’s an Internal Control Framework

What is COSO? Committee of Sponsoring Organizations of the Treadway Commission

The National Commission on Fraudulent Financial Reporting, formed with James C. Treadway, Jr., former SEC Commissioner and General Counsel, Paine Webber, as its Chairman and becoming known as the “Treadway Commission”, a private-sector initiative, was formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.

Source: SEC historical.

Private Sector initiative established in 1985 by five financial professional associations:

• The Institute of Internal Auditors

• American Accounting Association

• Institute of Management Accountants

• Financial Executives Institute

• American Institute of Certified Public Accountants

COSO Mission

“To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”

Why was COSO introduced?

COSO’s goal is “to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.”

COSO’s Fundamental Principle

Good risk management and internal control are necessary for the long-term success of all organizations.

Evolution of COSO


Internal Control-Integrated Framework (2013 Edition)

Consists of 3 Volumes:

• Executive Summary

• Framework and Appendices

• Illustrative Tools for Assessing Effectiveness of a System of Internal Control

Sets out:

• Definition of internal control

• Categories of objectives

• Components and principles of internal control

• Requirements for effectiveness

What Drives the Change?

Since the inception of the original Framework:

• Business has changed dramatically: increasingly global, more complex, driven by technology.

• Investors are more engaged, seeking greater transparency.

• Demand greater accountability for the integrity of internal control systems that support organizations’ operations, governance and external communications.

• Regulatory regimes have expanded: additional forms of external reporting are emerging.

• The COSO Board decided to update the original Framework to make it more relevant to investors and other stakeholders.

COSO 2013 Framework – Summary of Changes

COSO Internal Control

Core definition of internal control

Internal control is a process effected by the entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to:

• Operations

• Reporting

• Compliance

Components represent the rows.

Objectives represent the columns.

Objectives may be set at the entity, division, operating unit or functional levels.

Concepts from COSO Definition

• Internal control is a process. It is a means to an end, not an end in itself.

• Internal control depends on people. It is not just policy manuals and forms, but people at every level of an organization.

• Internal control only provides reasonable assurance – not absolute assurance.

• Internal control objectives may address single or overlapping categories of internal control components.


1992 vs. 2013 Framework

[Figure: comparison of the 1992 Framework and the 2013 Framework; labels: 5 Components, 17 Principles, 82 Points of Focus]

Components and principles

Under the 2013 COSO Framework, effective internal control requires the following:

• Each of the 5 components and 17 principles must be present and functioning.

• The 5 components must operate together in an integrated manner to reduce risks to an acceptable level.

• All 77 points of focus are considered, but are not required to be present.

[Figure: Components, Principles and Points of Focus. Points of focus per principle, one group per component: 4, 4, 3, 4, 5 | 5, 5, 4, 3 | 6, 4, 6 | 5, 4, 5 | 7, 3]

How COSO Can Help


Relationship of ERM Components to Contextual Business Model

Source: How the COSO Frameworks Can Help? By James DeLoach & Jeff Thomson CMA, CA

Relationship of Internal Control Components to Contextual Business Model

Source: How the COSO Frameworks Can Help? By James DeLoach & Jeff Thomson CMA, CA

INTOSAI 9100

• Evaluating internal control is a generally accepted field standard in government auditing; auditors can use the guidelines as an audit tool.

• The guidelines for internal control standards comprising the COSO Framework can therefore be used:

  – by government management to design a solid internal control framework for their organisation, and

  – by auditors as a tool to assess internal control.

• However, these guidelines are not intended as a substitute for INTOSAI Auditing Standards or other relevant auditing standards.

What Does the Updated Guidance Mean to Internal Auditor?

What Does the Updated Guidance Mean to IA?

1. Reporting Objective

2. Supplemental Guidance for Internal Control Over Financial Reporting.

3. Increased emphasis on Compliance and Operational Objectives.

4. Full Adoption of a principle and points of focus (attributes) approach.

5. More Explicit Evaluation Criteria


What Does the Updated Guidance Mean to IA?

6. Must Consider Fraud Risk

7. IT reinforced in a new principle. Recognizes expanded organizational relationship

8. Updating of Governance Concepts

9. More Effective Monitoring

10. Higher Expectation of Knowledgeable IA Personnel

Assessment Criteria

Each of the Five COSO Components and its related 17 Principles must be “present and functioning”

• Are they present?

The components and relevant principles exist in the design and implementation of the system of internal control (“Design”)

• Are they functioning?

The components and relevant principles continue to exist in the conduct of the system of internal control (“Operating Effectiveness”)

Assessment Criteria

The Five COSO Components must “operate together in an integrated manner”, collectively reducing the risk to an acceptable level.

Management can demonstrate this by showing that:

• The components are present and functioning, and

• Internal control deficiencies aggregated across components are not significant.

Governance, Risk Management and Internal Control in TM

TM has a Formal Structure to Define Roles & Accountability


TM Organising Principles

Policies in Place in TM in Supporting Transparency and Governance

Policies shown (this list is non-exhaustive):

• TM Fraud Policy

• IT Security Policy

• Internal Control Policy

• Risk Management Policy

• Policies & Procedures

• Business Policies & Governance

• Code of Business Ethics

• Procurement Ethics Rules & Practices

• Integrity Pledge

• Whistle Blowing Policy

• Integrity Pact

Scope of Policy: The policy applies to any irregularity, or suspected irregularity, involving employees as well as shareholders, consultants, vendors, contractors, outside agencies doing business with employees of such agencies, etc.

The Code sets forth the standards that guide our every action at TM and its Group of Companies, and applies to the BOD, Management, Employees and all representatives of the Company.

A commitment to uphold the Anti-Corruption Principles.

Whistle Blowing Policy: The BOD & Management are committed to an internal whistle-blowing program by introducing a safe and acceptable platform for Employees to channel concerns about illegal, unethical or improper business conduct affecting the Company and about business improvement opportunities.

Integrity Pact: To enhance transparency in the TM Procurement approach, which will reduce and eradicate corrupt practices.

Integrity Pledge

TM declares that: “it will not commit corrupt acts”, will work toward creating a business environment that is free from corruption and will uphold the Anti-Corruption Principles for Corporations in Malaysia in the conduct of its business and in its interactions with its business partners and the Government.

Risk Management and Internal Control Policy

CEO and the Management is accountable

Procurement Ethics….

Objectives of TM Integrity Pact

• To avoid bidders from offering or giving bribes;

• To avoid TM employees from receiving bribes;

• To require bidders to report any bribery/act of corruption to the authorities;

• To prohibit unauthorized use of TM’s proprietary information by employees and suppliers … and ensure TM will not incur unnecessary costs in carrying out TM procurement.

Governance & Integrity Policies in TM

Address these issues:

• TM has comprehensive Governance & Integrity Policies.

• Awareness and internalization of the principles are lacking.

• Resulting in procedural and KPI/Results driven, governance secondary.

• People will naturally take advantage when monitoring, performance and consequence management are below the desired optimal level.

Corporate Gov Score: 2012 - 81.5 moved to 2017 - 110.56 (by MSWG)

Awards


Page 121 of the Annual Report


Our Declaration of TM Internal Control Systems

Page 127 of the Annual Report

Statement On Risk Management & Internal Control Guideline For Directors Of Listed Issuer

• Para 26 of the guideline further describes the Management Role:

“Management is responsible for implementing the processes for identifying, evaluating, monitoring and reporting of risks and internal control, taking appropriate and timely corrective actions as needed, and for providing assurance to the board that the processes have been carried out.

In this regard, at least annually, the Board should receive assurance from the CEO and CFO on whether the company’s risk management and internal control system is operating adequately and effectively, in all material aspects, based on the risk management model adopted by the company.”

• Audit is to provide Independent Assurance to the TM Board that Management have put in place the necessary Risk Management and Internal Control Framework and Systems.

Statement of Risk Management & Internal Control 2016 Assurance Letter by Management

27 February 2017

The Board of Directors
Telekom Malaysia Berhad.

Dear Sirs

Assurance Letter from the Group Chief Executive Officer and Group Chief Financial Officer

We acknowledge that Management of TM Group is responsible for implementing the processes for identifying, evaluating, monitoring and reporting of risks and internal control, taking appropriate and timely corrective actions as needed, and for providing assurance to the board that the processes have been carried out.

The Responsibilities of the Management in respect of risk management and internal control include:

• Identify the risks relevant to the business of TM Group and the achievement of objectives and strategies;

• Design, implement and monitor the risk management framework in accordance with the TM Group’s strategic vision and overall risk appetite;

• Identify changes to risk or emerging risks including Fraud, take actions as appropriate, and promptly bring these to the attention of the Board; and

• Taking appropriate and timely corrective actions as needed.

Statement of Risk Management & Internal Control - Assurance Letter by Management to the Board

• In this regard, to the best knowledge and based on the continuous review and assessment done by the management, for the Financial Year 2015 under review that TM Group’s risk management and internal control systems are operating adequately and effectively, in all material aspects, based on the risk management model adopted by the company. There has not been any material loss, contingency or uncertainty other than those that have been recorded and disclosed in the Financial Statements of TM Group for the financial year ended 31 December 2016.

• We consider the system of risk management and internal controls described in the Directors’ Statement on Risk Management and Internal Control to be adequate and effective and the risks to be at an acceptable level within the context of the TM Group’s business environment and risk appetite set by the Board. The Management will continue to take measures to strengthen the risk management processes and internal control environment and monitor the health of the risks and internal controls framework.

• TM Group’s risk management and internal control system does not apply to its associate companies, which fall within the control of their majority shareholders. Nonetheless, TM Group’s interests are served through representation on the Board of Directors and senior management posting(s) to the associate companies as well as through the review of management accounts received. These provide the Board with performance-related information to enable informed and timely decision-making on the TM Group’s investments in such companies.

Directors Statement of Risk Management & Internal Control

Management Assurance Letter to the Board

To support the assurance that the Management is providing to the Board, the following evaluation and review processes need to be carried out:

• Evaluation and Review performed by each of the LOBs, Support Units and Subsidiary Company (CEOs, LOB & Support Heads)

• Annual Internal Control Assurance Self Assessment Survey (input from all GMs)

• Risk Management and Assessment (input from Risk Management, GBA)

• Trending of Internal Control Incident (ICI) and summary of cases reported

• Key risks findings observed during the execution of Annual Audit plan

• Investigations carried out by Corp Inv Unit

• Internal Control Health Check Report and Conclusion

To be distributed in December of the Financial Year

Assurance from the LOBs and Operations

In assessing the effectiveness of the company’s risk and internal control processes… GMs & LOBs + Support unit …..

Assessment of Internal Control based on COSO –

• Control Environment and Control Activities,

• Information and Communication and Monitoring.

• Assessment of the Risk Management Framework.

• Understanding and Communicating Risk Appetite.

The following declaration is required to be made in December 2016:

“To support the assurance that the GCEO and GCFO have to provide to the Board, I acknowledge that the evaluation and review processes have been carried out, and Risk Management and Internal Control Systems within my area of accountability, and TM’s Group as a whole, are operating adequately and effectively, in all material aspects, based on the risk management model adopted by TM Group.”

Signed by Head of All Business and Operations Units

Challenges in Implementing COSO

• Buy-in and Support from the Board and Management

• Bringing COSO Components and Principles down to Layman Level to be understood across the organisation

• Continuous Training, Knowledge Sharing and Communication

• Coordinating the Governance Work done by each of the governance units

Concluding Remarks…

Extremely Challenging, but worth the Efforts.

Thank You