Mondo Visione Worldwide Financial Markets Intelligence
Track all markets on TradingView

FTSE Mondo Visione Exchanges Index:

BT_Radianz_468x60_Jul23

Regulator’s Column: What SGX RegCo Expects Of Issuers’ Internal Audit Function

Date 14/06/2021

COVID-19 has brought on unprecedented challenges and uncertainties for many listed issuers. Nevertheless, issuers should continue to maintain good governance practice and this must start at home, with the Internal Audit (“IA”) function.


The Institute of Internal Auditors (“The IIA”) defines IA as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

A strong IA function therefore serves as the compass to help companies stay on course even during these times.

The SGX Listing Rules also codify the establishment of an IA function, following the revision of the Code of Corporate Governance (“CG Code”) effective 1 January 2019. In addition to recognizing the value of IA in promoting governance from within the company, our rules acknowledge that IA provides an independent check and assurance on the company’s governance, risk management and control processes. 

The relevant rule, Listing Rule 719(3), requires issuers to establish and maintain on an ongoing basis, an effective IA function that is adequately resourced and independent of the activities it audits. Issuers would have the discretion to determine if its IA function can be supported by adequate internal resources or provided by an external service provider or a combination of both.

While IA is recognized as important, it lacks the regulatory guidance as compared with that for external audit. SGX RegCo is thus publishing this Regulator’s Column to provide some guidance on our expectations of the IA function of listed issuers.

The IIA sets out the Three Lines Model (previously known as the Three Lines of Defence) which includes the role of IA function as follows:

  1. a Governing Body which retains accountability to stakeholders, sets strategic directions and maintains oversight from regular reporting to ensure that governance, risk management and internal control processes are effective;
  2. a Management which maintains the appropriate internal structure for governance and process to manage operational and compliance risks, in support of the delivery of company’s objectives; and
  3. an IA function, being the third line role, which is accountable to the Board and provides assurance that the company’s governance structures and risk management procedures continue to be effective and adequate. 

The IIA has also provided authoritative guidance for IA professionals worldwide via the International Professional Practices Framework (“IPPF”).

The 10 Core Principles of the IIA’s IPPF are as follows:

  1. Demonstrate integrity.
  2. Demonstrate competence and due professional care.
  3. Is objective and free from undue influence (independent).
  4. Align with the strategies, objectives, and risks of the organization.
  5. Is appropriately positioned and adequately resourced.
  6. Demonstrate quality and continuous improvement.
  7. Communicate effectively.
  8. Provide risk-based assurance.
  9. Is insightful, proactive, and future-focused.
  10. Promote organizational improvement.

Turning to the Singapore context, Practice Guidance 10 of the CG Code states that the Audit Committee (“AC”) should ensure that the IA function is adequately resourced and staffed with persons with the relevant qualifications and experience. The AC should also ensure that their internal auditors comply with the standards set by nationally or internationally recognized professional bodies. Issuers should strive to disclose more information about their IA function in their annual reports, particularly the standards adopted.

Our Listing Rule 719(3) and Practice Guidance 10 of the CG Code also echo Principles 2, 3 and 5 of the IPPF. Following is an elaboration on these three principles in the light of our rules:

Core Principle 2: Demonstrate competence and due professional care

As with other market professionals, the internal auditors must perform their engagements with due care, proficiency and in accordance with professional standards. Doing so requires internal auditors to have the necessary knowledge, skills, and experience to discharge their responsibilities. They must also seek to continuously improve their competence and the effectiveness and quality of their services.  

Accomplishing this requires structuring the IA activity and creating job descriptions, taking an inventory of the skills needed to achieve the IA plan, and developing a strategy to recruit and/or train internal auditors with specific competencies.

Core Principle 3: Is objective and free from undue influence

The IA function reports directly to the AC. In this positioning, AC must ensure that the IA is free from any undue influence including the influence of the auditees, and any conflict of interests, either of which would impair their ability to discharge their responsibilities objectively. 

In the case of an outsourced IA function, the AC should review the qualifications of the external service provider to ensure that such outsourcing will not compromise the quality of work.

The Head of IA (or equivalent) should continue to maintain open communication with the AC and be able to report any risks or control issues to the AC Chairman. The IA function’s independent reporting to the AC should be direct and have unrestricted access without the presence of CEO or senior management, at least annually.

Core Principle 5: Is appropriately positioned and adequately resourced

The IA must have sufficient authority and standing to discharge its responsibilities as defined in the Internal Audit Charter. It is difficult for the IA function to maintain integrity, independence, and objectivity and to demonstrate the Core Principles without being correctly positioned and authorized within the organization.

If the IA function reports to the CEO, CFO, or other senior manager directly instead of the AC, it may impair the IA function’s ability to independently report unsatisfactory or critical IA observations. The AC should assess whether the IA function’s annual work plan, operating budget and other resources are sufficient for the IA function to achieve its mandate. One way is to periodically benchmark the IA function’s resources against those organizations in comparable industry and size.

SGX RegCo will continue to provide guidance and work closely with IIA Singapore, an affiliate of the the global IIA, and the only professional body dedicated to the advancement and development of the internal audit profession in Singapore. The focus of this collaboration will be on enhancing the state of internal audit for listed companies in Singapore. Issuers should tap on the resources which IIA Singapore has provided in matters relating to IA activities.

Tan Boon Gin
CEO
SGX RegCo

June Sim
Head of Listing Compliance
SGX RegCo

 

Confinity_sky1-min.gif BT_Radianz_120x600_Jul23.jpg