KPMG hosts 17th Audit Committee Forum

Suren Rajakarier, Partner and Head of Audit at KPMG

With the amendments to the Corporate Governance Code in Sri Lanka, focused, yet flexible agendas – exercising judgement about what does and, does not belong on the audit committee’s agenda, and when to take deep dives – will be more critical. This was the focus of the 17th Audit Committee Forum hosted by KPMG recently. There was much interest by the participants, all respected members of audit committees, of various public companies in the country. 

Code of Best Practice on Corporate Governance

The revised code which was launched by CA Sri Lanka in December 2017 addresses the importance of Board Governance and the responsibilities of the Board in a changing environment. In addition brings in new focus areas for the audit committees and these were presented by Suren Rajakarier, Partner and Head of Audit at KPMG as “Key Changes to the revised code of Best Practice on Corporate Governance”.

Financial reporting, compliance, risk and internal control environment will continue to be put to the test in 2018 – by slow growth, economic uncertainty, technology advances and business model disruption, cyber risk, greater regulatory scrutiny and investor demands for transparency, as well as dramatic policy changes. However, audit committees have to stay focused on the primary job of ensuring financial reporting integrity.

Globally most audit committee members feel it is increasingly difficult to oversee the major risks on the audit committee’s agenda in addition to the committee’s core responsibilities. The revised code recommends that the Board meet regularly, while providing information to the board on a structured and regular basis; ideally monthly, on information including financial and operational performance, forecasts and issues of noncompliance. The expectation is that there would be better transparency with the increased reporting frequency and increased disclosure to the Board.

A key change is the minimum number of non-executive directors which has been increased to three (from two in the past) with the requirement of a Senior Independent Director to be appointed when the chairman is not an independent director or is the immediately preceding CEO. Further, directors who resign (other than at expiry of their terms) are expected to advise the Board the reasons for such resignation which eliminates the prior absolution of malpractice simply on the basis of resignation. Further, it is essential to closely monitor the tone at the top and culture throughout the organisation, and be particularly sensitive to early warning signs. A process of evaluation is recommended to be in place prior the re-election of a Director which would take into consideration their active input during the tenor which would be recorded under the new guidelines.

A renewed focus by the Code on Integrated Reporting requires the Company’s annual report to contain sufficient information to enable investors and other stakeholders to assess how ESG risks and opportunities are recognised, managed, measured and reported. Another new area articulated by Rajakarier was the requirement in the Code for the Board to have a process to identify how in the organisation’s business model, IT devices within and outside the organisation can connect to the organisation’s network and the board meeting agenda allocate adequate time for discussions about cyber security.

Focus internal audit on the company’s key risks, beyond financial reporting and compliance

The second half of the presentation focused on the importance of internal audit and how internal auditors can help audit committees to improve internal controls. As recent headlines demonstrate, failure to manage key risks – tone at the top, culture, legal/regulatory compliance, incentive structures, cyber security, data privacy, global supply chain and outsourcing risks, and environmental, social and governance risks, etc. – can potentially damage corporate reputations and impact financial performance.

It was noted that there is a significant disparity between the causes of significant losses in enterprise market value and the proportion of time spent by internal auditors in evaluating these risks, said the presenter Prasenna Balachandran, President of the Institute of Internal Auditors (IIA) Sri Lanka. He cited for example, strategic risks account for 86% of losses while auditors spend only 6% of their time on review.

He went on to clarify that to ensure the effectiveness of the internal audit, it should be conducted in line with the Standards and Guidance published by the IIA which consist of 19 Attribute standards and 33 Performance standards. The value of internal audit is enhanced in certain organisations where the internal audit function also reviews strategic and operational decision-making processes (e.g.: decision making process prior to an acquisition), said Balachandran.

The presentations were followed by an active discussion moderated by Suren Rajakarier which primarily focused on sharpening audit committee members’ focus, in practice and helping audit committees to function more effectively to improve integrity of financial reporting.