© 2019 KPMG Lower Gulf Limited and KPMG LLP, operating in the UAE and member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Document Classification: KPMG Confidential
Insights on ADAA Resolution No. 1 of 2017 and role of Internal Audit
IIA Conference
April 2019
Today’s agenda
1. Internal Controls related enactments across the globe
2. About ADAA Resolution No. 1 of 2017
3. About COSO Internal Control Framework
4. Insights from Year 1 (2018) of implementing COSO across Abu Dhabi entities
5. Role of Internal audit in COSO on an ongoing basis
6. Questions on your mind
Your Presenter
Siddharth Behal, Partner | Risk Consulting, KPMG in the Lower Gulf
— Siddharth is a Partner in the Internal Audit, Risk & Compliance Services Practice and also heads the KPMG Lower Gulf Managed Services practice.
— Siddharth has over 20 years of experience in consulting and risk management. He is a rank-holding Chartered Accountant from the Institute of Chartered Accountants of India and a Certified Public Accountant (USA). Siddharth has been leading the ADAA Resolution No. 1 initiative for KPMG in Abu Dhabi and has worked with 10+ entities in Abu Dhabi, assisting them to implement the COSO Internal Control framework in 2018.
— He has worked with 30+ companies globally on implementing internal control frameworks to comply with Sarbanes-Oxley requirements, the requirements of the Indian Companies Act 2013, etc.
1. Similar enactments across the globe
Similar enactments across the globe
- 1999-2000: Enron
- 2002: Sarbanes Oxley
- 2002: Public Company Accounting Oversight Board (PCAOB)
- 2013: Companies Act amendment in India
- 2014: EU Audit Reforms
- 2016: Decree No.7 R.M of 2016, Standards of Institutional Discipline and Governance of Public Shareholding Companies
- 2017: ADAA Resolution No.1
2. About ADAA Resolution No. 1 of 2017
About the ADAA resolution No.1
Article 3: Entity and the Statutory Auditor contract to include:
1. Testing the effectiveness of internal control and compliance with laws
2. Compliance with law number (1) of 2017
3. Compliance with laws, circulars and resolutions
4. Compliance with laws, resolutions and circulars organizing its operations, having financial impact
Article 4: Separate report by Statutory Auditor on the effectiveness of the internal control systems to:
1. Prevent and timely detect unauthorized acquisition, use, or disposition of assets
2. Ensure transactions are in accordance with approved P&P
3. Ensure transactions are in accordance with the approved DOA
4. Ensure transactions are recorded in accordance with applied accounting principles
5. Maintain records that accurately and fairly reflect the transactions and dispositions of the assets of the Entity
Article 5: Statutory Auditor opinion to include Entity’s compliance with the legal and regulatory requirements:
1. Law number (1) of 2017 pertaining to annual budget and supporting resolutions/circulars
2. Entity’s law of establishment and circulars/resolutions
3. Laws, circulars and resolutions organizing the Entity’s operations, if they have financial impact
About the ADAA resolution No.1
Applicability: Applies to all Subject Entities, and their subsidiaries, wherever located, that are material, in providing the assurance opinion for the entity or group reporting in Abu Dhabi.
Effective Date: Effective for audits of Subject Entities contracted after the date published in the Official Gazette (15 August 2017).
Relevance for year-ending 2018: If Subject Entities contracted their audit engagements for 2017 before 15 August 2017, then the Resolution will apply for the first time in 2018.
SOX vs ADAA Resolution No. 1

Requirements for Internal Control
  SOX: Sarbanes Oxley, Section 404. Establishes requirements for internal control.
  ADAA: Resolution No. 1, Articles 3 & 4. Establishes requirements for internal control.

Auditing Standards for Internal Control
  SOX: PCAOB (Public Company Accounting Oversight Board); guidance: Auditing Standard 5.
  ADAA: IAASB (International Auditing and Assurance Standards Board); International Standards of Auditing.

Internal Control Framework for Financials
  SOX: COSO (Committee of Sponsoring Organizations): Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring.
  ADAA: COSO (not mandated but allowed): Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring.

Implementation (6 Step Approach)
  SOX: SOX Section 404 implementation: 1. Plan & Scope; 2. Documentation; 3. Testing controls; 4. Identify & remediate control deficiencies; 5. Report on Internal Control; 6. Independent Audit of Internal Control.
  ADAA: Resolution No. 1 of 2017 implementation, KPMG view (as no framework is defined, COSO is allowed): 1. Plan & Scope; 2. Documentation; 3. Testing controls; 4. Identify & remediate control deficiencies; 5. Report on Internal Control; 6. Independent Audit of Internal Control.
3. About COSO Internal Control Framework
COSO Internal Control Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) Framework has been the most widely accepted internal control framework and hence may be adopted to address ADAA’s requirements relating to an Internal Control Framework.
Objectives and Components
Components (Entity Level & process level controls) and their principles:
1. Control environment
   1. Demonstrates commitment to integrity and ethical values.
   2. Exercises oversight responsibility.
   3. Establishes structure, authority and responsibility.
   4. Demonstrates commitment to competence.
   5. Enforces accountability.
2. Risk assessment
   6. Specifies suitable objectives.
   7. Identifies and analyzes risk.
   8. Assesses fraud risk.
   9. Identifies and analyzes significant change.
3. Control activities
   10. Selects and develops control activities.
   11. Selects and develops general controls over technology.
   12. Deploys through policies and procedures.
4. Information and communication
   13. Uses relevant information.
   14. Communicates internally.
   15. Communicates externally.
5. Monitoring activities
   16. Conducts ongoing and/or separate evaluations.
   17. Evaluates and communicates deficiencies.
Knowing the Cube
The three facets of the Cube can be illustrated as follows:
1st Dimension: The three categories of objectives are represented by the columns.
2nd Dimension: The five components of the Internal Controls are represented by the rows.
3rd Dimension: The organizational structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions/processes to which internal control applies.
Key elements of COSO
5: The Framework consists of five components of internal control.
17: There are seventeen principles representing the fundamental concepts associated with the components.
81: Supporting the seventeen principles are eighty-one attributes, representing characteristics associated with the principles.
Testing of Internal Control Framework
Controls related to the COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities) can be found at the entity level and transaction level:
- Entity-Level Controls (ELCs): controls that do not specifically relate to an assertion (indirect)
- Process-Level Controls (PLCs): controls that specifically relate to an assertion (direct)
- GITCs (general IT controls)
Key sub-elements – Entity level Controls
Integrity and Ethical Values
- Code of Conduct
- Whistle Blower Mechanism
Assignment of Authority and Responsibility
- Delegation of Authority
- Policies and Procedures
- Segregation of Duties
Organization Structure
- Organisational Structure
- Third party relationships: Legal, Investor relations, External Auditors
Management’s Philosophy
- Enterprise Risk Management
- Budgeting and MIS
Financial Reporting and Disclosures
- Accounting policy compliance
- Accounting estimates
- Disclosure controls
Oversight and Monitoring
- Internal Audit
- Control Self Assessment
- Continuous control monitoring and assurance
- Financial review and oversight
IT Entity Controls
- IT System and Infrastructure
- IT Risk Management
- Disaster Recovery Planning
Board and Audit Committee Operations
- Composition, Roles and responsibilities, Agenda
- Independent Directors
- Communication including information provided to the Board/AC
- Board/AC oversight and monitoring
- Effectiveness Evaluation
Key sub-elements – Process Controls
Process Level Controls (ICOFR, operational controls including safeguarding of assets, and IT controls)
Processes:
- Operational: Revenue, Procurement, Travel & Admin Expenses, Direct & Indirect Taxes
- Support: Finance & Accounts, Human Resource, Information Technology
Controls:
- Process driven manual controls like requisition preparation, PO creation
- Automated IT controls like restricted user rights, invoice validation, etc.
Categorization: Financial Reporting; Operational; Preventive / Detective; Frequency
Fraud Risk Control: Controls mitigating inherent key fraud risks within business processes
Rating: Risk classification as material / significant / control deficiencies on the basis of discussed and agreed criteria
Key sub-elements – Information Technology Controls
Internal Controls over Financial Reporting (ICOFR):
- Entity Level Controls: controls related to the organizational oversight framework
- Business Process Controls: controls embedded within business processes to mitigate various business risks, either Manual Controls or Application Based Controls
IT Environment Assurance: Application based controls can be relied upon only if there is reasonable assurance that the environment hosting these applications is secure. IT General Controls (ITGC) cover:
- Access to Program and Data (APD): controls for provisioning and de-provisioning necessary access in financially critical applications
- Program Change (PC): controls to obtain assurance on the authenticity and integrity of changes being incorporated into financially critical applications
- Program Development (PD): controls over adequate testing of new applications or new modules in existing applications to ensure that risks are identified and addressed
- Computer Operations (CO): controls over problem management, information security and data & system availability
4. Insights from Year 1 (2018) of implementing COSO across Abu Dhabi entities
Key teething issues in Year 1 of ADAA Resolution No. 1
Teething issues in Year 1 of implementation of ADAA Resolution No. 1:
- Delay in initiation of implementation of the resolution
- Remediation for gaps identified in 2018 not initiated by most entities
- Lack of internal clarity on who should lead the internal controls project
Key entity level issues noted across entities in Abu Dhabi
- Non-implementation of a fraud risk management framework
- Non-implementation of a compliance framework
- Need for strengthening the corporate governance framework
- Need for strengthening the IT disaster recovery and business continuity framework
- Need for strengthening the Enterprise Risk Management framework
- Overdue Internal Audit issues
- Redundant policies, procedures and delegation of authority
- Need for strengthening the board evaluation process
- Inadequate controls over employee background checks and COI declarations
COI: Conflict of interest
Control status snapshot – Percentage failures
Below is the control status snapshot detailing the percentage of control failures across the entities analyzed.
Approximately 15% of the financial controls have failed due to inadequate or no controls at design level (~15% failure).
[Bar chart: % Failure per entity, Entity A to Entity G; values shown: 39%, 17%, 9%, 22%, 34%, 31%, 4%]
Top areas with improvement or significant improvement needed:
- Adherence to defined policies and procedures
- Controls over segregation of duties
- Monitoring controls for mitigation of key process risks
- Controls over documentation of review and approvals
Percentage Failures at Entity and Process Level
Below is the entity and process level control status detailing the percentage of control failures noted (% failed / % passed):
- Entity Level Controls: 15% failed / 85% passed
- IT General Controls: 33% failed / 67% passed
- Order to Cash: 7% failed / 93% passed
- Financial Book Closure: 17% failed / 83% passed
- Procurement and Inventory: 12% failed / 88% passed
- Treasury: 14% failed / 86% passed
- Taxation: 8% failed / 92% passed
- Payroll: 19% failed / 81% passed
- Budgeting: 13% failed / 87% passed
- Fixed Assets: 8% failed / 92% passed
Overall average failure: 15%
Control status snapshot – Manual Controls
Below is the control status snapshot detailing the percentage of manual controls across the entities analyzed.
Approximately 76% of the controls noted are manual despite ERPs like SAP and Oracle (~76% manual).
[Bar chart: % Manual Controls per entity, Entity A to Entity G; values shown: 64%, 82%, 53%, 69%, 85%, 49%, 83%]
Top areas with improvement or significant improvement needed:
- Controls over asset tagging and verification
- Controls over access rights within systems
- Controls over the payroll process
Manual Controls at Entity and Process Level
Below is the entity and process level control status detailing the percentage of manual controls noted (% manual / % automated / % semi-automated; where the chart labels only two slices, the second figure covers the remaining automated or semi-automated controls):
- Entity Level Controls: 92% manual / 7%
- IT General Controls: 59% manual / 20% automated / 21% semi-automated
- Order to Cash: 75% manual / 23%
- Financial Book Closure: 78% manual / 15% automated / 7% semi-automated
- Procurement and Inventory: 65% manual / 24% automated / 11% semi-automated
- Treasury: 92% manual / 7%
- Taxation: 79% manual / 13% automated / 8% semi-automated
- Payroll: 74% manual / 17% automated / 8% semi-automated
- Budgeting: 68% manual / 13% automated / 19% semi-automated
- Fixed Assets: 76% manual / 17% automated / 7% semi-automated
Overall average manual controls: 76%
Assessment of Internal Audit Function
- Presence of an independent non-executive member in the Audit Committee needs to be ensured
- Requirement for review and updating of the Internal Audit Charter on a periodic basis
- Follow-up process for remediation of Internal Audit observations should be improved
- Overdue Internal Audit observations and delays in their resolution
- Need to strengthen the independence of the internal audit function / team
5. Role of Internal audit in COSO on an ongoing basis
Three Lines of Defense
Activities across the lines: risk & control identification; risk & control assessment; quantification & measurement; monitoring, testing & verification; reporting.
Stakeholders: Senior Management; Board/Audit Committee.
1st Line (BU’s): Implement Internal Control Framework
— Perform risk and control self assessment
— Remediate the gaps identified in self assessment and through the internal control review / audit review
— Develop Policies and Procedures
— Develop Delegation of Authority
— Identify risks and controls
— Develop KRIs and KPIs
2nd Line (Divisions / Internal Controls):
- Test controls periodically throughout the year
- Disseminate test results to respective risk and control groups
- Assess the changes to processes and IT controls post last review and update the flowcharts / process narratives
- Work with external auditors to demonstrate the effectiveness of internal controls
- Perform assessment of processes and controls not covered in IA scope
- Internal Control team to provide inputs to the internal audit team to come up with the internal audit plan for the year
3rd Line (Internal Audit): Provide assurance
- Independent testing
- Develop Internal audit plan
- Report on Internal Control Framework deficiencies / non compliance
ICOFR – Lead Responsibilities and Recommended Role of IA
Activity; Lead Responsibility; Recommended role of Internal Audit
01 Planning
- Project Planning; Lead: Project Sponsor (Head of Financial Reporting); IA: Provide advice and recommendations
- Scoping exercise to identify the in-scope areas; Lead: Project Team; IA: Participate in project team planning
02 Execution
- Documentation of the as-is process; Lead: Head of Units/Divisions and/or Project Team; IA: Advise management regarding processes to be used
- Evaluation & Testing; Lead: Head of Units/Divisions and/or Project Team; IA: Independent assessor of management’s documentation and testing, or perform effectiveness testing (for highest reliance by external auditors)
- Identification of Findings; Lead: Head of Units/Divisions; IA: Identify control gaps
- Remediation Plan; Lead: Senior Management; IA: Facilitate management discussions
03 Reporting
- Management Reporting; Lead: Senior Management and Head of Units/Divisions; IA: Facilitate determinations (to report) and provide advice
- External Audit Reporting; Lead: External Auditor; IA: Act as a coordinator between management and the external auditor
04 Monitoring
- Ongoing monitoring; Lead: Senior Management; IA: Perform follow-up reviews
- Periodic assessment; Lead: Head of Units/Divisions and/or Line Managers; IA: Perform periodic audits
6. Questions on your mind
QUESTIONS?
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2019 KPMG Lower Gulf Limited and KPMG LLP, operating in the UAE and member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the United Arab Emirates.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Thank you