A step towards strengthening governance

Transcription

1 A step towards strengthening governance Resolution No.1, 2017 of the Chairman of ADAA March 2018 kpmg.com/ae kpmg.com/om

2

3 What is the Resolution about? Setting the context GCC regulations are constantly evaluated and re-assessed to reflect latest trends and leading global practices. The introduction of Resolution number 1 by the Abu Dhabi Accountability Authority (ADAA) is one such endeavor which aims to strengthen the governance structure within the entities. Requirements of Resolution number 1 of ADAA Areas covered by Resolution number 1 of ADAA and what it means to subject entities¹ Article 2 Article 3 Article 4 Article 5 Any statutory auditor who intends to provide audit services should comply with the International Standards on Auditing, the Code of Ethics for Professional Accountants and the International Standard on Quality Control. The contract between the entity and the statutory auditor in respect of the financial statements audit services should include: a. Testing the effectiveness of internal control over the financial reporting, which includes policies and procedures relating to significant processes b. Verifying the entity s compliance with law number (1) of 2017 concerning the financial system of the Government of Abu Dhabi and instructions provided by the Department of Finance pertaining to the preparation and implementation of the annual budget and supporting resolutions and circulars. c. Verifying the entity s compliance with the requirements of its law of establishment d. Verifying the entity s compliance with the requirements of laws, resolutions and circulars organizing its operations, to the extent having a financial impact. The statutory auditor will issue a separate report including his or her opinion on the effectiveness of the internal control systems after having obtained reasonable assurance that: a. The entity maintains to prevent and also timely detect unauthorized acquisition, use, or disposition of the entity s assets that could have a material effect on its financial statements b. Transactions included in the accounting records have been made in accordance with the entity s approved policies and procedures c. Compliance with the entity s delegation of authority, and resolution of HH the Chairman of the Executive Council for financial and administrative authority limits d. Recording of transactions to permit preparation of financials is in accordance with applied accounting principles e. Maintenance of adequate records to accurately and fairly reflect transactions and disposition of assets In addition to the statutory auditor s opinion on the financial statements, the audit report will reflect the auditor s opinion on the entity s compliance covering: a. Law number (1) of 2017 concerning the financial system of the Government of Abu Dhabi and the instructions provided by the Department of Finance pertaining to the preparation and implementation of the annual budget and supporting resolutions and circulars. b. The entity s law of establishment and related circulars and resolutions. c. The laws, circulars and resolutions organizing the entity s operations, if these have a financial impact on its financial statements. 1.Entity subject to the Authority s mandate in accordance with law number (14) of 2008 pertaining to the establishment of Abu Dhabi Accountability Authority. A step towards strengthening governance 3

4 Decoding Resolution number 1 of ADAA Applicability and timelines Applicability The Resolution applies to all Subject Entities and their subsidiaries, wherever located, that are material, in providing the assurance opinion for the entity or group reporting in Abu Dhabi. From what date is the Resolution effective? The Resolution is effective for audits of subject entities contracted after the date published in the Official Gazette (15 August 2017). Relevance of resolution for year-ending 2018 If subject entities contracted their audit engagements for 2017 before 15 August 2017, then the Resolution will apply for the first time in Focus areas and considerations Resolution number 1 of ADAA 1. Are employees aware of their roles and responsibilities with respect to processes and? 2. Are within the processes documented and their criticality assessed in terms of materiality? 3. Is adequate and accurate information available for reporting and decision making? 4. Are key preventive or detective in nature? 5. Are design effectiveness and operational efficiency of key tested and control failures identified and remediated? 6. Do the actions and behavior of functional teams reflect the culture of adherence to defined policies, procedures and guidelines? Internal over financial reporting Key focus areas of Regulation 1 of ADAA Monitoring compliance with laws, regulations and circulars 1. Is the DoA specifying authority limits for the transactions defined? Adherence to DoA, policies and procedures 2. Are authority limits relevant and current for the entity s business and scale? 3. Are policies clearly defined, communicated and enforced? 4. Have the procedures for key functions been clearly defined? 1. Are laws, regulations and circulars applicable to the entity identified? 2. Have compliance obligations been identified and responsibilities for ensuring compliance communicated? 3. Have criticality of compliance requirements been assessed and corresponding compliances reported? 4. Does the C-Level Executives Group have visibility on compliance levels and root cause in cases of non compliance? 5. Have updates to laws and regulations been notified to the concerned personnel on a timely basis?

5 Internal control framework The Resolution does not specify a specific framework which has to be followed. In this case, a leading internal control framework such as COSO 2013 (COSO) can be adopted to address the ADAA s requirements relating to Internal Control Framework. Objectives Introduction to COSO and its components As per COSO, internal control is a process, effected by an entity s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations. Components Operations Reporting Control environment Risk assessment Control activities Information and communication Monitoring activities Compliance Entity-level Divison Operational unit Function Structure KPMG s internal control framework based on COSO Compliance framework Entity level elements Management oversight including IT Integrity and ethical values Process level elements Process level elements Asset Controls Assignment of authority and responsibility Financial reporting IT Process level elements Operational financial Fraud risk Organization structure, policies and procedures Enterprise risk management Entity level elements Information Technology Fraud Oversight over financial reporting and disclosures Board and audit committee oversight over internal financial Compliance Compliance framework A step towards strengthening governance 5

6 Fraud and IT Below are some of the key elements of a typical anti-fraud framework that we take into account when assessing framework. Unified Fraud Risk Governance Model Mitigate organization s risk impacts Build Strategic Direction against Fraud Consider: Design & Strategy, Role of Compliance Officer, Role & Responsibilities of Compliance Committee, Anti Fraud Culture, Information & Record Management, Technology Governance Mitigate potential fraud risk events Consider: Code of Conduct, Anti Fraud & Misconduct Policies & Procedures, Management of Conflicts of Interest, Employee & Business Partner Due Diligence, Fraud Awareness Training, Fraud Prevention Risk Assessments Coordinated approach to deal with identified fraud risk events Consider: Investigation & Fraud Response Protocols, Responsibility and Accountability for Investigations, Criteria for use of external investigation resources, Whistleblower investigation, Remedial Actions and Disclosure Protocols Response Detection Expose concealed Fraud Risk Awareness Consider: Whistleblowing Procedures, Ethics line, Monitoring of Fraud Risk Management Framework, Use of Forensic Data Analytics Ensure timely actions against potential fraud Recognize unmitigated risk impacts Our approach for the performing fraud risk assessment will follow a five (5) stage approach outlined below: Establishing the context and evaluation of fraud risk factors Identification of fraud risks/ schemes Analysis of fraud risks/schemes/ scenarios and identification of mitigating Evaluation and prioritization of residual fraud risks Creation of fraud risk profiles. Development of action plans and reporting (and handover)

7 IT General Controls (ITGC) Internal Controls over Financial Reporting (ICOFR) Controls related to organizational oversight framework Controls embedded within business processes to mitigate various business risks Entity-level Business process Manual Application-based IT General Controls (ITGC) Access to Program and Data (APD) Controls for provisioning and deprovisioning necessary access in financially critical applications Program Change (PC) Controls to obtain assurance on authenticity and integrity of changes incorporated into financially critical applications Program Development (PD) Controls over adequate testing of new applications or modules in existing applications to ensure that risks are systematically identified and addressed Application-based can be relied upon only if there is reasonable assurance that the environment hosting these applications is secure IT environment assurance Computer Operations (CO) Controls over problem management, information security and data and system availability A step towards strengthening governance 7

8 Compliance framework Compliances are spread across several categories of laws and regulations Administrative Consumer Corporate Secretarial standards Direct taxation Environmental Indirect taxation Building & construction Intellectual property Information technology Product regulations Labour Police and muncipality Registration/ license Categories of compliances Deduction of taxes Payment of taxes Filing of returns Maintenance of registers Display of notices/signs Prohibition Others Our approach for implementation of Compliance Framework Through KPMG s proprietary tool Vision 360 and KPMG s Center of Excellence, we assist clients in developing a robust automated compliance framework to meet compliance requirements. Step 01 Build knowledge base Conduct business understanding and identify multi-locations Benchmark entity s checklist with KPMG s compliance governance framework Obtain existing compliance checklist details for each multilocation Step 02 Develop compliance program Identify applicable laws and regulations, and compliance with these laws Develop a compliance checklist of the laws which are not mapped to the current Compliance tool Leverage on central, state & local level repositories of acts Step 03 Preparation of checklists Prepare checklist of the additional laws applicable to the entity Map user-wise responsibility and customize MIS/ dashboard for management reporting Step 04 Updates Providing updates of the checklist mapped to the current compliance tool Handhold for a limited period of time

9 How KPMG can help Road map to implement an internal framework Current state understanding Finalize scope and develop project plan Engage with process/control owners and key stakeholders including external auditors Review existing procedures and policies, Risk Control Matrices (RCM) and conduct walkthroughs to determine the level of existing internal financial control compliance Identify key and agree with external auditors to drive more efficiency Documentation of the entity level Evaluate entity level against the COSO 2013 Conduct walkthroughs to confirm control design Document the entity level and evidence linked to financial statement accounts and relevant assertions Independent design review and validation of entity level Report design effectiveness gaps Documentation of process flows & risk matrix Document process flows to demonstrate the existing control environment in line with the requirements of the ADAA guidelines Identify broad categories and sources of risks for each business process, including fraud and IT risks Develop RCMs to ensure coverage of all financial reporting assertions Gap reporting and remediation planning Evaluate the root cause for identified deficiencies Recommend mitigation plan for remediation, in line with the requirements Discuss exceptions identified with the management and external auditors Agree on a remediation plan Management reporting Continuously monitor and update the risk control matrix Improve the effectiveness of internal control Keep a tab on continuous improvements needed in framework, processes, leading practices and changes in laws and regulations. A step towards strengthening governance 9

10 Proposed timeline Activities Apr May June July Aug Sep Oct Nov Dec Jan Feb Mar Planning and scoping Document and test entity level (ELC) Document process level and RCMs Test of design (TOD) evaluation Remediation of design gaps Re-TOD for failed Test of operating TOE effectiveness Remediation of effectiveness gaps Re-ToE for failed Management reporting External auditor testing

11 A step towards strengthening governance 11

12 Contact us Raajeev Batra Partner I Head of Risk Consulting E: raajeevbatra@kpmg.com Sudhir Arvind Partner I Internal Audit, Risk and Compliance Services E: sarvind@kpmg.com Siddharth Behal Partner I ADAA Compliance Lead, Internal Audit Risk and Compliance services E: siddharthbehal@kpmg.com Richard Ackland Partner I Subject Matter Expert - SOX Compliance and External Audit E: richardackland@kpmg.com Walter Palk Partner I Subject Matter Expert - SOX compliance & IT Advisory E: walterpalk@kpmg.com Nick Cameron Partner I Forensics E: nicholascameron@kpmg.com Maryam Mohammadzaman Director I SOX Compliance, Internal Audit and Risk Compliance Services E: mzaman@kpmg.com Raman Bharadwaj Director I IT Advisory E: rbhardwaj@kpmg.com Follow us on: The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. Designed by Creative UAE Publication name: A step towards strengthening governance Publication number: J1560 Publication date: March 2018