Subscribe to the Bombay Chartered Accountant Journal Subscribe Now!

Category: Article

IFRS convergence — Implications for the internal audit function

Article

As corporate India approaches IFRS convergence commencing
from 1st April 2011 (and extending over the next few years for most companies),
internal audit function arises within most corporate entities need to consider
what this process of convergence means to them and what is it that they should
be doing to participate in the process to safeguard the interests of their
organisations.

In many organisations, the IFRS convergence process is led by
and primarily owned by the finance and reporting function and other support
groups like taxation, information technology and systems and internal audit have
a relatively limited role to play in practice.

However, given that IFRS convergence means a fundamental
change in financial reporting and measurement processes, the implications and
therefore the onus on internal audit is significant. While it is obvious that
internal audit needs to look at the training and skill enhancements relating to
IFRS for the internal audit team itself, there are a number of areas where
internal audit can, and should, look to provide assurance to senior
management/board of directors on whether the process of convergence itself
(within a company) is being handled appropriately.

I have tried to set out below five of the top
areas for internal audit to focus on as this process unfolds.

Organisational readiness :

Internal audit function should assess how the organisation
has planned and is implementing the IFRS convergence process. Critical factors
to consider include :




  •   How have teams been staffed and is the organisational commitment (people,
    infrastructure and technology) to the process of rolling out IFRS adequate
    in the context of the organisation ?



  •   Are there adequate knowledge and skills in the hands of the persons who
    are leading this project i.e., are the project leaders/team members suitable
    for the task ?



  •   Have aspects such as budgeting and planning moved to an IFRS basis ? If
    not, what is the organisational roadmap to address potentially different
    basis for financial reporting and performance management ?




  • In the case of future acquisitions and business combinations, is there an
    ability to manage and measure financial performance on a basis different
    from historical cost accounting (i.e., given that IFRS requires acquisition
    date fair valuation; the basis and results will be     different) ? Also are the relevant reconciliations and related controls in place to ensure that IFRS financial
    data and performance is adequately understood and analysed within the
    organisation ?




Training, skills and awareness :

IFRS convergence brings with it a significant challenge in
terms of technical skills and the need to learn new concepts and unlearn old
practices for most affected parties. Internal audit function should consider how
structured and thought through the training and awareness plan relating to IFRS
convergence is and consider the following key factors :




  •   What is the quality, timeliness and breadth of training available to all
    interested/affected parties ?



  •   Have current recruitment practices recognised the change imposed by IFRS
    and are those skills being actively sought



  •   For existing staff (including senior management) what is the incentive/dis-incentive
    to learn and unlearn as required by IFRS ?



  •   What has been the external communication strategy to create awareness
    around IFRS convergence and how it affects the organisation (with parties
    such as investors, bankers and lenders, credit rating agencies, key
    suppliers and customers, etc.) ?




Information technology change management :

One of the areas that is often neglected by companies working
on IFRS convergence is the impact that IFRS changes could cause to information
technology infrastructure within the organisation. Internal audit functions
should ideally focus on this area from an early stage as a poorly executed IT
change program can have significant and long-lasting repercussions for entities.
Key areas to focus on include consideration of how MIS, taxation and other
statutory/regulatory-related reporting and IT needs are going to be catered for
on a post-IFRS convergence basis; what are the checks and controls (including
reconciliation controls) that are being put in place for this purpose and the
robustness of the IT solution being implemented.

Another fundamental area relating to IT changes would be in
the context of business acquisitions and carve-outs proposed in the Indian
context. For business combinations/acquisitions, etc., given that the IFRS
standards require fair valuation to be performed on the acquisition date, the
post-consolidation cost basis would differ from the standalone cost basis for
various financial statement captions. Accordingly, entities need to have the
systems and IT ability to be able to manage the reporting and measurement
requirements on a parallel basis post acquisition. Additionally, if theentity
desires to report/measure performance on pure IFRS (as issued internationally by
the IASB) in addition to the Indian IFRS like standards (IND AS) because it is
listed overseas or wants to provides such information to its investors, IT
systems need to be able to cope with these requirements too. Internal audit
teams should consider the robustness of all IT solutions that are being applied
in the context of the above challenges.

Keyman risk :

There is a dearth of IFRS conversant and experienced resources in India currently. Accordingly talent management and control over key-man/ personnel risk is an important aspect for organisations to think about as they approach IFRS convergence. If too few people are involved in the IFRS convergence process, it can create/accentuate concentration and keyman risk and exposes organisations to more risk than they budget for.

It is critical therefore this risk is recognised and dealt with appropriately from an early stage. Adequate consideration should be given to the size of team involved in the IFRS convergence process, succession planning and most importantly the level and quality of documentation of the process and decisions associated with IFRS convergence, so that organisational interests are protected and the collateral of knowledge/decisions is retained even if there is an increase in staff turnover levels.


Quality control:

Probably the most tricky and challenging aspect of managing the IFRS convergence process in an organisation is ensuring quality control. This aspect is both difficult to measure and often even if a process is managed poorly, the effects may not be evident till well after the convergence process is considered complete. In today’s age where accounting restatements and errors can cause serious reputational and organisational damage, maintaining quality in the convergence process is critical. Internal audit should focus on what are the checks and balances in place to ensure a certain level of quality is maintained in the convergence process and the post convergence environment. For instance, a few areas that require careful consideration are:

  •    has an adequate benchmarking exercise with peers been conducted of the process followed by the company as part of the convergence process;

  •     are the accounting policies in line with industry peers (locally and internationally);

  •     how robust has been the consideration of choices and what is the quality of those choices in the context of the organisation’s operating philosophy;

  •     is there adequate communication to people in positions of governance (senior management, audit committees and boards of directors) of the choices proposed to be made and has their feedback been adequately factored into the convergence process;

  •    what is the quality of the review process of actual work done and adjustments computed relating to IFRS transition;

  •    are all people in reviewing positions adequately informed, skilled and aware about IFRS to discharge their functions adequately in a post-IFRS environment?

  •     are external auditors adequately involved in the IFRS convergence process and do they have appropriate skills to be able to perform the audits in a post-convergence environment?

Conclusion:

IFRS convergence is certainly a significant challenge for many organisations and internal audit functions would best serve their organisational mandate if they did not only react to the change once it happens, but instead look to provide their inputs and insights into the process by which convergence is being achieved. A number of board of directors and audit committees are interested in understanding these aspects and internal audit can provide an independent and timely view that assists them in steering the organisation through the maze that is IFRS convergence in a effective and efficient manner.

Nuances in Internal Audit of Luxury Hospitality Operations

Article

Dilemma :

It is often said
‘. . . . when hospitality becomes an art, it loses its very soul’. Yet, delivery
of soulful services requires unfettered independence. Controls and curbs in such
a scenario are inhibitions, to say the least. Where subjectivity is the name of
the game, the truth may be puzzling. It may take some work to grapple with. It
may be counter-intuitive. It may contradict deeply held prejudices. It may not
be consonant with what we desperately want to be true. But our preferences do
not determine what’s true. We have a method, and that method helps us to reach
not absolute truth, only asymptotic approaches to the truth — never there, just
closer and closer, always finding vast new oceans of undiscovered possibilities.

Approach :

‘We make our world
significant by the courage of our questions and the depth of our answers’. We
can judge our progress by our willingness to embrace what is true rather than
what feels good. In the business of hospitality, the guest is god — begin by
respecting the dictum. After all, class in the business of hospitality is always
more subtle, more intricate, more elegant than what most auditors would like to
imagine.

Knowledge gathering :

Trade nuances :

You have to know the past to
understand the present. Inquiry and interaction are handy tools. In exchange for
freedom of inquiry, the auditor is obliged to appreciate the subtlety of the
oft-hidden controls. A gentle ‘housekeeping’ turndown service in the evening,
for instance, doubles up as a reality check on the profile and preferences of
guests, even room occupancy discrepancies. Numerous are such nuances of the
trade; universally true, and not difficult at all for an open minded auditor to
pick up, gauge or rely upon. Obsolescence, though, is an important word here.
With the changing times, customs need to be tested and disproved assertions be
proved worthless.

Marketing innovations :

From dynamic demand-based
pricing concepts to global distribution systems, luxury hospitality today
embraces the A to Z of marketing, perceptions that auditors often grapple to
come to terms with, not to speak of the efforts to evaluate these. Experience
shows however, that even modern techniques such as these are often prone to
fallacies, and the cure for such fallacious arguments is better arguments. To
counter fallacies, auditors need imagination and skepticism both; not to be
afraid to speculate, but careful to distinguish speculation from fact.

Technological advancements :

Like most trades, high-end
hospitality products and services imbibe the best of technology in all spheres,
be it environment consciousness, information technology or engineering marvels.
Unfortunately, there is no short cut here — either go through the grind yourself
or seek help of experts.

Statutes :

Name a statute and it is
applicable to hotels — ranging from labour laws, indirect and direct taxes,
licences for almost everything you see in operation, food and hygiene,
pollution, GAAPs — the list is endless . . . . this is possibly an area however,
where not much advocacy would be required for auditors; supposed to be their
core competence. I may however caution here that ‘while it is of interest to
note that some dolphins are reported to have learned English — up to fifty words
used in correct context — no human being has been reported to have learned
dolphinese.’ Over confidence does no good.

Creating checkpoints :

Prevention :

Finding the occasional straw
of truth awash in a great ocean of confusion and bamboozle requires
intelligence, vigilance, dedication, and courage. But if we don’t practise these
tough habits of thought, we cannot hope to solve the truly serious problems that
face us.’ Easier said than done — eh ! Not really. For instance, like banks,
hotels have daily revenue closing systems such as ‘Night Audits’ and ‘Income
Audits’. The real challenge in a typical hospitality set-up is the multiplicity
of transaction points; while you rack your brains to repair one leak, another
one crops up. The best use of the gigantic risk and control matrices most
hospitality giants employ, to my mind, would be when robots eventually replace
human employees in the hospitality industry — human brains are far too suave and
thoughtful to be restricted by a ‘risk and control’ matrix.

Inquisitiveness :

Far from straightjacket
operations, the hospitality industry renders detective controls by far the most
effective tool in the hands of internal auditors. A probing mind together with
IT-empowered tools such as CAATs do wonders to dig out clues from unsuspecting
areas. Contrarian thoughts such as ‘The hen is the egg’s way of making
another egg’ work wonders, says experience. ‘What is called for is an exquisite
balance between two conflicting needs : the most skeptical scrutiny of all
hypotheses that are served up to us and at the same time a great openness to new
ideas. If you are only skeptical, then no new ideas make it through to you. On
the other hand, if you are open to the point of gullibility and have not an
ounce of skeptical sense in you, then you cannot distinguish useful ideas from
the worthless ones . . . .’

Conclusion :

The luxury hospitality
industry is in perpetual ‘floatation’, so to say; thus straightjacket auditing
means are often ineffective. Given the multiplicity and voluminous transaction
points, this industry is particularly susceptible to irregularities/frauds. To
get a grip, one must sway with the wave to be in total control.

levitra

Banks and Internal Audit

Article

Corporate governance, as we all know, has been under a strong
and critical public spotlight in recent years, in the wake of a succession of
blows to market confidence and integrity, particularly in the United States, but
echoed in India and other countries as well. The community’s expectations of
Boards and senior management, and of those charged with providing an independent
review of a company’s operations and financial accounts, have been raised. To
meet those expectations, governments and regulatory authorities around the globe
have mounted a concerted campaign to improve standards of corporate behavior and
transparency through international harmonisation of accounting standards,
strengthening the principles of corporate governance, lifting the bar on the
‘fitness and propriety’ of directors and managers and introducing improved
market disclosure standards.


In this demanding environment, the Boards and senior
management need quality advice from sources that can be trusted and that can
offer an objective viewpoint. Much of the focus of Sarbanes-Oxley in the United
States and Clause 49 in India has been on the external audit function. Equally,
however, there is a need to ensure that internal audit is organised, resourced
and empowered, so that it can provide competent, impartial and fearless advice.

This article offers a perspective on the role of internal
audit. It then sets out the expectations of internal audit held by regulators at
the national level and how internal audit needs to gear up to meet these
expectations.

My comments are offered in a constructive spirit to encourage
debate within the internal audit profession.

The role of internal audit :

What better starting point for my comments than the
definition of internal audit approved by the Board of Directors of the Institute
of Internal Auditors :

“Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.”


I remind you of this definition because I want to draw a
distinction between internal audit and risk management. As we see it, the basic
function of internal audit is independent appraisal of an institution’s internal
controls, including controls over financial reporting. Of course, a by-product
of internal audit will be recommendations on internal control and process
improvements that could be made, an important role for internal audit in large
and complex institutions in particular.

Risk management, on the other hand, is about identifying and
assessing inherent risks in the products and activities of an institution, and
ensuring that appropriate risk management limits, control mechanisms and
mitigation strategies are in place to contain risk within the institution’s risk
appetite and capital support. The distinction is that risk management has the
important and continuous responsibility of understanding how actual risk facing
the institution is changing (day by day or month by month) and assessing if the
risk limits, controls or mitigations need updating.

Of course, the institutions need to ensure cooperation
between internal audit and risk management and a clarification of roles, so that
unintended gaps do not emerge.

The expectations of Regulators :

The pivotal role of internal audit in the corporate
governance of institutions is enshrined in international standards for
regulators, though they are high-level in nature.

In banking as a case in example, the Core Principles for
Effective Banking Supervision, developed under the auspices of the Basel
Committee on Banking Supervision, specifies the principle that banks should have
in place internal controls that are adequate for the nature and scale of the
business. These should include, inter alia, appropriate independent
internal or external audit and compliance functions to test adherence to these
controls as well as applicable laws and regulations.

In assessing adherence to this principle, the Basel
Committee’s ‘essential criteria’ for the internal audit function are that it :



  • has unfettered access to all the bank’s business lines and support
    departments;



  • has appropriate independence, including reporting lines to the Board of
    Directors and status within the bank to ensure that senior management reacts
    to and acts upon its recommendations;



  • has sufficient resources and staff that are suitably trained and have relevant
    experience, to understand and evaluate the business it is auditing; and



  • employ a methodology that identifies the key risks run by the bank and
    allocates its resources accordingly.



The Basel Committee also issued a paper, Internal audit in banks and the supervisor’s relationship with auditors, in August 2001 to provide more detailed guidance to bank supervisors. The paper has wider applicability and I recommend it to those who are not familiar with it. It sets out 20 separate principles for the internal audit function, dealing with such issues as continuity, professional competence, the audit charter and relationships with the external auditor.

My Assessment on Independence  of the Internal Audit Function:

Our starting ‘point is determining whether the internal audit function is in-house or outsourced, and whether this arrangement is appropriate. The following crucial benchmarks need to be in place for internal audit teams.

(i)    Independence:

The Board of the institution should ensure that the independence of the internal audit function is maintained. This independence may be compromised if the function is directly involved in risk management or operational processes. The internal audit function may provide valuable input to those responsible for risk management, but should not itself have direct risk management responsibilities. In practice, some institutions (particularly small ones) may give internal audit initial responsibility for developing a risk management programme. Where this is the case, institutions should see that responsibility for day-to-day risk management is transferred elsewhere in a timely manner. Where the internal audit function is outsourced there should not be any conflicts of interest – for example, internal audit should not be a source of referral business for the institution.

Some  food for thought!

I would like to offer you my thoughts on some key issues:

(i)    Establishing  the authority  of internal  audit:

It must be recognised as a core part of governance and not as some form of necessary burden or add-on. Asserting the importance of authority is one thing, earning that authority is another. In the end, it is the professionalism and quality of internal audit work that will show Boards, senior management and regulators that the function does add value. Clearly, the message that internal audit wants to send will not carry weight if it cannot demonstrate that the message is founded on both technical and commercial competence – a balancing of technique and ‘real world’ skills and experience.

(ii)    Transparency  and  independence:

The provision of independence assurance to the audit committee (or Board) is the central tenet of internal audit. The internal audit function should report directly to the audit committee of the Board, and not to management with operational responsibilities. A direct reporting line to the Board has now become international best practice.

In my view, having internal audit answer to management creates real concerns about the independence of the review function. Internal audit must be able to directly inform the audit committee (or the Board) about the adequacy or otherwise of internal controls, including those involving high-level management. Internal audit must know that the board is its master.

(iii)Audit Committees:
The effectiveness of internal audit comes down, ultimately, to the use that the audit committee and Board decide to make of it. These days, diligent and probing Board directors want a strong and active internal audit function to assist them. They rely on internal audit’s knowledge of the risks facing the institution and the control weaknesses, and its recommendations for improvement, to help them discharge their responsibilities.

(iv) Conflict situation:
Regulators can cite too many examples where weak corporate governance has undermined the financial soundness of an institution, whether through unfocussed global expansion, pursuit of growth for growth’s sake, a dominant chief executive officer or a ‘good news’ syndrome. Internal audit should be alert to such signs of weakness and raise them with the audit committee (or Board) as governance, controls or review concerns.

Concluding remarks:
The ever-increasing pressure on institutions to manage their affairs and risks prudently poses considerable challenges for corporate governance structures and for internal audit, a key line of defence in these structures. Every challenge, however, is an opportunity. For internal auditors as a profession, the current environment is an opportunity to cement your presence in corporate India where India is Rising and Shining.

The challenges and opportunities for internal audit in this risk-focussed environment can perhaps be simply summarised as ‘looking at the right things, not just doing things right’.