Tuesday, 19 September 2017 00:51
Is everything under control? The key question is what audit committee members around the world identify as their top challenges and concerns. KPMG’s 2017 Global Pulse Survey highlights that, although audit committees by and large continue to express confidence in financial reporting and audit quality, legal and regulatory compliance, managing cyber security risks and managing the control environment across the company’s extended organisation remain ongoing concerns.
In an effort to sharpen the focus, benchmark responsibilities and practices and strengthen oversight, KPMG recently hosted the 13th Audit Committee Forum, bringing together audit committee members. Setting the platform for discussion, key presentations were delivered on ‘NOCLAR (Non-compliance with laws and regulations)’ by Suren Rajakarier, Head of Audit, KPMG in Sri Lanka; ‘The need for IT Governance’ by Suran Wijesinghe, Audit Committee, Nations Trust Bank PLC; and the ‘Essentials of Cyber-Security’ by Rohan Muttiah, Chief Operating Officer, Cargills Bank, followed by an interactive panel discussion moderated by Suren Rajakarier.
Suren presented the new standard, NOCLAR, which requires reporting acts of commission or omission contrary to laws and regulations that have direct effects on material amounts and disclosures in the financial statements, or that are fundamental to the business and its continuation or to its avoidance of material penalties in the public interest. He went on to elaborate on how the standard operates and should be handled, through the following points:

- Professional accountants should disclose matters of NOCLAR to senior accountants, management and subsequently the Board of Directors. If no action is taken, the matter should be directed to the relevant external authorities. The standard allows accountants to set aside the duty of confidentiality in order to preserve the public interest.
- Organisations should implement a policy detailing how an issue of NOCLAR should be handled, to ensure that all employees are aware of the specific action required. A whistle-blowing policy would be a good starting point.
- The co-operation of other professions together with governments, legislators and regulators is essential to ensure effective implementation of the standard in Sri Lanka, because the country’s legal framework does not provide protection for accountants in the event of a breach of confidentiality.
- Proposed amendments to the SEC Act require that, on becoming aware of an irregularity, the auditors of listed companies communicate the same to the Board with a copy to the SEC.
Many members of the Forum agreed that, without enabling legislation to safeguard or protect individuals who comply with NOCLAR, the standard will not achieve its stated objectives.
Suran, in his presentation, highlighted the key importance of IT Governance. “It is important to continuously review the organisation’s IT-related capabilities including skills, resources and IT infrastructure, and identify the gap between the current and the desired status,” he added.
He then went on to state that when evaluating a proposed IT project, the Board should identify the expected benefits and put in place mechanisms to measure those benefits through clearly defined KPIs. The key factors for success are having an IT-savvy member on the board of an organisation and implementing clear IT governance structures, which should ideally comprise a Board IT Oversight Committee and an Executive IT Steering Committee.
Rohan, on the “Essentials of Cyber Security”, stated that emerging tools such as analytics, biometrics, chatbots and P2P lending can pose new cyber threats, among other things by collecting information on user behaviour and identifying ways of breaching security. This is because the strength of a company’s cyber security infrastructure relies on its administrators and on the company’s policies and procedures. It is important to keep the recovery infrastructure duly updated, or even to hire highly specialised personnel for the job, as a way of mitigating the risks.
Some of the matters highlighted by Rohan during the discussions were:
- An assessment of internal vulnerability can be carried out by commissioning a third-party study, but it must be ensured that ownership of such a study does not lie with the IT Department. Assessing human behaviour through profiling is usually more complicated, and organisations should pay attention to the individuals who have access to highly confidential data.
- While Active Directories are fundamental, some data leakage is inevitable, as tighter restrictions on data lead to reduced flexibility in doing business.
- Constantly engaging employees and raising awareness of data security through ongoing communication is vital in striking the balance between access and control.
- It is important to obtain an independent review and to ensure mechanisms are in place to quantify and measure the success of all IT projects.
- The differences between penetration testing and vulnerability testing.
In his concluding remarks, Anthony Jayaranjan thanked Suren Rajakarier, Suran Wijesinghe and Rohan Muttiah for their valuable contributions, and he also thanked KPMG for its hospitality and SLID for their continued support. Anthony also thanked all participants for their keen engagement and extended an invitation to the members of the forum to contribute towards the Working Group’s paper on “Audit Committee Responsibilities – Practical Thoughts”, which will be circulated soon.