First published in Business Times, 18 December 2013

Mak Yuen Teen

Proper explanations: SGX listing rules require the board of directors to provide its opinion on the ‘adequacy’ of the company’s internal controls while the Code of Corporate Governance recommends that the board comment on the ‘adequacy and effectiveness’ of the internal controls and risk management systems. – PHOTO: REUTERS

ON Sept 14, 2011, the Singapore Exchange (SGX) introduced amendments to listing rules to strengthen corporate governance practices and to improve disclosure.

Under Rule 719(1), mainboard issuers are required to have a robust and effective system of internal controls, addressing financial, operational and compliance risks. Rule 1207(10) requires mainboard issuers to disclose in their annual reports, the opinion of the board, with the concurrence of the audit committee (AC), on the adequacy of the internal controls, addressing financial, operational and compliance risks.

This became applicable to annual reports issued for financial years ending on or after Dec 31, 2011. Similar rule amendments were introduced for Catalist companies.

On May 10, 2012, the Monetary Authority of Singapore (MAS) issued a revised Code of Corporate Governance developed by the Corporate Governance Council (CGC) which included significant enhancements to guidelines on risk governance, risk management and internal controls. These guidelines become effective in respect of annual reports for financial years beginning Nov 1, 2012.

Unlike the SGX rules, the Code is “comply or explain”. Some company secretaries and advisers have been telling issuers that compliance with the Code is not mandatory. While this is true, they sometimes fail to remind issuers that under Rule 710 in the mainboard and Catalist rulebooks, issuers which do not comply with any of the Code guidelines have to disclose their non-compliance and provide reasons. Failure to do so is a breach of Listing Rule 710.

The new SGX rules and the revised Code both cover internal controls, but the Code also covers risk governance and risk management. Further, while the listing rules refer to controls addressing financial, operational and compliance risks, the revised Code also refers to information technology (IT) controls.

IT controls are arguably a subset of these other controls, but given the reliance of many issuers on IT today, the specific mention of IT controls is a worthwhile reminder to issuers to pay attention to them.

The listing rules require the issuer to have “a robust and effective set of internal controls” and for the board to provide its opinion on the “adequacy” of the internal controls. The Code, on the other hand, recommends that the board reviews the “adequacy and effectiveness” of the internal controls and risk management systems, and to comment on their “adequacy and effectiveness”.

The word “effectiveness” was added in the revised Code, as the previous Code refers only to the board commenting on “adequacy”, although the latter did recommend that the AC should ensure that the “effectiveness” of the internal controls be reviewed at least annually.

In the Risk Governance Guidance for Listed Boards issued by the CGC together with the revised Code, it is stated that “A risk management and internal controls system is considered adequate and effective if it provides reasonable assurance for the managing of the company’s risks, the safeguarding of its assets, the reliability of financial information, and the compliance with laws and regulations.”

With the SGX’s rules telling boards to provide an opinion about “adequacy” and the Code telling boards to provide an opinion about “adequacy and effectiveness”, the question arises as to the difference between “adequacy” and “adequacy and effectiveness”. According to the Merriam-Webster Online Dictionary, “adequate” means “enough for some need or requirement; good enough; of a quality that is acceptable but not better than acceptable”. “Effective” means “producing a decided, decisive, or desired, effect”.

Internal controls which are “adequate” must still serve their basic purpose and be “good enough”. My main point is that our rules use different terminologies which are not properly defined, and which may confuse those who are supposed to implement them.

A more practical matter is how issuers should report when there are two sets of overlapping rules dealing with internal controls and risk management, one mandatory and the other “comply or explain”.

One scenario is that an issuer which wants to be fully compliant with the SGX rules and the Code will now issue two statements, one to comply with each.

The second scenario is that issuers will include a single statement to comply with both together, which could read something like the following:

“Based on the internal controls and risk management systems established and maintained by the group, work performed by the internal and external auditors, and reviews performed by management, various board committees and the board, the audit committee and the board are of the opinion that the group’s internal controls and risk management systems, addressing financial, operational, compliance and information technology risks, were adequate and effective as at . . .”

Such a statement is a modified version of one of the statements which SGX used in its advisory note to issuers on April 16, 2012, to illustrate what is considered acceptable to comply with Rule 1207(10). The words in italics are those which I have added as a suggestion to comply with SGX Rule 1207(1) and guideline 11.3 in the Code.

In practice, it is of course possible that the board does not feel that it is in a position to comment on the adequacy and effectiveness of the internal controls and risk management systems, perhaps because there is not a properly-resourced internal audit function, a full cycle of internal audits has not been completed, or the board has failed to receive the necessary assurance from management.

However, I suspect that boards are likely to issue a statement to comply with the SGX rule, even if they have doubts about the adequacy of internal controls. I do not recall seeing an opinion from a board that internal controls are not adequate, but given some of the internal control failures we have seen, it is difficult to believe that internal controls in all our issuers are really adequate. This raises the question as to how much reliance investors can place on the board’s opinion.

Inconsistent

Given the inconsistent manner in which issuers have “complied or explained” against the Code in the past, I also foresee many issuers merely complying with the SGX rules and ignoring the need to comply with the more extensive Code guidelines on internal controls and risk management systems or disclosing and explaining deviations from these guidelines.

Company secretaries and advisers have to do more to remind boards of the need to comply with the Code, or to disclose non-compliance and provide explanations. This includes the recommendation in guideline 11.3 of the Code for the board to comment in the annual report on whether it has received assurance from the CEO and CFO that the financial records have been properly maintained, the financial statements give a true and fair view, and on the effectiveness of the internal controls and risk management systems. This is a good guideline, but it throws up interesting scenarios.

The straightforward scenario is that the CEO and CFO provide the assurance and the board comments accordingly. Another scenario is that the assurance is not provided to the board, either because the board does not ask for it or management refuses to provide it. Management may decline to provide the assurance because the Code is not mandatory.

It may be easy to say that the board should fire management if it refuses. But in many SGX-listed issuers, where management are controlling shareholders, directors who insist on management providing such assurance may soon find that they are no longer directors. This does not mean that they should not ask and insist.

If management refuses to give the assurance, then the board ought to make the appropriate disclosure and explanation. A statement that management has declined to provide the assurance will obviously raise concerns to investors, but the board cannot just ignore guideline 11.3 without proper disclosure and explanation, as that would be a breach of Rule 710.

Management’s reluctance to provide such assurance is not merely hypothetical, based on some conversations I have had with directors.

While my commentary has raised implementation issues with those requirements and guidelines in the SGX listing rules and the Code relating to internal controls and risk management, there is a much wider issue of the need for better alignment between the SGX rules and the Code.

In a commentary earlier this year, I highlighted similar confusion caused by SGX rules and the Code guidelines on disclosure on executive remuneration (“Executive pay needs more attention,” BT, May 7, 2013). It may be useful to review the two sets of rules and ensure that they are consistent and coherent.

The writer is an associate professor in the NUS Business School where he teaches corporate governance and ethics. He was a member of corporate governance committees which developed and revised the Code of Corporate Governance in 2001 and 2005 respectively.