In light of the amendments made to the Code of Corporate Governance and SGX Listing Rules with effect from 1 January 2019, more companies recognise the need to step up on their internal control, specifically in the areas of compliance, operational, financial, information technology and risk management. As a result, the role of finance leaders is increasingly important in maintaining this line of defence in effective risk management and internal control.
The revised Code defines how the Board of Singapore-listed companies should adopt the ‘comply-or-explain’ regime, to ensure meaningful disclosures are made to their stakeholders whilst revisions to the SGX Listing Rules have increased the emphasis on the Board to evaluate the adequacy and effectiveness of the system of internal controls and risk management systems. The reinforced checks-and-balances aim to enhance corporate governance in Singapore and strengthen board competencies to act in the best interests of the companies served.
It is not uncommon to think that only larger companies with operations across different geographical locations with thousands of employees are more susceptible to lapses in internal control, but often, the truth differs as this is only what was gathered from the media. Yes, failures of large companies make big news, but smaller businesses are increasingly being thrust into the spotlight for having fallen victim and suffering operational disruptions and financial losses as a consequence of these internal control lapses. So, faced with the dynamic and highly-competitive business landscape, what can small businesses do to respond and be agile when implementing internal controls?
As part of a small business, finance leaders play a key role as a gatekeeper in maintaining the reliability of financial reporting to the stakeholders, including business owners and investors. Implementing adequate and effective internal control over financial reporting and operations can be challenging as a result of these limitations:
• Segregation of duties – To safeguard against the risk of unauthorised transactions, fraudulent activities and manipulation of data, businesses should have clear segregation of accounting roles, responsibilities and risk. Disallowing the same person from executing multiple steps in a transaction is an important control to prevent potential risks of errors and fraud.
• Lack of experience in formalising policies and procedures over key processes – Policies and procedures matter in risk management as they are a hallmark of organisational maturity to some degree in terms of a company’s current operational status and its commitment to effective compliance. Ensuring an appropriate balance in skills and resources that are relative to the needs of each business origination units is necessary to achieve effective results.
• Inadequate resources to perform oversight and review functions – Detailed instructions and useful information on processes, procedures, tools and techniques provide good references as ready sets of standard operating procedures or practice guides to supplement the lack of experience, competencies or judgement when conducting an audit. Such resources add value to the users by allowing them to have clarity on the context of work and provide guidance on the aspects of the process.
• Maintaining insufficient documentation over transactions – The best underlying evidence for an effective management control of all its operations is record-keeping of transactions that businesses should be able to produce on-demand or at regular intervals as the situation requires.
Whilst implementing effective internal control is undoubtedly important, having controls suitable for global conglomerates may not be practical nor serve any favour to the financial pocket. Common internal control lapses which are often found in small businesses can be mitigated through a combination of controls which, holistically, reduces the risks associated with it. Hence, it is imperative for business owners and their key business process owners, including finance leaders, to come together and have a good understanding of the risks and opportunities which may arise at an organisational level so as to implement practical, relevant and cost-effective internal control which will strike the right balance between the business of safeguarding assets and actual business success itself.
Against this backdrop, finance leaders and companies with internal audit functions will need to be agile and rethink to allow disruption in order to transform and deliver the value that stakeholders expect. Daunting as it may seem but not addressing to these issues can further expose businesses to risks which may impact companies’ ability to achieve their corporate strategy. Companies will need to look beyond their challenges and put in place practical and concise risk management systems and internal controls to address the various risks and opportunities involved.
For more information, please contact:
Head of Internal Audit
Nexia TS is a member firm of the “Nexia International” network. Nexia International Limited does not deliver services in its own name or otherwise. Nexia International Limited and the member firms of the Nexia International network (including those members which trade under a name which includes the word NEXIA) are not part of a worldwide partnership. Nexia International Limited does not accept any responsibility for the commission of any act, or omission to act by, or the liabilities of, any of its members. Each member firm within the Nexia International network is a separate legal entity.