A public listed company (“PLC”) in Malaysia is mandated under Chapter 15 of the Listing Requirements (“LR”) of Bursa Malaysia Securities Berhad (“Bursa”) to establish an independent Internal Audit (“IA”) function, whether in-house or outsourced, that provides assurance to the Audit Committee and Board of Directors of the PLC concerning the adequacy and operating effectiveness of the PLC’s governance, risk and control processes in realising corporate objectives.

As a preamble, Internal Auditing is defined as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes” (Source: The International Professional Practices Framework ["IPPF"] of the Institute of Internal Auditors).

To assess the status of the IA function and the extent of its work scope in PLCs, Bursa commissioned a thematic study in 2019 together with the Institute of Internal Auditors Malaysia, focusing on the IA Plan, IA reports (including follow-ups) and disclosure of IA function in the Corporate Governance Report of 40 selected PLCs. The study focused on 7 criteria of the IA function, namely:

1. Adoption of a recognised IA framework;
2. Independence and objectivity;
3. Planning the audit;
4. Effectiveness of IA function;
5. Resource management;
6. Communicating audit results; and
7. Monitoring progress.

These criteria are aligned with Bursa’s LR, the Malaysian Code on Corporate Governance (“MCCG”), the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers (“SORMIC”) and the IPPF. The following provides a snapshot on the status of the IA function in terms of compliance with the relevant requirements, including disclosure in the annual report of the 40 PLCs reviewed:

1. Adoption of a recognised IA framework

This relates to the disclosure a recognised framework adopted by the IA function in its work - less than half of the PLCs disclosed. In the absence of such disclosure, it is not possible for the reader to understand the IA standards, Code of Ethics and Core Principles, including the definition of internal audit, adopted by the IA function.

2. Independence and objectivity

It is imperative for an IA function to disclose the independence of its personnel in terms of relationship and that the IA personnel are free from any conflict of interest with the PLC concerned to enable objective assessment to be conducted.

3. Planning the audit

This criterion relates to the adoption of a risk-based plan to identify areas for IA coverage based either on a risk-assessment conducted by the IA function or a review of the risk profile of the PLC prepared by its Management or a combination. The IA function of all 40 PLCs had an IA plan but only 6 of them provided indication that their IA prepared a risk-based audit plan.

4. Effectiveness of IA audit function

This criterion focused on whether the IA scope addressed governance, risk management and internal control processes, including related party transactions; and whether root-cause analysis was conducted as part of the IA work to enable relevant recommendations to address the weaknesses noted.

None of the PLCs disclosed that the IA scope covered governance, risk management and internal control processes, including related party transactions. 32 PLCs disclosed that the IA scope was solely on internal controls. Most PLCs did not review related party transactions in their IA scope even though the financial statements of these PLCs disclosed the presence of significant related party transactions. There was no mention of root-cause analysis conducted by IA of 33 PLCs (83%) before coming up with recommendations in the IA reports.

5. Resource management

This relates to the disclosure of information about the number of IA resources, including the name and qualifications of the person responsible for IA. Such information provides insights on the adequacy of personnel, including the competence of the head of IA, deployed on the IA work. Although 30 PLCs (75%) disclosed pertinent information on their IA function, 10 PLCs (25%) chose to remain silent.

6. Communicating audit results

This criterion concerns the outcome of IA work carried out, i.e. the conclusion or opinion on the adequacy and operating effectiveness of the PLC’s governance, risk and control processes as a group, and how such results, including the recommended action plans, are communicated to the AC. The IA reports of only 12 PLCs (30%)fulfilled this criterion, whilst the remaining 28 PLCs (70%) failed to disclose any IA conclusion or opinion when communicating the audit results to the AC.

7. Monitoring progress

This relates to the follow-up on issues previously reported by the IA function, including the status of implementation of action plans as agreed by Management to address the issues. 33 PLCs (83%) did not monitor the progress of action plans whilst the remaining 7 PLCs (17%) showed that follow-up had been carried out and reported accordingly to the AC.

This study revealed a wide gap, especially in 5 of the 7 criteria above, pertaining to the work of the IA function in meeting the needs of the PLC. Being tasked with overseeing the IA function, the Audit Committee should consider the following measures to enhance the IA function in terms of competency of personnel, standards deployed in IA and the overall quality of work performed:

A. Adoption of a recognised framework

Current scenario of IA in Malaysia (excluding the IA of financial institutions regulated by Bank Negara Malaysia):

Internal auditors are not mandatorily required to be members of any professional body NOR are internal auditors compelled to adopt any recognised IA standards in the conduct of their work. This invariably allows IA to perpetuate its own “standards” in conducting its work and, sometimes, especially for outsourced IA service providers, may be pressured to cover a smaller scope or omit certain vital procedures in order to remain competitive in the market place. This often times lead to having an IA function in form, without much substance, just to comply with Bursa’s LR.

To alleviate this situation, the AC should consider the following corrective measures:

1. Regularly review the scope of IA function to ensure it is sufficient enough to be able to provide relevant assurance on the adequacy and operating effectiveness of the listed issuer’s governance, risk and control processes as promulgated by the SORMIC; and
2. Require the IA function to adopt a globally recognised framework on internal auditing as enumerated in the Malaysian Code on Corporate Governance. A holistic framework like the International Professional Practices Framework of the Institute of Internal Auditors, sets out the following:
1. the definition of IA (i.e. as a minimum, the scope of IA should cover the assessment of an organisation’s governance, risk management and internal control processes);
2. the Core Principles and Code of Ethics that Internal Auditors should abide by (to ensure professional independence, objectivity, non-conflict of interest, and appropriate attributes of IA are embraced and adhered to by Internal Auditors); and
3. a set of IA Standards (that streamline the way IA goes about planning and executing its work, gathering of evidence, communicating the results, and monitoring the progress of remedial action plans).

Such a framework, if adopted by PLCs, will go a long way towards standardising the extent of IA coverage, the approach towards IA and narrowing the existing gaps for better quality IA work; and

B. Ongoing education for Audit Committees on their roles pertaining to the IA function

AC members should keep abreast with developments in regulatory requirements and, accordingly, should consider participating in education sessions organised for AC members from time to time to better understand their roles on corporate governance, risk management and internal controls and how the AC may deploy the IA function to be its “eyes and ears” more effectively. The AC members should also be apprised at such education sessions on how the IA function may be assessed in terms of its competency, resource availability, quality of its report, etc. to ensure the IA function remains a cutting edge in providing assurance and advice to the AC.