In a Search for Regulations on Risk Management, Internal Control and Internal Audit
Jacek Socha
IAS Conference, 17 October 2006
PwC

Agenda
- Background
- Sarbanes-Oxley Act: lessons learnt and benefits
- EU response
- EU existing regulations
- Regulations existing in Poland
Background
The cry for improved risk systems and internal control.
- Major scandals in the United States and Europe damaged public confidence in capital markets and listed companies
- Improvements in risk systems and internal controls were made to create a path to restoring public trust
- In the United States a regulatory approach was chosen (Sarbanes-Oxley Act)
- Europe is still searching for an alternative to the Sarbanes-Oxley Act
- Reinforcement of the internal audit role

Sarbanes-Oxley Act: lessons learnt
SOX was a great challenge for companies.
- Significant learning curve in Year 1 for all:
  - Lack of guidance;
  - Lack of qualified, trained resources.
- Absolute assurance vs. reasonable assurance.
- Need for a risk-based approach:
  - Better identification of key controls;
  - Testing of low-risk areas;
  - One-size-fits-all approach.
- Duplication of testing; reliance on testing.
- Information technology controls:
  - Unclear guidance;
  - Interplay of IT controls with broader areas of internal control over financial reporting (ICFR).
Sarbanes-Oxley Act: benefits
Benefits have been observed, although no significant predictive trend in market reaction is visible.
- Increased awareness of internal control over financial reporting (ICFR) by senior management.
- Increased tone at the top.
- Greater confidence in financial reporting.
- Greater transparency in the investor community.
- Recognition that there was an under-investment in ICFR infrastructure.
- Allowed for the sharing of best practices and the development of standardized policies.
- Average of the ten largest increases in stock price 30 days after the announcement of a material weakness: 41.7% change
- Average of the ten largest decreases in stock price 30 days after the announcement of a material weakness: 27.5% change

EU response
There is no widespread support for risk and internal control regulations at the EU level.
- Company-wide risk and internal control are widely recognized as a fundamental basis for the long-term success of the firm
- There are no existing requirements relating to risk and internal control at the EU level comparable to the Sarbanes-Oxley Act
- Risk requirements existing in different EU countries vary considerably
- A principle-based approach with cost/benefit analysis and care about the unintended consequences of prescriptive regulations is widely supported
- Europe has been learning from the costly implementation of the Sarbanes-Oxley Act in the US
EU and US Approach to Risk Management and Internal Control
There are major differences between the EU and US approaches to reforming risk and internal control systems.

| | Europe* | US |
|---|---|---|
| Regulations | Principle-based, comply or explain | Legal Act (Sarbanes-Oxley Act) |
| Types of risks | Financial Reporting; Compliance; Operational and Strategic | Financial Reporting |
| External bodies' assurance | No independent assurance; disclosure material published by the company; market's own assessment of risk and internal controls | Assurance must be provided by an independent auditor |

*Prepared on the basis of the following document: Analysis of Responses to FEE Discussion Paper on Risk Management and Internal Control in the EU, May 2006.

EU existing regulations
Recent initiatives in the EU within Financial Reporting refer indirectly to risk systems, internal control and internal audit.
- Directive 2006/43/EC on statutory audits of annual accounts and consolidated accounts
- Directive 2006/46/EC on the annual accounts of certain types of companies and on consolidated accounts
- The role of the Audit Committee in the risk, internal control, internal audit and financial reporting process
- Independence of the firm carrying out the audit
- Corporate governance statement
EU existing regulations - comparison
Risk and internal control in the old members of the EU and the US are more advanced than in the new members and candidates.

| Country | Are there requirements? | Is compliance with requirements mandatory? | Where are requirements? | Risks: Financial Reporting | Risks: Compliance | Risks: Operational and strategic | Framework required? | Specific legal enforcement sanctions? | External auditors' involvement? |
|---|---|---|---|---|---|---|---|---|---|
| Belgium | Yes | No | Code of Corporate Governance | Yes | Yes | Yes | No | No | No |
| France | Yes | Yes | Code of Corporate Governance | Yes | No | Yes | No | Civil action possible and AMF (market regulator) enforcement action | Yes - external reporting |
| Germany | Yes | Yes | Stock Corporation Act and Corporate Governance Code | Yes | Yes | Yes | No | Liability provisions and possibility of misdemeanour | Yes - internal reporting |
| Netherlands | Yes | No | Corporate Governance Code | Yes | Yes | Yes | COSO indicated as suitable | No | No, except for reporting in letter |
| United Kingdom | Yes | No | Combined Code and Listing Rules of the UK Listing Authority | Yes | Yes | Yes | Turnbull | No | Yes - external exception reporting |
| United States | Yes | Yes | Sarbanes-Oxley Act | Yes | No | No | COSO, CoCo, Turnbull | SEC enforcement action | Yes - external reporting |

Source: FEE, Risk Management and Internal Control in the EU. Discussion Paper, March 2005.

EU existing regulations - comparison (continued)

| Country | Are there requirements? | Is compliance with requirements mandatory? | Where are requirements? | Risks: Financial Reporting | Risks: Compliance | Risks: Operational and strategic | Framework required? | Specific legal enforcement sanctions? | External auditors' involvement? |
|---|---|---|---|---|---|---|---|---|---|
| Bulgaria | Only for financial institutions | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Czech Republic | Only for financial institutions | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Hungary | Yes | No | Corporate Governance Recommendations - Budapest Stock Exchange | Yes | Yes | Yes | No | No | No |
| Latvia | Only for financial institutions | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Lithuania | No | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Poland | No | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Romania | Yes | Yes | Companies Law and Stock Market | No | Yes | No | No | Yes | Yes - examine without reporting |
| Slovak Republic | Only for financial institutions | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Slovenia | No | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |

Source: FEE, Risk Management and Internal Control in the EU. Discussion Paper, March 2005.
Existing regulations in Poland
In Poland, regulations referring to risk, internal control and internal audit exist for banks and the public sector. The Polish Corporate Governance Code refers to some of these elements.
- The Banking Act defines the objectives of the internal control system and the role of internal audit
- Recommendations concerning prudential standards for risk and sound banking practice by the General Inspectorate of Banking Supervision (GINB) (not included in FEE's assessment)
- Polish Corporate Governance Code for listed companies (not included in FEE's assessment)
- Public Finance Act referring to internal audit and financial control in the public sector
- Recommendations of the Ministry of Finance in the form of standards for performing financial control and internal audit within the public sector

Polish Capital Market Structure
[Diagram: structure of the Polish capital market. Supervisory authorities: KNF (Financial Supervisory Commission) and KNB (Banking Supervisory Commission) with GINB; legislator: Capital Market Acts, Banking Act, Public Sector Act; GINB Standards; National Depository for Securities; Warsaw Stock Exchange; MTS-CETO; clearing bank (NBP); exchange members; issuers; institutional and individual investors; Good Practice Committee and Corporate Governance Code.]
WSE Dynamic Statistics
The number of companies listed on the WSE has increased threefold since 1996 (from 83 to 268).

| Year | Listed companies | of which foreign | WIG (%) | WIG20 (%) |
|---|---|---|---|---|
| 2006 | 268 | 7 | 21.80 | 11.54 |
| 2005 | 255 | 7 | 33.66 | 35.42 |
| 2004 | 230 | 5 | 27.94 | 24.56 |
| 2003 | 203 | 1 | 44.92 | 33.89 |
| 2002 | 216 | - | -3.19 | -2.70 |
| 2001 | 230 | - | -21.99 | -33.46 |
| 2000 | 255 | - | -1.30 | 3.40 |

[Logos: examples of foreign companies listed on the WSE; examples of foreign banks having investments in banks listed on the WSE]

WSE Market Capitalisation Dynamic Statistics
The market capitalization of WSE listed companies has increased significantly in recent years.
[Bar chart: market capitalization (billion PLN) by year, 1991 to 2005, for domestic companies and foreign companies; vertical axis 0 to 450. Values labelled on the bars: 0.2, 0.4, 5.8, 7.5, 11.9, 24.0, 28.0, 43.8, 72.4, 77.0, 103.4, 110.6, 116.0, 123.4, 130.1, 140.0, 214.3, 308.4]
Existing regulations in Poland: Banks
The requirement for internal control implementation in banks and the roles of the Management and Supervisory Boards are specified in the Banking Act.
- Banks should implement an internal control system
- An internal control system should support the decision-making processes
- The management board should be held responsible for the design and implementation of the internal control system
- The supervisory board should perform supervision of the internal control system implementation and assess its adequacy and effectiveness

Article 9. An internal control system shall operate in banks.

Article 9a. The purpose of the internal control system shall be that of support for the decision-making processes, which contribute to ensuring:
1) the efficiency and efficacy of the bank's operation;
2) the reliability of financial reporting;
3) the compliance of the bank's operation with the provisions of law and internal regulations.

Article 9b. 1. A bank's management board shall be responsible for the design, implementation and operation of the internal control system as required by the amount and profile of risk involved in the banking activity.
2. A bank's supervisory board shall exercise supervision over the implementation of the internal control system and assess its adequacy and effectiveness.

Existing regulations in Poland: Banks
The Banking Act defines the necessity for establishing an internal audit unit.
- An organizational sub-unit of internal audit shall operate in banks which operate in the form of joint-stock companies
- The internal control sub-unit should be responsible for the independent and objective assessment of the internal control system
- The supervisory board should be provided with confirmed irregularities and recommendations
- The supervisory board may appoint from among its members an internal audit committee

Article 9c. 1. An organizational sub-unit of internal audit shall operate in banks which operate in the form of joint-stock companies, in state banks and in cooperative banks where the internal control is not realized under Article 10.
2. An organizational sub-unit of internal audit shall be responsible for the independent and objective audit and evaluation of the adequacy and effectiveness of the internal control system and for providing its opinion concerning the management of the bank, including the effectiveness of the management of risk connected with a bank's activity.

Article 9d. 1. Information concerning confirmed irregularities and recommendations resulting from performed internal audits, as well as steps taken to eliminate such irregularities or comply with the recommendations, shall be submitted to the supervisory board periodically.
2. The supervisory board may appoint from among its members an internal audit committee which shall exercise acts of supervision over the activity of the internal audit sub-unit.
Existing regulations in Poland: Banks
An internal control system is essential for assuring the stable functioning of banks.
GINB Recommendation:
- The system of internal control is the essential tool for controlling banking activity
- Internal control helps an organization accomplish its objectives and assure the stability of bank activities
- The function of internal audit is a part of the process of monitoring the effectiveness of internal control mechanisms
- Responsibilities, authorities, scope and position of the internal audit unit in the organization should be formally defined
- The internal audit unit should be placed within the organization in such a manner that allows it to fulfil its responsibilities with the necessary power and independence
- The chief audit executive reports directly to the Chief Executive Officer; a reporting line to the supervisory board is crucial for assuring the independence and objectivity of internal audit activity
- The internal audit unit is not responsible for the identification, assessment and management of risks

Existing regulations in Poland: Listed Companies
The Polish Corporate Governance Code includes several principles referring to internal audit and corporate governance rules for listed companies.
- The Corporate Governance Code (Best Practices in Public Companies in 2002) for companies listed on the Warsaw Stock Exchange was implemented in 2002 and revised in 2005
- The Polish Corporate Governance Code is based on the comply or explain principle
- In accordance with the Stock Exchange Rules, issuers are obliged to submit statements to the Stock Exchange each year concerning their adherence to corporate governance guidelines
- The Polish Code is derived from the OECD Principles of Corporate Governance
- The Code is based on the Majority Rule and Protection of the Minority
- It includes good practice rules for: annual general meetings, supervisory boards, management boards, and relations with third parties and third-party institutions
Existing regulations in Poland: Listed Companies
The presence of independent representatives on the board, capable of challenging the decisions of management, is widely considered a means of protecting the interests of shareholders and other stakeholders.
- Independent members comprise at least half of the supervisory board
- Resolutions referring to the company's performance, key agreements and the auditor appointment should not be adopted without the consent of the majority of independent members

Principle No. 20
(a) At least half the members of the supervisory board should be independent members, subject to point (d) below. Independent members of the supervisory board should not have relations with the company and its shareholders or employees which could significantly affect the independent member's ability to make impartial decisions.
(b) Detailed independence criteria should be laid down in the company's statutes.
(c) Without the consent of the majority of independent supervisory board members, no resolutions should be adopted on the following issues:
- performances of any kind by the company and any entities associated with the company in favor of management board members;
- consent to the execution by the company or a subsidiary of a key agreement with an entity associated with the company, a member of the supervisory board or management board, or with their associated entities; and
- appointment of an auditor to audit the company's financial statements.
(d) In companies where one shareholder holds a block of shares carrying over 50% of all voting rights, the supervisory board should consist of at least two independent members, including an independent chairman of the audit committee, should such a committee be set up.

Existing regulations in Poland: Listed Companies
Listed companies are required to set up audit and remuneration committees.
- Within the supervisory board at least two committees should be set up: audit, and remuneration
- The audit committee should consist of at least two independent members
- The auditor should be selected by the supervisory board on the recommendation of the audit committee

Principle No. 28
The supervisory board should operate in accordance with its by-laws, which should be publicly available. The by-laws should stipulate that at least two committees should be set up:
- audit, and
- remuneration.
The audit committee should consist of at least two independent members and at least one person possessing the relevant qualifications and experience in accounting and finance. The committee's tasks should be specified in the board by-laws. The committees should present reports on their activities to the supervisory board every year. The company should then make these reports available to its shareholders.

Principle No. 43
The auditor should be selected by the supervisory board on the recommendation of the audit committee, or by the general meeting on the recommendation of the supervisory board containing the audit committee recommendation. If an auditor other than the one recommended by the audit committee is chosen by either the board or the general meeting, detailed reasons should be given. Information on the selection of an auditing entity together with the relevant justification should be disclosed in the annual report.
Polish Corporate Governance Code Compliance Statistics

| Principle | Companies declaring compliance with the principle in 2006 | Companies declaring compliance with the principle in 2005 |
|---|---|---|
| Number of listed companies | 268 | 255 |
| All principles | 43 | 33 |
| None of the principles | 5 | 8 |
| Principle No. 20 (independent members in the supervisory board) | 75 | 55 |
| Principle No. 28 (setting up the audit and remuneration committee) | 85 | 74 |
| Principle No. 43 (auditor appointment) | 134 | 127 |

Data is based on CG statements disclosed as at 31 August 2006 by all companies listed on the Warsaw Stock Exchange (WSE).

Existing regulations in Poland: Public Sector
The Act on Public Finance defines the legal requirements for internal audit and financial control in the public sector.
In accordance with the Act on Public Finance:
- Internal audit in a public sector entity is obligatory
- The General Inspectorate for Internal Audit oversees internal audit activities across all public sector units
- The internal auditor must be a direct subordinate of the head of the entity
- The internal auditor may be dismissed only with the approval of the General Inspectorate for Internal Audit
- Each year the internal auditor submits to the head of the entity and to the General Inspectorate for Internal Audit a performance report for the last year and the audit plan for the following year
- The standards for performing internal audit in the public sector are the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors
Conclusions
Control, but think and allow to grow