Internal controls and risk management, and other key pillars of good corporate governance
Substantive implementation and periodic reviews of company’s policies and measures are important.
Corporate debacles invariably result from major lapses in internal controls and/or systemic failures in the group’s risk management.
Practice Guidance 9 of the Code of Corporate Governance (PGCG) tasks the Board of an issuer with the oversight responsibility for the group’s risk management framework and policies, and with ensuring that the group has a sound and effective system of internal controls (which include financial, operational, compliance and information technology controls) and a robust risk management system (the “company’s internal controls and risk management”).
While a company may have an impressive tome of internal control policies and risk management measures, the cardinal factors that distinguish the gold from the dross lie in, firstly, the substantive implementation of the policies and measures, and secondly, periodic reviews thereof to ensure their continual effectiveness by a board committee, such as the Audit Committee or a separate Board Risk Committee.
In this respect, the PGCG, Mainboard Practice Note 12.2 and Catalist Practice Note 12B (collectively, the “internal controls and risk management rules”) hard-wire the regulatory requirement that the board and the audit committee periodically assess the effectiveness of the company’s internal controls and risk management and make full disclosure in the annual report of any issues or concerns of material weakness in relation thereto, including the proposed steps to address the areas of concern, so as to enable investors to make an informed decision on the company.
The company’s internal controls and risk management must withstand the scrutiny of public transparency and adhere to the high standards of legal accountability to investors. Any intentionally or recklessly false or misleading statement in the annual report on the company’s internal controls and risk management may contravene section 199 of the Securities and Futures Act (SFA), and possibly also breach the continuous disclosure provisions under section 203 of the SFA. This could result in a fine not exceeding S$250,000 or imprisonment for a term not exceeding 7 years, or both.
The authorities have in recent years stepped up enforcement actions against directors, including independent and non-executive directors (non-management directors), for serious criminal breaches by companies. Non-management directors should not be lackadaisical in the discharge of their fiduciary responsibilities and statutory duties.
A person invited to take up a non-management directorship should carefully consider whether he or she has the time to carry out the duties and responsibilities of a director and the commitment to ensure compliance, inter alia, with the internal controls and risk management rules. A non-management director must be satisfied that the board is at all times kept duly informed of material developments involving the group, and that the issuer is able to comply with all listing and statutory requirements, including the continuous public disclosure listing rules.
Non-management directors, who (with effect from Jan 1, 2022) comprise the majority of an issuer’s board, must exercise stringent oversight of management to ensure that the board is effectively in control of the company and not merely a rubber stamp for management’s decisions.
The board must not hesitate to query, or even call out, any perceived irregularity, any unusual transaction that is inconsistent with the ordinary course of the group’s businesses, or any material off-budget expense or sudden incurrence of a significant risk or financial obligation that has no commensurate benefit to the group. Such “amber lights” are often indicative that something is not right and that an investigation needs to be conducted promptly to determine if there are corporate abnormalities or material aberrations that need to be addressed.
In the event of a corporate failure, when questioned or probed, a non-management director must be able to raise the defence of due diligence and/or reasonable reliance. The defence of due diligence requires a director to demonstrate that he or she diligently made all requisite enquiries on all concerns and issues, and carried out all reasonable actions to verify information and to address those concerns.
The defence of reasonable reliance would not be satisfied merely by relying on the cosmetic representations or bald assurances of management. Directors would have to demonstrate that, in addition to obtaining relevant data and information from management, they appointed properly qualified professional advisers to conduct financial audits, professional valuations and/or legal due diligence to verify the information from management, and that there was a basis to rely on such professional guidance before making a board decision.
To be effective, the company’s internal controls and risk management require the concurrent establishment of a proper whistle-blowing system that is under the direct control of the audit committee. An effective whistle-blowing system must afford whistle-blowers legal protection of their identities and their careers from any retaliatory action by management.
This may in practice be difficult to achieve unless there are laws and regulations requiring issuers to provide the financial support and other resources that enable the audit committee to properly establish an effective whistle-blowing system of protection and investigation.
Not many employees are prepared to risk their jobs or be black-listed for speaking up. Unless whistle-blowers are protected, a company’s whistle-blowing policy would merely be a “glorified dead letter” write-up in the board’s corporate governance manual.
To complete the proper institutionalisation of internal controls and risk management, the board must put in place a team of internal auditors to monitor the implementation of the control policies and rules.
The group’s internal auditors must be independently staffed (or appointed from a professional external firm) and report directly to the audit committee. This is necessary on the same principle that underlies the need for an effective whistle-blowing system: the group’s internal auditors must be able to do their job independently, detecting and reporting any breach of the group’s internal controls or any management override, without fear or favour.
The writer is a senior corporate finance lawyer.
Copyright SPH Media. All rights reserved.