Corporate governance services
In March 2003, the ASX Corporate Governance Council (‘the Council’), comprising representatives of a range of business groups, published ‘Principles of Good Corporate Governance and Best Practice Recommendations’. This publication describes ten core principles of good corporate governance, each of which is supported by best practice recommendations and implementation guidance and suggestions (including required disclosures).

The ten core principles are:

  1. Lay solid foundations for management and oversight - Recognise and publish the respective roles and responsibilities of board and management.
  2. Structure the board to add value - Have a board of an effective composition, size and commitment to adequately discharge its responsibilities and duties.
  3. Promote ethical and responsible decision-making - Actively promote ethical and responsible decision-making.
  4. Safeguard integrity in financial reporting - Have a structure to independently verify and safeguard the integrity of the company’s financial reporting.
  5. Make timely and balanced disclosure – Promote timely and balanced disclosure of all material matters concerning the company.
  6. Respect the rights of shareholders - Respect the rights of shareholders and facilitate the effective exercise of those rights.
  7. Recognise and manage risk - Establish a sound system of risk oversight and management and internal control.
  8. Encourage enhanced performance - Fairly review and actively encourage enhanced board and management effectiveness.
  9. Remunerate fairly and responsibly - Ensure that the level and composition of remuneration is sufficient and reasonable and that its relationship to corporate and individual performance is defined.
  10. Recognise the legitimate interests of stakeholders - Recognise legal and other obligations to all legitimate stakeholders.

A listed entity is also required to include a statement disclosing the extent to which it has followed the best practice recommendations set by the ASX Corporate Governance Council during the reporting period. If the entity has not followed all of the recommendations, it must identify those recommendations that have not been followed and give reasons for not following them. If a recommendation has been followed for only part of the period, the entity must state the period during which it was followed.


CEO and CFO Statements about Financial Reports and Internal Controls

The Council recommends that a company’s CEO and CFO should make statements about the company’s financial reports and internal controls in order to achieve compliance with Principle 4 ‘Safeguard integrity in financial reporting’ and Principle 7 ‘Recognise and manage risk’. The relevant Recommendations are discussed below:

Recommendation 4.1: CEO and CFO Statements about Financial Reports

Principle 4 requires a company to have a structure of review and authorisation that independently verifies and safeguards the integrity of the company’s financial reporting, including the truthful and factual presentation of the company’s financial position.

One of the five recommendations made by the Council to achieve Principle 4 is Recommendation 4.1, which states that the company should require the chief executive officer (or equivalent) and the chief financial officer (or equivalent) to state in writing to the board that the company’s financial reports present a true and fair view, in all material respects, of the company’s financial condition and operational results and are in accordance with relevant accounting standards.

Recommendation 7.2: CEO and CFO statements about risk oversight and management and internal control

Principle 7 requires a company to establish a sound system of risk oversight and management and internal control, which is designed to identify, assess, monitor and manage risk, and inform investors of material changes to the company’s risk profile. One of the three recommendations made by the Council to achieve Principle 7 is Recommendation 7.2, being that:

The chief executive officer (or equivalent) and the chief financial officer (or equivalent) should state to the board in writing that:

  7.2.1 The statement given in accordance with best practice recommendation 4.1 (the integrity of financial statements) is founded on a sound system of risk management and internal compliance and control which implements the policies adopted by the board.
  7.2.2 The company’s risk management and internal compliance and control system is operating efficiently and effectively in all material respects.

The following table sets out the components of a risk management framework and the indicative attributes of each that support a Recommendation 7.2 statement:

| Framework component | Indicative attributes |
|---|---|
| Internal Environment | Board responsibilities for risk management have been established. At least three independent / non-executive directors are involved. |
| | A risk management policy is in place. |
| | Ethical values have been established. |
| | The Board has set its risk reporting expectations, consistent with the risk management policy. |
| | Responsibility and accountability for risk management has been delegated from the Board to management with appropriate functions and accountabilities within the business. |
| | Risk management has been incorporated into business and personal performance criteria. |
| Objective Setting | Business objectives / strategies have been developed and documented. |
| | Key performance indicators have been established to monitor achievement. |
| Event identification | Management has implemented systems and processes to identify risks that could threaten the achievement of business objectives. |
| | Risk profiles are prepared describing the material risks facing the organisation. |
| | The risk identification process considers internal and external factors. |
| Risk assessment | Consistent risk assessment criteria are used to measure the likelihood and impact of identified risks. These have been tailored to suit the environment and risk appetite of the organisation. |
| | Material risks are assessed across all material business units. |
| Risk Response | Consideration is given to all options for managing a risk, including avoidance, reduction, sharing / transfer and acceptance. |
| Control activities | Responsibility and accountability for control activities has been assigned within the organisation. |
| | The effectiveness of controls is evaluated periodically, with remedial actions implemented and monitored where necessary. |
| | Effectiveness assessment includes evaluation of design (i.e. fitness for purpose) and execution (i.e. compliance). |
| Information and communication | The risk management policy has been communicated internally and made publicly available. |
| | Communication channels (e.g. intranet, internet, internal knowledge systems) have been established to enable people to access relevant risk management information. |
| | Risk management information is integrated with other information used to manage the organisation. |
| Monitoring | The Board and Management regularly review and update the organisation's risk profile. |
| | Protocols have been established for reporting risk issues, with escalation to senior management / the Board as necessary. |
| | Appropriate risk monitoring functions, such as internal audit, have been established and are coordinated to ensure completeness of monitoring activities. |
| | An internal audit function has been structured in a manner that achieves organisational objectivity and permits full and unrestricted access to top management and the audit committee of the Board. |

Comparative Analysis of Recommendations 4.1 and 7.2 to CLERP 9 and the Sarbanes-Oxley Act


CEO and CFO Declarations under CLERP 9

The Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Bill was introduced into Parliament on 4 December 2003 under the Corporate Law Economic Reform Program No. 9 (‘CLERP 9’). The new Section 295A of the Corporations Act proposed under CLERP 9 would require the CEO (or equivalent) and CFO (or equivalent) of a listed entity to make a written declaration to the directors of the entity stating whether, in their opinion:

  1. the financial records of the entity for the financial year have been properly maintained in accordance with Section 286 the Corporations Act;
  2. the financial statements, and the notes thereto, for the financial year comply with Australian Accounting Standards;
  3. the financial statements and notes for the financial year give a true and fair view; and
  4. any other matters prescribed by the Corporations Regulations.

Sections 302 and 404 of the Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002 introduced sweeping regulatory, financial reporting and corporate governance reforms in the U.S. capital markets, and has instigated a wave of similar regulatory actions globally. The two provisions of the Sarbanes-Oxley Act most comparable to Recommendations 4.1 and 7.2 are Sections 302 and 404.


CEO and CFO Certifications under Section 302


Section 302 of the Sarbanes-Oxley Act directed the SEC to implement rules requiring the CEO and CFO of SEC registrants to certify each periodic report (for a foreign registrant, the Form 20-F annual report) for periods ending after 29 August 2002, in the exact form specified by the SEC. In their certifications, the CEO and CFO state that they have reviewed the report, and that to their knowledge the report is true and complete in all material respects and the financial statements and other financial information are fairly presented. These statements are similar to both Recommendation 4.1 and CLERP 9. However, the Section 302 certifications go further, in that they also include statements regarding ‘disclosure controls and procedures’ and ‘internal control over financial reporting’.


Reporting on Internal Control over Financial Reporting under Section 404


Section 404 of the Sarbanes-Oxley Act directed the SEC to implement rules requiring the management of SEC registrants to report annually on the effectiveness of internal control over financial reporting (as defined above), and requiring the external auditor to attest to and report on management’s assessment. The SEC’s final rules under Section 404 were released in June 2003 and are effective for U.S. “accelerated filers” (i.e. seasoned U.S. public companies with public equity exceeding US$75 million) for financial years ending on or after 15 June 2004. For all other registrants, including foreign private issuers, the effective date is financial years ending on or after 15 April 2005.
Under the SEC rules, a company’s annual report must include a report of management on the company’s internal control over financial reporting which, at a minimum, includes the following:

  • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting;
  • A statement identifying the framework used by management to evaluate the effectiveness of the registrant’s internal control over financial reporting;
  • Management’s assessment of the effectiveness of the registrant’s internal control over financial reporting as of the end of the most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective; and
  • A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation (i.e. audit) report on management’s assessment of the company’s internal control over financial reporting.

The following table compares the CEO and CFO statement requirements of the four regimes discussed above:

| Element | ASX Recommendations 4.1 and 7.2 | CLERP 9 | Sarbanes-Oxley Act – Section 302 | Sarbanes-Oxley Act – Section 404 |
|---|---|---|---|---|
| Form of report | Written statement to board of directors | Written statement to board of directors | Exhibit to Form 20-F annual report | Footnote in Form 20-F annual report |
| Statements regarding financial reporting | Financial report true and fair, complies with accounting standards | Financial report true and fair, complies with accounting standards | Financial report true and fair | No reference |
| Statements regarding internal controls | Internal control over financial reporting efficient and effective | Financial records properly maintained | Disclosure controls and procedures effective | Internal control over financial reporting effective |
| Time period for internal control statements | Throughout reporting period | Throughout reporting period | As of reporting date | As of reporting date |
| Audit requirements | Not audited | Not audited | Limited review. No separate opinion | Audited. Separate audit opinion on internal control |

Scope of Process for Evaluating Internal Controls related to Financial Reporting Objective under Recommendation 7.2


The following table describes the key steps in our recommended process for evaluating internal controls related to the financial reporting objective, and the minimum activities and deliverables needed to comply with Recommendation 7.2. The table also compares these steps to Section 404 of the Sarbanes-Oxley Act.

| Process step | Minimum activities for Recommendation 7.2 | Comparison to SOA Section 404 | Deliverables for Recommendation 7.2 |
|---|---|---|---|
| 1. Understand the definition of internal control | Identify the criteria against which internal controls are to be evaluated | Same | Document criteria for internal control evaluation |
| 2. Organise a project team to conduct the evaluation | Establish a project team to plan and supervise the development, staffing and execution of the internal control evaluation process | Same | Document project plan and timelines |
| 3. Evaluate internal control at an entity level | Evaluate the five elements of internal control relating to the financial reporting objective that have a pervasive effect on the organisation | Similar, except higher standard for documenting evidence of design and operating effectiveness of controls (to enable independent attestation) | Entity-level controls evaluation questionnaire |
| 4. Understand and evaluate internal control at the process, transaction or application level | Determine materiality thresholds for internal control evaluation | Same | Document materiality determinations |
| | Determine relevant assertions in significant accounts and disclosures, and link to significant processes | Same | Spreadsheet analysis of relevant assertions in significant accounts and disclosures, linked to significant processes |
| | Identify and evaluate major classes of transactions embedded in significant processes | Similar, except higher standard for documenting understanding of transaction flows (to enable independent attestation) | High-level analysis (narrative or flow chart) of significant transaction flows in significant processes |
| | Identify financial reporting risks (i.e., what can go wrong) and internal controls to prevent or detect identified risks | Same | Document significant financial reporting risks and related internal controls |
| | Evaluate design effectiveness of internal controls relating to the financial reporting objective | Same | Document basis for evaluation of design effectiveness of internal controls |
| 5. Evaluate overall effectiveness, identify matters for improvement, and establish monitoring system | Evaluate operating effectiveness of internal controls relating to the financial reporting objective | Similar, except higher standard for documented evidence of operating effectiveness (to enable independent attestation), but only 'as of' the reporting date (rather than the reporting period) | Document basis for evaluation of operating effectiveness of internal controls |
| | Report on effectiveness of internal control over financial reporting | Similar, except report included in audited financial statements | CEO and CFO Statement to the Board of Directors |
| | Identify matters for improvement and establish monitoring system | Same | None |


Where does Australian Risk Services fit?


Australian Risk Services assists clients in the following areas:

  1. risk management policy
  2. business risk profiling
  3. assessment of effectiveness of controls