Xavier Potier - Risk assurance partner, PwC Vietnam
According to Decree 05, to ensure the independence of the internal audit function, boards of directors in listed companies, those with 50 per cent of charter capital held by the state that are parent companies, and board members and presidents of parent companies will sign off on the internal audit charter and annual audit plan, as well as receive regular internal audit reports.
In addition, the Law on Enterprises also states that one of the main roles of the audit committee in a joint-stock company (JSC) is to “supervise the company’s internal audit department”. Therefore, if a JSC wants to build an internal audit function, is it required to establish an audit committee? And if the company has a supervisory board, does it manage the internal audit department?
To answer the above questions, it’s important to understand the functions of an audit committee and the supervisory board. As stipulated in Article 137 of the Law on Enterprises, a JSC may choose one of the following models. The first includes shareholders, board of directors, board of supervisors, and director/general director. If the JSC has fewer than 11 shareholders and these hold less than 50 per cent of the company’s total shares, a board of supervisors is not mandatory.
The second model includes shareholders, board of directors, and director/general director. In this case, at least 20 per cent of the board shall be independent members and there has to be an audit committee affiliated with them. Thus, whether or not to establish an audit committee depends on the model that the enterprise chooses.
The next step will be to consider the rights and obligations of the supervisory board. According to Article 170 of the Law on Enterprises, the supervisory board oversees the board of directors and the director or general director in the management and administration of the company; as well as reviews, examines, and evaluates the effectiveness and efficiency of the company’s internal control, internal audit, risk management, and early warning systems. Therefore, if the supervisory board directly manages the internal audit department, it will conflict with the prescribed obligations.
In short, to promote the role and value that internal audit brings to the enterprise, internal audit needs to accompany functional departments and the board of management in the enterprise’s business activities, through a systematic approach and framework and an independent reporting mechanism to the board of directors.
Internal audit approach
An internal audit approach is the method for carrying out an internal audit, meaning the risk-based approach that prioritises the concentration of resources on auditing of units, departments or processes, assessed at a high level of risk, according to Decree 05. Set out below is PwC’s internal audit approach, which has been developed according to international standards and fully meets the requirements of the decree (see chart).
The risk-based approach requires the internal auditor to have solid professional knowledge and insights into the operations of the enterprise, the environment, and the factors that may negatively affect the achievement of enterprise goals and strategies. Although the identification and management of risks are the responsibility of the board of management, internal auditors will do their job well when they are fully equipped with the knowledge to ensure material risks are effectively controlled.
With regard to human resources, depending on the operational model, field, total number of employees, and other factors, the enterprise can organise an appropriate team of internal auditors, and enterprises can transfer personnel internally.
However, when appointing, it is necessary to pay attention to the standards specified in Decree 05. In addition, enterprises can also hire an independent auditing organisation, which is qualified to conduct audit activities in accordance with the law, to provide internal audit services.
Outsourcing these services can happen in two forms: outsourcing or co-sourcing services (see box). Both of these forms have advantages and limitations that businesses need to keep in mind when making a decision.