The Code of Corporate Governance ("Code") recommends at least three working committees of the Board, namely, the Nominating Committee, the Remuneration Committee and the Audit Committee. The Audit Committee is the most important of the three working committees in that its role in Board oversight is often the last line of defence against fraud and mismanagement of risks. Under the Companies Act, all listed companies must have an Audit Committee, although it is not mandatory for unlisted companies. For the Audit Committee to function properly, its members need to be, at the same time, circumspect and painstaking in making enquiries and conducting reviews.
Under the Code, the Committee should comprise at least three directors, all non-executive, the majority of whom, including the Chairman, should be independent. At least two members should have accounting or related financial management expertise or experience. The Committee should have authority to investigate any matter within its terms of reference or charter, full access to and cooperation by management and full discretion to invite any director or executive officer to attend its meetings. In addition, it should be afforded reasonable resources to discharge its functions properly. The Committee should operate under a charter or terms of reference which are approved by the Board.
The role of the Audit Committee is spelt out clearly in the Code, which requires the Committee to understand the internal control process within a company and to review its effectiveness at least once a year. To do that, it should interact closely with the internal auditors and the external auditors to ensure that all material weaknesses in the system are addressed. The internal control system is the bedrock or cornerstone of any risk management system that is implemented in a company, and the internal controls should be updated regularly (at least annually).
The Audit Committee should meet regularly and as warranted by particular circumstances, as deemed appropriate by its members. If the company concerned is required to announce its results on a quarterly basis, the Audit Committee should meet at least four times a year, to review the results to be announced and to carry out its other duties. The agenda for each Audit Committee meeting shall be prepared and dispatched to members within a sufficient time prior to the scheduled meeting for the members of the Audit Committee to consider and deliberate on the agenda items.
Apart from attending Audit Committee meetings, the Audit Committee should, as may be relevant, be concerned with:-
In addition, the Audit Committee should review arrangements by which staff of the company may, in confidence, raise concerns about possible improprieties in matters of financial reporting or other matters. The Committee’s objective should be to ensure that arrangements are in place for the independent investigation of such matters and for appropriate follow up action.
The annual review of internal controls should focus on key controls applied to critical accounting policies and the preparation of financial statements. In particular, the Audit Committee should look out for control deficiencies in the system which could, for example, include the ability of senior management to circumvent internal controls over financial reporting; ineffective controls over accounting for certain complex transactions; and ineffective balance sheet reconciliation processes.
The Audit Committee is also tasked by the Code to consider and review risk management within a company. In doing so, it should ensure that management is familiar with risk management as a concept and the process of managing them. There should be (a) a library of risks which the company should maintain and update regularly, taking into account changing business and environmental circumstances; and (b) a risk management framework for dealing with risks which must be updated regularly in the light of current business performance and future developments. Management then has to demonstrate to the Audit Committee that it actively manages the risk process across the entire business spectrum. Risk management thus concerns managing all risks, be they commercial, compliance or governance in nature. The Audit Committee not only ensures that there is an efficient risk management system, but it should also understand and review the risk framework and the risks dealt within it periodically. In other words, to uphold proper governance standards, management must closely and regularly assess all material commercial and organizational risks.
Audit Committee members should have a general understanding of their duties under the Companies Act, the Securities and Futures Act, the Code and the Listing Rules of the SGX. They must realize that, under the Companies Act, they are required to discharge their duty of good faith, act with reasonable diligence and not make improper use of information acquired by virtue of their position. The Audit Committee should know about and conscientiously seek to ensure compliance by the company with the disclosure requirements under law and regulations, the rules on insider trading, the principles applied by the SGX in determining interested person transactions and the materiality thresholds for announcements and shareholders’ approval. As a matter of principle and good governance, the Audit Committee needs to satisfy itself that these rules have been complied with by the company.
Lastly, the Audit Committee should review periodically, or at least once a year, a register of interested person transactions to ensure that all such transactions are dealt with as required by the SGX rules and that all thresholds for disclosure of these transactions are strictly observed.
These are just some of the many issues which Audit Committees will have to grapple with if they are to ensure that they apply the minimum standard of care, skill and diligence in discharging their duties as directors of companies in Singapore. Audit Committees should also be concerned with the latest developments with regard to business ethics, corporate responsibility and business continuity planning.
