As we know, under Decree 05/2019/NĐ-CP on internal audit, which took effect on April 1, 2019, listed companies were required to complete all necessary work to comply with the Decree by April 1, 2021 (within 24 months of the effective date).
To provide companies with more useful reference information on internal audit practices from an expert’s perspective, we had the opportunity to interview Mr. Amos Law, Director of Risk Consulting at Crowe Malaysia and also the Technical Consulting Director for Internal Audit Services at Crowe Vietnam, on this important issue.
Currently, Vietnam is gradually issuing legal regulations and guidelines regarding Internal Audit activities within enterprises, specifically Decree No. 05/2019/ND-CP and Circular No. 66/2020/TT-BTC. According to your perspective, what are the differences between Vietnam and Malaysia regarding these regulatory documents?
First of all, from a professional perspective, I am very pleased that Vietnam is gradually formalizing and legislating internal audit activities within listed enterprises, instead of merely encouraging implementation as in the past. This will create both pressure and motivation for listed companies to further improve their corporate governance systems, thereby contributing to minimizing risks and fraud, and ultimately generating greater value for the enterprises themselves and for the economy as a whole.
I have also studied the internal audit regulations issued in Vietnam and compared them with Malaysia, and I would like to provide some general observations as follows:
- According to Decree No. 05, the entities required to implement internal audit activities include not only listed companies but also state agencies and public service units. In Malaysia, however, there is a clearer separation, as the requirements for internal audit are specified separately within each law applicable to each type of entity, rather than being consolidated within a single document. For the corporate sector, Malaysia only mandates internal audit for listed companies.
- Decree No. 05 provides detailed guidelines on the organization and operation of internal audit functions. In Malaysia, we do not have such detailed provisions; the law only requires listed companies to conduct internal audit activities without specific implementation guidelines like those in Decree No. 05. The board of directors is only required to disclose that the company’s internal audit activities are carried out in accordance with recognized standards.
- Decree No. 05 contains content that is highly aligned with the three components of the International Professional Practices Framework (IPPF) issued by The Institute of Internal Auditors (IIA), namely: (1) Code of Ethics, (2) Core Principles for the Professional Practice of Internal Auditing, and (3) Attribute Standards. In addition to these three components, the IPPF also includes other elements, such as: (4) the Definition of Internal Auditing; (5) Performance Standards; and (6) Recommended Guidance for the above components (including Implementation Guidance and Supplemental Guidance). I believe that Vietnam may continue to issue similar documents in the near future.
- Definition of “Internal Audit”: Decree No. 05 does not specifically mention this definition; instead, it provides the concept of the “Objective of Internal Audit.” This concept serves to define the scope and role of the internal audit function.
- Approval authority over the professional matters of internal audit (the Board): Decree No. 05 lists the levels of leadership within the organization that hold approval authority; however, it does not provide a general definition for this concept. According to international standards, the body that approves the professional matters of internal audit (the Board) must be the organization’s highest governing body and should include members who are not involved in the management and executive operations of the enterprise.
- Independence and Objectivity: Decree No. 05 appears to define these concepts primarily with respect to individual auditors, whereas in the IPPF, there is a clear distinction: Independence refers to the organizational independence of the internal audit function (Organizational Independence), while Objectivity applies specifically to individual auditors (Individual Objectivity).
When did the Malaysian government issue its internal audit regulations, and why were they issued? In practice, do companies in Malaysia truly respect the role of internal audit, or are they primarily focused on merely ensuring regulatory compliance?
Internal audit has been mandated in Malaysia since 2008. However, in my observation, the success and effectiveness of internal audit activities largely depend on the support from the highest levels of leadership and management the so-called “Tone at the Top.”
It can be said that internal audit functions as the “eyes and ears” of the leadership and management, helping to provide assurance on the adequacy and effectiveness of the company’s control procedures so that the leadership and management can effectively fulfill their assigned responsibilities. Enterprises lacking adequate control procedures are likely to face higher risks and create more loopholes for inappropriate behaviors and fraud to occur.
What are the penalties if a company fails to comply with internal audit regulations??
In Malaysia, if a company fails to comply with internal audit regulations, it will face public reprimand and a monetary fine of up to 1 million RM (equivalent to approximately 5 billion VND). As I understand it, Vietnam has not yet established specific regulations regarding this matter.
According to Malaysian regulations, are companies allowed to outsource internal audit activities? And what should they be mindful of?
In Malaysia, companies are allowed to outsource internal audit activities, and this is fully aligned with international standards and practices. From what I understand, Decree No. 05 in Vietnam also permits this.
However, at present, Malaysia does not have specific regulations governing internal audit service providers, meaning that almost any company can be permitted to offer internal audit services.
Companies should note that they should not simultaneously engage the same provider for both independent audit services and internal audit services, to avoid conflicts of interest. Furthermore, the concurrent use of internal audit services and advisory services related to governance, risk, or internal control from the same service provider should be carefully considered in terms of the nature and scope to ensure it does not compromise the objectivity of the internal audit function.
Additionally, companies should pay attention to selecting service providers with relevant experience, who comply with international internal audit standards and practices, have a deep understanding of the company’s business operations, and can deliver services that meet the company’s specific requirements.
Among Malaysia’s listed companies, what percentage outsource their internal audit activities? What are the common reasons for outsourcing?
There are approximately 800 listed companies on the stock exchange in Malaysia, and more than 50% of them outsource their internal audit function.
The common reasons for outsourcing are:
- Cost savings, compared to maintaining an in-house internal audit department.
- Difficulty in finding personnel with sufficient competency and experience, this is a reality, as the internal audit function requires personnel with a high level of knowledge and skills, and importantly, enough experience to handle complex situations.
Do you have any advice for Vietnamese companies when implementing internal audit activities?
In my opinion, the first and most challenging task is that companies need to establish a sufficiently strong control environment as the foundation for implementing control procedures. This is because the control environment exerts an overarching influence on everyone, establishing discipline and systemization.
This can be achieved through the oversight of the board of directors and the establishment of policies, procedures, processes, standards, and organizational structures by the executive management. All employees should also be trained to understand the importance of carrying out control procedures to minimize the risks associated with their work.
If you were to explain internal audit in an easy-to-understand way, how would you describe it?
Internal audit plays a crucial role within a company’s control system. It fulfills its role through a combination of assurance work and advisory work. The assurance work provides information to the highest levels of leadership and management about how well the systems and processes which are designed to keep the company on track are actually functioning.
Meanwhile, the advisory work helps improve those systems and processes when necessary. When control procedures are properly established and effectively operating, they help the company manage risks well, thereby enabling it to achieve its financial, operational, and strategic objectives.
At Crowe Vietnam, we have published a Frequently Asked Questions (FAQ) booklet on Internal Audit, presented under the section “Professional Insights – Internal Audit” on the website brochure.crowevietnam.vn. The questions in this publication are framed from the perspective of senior company leaders, helping them easily understand internal audit from the most comprehensive and holistic viewpoint. Everyone is welcome to read and refer to it. In addition, if there are further questions about internal audit, our team is always ready to receive, study, and respond as soon as possible.
Based on your experience with internal audit in Malaysia, do you have any suggestions to help Vietnamese authorities further improve internal audit regulations in the future?
In my opinion, mandating internal audit activities is an important and correct step toward strengthening and improving companies’ governance systems and processes. When companies are better governed, they operate more efficiently, mitigate risks more effectively, gain access to more sources of capital, and better protect the interests of stakeholders. Companies will also become more credible and transparent to investors. Ultimately, in the long term, the economy as a whole will benefit significantly when enterprises are better governed and managed.
Thank you, Mr. Amos Law, for the interview, and we wish you good health!
