Internal audit implementation - What should be noted?

Which entities are required (by law) to implement internal audit?

According to Article 10 of Decree 05/2019/ND-CP, the following entities have to perform internal audit:

• Listed companies.
• Enterprises with 50% of shares owned by the State and operating under the parent company model.
• State enterprises operating under the parent company model.

Other type of enterprise are encouraged to implement internal audit activities.

If not compliant, what sanctions that will be applied?

Currently, Decree 05/2019/ND-CP does not have any specific provisions on this matter. However, for some specific industries such as: Banks, Credit Institutions, Insurance Business, and Securities Trading, there are some sanctions as follow:

- For Banks and Credit institutions, pursuant to Article 8 of Decree 88/2019/ND-CP dated from December 31, 2019:

“3. A fine ranging from VND 80,000,000 to VND 100,000,000 shall be imposed for committing one of the following violations:

a) The internal audit department fails to fulfill its duties defined in Clause 2 Article 41 of the Law on Credit Institutions and relevant laws; etc.

4. A fine ranging from VND 100,000,000 to VND 150,000,000 shall be imposed for failing to establish an internal audit department affiliated to the Board of Controllers."

- For the securities sector, pursuant to Decree 145/2016 /ND-CP effected from December 15, 2016:

+ Clause 2, Article 23:

"2. A fine of from VND 70,000,000 to VND 100,000,000 shall be imposed for any of the following violations: [...]

dd) Failing to set up or maintain internal auditing, internal control and risk management systems; failing to supervise and prevent conflicts of interests between customers or between a securities company or a branch of foreign securities company in Vietnam, securities practitioners and customers."

+ Clause a, Article 26:

A fine of between VND 70,000.000 and 100.000.000 shall be imposed on a fund management company or a Vietnam-based branch of a fund management company which conducts any of following violations.

“a) Failing to set up the risk management system or failing to establish internal auditing or internal control division; failing to ensure qualified human resources for the internal auditing division or internal control division; failing to supervise and prevent conflicts of interests between customers or between the fund management company, securities practitioners and customers "

+ Article 35a:

“C) A fine of from VND 40,000,000 to VND 80,000,000 shall be imposed for failing to promulgate or comply with internal regulations on prevention of money laundering, or failing to conduct an internal auditing of prevention of money laundering;”

- For the insurance and lottery business, according to Decree 98/2013/ND-CP, effected from October 15, 2013, as follows:

“Article 30. Penalties for violations against regulations on financial safety in activities of enterprises

1. A fine of between VND 40,000,000 and 50,000,000 for any of following violations

a) Failing to carry out internal audit as prescribed by law;"

Which types of enterprises that are recommended to implement internal audit (though not required by laws)?

Enterprises with following signals should consider implementation of internal audit if they find that benefits outweigh costs:

• Enterprises have a multi-level governance structure.
• Enterprises do business in many fields.
• Enterprises are expanding business scales and industries.
• Enterprises whom the highest-level governing body find it overloaded and more difficult to control and direct the company than it used to be in the past, more signals of high risks become apparent.
• Enterprises wants to earn trust from the stakeholders by proving that they are implementing the best governance and risk management practices.

When starting implementation of internal audit, what are the priorities?

Implementing internal auditing is a process that takes time to adjust the organization’s awareness, management culture, processes, policies, and people.

At the beginning stage, there will be so many things to do, enterprises should set priority to the following points because they are the foundations for the next steps:

• Promulgating the Internal Audit Charter: This is the most important document setting a foundation for the internal audit activities in the enterprise. It defines the core contents such as: the purpose, authority, and responsibility for internal audit, organizational independence, core principles, ... This document should comply with the guidelines of Decree 05 and Circular 66/2020/TT-BTC, as well as IPPF to ensure compliance from beginning. This document needs to be approved by the Board (including independent and non-operating members).
• Ensuring the organizational independence of the internal audit department: the internal audit department (in terms of function) must be directly under the Board (including independent and non-operating members).
• Selecting and appointing the person in charge of the internal audit department (Chief Audit Executive): As this is the most important position, responsible for the overall internal audit activities, enterprises need to ensure that the selected person must meet criteria of ethical qualities, professional knowledge, as well as independence and objectivity.
• For the beginning stage when in-house human resources may be limited, enterprises should consider using outsourcing services for some internal audit activities.
• Strong internal propaganda about internal audit: Enterprises should strongly promote the internal propaganda about the benefits of internal audit to make sure that every member has adequate awareness and well cooperate with the internal audit to achieve the enterprises’ s objectives and control risks. The fact is that many people (including high – level positions) misunderstand about the internal audit, therefore leading to problems as follow: (1) senior management uses the internal audit as their management tool, rather than an independent department; (2) auditees do not cooperate because they think the internal audit is "police", just focus on their minor mistakes and therefore obstruct their works. Enterprises who disregard this point will likely face a lot of difficulties when implementing internal audit because perceptions and attitudes play a very important role. If we do not try to do it right from the beginning, it will be very struggling to transform them later.