As we know, according to Decree 05/2019 / ND-CP on internal audit, effective since April 1, 2019, listed companies must complete the necessary work to comply with this Decree before April 1, 2021 (within 24 months from the effective date). To help enterprises have a better understanding of internal audit in enterprises from the expert's perspective, we had a meeting with Mr. Amos Law (Executive Director of Risk Advisory Services of Crowe Malaysia, and also the Technical Advisor of Crowe Vietnam's Internal Audit Services) on this matter.
Vietnam is now gradually promulgating legal regulations and guidelines on internal audit activities in enterprises, specifically Decree 05/2019 / ND-CP and Circular 66/2020 / TT-BTC. In your opinion, what are the differences between Vietnam and Malaysia in these documents?
First of all, from a professional point of view, I am very happy that Vietnam is gradually making it mandatory for internal audit in listed companies, instead of encouraging implementation as before. This will encourage and motivate listed companies to improve their corporate governance system, thereby reducing risks, and bringing more value to the companies in particular and the economy in general.
After studying the Decree 05 and comparing with Malaysia, I have some general comments as follows:
- According to Decree 05, the subjects that must carry out internal audit are not only listed companies, but also state agencies and public non-business units. For Malaysia, only listed companies are required to have internal audit functions.
- Decree 05 has specific guidelines on the organization and activities of internal audit. In Malaysia, the law only requires listed companies to conduct internal audit, without providing specific guidance like the Decree 05 of Vietnam. The Board of Directors are only required to disclose whether the internal audit function is carried out in accordance to a recognized framework.
- Decree 05 has contents that are similar with 3 components of the International Professional Practices Framework (IPPF ") issued by The Institute of Internal Auditors Inc. “IIA”, which are (1) Codes of Ethics, (2) Core Principles and (3) Attribute Standards. In addition to the three components above, the IPPF also has other components: (4) Internal Audit Definition; (5) Performance Standards; (6) Recommended guidance to implement the Standards (Implementation Guidance and Supplemental Guidance). I think Vietnam may issue similar documents in future.
- Definition of "Internal audit": Decree 05 does not mention this definition, but instead is the concept of "Objectives of internal audit". This definition defines the scope and expectations of the internal audit function.
- The governing body to approve activities of internal audit (the Board): Decree 05 lists down the specific governing titles in the organization that are authorized to approve, but there is no general definition for the concept “the Board”. According to IPPF, the Board is the highest level governing body charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable. Typically, the Board may include members who are not part of management, i.e independent or non-executive Directors.
- Independence and Objectivity: Decree 05 seems to apply these concepts for internal auditors only, whereas in the IPPF, independence relates to the reporting structure of the internal audit department and objectivity relates to the internal auditor.
When did the Malaysian government issue the internal audit regulations? In fact, do companies in Malaysia really respect the role of internal audit, or are they just trying to ensure compliance only?
Internal audit was made mandatory in 2008. However, the success and effectiveness of the internal audit function is very much dependent on the support from the Board and Senior Management of the company (“tone-at-the-top”).
Internal audit are the “eyes and ears on the ground” for the Board and Senior Management and provide them assurance on the adequacy and effectiveness of internal controls in their company, so that they can discharge their fiduciary duties accordingly. Companies with inadequate internal controls would face higher risks and be open to leakages, mismanagement and fraud.
How about penalties if the Malaysian companies do not comply with the regulations on internal audit?
In Malaysia, if companies do not comply with the internal audit regulations, they will be publicly reprimanded and fined not more than RM 1 million (equivalent to about 5 billion VND). As far as I understand, Vietnam has no specific regulations on this issue.
According to Malaysian regulations, are companies allowed to outsource internal audit activities? And what should be noted?
In Malaysia, companies are allowed to outsource internal audit and this is completely in line with International Standards and practices, I understand that Decree 05 also allows for this.
However, currently in Malaysia there is no regulation on internal audit service providers, so almost any individual and company can be allowed to provide internal audit services. 
Enterprises should note that using the financial audit and internal audit from the same service provider may result in potential conflict of interests. The selected vendor should also put in place the necessary safeguards to prevent their objectivity from being compromised, especially if they also provide internal audit and consulting services relating to governance and risk.
Companies should choose vendors with proven track record and adhere to the International Professional Practices Framework as their methodology, understand the company’s business and able to provide customized and personalized service to meet their expectations.
Out of Malaysia's listed firms, how many (%) of them are outsourcing the internal audit activities? What are common reasons for using outsourcing services?
There are about 800 listed companies on the stock exchange in Malaysia and more than 50% outsource their internal audit activities.
Common reasons for outsourcing are:
- Cost saving, as compared to maintaining an in-house internal audit department
- Qualified and experienced resources are always available because it might be difficult to find and retain suitable in-house internal audit staff
What advice do you have for Vietnamese companies when implementing internal audit?
The first step is always the hardest. Companies need to establish a strong control environment that provides the foundation for carrying out internal controls because the control environment sets the tone and provides discipline and structure. This can be done through proper oversight by the board of directors and establishing policies, procedures, processes, standards and structures by management. The staff also have to be educated on the importance of implementing the internal controls to mitigate the risks in their work areas.
To help people feel easier to understand about internal audit, what would you say?
Internal auditors are an important part of the organization’s control framework. We do this through a combination of assurance and consulting assignments. The assurance part of our work involves telling the Board and Management how well the systems and processes designed to keep the organisation on track are working whereas the consulting part offers help to improve those systems and processes where necessary. When the necessary controls are in place and working effectively, it will help companies to address their risks and at the same time achieve their strategic, operational and financial objectives.
At Crowe Vietnam, we have a publication of Frequently Asked Questions (FAQ) on Internal Auditing which are uploaded in “Insight” of the website (www.crowe.vn). This publication may help everyone, especially the high level management, to have clearer vision and understanding about internal audit.
Based on your experience in internal audit in Malaysia, do you have any advice for Vietnam regarding internal audit?
In my opinion, it is an important step in the right direction to enhance the governance framework and processes of companies. Good corporate governance is necessary to enable companies to operate more efficiently, improve access to capital, mitigate risk and safeguard stakeholders. It also makes companies more accountable and transparent to investors. Ultimately, in the long run, the country will benefit when organisations are properly governed and managed.
Thanks Mr. Amos Law and wish you good health!