Financial Strategy

Module 16 — Audit, Internal Controls & Governance

The external audit process, internal control frameworks, audit committee responsibilities, and what every CFO must know before signing off financial statements.

Learning Objectives

  • Understand the external audit process from planning to opinion
  • Apply the COSO internal control framework to finance function design
  • Define the CFO's responsibilities to the audit committee
  • Identify red flags that indicate control breakdowns
  • Design an internal audit function appropriate to the entity's size and risk

1. The External Audit Process

Audit Planning — Risk Assessment and Materiality

Auditors begin by assessing the entity's risks of material misstatement (inherent risk × control risk). They set materiality — the threshold below which misstatements are not reported. CFOs influence materiality by understanding what auditors consider significant.

Materiality benchmarks commonly used:

  • 5% of pre-tax profit
  • 0.5–1% of revenue
  • 1–2% of total assets
  • Higher percentage for not-for-profit entities

Audit Evidence — Types, Sufficiency, Appropriateness

Auditors collect evidence through inspection, observation, external confirmation, recalculation, reperformance, analytical procedures, and inquiry. CFOs who understand evidence requirements can prepare supporting documentation proactively.

Key Audit Matters (KAMs)

KAMs are matters of most significance in the audit — communicated in the auditor's report for listed entities. Common triggers:

  • Goodwill impairment testing (IAS 36)
  • Revenue recognition (IFRS 15) — especially long-term contracts
  • Expected Credit Losses (IFRS 9) — for financial entities
  • Going concern assessment

CFO response: For each KAM, prepare a clear documentation package with assumptions, supporting evidence, and sensitivity analysis before the audit starts.

Management Representation Letters

The CFO signs a management representation letter confirming to auditors that:

  • Financial statements give a true and fair view
  • All known related party transactions have been disclosed
  • There are no subsequent events not reflected or disclosed
  • All information provided is complete and accurate

Signing this letter with known misstatements is fraud. Personal liability attaches.

Types of Audit Opinion

OpinionWhen Issued
Unmodified (clean)Financial statements give true and fair view
QualifiedMaterial misstatement in a specific area, but not pervasive
AdverseFinancial statements do not give true and fair view — pervasive
DisclaimerUnable to obtain sufficient evidence — auditor cannot form an opinion

Going Concern

Auditors assess whether the entity can continue operating for at least 12 months from the balance sheet date. The CFO must prepare a going concern assessment — cash flow forecasts, covenant compliance, available facilities, mitigating actions. This is a CFO-signed conclusion.


2. COSO Internal Control Framework

Five Components

ComponentWhat It Covers
Control EnvironmentTone at the top, board oversight, ethics, organizational structure
Risk AssessmentIdentifying and analyzing risks to achieving objectives
Control ActivitiesPolicies and procedures that ensure directives are carried out
Information & CommunicationCapturing and sharing financial and non-financial data
MonitoringAssessing whether controls are present and functioning

17 Principles

COSO 2013 specifies 17 principles (5 per component for the first four, 2 for monitoring). All 17 must be "present and functioning" for the framework to be effective.

Entity-Level vs Process-Level Controls

  • Entity-level: Tone at the top, fraud risk management, period-end close process
  • Process-level: Purchase-to-pay, order-to-cash, payroll, financial reporting

Preventive vs Detective Controls

PreventiveDetective
PurposeStop errors before they occurIdentify errors after they occur
ExamplesSegregation of duties, authorization limitsReconciliations, management review, internal audit
CostLower unit costHigher — resources to investigate findings

3. Internal Audit Function

Three Lines of Defence Model

First Line:   Operational management — owns and manages risk
Second Line:  Risk management, compliance, finance control functions — oversee
Third Line:   Internal audit — independent assurance to board and senior management
External audit: Independent assurance to shareholders and regulators

Internal Audit Charter and Independence

Internal audit must have organizational independence — reporting to the audit committee, not the CFO. The CFO should not have line authority over the Chief Internal Auditor.

Risk-Based Internal Audit Planning

  • Annual audit plan based on risk register and strategic priorities
  • Not just financial risk — operational, IT, compliance, reputational risks
  • Frequency proportional to risk rating of each area

CFO's Relationship with Chief Internal Auditor

The CFO should:

  • Support internal audit's access to all areas and information
  • Respond to findings within agreed timeframes
  • Not seek to suppress findings — audit committee receives unfiltered reports
  • Use internal audit findings to improve controls, not just as a compliance exercise

4. Audit Committee

Composition and Independence Requirements

  • Minimum three members under Pakistan SECP code
  • Majority must be independent non-executive directors
  • At least one member with financial expertise
  • Chairman: independent non-executive director (not board chairman)

CFO's Presentations to the Audit Committee

  • Financial statements — key judgments and estimates
  • Significant accounting policies and any changes
  • Audit findings (internal and external) and management responses
  • Related party transactions
  • Going concern assessment
  • Whistleblower reports received

Managing Difficult Audit Committee Conversations

  • Never surprise the committee — flag issues in advance
  • Present the problem and the solution simultaneously
  • Quantify uncertainty honestly
  • Know which items are judgment calls vs clear violations

5. Fraud Risk

Fraud Triangle

Pressure (Incentive):
"I need to hit the target"
          ↓
Opportunity:           Rationalization:
"I can do it          "Everyone does it"
without being caught"

Common Financial Statement Fraud Schemes

  • Premature or fictitious revenue recognition
  • Overstatement of assets (inflated inventory, unsupported receivables)
  • Understatement of liabilities (unrecorded provisions)
  • Improper capitalization of expenses
  • Round-tripping transactions

CFO's Responsibility Under ISA 240

ISA 240 (The Auditor's Responsibilities Relating to Fraud) requires management — including CFOs — to have processes for fraud identification, prevention, and detection. CFOs who ignore fraud risk expose themselves to regulatory and criminal liability.

Whistleblower Policies

Every material entity should have an anonymous reporting mechanism. CFOs should ensure the hotline is operationally independent (not reporting to management being reported on) and that reports are investigated promptly.


6. Corporate Governance Frameworks

Pakistan Code of Corporate Governance (SECP 2019)

Key requirements for listed entities:

  • Board composition: minimum 33% independent directors
  • Mandatory board committees: audit, HR & remuneration
  • CFO qualifications: must hold CA/CMA/MBA (Finance) or equivalent
  • CFO appointment and removal: board approval required
  • Financial statements: board certification of true and fair view

King IV Principles (South Africa — widely referenced globally)

King IV focuses on outcomes: ethical culture, good performance, effective control, legitimacy. Relevant for BIQAI's engagement with multinational investors and partners who reference King IV.

CFO's Role in Governance — Gatekeeper Function

The CFO is the last line of defence for financial integrity. This means:

  • Refusing to sign off on aggressive accounting without adequate support
  • Escalating to the audit committee independently if CEO pressure compromises financial reporting
  • Understanding that personal liability for false financial statements is real

7. Financial Statement Sign-Off

Director's Responsibility Statement

Listed entity financial statements include a directors' responsibility statement confirming:

  • The financial statements have been prepared in accordance with applicable standards
  • The going concern basis is appropriate
  • The internal control system is adequate

CFO Certification Requirements

Under Pakistan SECP regulations, the CFO personally certifies:

  • Accuracy of financial statements
  • Adequacy of internal controls over financial reporting
  • Disclosure of any material weaknesses to the audit committee

Personal Liability Exposure of CFOs

  • Civil liability: shareholders can sue for losses from misleading financial statements
  • Criminal liability: Companies Act 2017 — directors and officers can face imprisonment for deliberately false statements
  • Regulatory action: SECP can ban individuals from serving as directors

Self-Assessment

  1. Your auditor identifies revenue recognition (IFRS 15) as a Key Audit Matter for multi-year technology contracts. What documentation package should you prepare before the audit starts?

  2. A junior accountant tells you that the accounts payable manager has been bypassing the three-way match process for vendor invoices. Using the COSO framework, identify which control component has failed and design three specific control activities to address it.

  3. Your audit committee chairman asks you to explain why the going concern note in the financial statements is necessary given that the company is profitable. How do you respond?

  4. A management representative letter requires you to confirm that all related party transactions have been disclosed. You later realize one transaction was omitted. What do you do?

  5. The CEO asks you to defer recognition of a PKR 20M provision to the next financial year to avoid missing the earnings target. Using IAS 37 criteria, assess whether deferral is permissible, and describe your obligations if you believe it is not.