Module 16 — Audit, Internal Controls & Governance
The external audit process, internal control frameworks, audit committee responsibilities, and what every CFO must know before signing off financial statements.
Learning Objectives
- Understand the external audit process from planning to opinion
- Apply the COSO internal control framework to finance function design
- Define the CFO's responsibilities to the audit committee
- Identify red flags that indicate control breakdowns
- Design an internal audit function appropriate to the entity's size and risk
1. The External Audit Process
Audit Planning — Risk Assessment and Materiality
Auditors begin by assessing the entity's risks of material misstatement (inherent risk × control risk). They set materiality — the threshold below which misstatements are not reported. CFOs influence materiality by understanding what auditors consider significant.
Materiality benchmarks commonly used:
- 5% of pre-tax profit
- 0.5–1% of revenue
- 1–2% of total assets
- Higher percentage for not-for-profit entities
Audit Evidence — Types, Sufficiency, Appropriateness
Auditors collect evidence through inspection, observation, external confirmation, recalculation, reperformance, analytical procedures, and inquiry. CFOs who understand evidence requirements can prepare supporting documentation proactively.
Key Audit Matters (KAMs)
KAMs are matters of most significance in the audit — communicated in the auditor's report for listed entities. Common triggers:
- Goodwill impairment testing (IAS 36)
- Revenue recognition (IFRS 15) — especially long-term contracts
- Expected Credit Losses (IFRS 9) — for financial entities
- Going concern assessment
CFO response: For each KAM, prepare a clear documentation package with assumptions, supporting evidence, and sensitivity analysis before the audit starts.
Management Representation Letters
The CFO signs a management representation letter confirming to auditors that:
- Financial statements give a true and fair view
- All known related party transactions have been disclosed
- There are no subsequent events not reflected or disclosed
- All information provided is complete and accurate
Signing this letter with known misstatements is fraud. Personal liability attaches.
Types of Audit Opinion
| Opinion | When Issued |
|---|---|
| Unmodified (clean) | Financial statements give true and fair view |
| Qualified | Material misstatement in a specific area, but not pervasive |
| Adverse | Financial statements do not give true and fair view — pervasive |
| Disclaimer | Unable to obtain sufficient evidence — auditor cannot form an opinion |
Going Concern
Auditors assess whether the entity can continue operating for at least 12 months from the balance sheet date. The CFO must prepare a going concern assessment — cash flow forecasts, covenant compliance, available facilities, mitigating actions. This is a CFO-signed conclusion.
2. COSO Internal Control Framework
Five Components
| Component | What It Covers |
|---|---|
| Control Environment | Tone at the top, board oversight, ethics, organizational structure |
| Risk Assessment | Identifying and analyzing risks to achieving objectives |
| Control Activities | Policies and procedures that ensure directives are carried out |
| Information & Communication | Capturing and sharing financial and non-financial data |
| Monitoring | Assessing whether controls are present and functioning |
17 Principles
COSO 2013 specifies 17 principles (5 per component for the first four, 2 for monitoring). All 17 must be "present and functioning" for the framework to be effective.
Entity-Level vs Process-Level Controls
- Entity-level: Tone at the top, fraud risk management, period-end close process
- Process-level: Purchase-to-pay, order-to-cash, payroll, financial reporting
Preventive vs Detective Controls
| Preventive | Detective | |
|---|---|---|
| Purpose | Stop errors before they occur | Identify errors after they occur |
| Examples | Segregation of duties, authorization limits | Reconciliations, management review, internal audit |
| Cost | Lower unit cost | Higher — resources to investigate findings |
3. Internal Audit Function
Three Lines of Defence Model
First Line: Operational management — owns and manages risk
Second Line: Risk management, compliance, finance control functions — oversee
Third Line: Internal audit — independent assurance to board and senior management
External audit: Independent assurance to shareholders and regulators
Internal Audit Charter and Independence
Internal audit must have organizational independence — reporting to the audit committee, not the CFO. The CFO should not have line authority over the Chief Internal Auditor.
Risk-Based Internal Audit Planning
- Annual audit plan based on risk register and strategic priorities
- Not just financial risk — operational, IT, compliance, reputational risks
- Frequency proportional to risk rating of each area
CFO's Relationship with Chief Internal Auditor
The CFO should:
- Support internal audit's access to all areas and information
- Respond to findings within agreed timeframes
- Not seek to suppress findings — audit committee receives unfiltered reports
- Use internal audit findings to improve controls, not just as a compliance exercise
4. Audit Committee
Composition and Independence Requirements
- Minimum three members under Pakistan SECP code
- Majority must be independent non-executive directors
- At least one member with financial expertise
- Chairman: independent non-executive director (not board chairman)
CFO's Presentations to the Audit Committee
- Financial statements — key judgments and estimates
- Significant accounting policies and any changes
- Audit findings (internal and external) and management responses
- Related party transactions
- Going concern assessment
- Whistleblower reports received
Managing Difficult Audit Committee Conversations
- Never surprise the committee — flag issues in advance
- Present the problem and the solution simultaneously
- Quantify uncertainty honestly
- Know which items are judgment calls vs clear violations
5. Fraud Risk
Fraud Triangle
Pressure (Incentive):
"I need to hit the target"
↓
Opportunity: Rationalization:
"I can do it "Everyone does it"
without being caught"
Common Financial Statement Fraud Schemes
- Premature or fictitious revenue recognition
- Overstatement of assets (inflated inventory, unsupported receivables)
- Understatement of liabilities (unrecorded provisions)
- Improper capitalization of expenses
- Round-tripping transactions
CFO's Responsibility Under ISA 240
ISA 240 (The Auditor's Responsibilities Relating to Fraud) requires management — including CFOs — to have processes for fraud identification, prevention, and detection. CFOs who ignore fraud risk expose themselves to regulatory and criminal liability.
Whistleblower Policies
Every material entity should have an anonymous reporting mechanism. CFOs should ensure the hotline is operationally independent (not reporting to management being reported on) and that reports are investigated promptly.
6. Corporate Governance Frameworks
Pakistan Code of Corporate Governance (SECP 2019)
Key requirements for listed entities:
- Board composition: minimum 33% independent directors
- Mandatory board committees: audit, HR & remuneration
- CFO qualifications: must hold CA/CMA/MBA (Finance) or equivalent
- CFO appointment and removal: board approval required
- Financial statements: board certification of true and fair view
King IV Principles (South Africa — widely referenced globally)
King IV focuses on outcomes: ethical culture, good performance, effective control, legitimacy. Relevant for BIQAI's engagement with multinational investors and partners who reference King IV.
CFO's Role in Governance — Gatekeeper Function
The CFO is the last line of defence for financial integrity. This means:
- Refusing to sign off on aggressive accounting without adequate support
- Escalating to the audit committee independently if CEO pressure compromises financial reporting
- Understanding that personal liability for false financial statements is real
7. Financial Statement Sign-Off
Director's Responsibility Statement
Listed entity financial statements include a directors' responsibility statement confirming:
- The financial statements have been prepared in accordance with applicable standards
- The going concern basis is appropriate
- The internal control system is adequate
CFO Certification Requirements
Under Pakistan SECP regulations, the CFO personally certifies:
- Accuracy of financial statements
- Adequacy of internal controls over financial reporting
- Disclosure of any material weaknesses to the audit committee
Personal Liability Exposure of CFOs
- Civil liability: shareholders can sue for losses from misleading financial statements
- Criminal liability: Companies Act 2017 — directors and officers can face imprisonment for deliberately false statements
- Regulatory action: SECP can ban individuals from serving as directors
Self-Assessment
-
Your auditor identifies revenue recognition (IFRS 15) as a Key Audit Matter for multi-year technology contracts. What documentation package should you prepare before the audit starts?
-
A junior accountant tells you that the accounts payable manager has been bypassing the three-way match process for vendor invoices. Using the COSO framework, identify which control component has failed and design three specific control activities to address it.
-
Your audit committee chairman asks you to explain why the going concern note in the financial statements is necessary given that the company is profitable. How do you respond?
-
A management representative letter requires you to confirm that all related party transactions have been disclosed. You later realize one transaction was omitted. What do you do?
-
The CEO asks you to defer recognition of a PKR 20M provision to the next financial year to avoid missing the earnings target. Using IAS 37 criteria, assess whether deferral is permissible, and describe your obligations if you believe it is not.