Internal Audit and Control
Internal Control System
Internal Control System is the framework under which internal controls are developed and implemented (alone or in concert with other policies or procedures) to manage and control a particular risk or business activity, or combination of risks or business activities, to which the corporation is exposed. To be effective, the internal control system needs to adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision-making and governance of the organization. Internal control effected by the company’s board of directors, management, and all employees, is designed to provide reasonable assurance regarding the achievement of the company’s objectives.
Download Latest I-ACGR
Everyone in the organization has responsibility for internal control.
Management owns the internal control system and is responsible for establishing sound internal control policies and procedures. Management is accountable to the Board of Directors who provides governance, guidance, and oversight.
Internal auditors play an important role in evaluating the effectiveness of control systems, and contribute to ongoing effectiveness by providing recommendations.
Directors Review of the Effectiveness of the Internal Control System
The Board of Directors, through the Audit Committee and the Risk Management and Related Party Transactions Committee, has reviewed the internal control system of the Company based on the assessments completed and reported by the internal and external auditors. The Board found the internal control system to be effective.
The statement of the directors on the effectiveness of the company’s internal control system is embodied in the Report of the Audit Committee to the Board of Directors which is part of the Company’s 2022 Integrated Annual Report, which is available on the website.
Management reviews the adequacy and effectiveness of internal controls continuously throughout the year as part of its day-to-day function. Internal Audit assists management to attain company goals through independent risk-based planned reviews and evaluation of the effectiveness of controls.
Period covered by the review: For the year ended December 31, 2021
The directors’ criteria for assessing the effectiveness of the internal control system include:
- Control Environment-the tone of the top and ethical behavior culture in the company
- Risk Assessment-the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed and provide reasonable assurance that risks are reduced to an acceptable level.
- Information and Communication-systems or processes that support the identification, capture, and exchange of accurate and complete information.
- Control Activities- policies and procedures, international standards and industry best practices to ensure compliance with laws, regulations, supervisory requirements, and relevant internal policies.
- Monitoring-processes used to regularly assess the continuing quality of internal control and risk management activities.
Vision, Mission and Strategy
Vision
To become a leading internal audit organization recognized as a valuable business partner, trusted advisor and enabler by all stakeholders.
Mission
Deliver an independent assessment of financial, regulatory and operational risks, and control effectiveness through assurance and advisory services that supports the achievement of the organization’s objectives and enhances shareholder value.
Strategy
Deliver a high performing and business relevant internal audit organization with increased subsidiary oversight.
Role, Scope and Internal Audit Function
The Internal Audit Group governs its work in adherence to The Institute of Internal Auditors’ “Code of Ethics” and the Company’s Code of Conduct. The Internal Audit also conducts its activities in conformance with the International Standards for the Professional Practice of Internal Auditing (ISPPIA) of The Institute of Internal Auditors and guided by the COSO framework on internal control.
Role
Assist the Board and the Audit Committee in discharging its governance responsibility.
Evaluates and provides reasonable assurance that risk management, control, and governance systems are functioning as intended and will enable the company’s strategy, objectives and goals to be met.
Scope
The scope of work of the internal audit function is to determine whether Ayala Corporation’s risk management, control, and governance processes is adequate and functioning effectively to ensure:
Risks are appropriately identified and managed;
Financial information is accurate, reliable, and timely
In-house or Outsource Internal Audit Function
In-house
Name of Chief Internal Auditor/Auditing Firm
Catherine H. Ang
Reporting Process
To maintain its independence, Internal Audit reports functionally to the Board of Directors, through the Audit Committee, and administratively to the President and Chief Operating Officer or his designate.
Role
Adopts a risk-based audit approach in developing its annual plan, reassessed quarterly or more frequently, as needed, to consider the changing risk landscape and emerging risks.
Reports risk management issues and internal controls deficiencies identified directly to the Audit Committee and provides recommendation s to improve the company’s operations, in terms of both efficient and effective performance.
Evaluates information security and associated risk exposures.
Conducts annual audit reviews of the company’s ethics-related programs, objectives, and activities to assess its design, implementation, and effectiveness. Any identified non-compliance and the recommended improvements are reported to the Audit Committee of the Board, the Compliance Officer, and Strategic Human Resources Head.
Evaluates regulatory compliance program with consultation from legal counsel and other relevant units or external advisors, as necessary.
Evaluates the company’s readiness in case of business interruption.
Provides support to the company’s anti-fraud and whistleblower programs. Conducts investigations into allegations of unethical practices, including financial or administrative misconduct and other irregular activities, the results of which are reported to the Audit Committee of the Board, the Compliance Officer, and Strategic Human Resources.
Maintains open communication with management and the Audit Committee.
Teams with other internal and external resources as appropriate for assurance and advisory work.
Engages in continuous education and staff development.
Scope
Compliance with policies, standards, procedures and applicable laws and regulations is achieved; Resources are safeguarded; and Achievement of programs, plans and objectives are reasonably assured. In carrying out their duties and responsibilities, members of the internal audit function have full, free, and unrestricted access to all organizational activities, records, property and personnel of Ayala Corporation.
Reporting Process
Reports are issued to management and the Audit Committee upon completion of the audit reviews. Significant findings and issues are taken up in the quarterly meetings of the Audit Committee
As provided in the Audit Committee Charter and the Internal Audit Charter, the Audit Committee is responsible for the setting up of the Internal Audit Department, including the qualification criteria and appointment of the Chief Audit Executive. The Committee evaluates the performance of the Chief Audit Executive and the Internal Auditors taken as a whole. Moreover, the Committee having appointed the Chief Audit Executive, also approves his/her replacement, re-assignment, or dismissal. The Committee also reviews and approves any outsourcing of the internal audit function.
The Chief Audit Executive reports directly to the Board of Directors through the Audit Committee and has direct access to all members of the Audit Committee. The internal audit function as empowered by the Audit Committee Charter and the Internal Audit Charter has free access to all records, properties and personnel.
Internal Audit’s Progress Against Plans, Significant Issues, Significant Findings and Examination Trends
Progress Against Plans
The activities of Internal Audit are guided by the Audit Committee approved, risk-based audit plan. Internal Audit submit periodic reports to the Committee on the status of its activity, accomplishments, key findings and recommendations, as well as management’s responses thereto.
Issues
There are no significant issues noted based on the results of the audit reviews conducted. Noted issues are on enhancements of and compliance to existing policies and procedures.
Finding
There are no significant findings noted based on the results of the audit reviews conducted. Reported findings are primarily on the enhancements and documentation of corporate governance policies and guidelines, and consistent implementation of procedural controls. Report on the results of the audit review is provided to the responsible personnel, department heads, senior management, and the Audit Committee based on the Committee approved Risk Reporting Framework.
Examination Trends
High risk areas are reviewed at least annually. Based on follow-up of audit recommendations, management are addressing reported risk issues, control weaknesses and opportunities for improvement within the audit period and committed timeline.
The relationship among progress, plans, issues and findings should be viewed as an internal control review cycle which involves the following step-by-step activities:
- Preparation of an audit plan inclusive of a timeline and milestones;
- Conduct of examination based on the plan;
- Evaluation of the progress in the implementation of the plan;
- Documentation of issues and findings as a result of the examination;
- Determination of the pervasive issues and findings (“examination trends”) based on single year result and/or year-to-year resuts; and
- Conduct of the foregoing procedures on a regular basis.
Audit Control Policies and Procedures
Internal audit controls, policies and procedures that have been established by the company and the result of an assessment as to whether the established controls, policies and procedures have been implemented under the column “Implementation.”
Policies & Procedures
Finance Manual
Implementation
Implemented
Policies & Procedures
Treasury Manual
Implementation
Implemented
Policies & Procedures
Information Technology Manual
Implementation
Implemented
Policies & Procedures
Human Resources Manual
Implementation
Implemented
Policies & Procedures
Related Party Transactions Policy
Implementation
Implemented
Policies & Procedures
Electronic Disbursement Policy
Implementation
Implemented
Policies & Procedures
Social Media Policy
Implementation
Implemented in 2016
Policies & Procedures
Business Continuity Policy
Implementation
Implemented
Policies & Procedures
Crisis Management Policy
Implementation
Implemented
Policies & Procedures
Code of Conduct and Ethics
Implementation
Implemented
Policies & Procedures
Insider Trading Policy
Implementation
Implemented
Policies & Procedures
Whistleblower Policy
Implementation
Implemented
Policies & Procedures
Data Privacy Policy and Manuals
Implementation
Implemented
Mechanism and Safeguards
Mechanism established by the company to safeguard the independence of the auditors, financial analysts, investment banks and rating agencies:
Auditors (Internal and External)
Rotation of partner-in-charge aligned with SEC rules and regulations
Financial Analysts
Equitable access to company representatives by analysts, regardless of their prior research, opinions, recommendations, earnings estimates or research conclusions on the company.
Investment Banks
Approval of the Investment Committee and/or the Finance Committee and the Board of Directors prior to any engagement with Investment Banks.
Rating Agencies
Approval of the Investment Committee and/or the Finance Committee and the Board of Directors prior to engagement of rating agency.
Auditors (Internal and External)
Functional reporting to the Audit Committee by the internal auditors
Financial Analysts
Equitable release of disclosure/information (i.e. no analyst gets more information than the other) in terms of content and timing (i.e. no one gets ahead of information over another).
Investment Banks
Use of different Investment Banks for each deal.
Rating Agencies
Periodic submission of reports and data to the Rating Agency
Auditors (Internal and External)
Abide by the company’s Code of Ethics
Financial Analysts
Independence and impartiality in the opinions, estimates or forecasts made by analysts on Ayala’s performance.
Investment Banks
Use of multiple Investment Banks instead of just one or two for bond deals.
Rating Agencies
Management interview sessions prior to ratings.
Auditors (Internal and External)
Abide by the company’s policy on Conflict of interest, Insider Trading Policy
Financial Analysts
Open flow of communication with analysts without compromising material non-public information
Attestations to Company’s full compliance with the SEC Code of Corporate Governance:
The Chairman of the Board, Compliance Officer and Chief Audit Executive attest to the adequacy of the Corporation’s systems for internal control and risk management and processes for compliance and governance. Please click the link below: