More than 30 years on, this new law adapts Law 90-07 to an institutional environment marked by a number of changes. To this end, it significantly strengthens the governance of public establishments and institutions in several areas, notably:
- the role and responsibility of directors;
- the role of deliberative bodies in internal audit, risk management and internal control;
- strengthening control bodies and the role of the internal auditor.
In this article, we look at the main changes and innovations provided for in this law, and give some recommendations for their implementation by the Board of Directors in public companies, administrations and other institutions.
The perimeter
Law 2022-08 extends the scope of application of Law 90-06.
| PARAPUBLIC SECTOR | |
| --- | --- |
| Public bodies | Public companies |
| - Public establishments (EPIC, EPA)<br>- Agencies<br>- Other similar or assimilated structures | - National company (private law capital held by the State or a public corporation)<br>- Company with majority public shareholding (several public corporations hold directly or indirectly more than 50% of the capital) |
Internal control developments
The law does not give a definition of internal control, but sets out the objectives in its article as follows: «The governing body of each parapublic sector entity adopts and implements an internal control system designed to provide reasonable assurance that the following objectives, among others, are achieved:
- compliance of internal procedures with applicable laws and regulations;
- compliance with current regulations;
- execution and optimization of operations;
- The reliability of financial and accounting information».
This provision suggests that internal control is the responsibility of corporate governance, which could lead to confusion and limit responsibility for internal control, which in reality is everyone's business.
The COSO (2013) framework defines internal control as «a process implemented by the board, management and employees of an entity, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting and compliance».
«This definition refers to certain fundamental concepts and focuses on the following aspects of internal control:
- it focuses on the achievement of objectives in one or more categories - objectives related to operations, reporting and compliance;
- it's a process based on the implementation of ongoing tasks and activities. It is a means to an end, not an end in itself;
- it is implemented by people. It is not simply based on a set of rules and procedure manuals, documents and systems;
- it is carried out by people working at all levels of the organization;
- it enables senior management and the board of directors to obtain reasonable rather than absolute assurance;
- it is adaptable to the structure of any entity. It offers flexibility of application for the whole entity or a particular subsidiary, division, business unit or business process».
Defence “lines”?
The law provides for the following levels of control:
- control by technical and financial supervisors, the Parapublic Sector Monitoring Committee, the General State Inspectorate and Financial Control;
- external control: the financial controller and the statutory auditor;
- internal control: internal audit and management control.
The law does not define a hierarchical relationship between internal audit and the entity.
Control procedures in parapublic sector companies
How do you implement the provisions of this law in your entity?
A. For the deliberative body
- Creation of an Audit and Remuneration Committee
The Board of Directors must set up an Audit and Remuneration Committee. The prerogatives and composition of the audit committee are not specified in the law. We recommend setting up a committee within the Board, comprising a limited number of members (three or four), and appointing a committee chairman and a rapporteur. The committee gives its opinion on risk management and the assessment of internal control procedures. It must be informed of the audit plan. It recruits and remunerates the internal auditor, and evaluates the internal audit function. It liaises with the statutory auditor(s) and assists the Board in approving the entity's financial statements. It must have a charter and meet regularly (at least twice a year).
- Statutory Auditor (CAC) term of office in compliance with OHADA provisions
When reappointing the Statutory Auditor, the Board must ensure that he/she is appointed for a term equal to six financial years. A deputy auditor must also be appointed at the same time as the statutory auditor.
- Drawing up a risk map
The “legalization” of risk management in the parapublic sector is a major step forward. Some companies have already taken this step on a voluntary basis, but the process is often unknown to governance and sometimes to the executive. The approach consists of identifying and assessing risks (using an objective grid) and, above all, implementing a risk management plan with appropriate strategies (acceptance, avoidance, transfer or treatment). The approach must be participative, coordinated by a manager from the entity (the internal auditor, for example). It must take account of the company's strategy, and be updated regularly (at least annually).
- Setting up a mandatory internal audit department
The law abolishes the term “internal controller”, contained in law 90-06, and provides for the function of internal auditor. However, the law does not specify how this function is to be attached, in order to guarantee the necessary independence; nor does it specify the interactions between internal audit and other control bodies (internal control, external control).
- Implementation of an internal audit policy
The law specifies that the entity must put in place an “internal audit policy” to assess how well risks are being managed. We believe that the term “internal audit policy” is not very appropriate. We propose instead a “risk management and internal control policy”. Internal audit is a function for which the roles and responsibilities are well defined in the international auditing standards issued by the IIA.
- Produce an annual Chairman's report and Statutory Auditor (CAC) report on corporate governance
The content of the Chairman's report is not defined, nor is the Statutory Auditor's report on corporate governance. We believe that this is the report on internal control and risk management, as drawn up by listed companies and on which the Statutory Auditor is required to give an opinion.
- The Board must adopt an internal control framework for the management of identified risks.
The internal control framework is a powerful steering and internal control tool, enabling us to ensure that risks are under control. It is derived from risk analysis (no control in the absence of risk). It is drawn up by operational staff when risks are identified. It is monitored by operational managers, the internal auditor, external auditors, etc. It must be regularly updated in line with new risks and incidents. For each control identified, the framework defines the methods of implementation, frequency, formalization, etc. Identified controls can be integrated into the procedures manual (level 1 control).
- Evaluation of the procedures manual
The Board must approve the entity's procedures manual. The manual is subject to evaluation by the entity and, in particular, the internal auditor (who is not required to draw up the manual). The terms and conditions of this ongoing assessment are not defined, but it seems clear that it involves the performance of an internal audit assignment (the practical details of which are set out in international auditing standards). The governing body must carry out an ongoing assessment of the application of procedures. The terms and conditions of this monitoring are not defined in the law. The governing body may entrust this assessment to the executive, who may report on it in his or her annual report, including a chapter on internal control and risk management, or in the report on directives.
B. For the executive
The law provides for a report by the director of the executive branch on the directives (follow-up of recommendations) of supervisory controls. The report may contain a status report on the implementation of the recommendations issued by each control body, as well as a progress report for each area of activity. Three levels of progress can be defined: in progress, completed, not started. Significant recommendations that may pose a threat to the company should be given priority.
The follow-up of recommendations (directives) is a key activity in the internal control and risk management system, and its proper handling is a factor in assessing the importance attached to control by the entity's governance and executive management.
C. For internal audit
The law does not define internal auditing.
Similarly, it makes no reference to its role in risk management; nor is its relationship with the Audit Committee mentioned. As mentioned above, the notion of “internal audit policy” is not clearly defined and can lead to confusion.
We also understand that our role in evaluating the procedures manual will consist in carrying out internal audit assignments.
The internal auditor evaluates the internal control framework through specific assignments linked to this activity. This activity may also form part of the assessment of the entity's risk management.
D. For the Statutory Auditor
The law requires the statutory auditor to draw up a report on corporate governance. However, details concerning the content and structure of this report are not specified.
Conclusion
The Parapublic Sector Orientation Act on the control of state-supported legal entities represents a significant step forward in terms of governance, risk management and internal control of parapublic sector companies. Governance and risk management have been strengthened, and the role of the internal auditor should be reinforced. However, these provisions will require governance and control bodies, notably the audit committee, to be upgraded.
About Moore Senegal
We support private and public sector entities in the implementation of governance, risk and compliance through training, the provision of management tools and performance support.








