Internal Audit in Vietnam: New Decree Comes into Effect April 1
Foreign companies need to be aware of a new decree on internal audit in Vietnam that went into effect on April 1. Vietnam Briefing breaks down key aspects of the new decree for foreign investors.
The government issued Decree 05/2019/ND-CP on internal audit in Vietnam on January 22, this year, which came come into effect on April 1.
The new decree applies to state-owned authorities, public service organizations as well as private listed companies to implement and adopt internal (IA) practices.
The move is in line with international best practices, enhancing transparency and effectiveness in corporate governance. This is especially commendable as Vietnam looks to attract greater foreign investment.
What organizations has the new decree affected?
Most organizations are unlikely to be affected unless they are listed, in partnerships with state-owned companies, or provide internal audit services. However, we specifically list the organizations that are affected below:
- Ministries, government agencies;
- People’s Committees (local administrative body) of cities and provinces as well as public service units;
- State owned public service units (including those that set aside US$858,000 (20 billion VND) per year for the total fund of wages, salaries, allowances, and hire at least 200 employees);
- Enterprises including listed companies and organizations with 50 percent of their charter capital held by the state; and
- Organizations and individuals conducting IA activities.
Those subject to the decree are required to complete all the necessary preparations within 24 months from April 1 to conduct IA activities as prescribed in the new decree.
While the decree is not specific to what types of internal audit are required, its purpose is to encourage companies to adopt robust systems of internal control and risk management.
How to structure an IA function
Companies that need to create an IA committee reports to the Board of Directors (BoD) or Board of Supervision (BoS) and Board of Management (BoM) in the organization or company. The aforementioned organizations and companies will need to appoint a Head for IA of the committee. In addition, the appointment and salary of the Head of the IA committee should not be under the BoM’s authority.
While the decree does not spell out the job description of the Head of IA, companies should clearly define the criteria for competence, expertise and skills when recruiting the Head of IA in line with the requirements of the business.
In addition, internal auditors must be independent, objective and without any conflict of interest. Internal auditors must also have three to five years of experience with an understanding about laws and business operations of audited units, be able to analyze data with knowledge and skills related to IA. Auditors should also know about IT audit and industry operations.
How can organizations comply?
The new law states that if the IA department does not have sufficient resources with the required knowledge and experience, organizations can consider outsourcing or co-sourcing IA to a professional firm.
As mentioned earlier, the Ministry of Finance (MoF) is responsible for setting rules on the application of IA. However, in the absence of specific requirements companies should adopt international IA standards such as by the Institute of Internal Auditors (IIA) as long as they don’t oppose the Decree.
Firms are not required to have an independent assessment by a third party but can use a professional service to conduct the assessment or use such a service to develop criteria for it.
While there is no detailed guidance to develop an annual IA plan, executive IA engagement and reporting, organizations should understand and refer to best practices to provide guidance to internal auditors as per the regulations. Further, as with a new decree, the MoF is likely to come up with more specific documents listing out the requirements to comply with the new regulations.