Compliance & Audit Requirements
Three decades of experience navigating audits by Big 4 firms, maintaining regulatory compliance across multiple jurisdictions, and implementing bulletproof internal controls, from SOX compliance to Malaysian regulatory requirements.
Table of Contents
- Audit Trail Requirements
- Internal Controls Framework
- Tax Compliance Workflows
- IFRS/MFRS Compliance Features
- Statutory Audit Preparation
Audit Trail Requirements
A robust audit trail is your first line of defense against fraud, errors, and regulatory violations. After decades of working with auditors, I’ve learned what they really look for.
Comprehensive Audit Trail Design
Essential Audit Trail Components
Transaction-Level Audit Trail:
System Fields (Automatic):
- Transaction ID (unique identifier)
- User ID (who performed the action)
- Timestamp (when action occurred)
- Terminal/IP Address (where action originated)
- Module/Screen (which function was used)
Business Fields (Configurable):
- Document Number
- Reference Numbers
- Amounts (original and modified)
- Account Codes
- Approval Levels
- Supporting Documents
Change History:
- Original Values
- Modified Values
- Change Reason Codes
- Supervisor Approvals
- Reversal Entries
Audit Trail Best Practices Implementation
Data Integrity Controls:
Immutable Records:
- No deletion of posted transactions
- Reversal entries for corrections
- Sequential numbering controls
- Digital timestamps
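The four immutable-record controls above can be enforced in the storage layer itself rather than left to procedure. The following Python sketch is an added example written for this guide, not code from any product it describes; it keeps posted entries append-only, numbers them sequentially, timestamps them, and corrects only by reversal. It also chains entries with SHA-256 so that an edited or deleted posted record is detectable on verification, which goes beyond the controls the guide lists and is an implementation choice of this example.

```python
from __future__ import annotations

from dataclasses import asdict, dataclass
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class Entry:
    seq: int              # sequential numbering control: 1, 2, 3 ... with no gaps
    ts: str               # digital timestamp, UTC ISO 8601, set by the system
    user: str             # user ID that performed the action
    doc_no: str           # business document number
    account: str          # account code
    amount: float         # signed: positive = debit, negative = credit
    reverses: int | None  # seq of the posted entry this one corrects, or None
    reason: str           # change reason code
    prev_hash: str        # hash of the preceding entry (chain link)
    hash: str             # SHA-256 over every other field of this entry


def _digest(fields: dict) -> str:
    """SHA-256 of the canonical JSON of all fields except 'hash'."""
    body = {k: v for k, v in fields.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Posted entries can only be appended; there is deliberately no delete()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list[Entry] = []

    def post(self, user: str, doc_no: str, account: str, amount: float,
             reason: str = "", reverses: int | None = None) -> Entry:
        prev = self._entries[-1].hash if self._entries else self.GENESIS
        fields = dict(seq=len(self._entries) + 1,
                      ts=datetime.now(timezone.utc).isoformat(timespec="seconds"),
                      user=user, doc_no=doc_no, account=account, amount=amount,
                      reverses=reverses, reason=reason, prev_hash=prev)
        entry = Entry(**fields, hash=_digest(fields))
        self._entries.append(entry)
        return entry

    def reverse(self, seq: int, user: str, reason: str) -> Entry:
        """Correct a posted entry by posting its mirror image, never by editing it."""
        if not 1 <= seq <= len(self._entries):
            raise ValueError(f"no posted entry with seq {seq}")
        if any(e.reverses == seq for e in self._entries):
            raise ValueError(f"entry {seq} has already been reversed")
        orig = self._entries[seq - 1]
        return self.post(user, orig.doc_no, orig.account, -orig.amount,
                         reason=reason, reverses=seq)

    def balance(self, account: str) -> float:
        return round(sum(e.amount for e in self._entries if e.account == account), 2)

    def verify(self) -> list[str]:
        """Return the integrity problems found; an empty list means the trail is intact."""
        problems: list[str] = []
        prev = self.GENESIS
        for pos, e in enumerate(self._entries, start=1):
            if e.seq != pos:
                problems.append(f"sequence gap: expected seq {pos}, found {e.seq}")
            if e.prev_hash != prev:
                problems.append(f"chain break at seq {e.seq}")
            if _digest(asdict(e)) != e.hash:
                problems.append(f"seq {e.seq} modified after posting")
            if e.reverses is not None and not 1 <= e.reverses < e.seq:
                problems.append(f"seq {e.seq} reverses a missing or later entry")
            prev = e.hash
        return problems
```

A reversal nets the account back to zero while both the original and the correction stay on the trail; `verify()` is what a periodic integrity job or an auditor's re-performance test would run.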
User Activity Logging:
Login/Logout Events:
- Successful authentications
- Failed login attempts
- Session timeouts
- Password changes
- Privilege escalations
Transaction Events:
- Create, Read, Update operations
- Print and export activities
- Report generation
- System configuration changes
- Master data modifications
Security Events:
- Access violations
- Privilege changes
- System administration
- Database access
- Backup and restore operations
Regulatory Audit Trail Requirements
Sarbanes-Oxley (SOX) Compliance
SOX Section 404 Requirements:
Management Assessment:
- Document internal controls
- Test control effectiveness
- Identify material weaknesses
- Quarterly management assertions
IT General Controls (ITGC):
Access Controls:
- User provisioning/deprovisioning
- Privileged access management
- Segregation of duties
- Periodic access reviews
Change Management:
- Development/test/production separation
- Change approval processes
- Testing documentation
- Emergency change procedures
Computer Operations:
- Job scheduling and monitoring
- Backup and recovery procedures
- Database administration
- Network security controls
Documentation Requirements:
- Process narratives
- Risk control matrices
- Testing evidence
- Deficiency tracking
- Management responses
Malaysian Companies Act 2016 Audit Requirements
Statutory Audit Trail Requirements:
Accounting Records (Section 245):
- All transactions recorded
- Supporting documentation maintained
- Chronological order maintained
- Clear audit trail from source to financials
Document Retention:
- Accounting records: 7 years minimum
- Supporting documents: 7 years minimum
- Board minutes: Permanent retention
- Tax records: 7 years after assessment
- Employment records: 12 years minimum
Electronic Records:
- System security controls
- Data backup procedures
- Access control systems
- Change management processes
- Business continuity plans
Audit Trail Reporting and Analysis
Standard Audit Reports
User Activity Reports:
Daily Activity Summary:
- Total transactions by user
- High-risk activities performed
- After-hours access
- Weekend/holiday activity
- Failed access attempts
Monthly Privilege Review:
- User access rights listing
- Segregation of duties violations
- Terminated user cleanup
- New user access grants
- Privilege escalations
Exception Reports:
Transaction Anomalies:
- Large amount transactions
- Round dollar amounts
- Manual journal entries
- Reversing entries
- Weekend transactions
Control Violations:
- Approval bypasses
- Segregation of duties conflicts
- System override usage
- Password violations
- Unusual access patterns
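The rules behind such an exception report can be expressed as predicates run over posted journal entries. The following Python is an added example, not code from the original guide: its amount thresholds reuse the MYR 1,000 auto-approval ceiling and the MYR 50,000 Level 4 boundary from the Transaction Authorization Matrix in the Internal Controls section, while the business-hours window, the "round amount" unit and the journal entries themselves are assumptions constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Amount thresholds reuse the authorization matrix in this guide; the hours
# window and the round-amount unit are assumptions made for this example.
LARGE_AMOUNT = 50_000.0         # Level 4 boundary: reported as a large transaction
AUTO_APPROVE_LIMIT = 1_000.0    # Level 1 ceiling: above this an approver is required
ROUND_UNIT = 1_000.0            # whole multiples of this count as "round amounts"
BUSINESS_HOURS = range(8, 19)   # postings at 08:00-18:59 are normal working hours


@dataclass(frozen=True)
class JournalEntry:
    id: str
    user: str             # user who posted the entry
    approver: str | None  # user who approved it, None if no approval was recorded
    posted: datetime      # system timestamp of the posting
    amount: float
    source: str           # originating module: AP, AR, GL or MANUAL
    reverses: str | None  # id of the entry being reversed, if any


# (flag, predicate) pairs; the list order is the order flags appear in the report.
RULES = [
    ("LARGE_AMOUNT",    lambda e: abs(e.amount) >= LARGE_AMOUNT),
    ("ROUND_AMOUNT",    lambda e: abs(e.amount) >= ROUND_UNIT and abs(e.amount) % ROUND_UNIT == 0),
    ("MANUAL_JOURNAL",  lambda e: e.source == "MANUAL"),
    ("REVERSING_ENTRY", lambda e: e.reverses is not None),
    ("WEEKEND",         lambda e: e.posted.weekday() >= 5),
    ("AFTER_HOURS",     lambda e: e.posted.hour not in BUSINESS_HOURS),
    ("APPROVAL_BYPASS", lambda e: abs(e.amount) > AUTO_APPROVE_LIMIT and e.approver is None),
    ("SOD_CONFLICT",    lambda e: e.approver is not None and e.approver == e.user),
]


def flags_for(entry: JournalEntry) -> list[str]:
    """Names of every rule the entry trips, in RULES order."""
    return [name for name, hit in RULES if hit(entry)]


def exception_report(entries) -> dict[str, list[str]]:
    """Entry id -> flags, listing only entries that raised at least one flag."""
    report: dict[str, list[str]] = {}
    for e in entries:
        flags = flags_for(e)
        if flags:
            report[e.id] = flags
    return report


def activity_summary(entries) -> dict[str, tuple[int, int]]:
    """User -> (entries posted, entries flagged): the basis of a daily activity summary."""
    summary: dict[str, tuple[int, int]] = {}
    for e in entries:
        total, flagged = summary.get(e.user, (0, 0))
        summary[e.user] = (total + 1, flagged + (1 if flags_for(e) else 0))
    return summary


def _je(id, user, approver, posted, amount, source, reverses=None) -> JournalEntry:
    return JournalEntry(id, user, approver, datetime.fromisoformat(posted), amount, source, reverses)


# Constructed sample postings for this example (not real ledger data).
SAMPLE_ENTRIES = [
    _je("JE-1001", "alice", "bob",   "2024-03-04T10:15:00",  4250.75, "AP"),
    _je("JE-1002", "carol", "carol", "2024-03-09T23:40:00", 60000.00, "MANUAL"),
    _je("JE-1003", "dave",  None,    "2024-03-05T14:05:00",  3000.00, "MANUAL", "JE-0987"),
    _je("JE-1004", "erin",  "bob",   "2024-03-06T09:30:00",   812.40, "AR"),
]

if __name__ == "__main__":
    for entry_id, flags in exception_report(SAMPLE_ENTRIES).items():
        print(entry_id, ", ".join(flags))
```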
Fraud Detection Analytics
Digital Forensics Capabilities:
Benford's Law Analysis:
- First digit frequency analysis
- Detection of manipulated numbers
- Focus on accounts payable and expenses
- Quarterly analytical reviews
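Benford's first-digit analysis in Python, as an added example rather than code from the guide: it computes the observed first-digit distribution of a population of amounts, the mean absolute deviation (MAD) from the expected log10(1 + 1/d) proportions and a chi-square statistic, and grades the result with Nigrini's first-digit MAD bands. Both populations are constructed sample data, one built to conform and one where most amounts cluster just below an approval level.

```python
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# Expected first-digit proportions under Benford's Law: P(d) = log10(1 + 1/d)
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Nigrini's first-digit conformity bands for the mean absolute deviation (MAD)
MAD_BANDS = [(0.006, "close conformity"), (0.012, "acceptable conformity"),
             (0.015, "marginal conformity")]
CHI2_CRITICAL_8DF_5PCT = 15.507   # chi-square, 8 degrees of freedom, 5% significance


def first_digit(x: float) -> int | None:
    """Leading significant digit of a non-zero amount, independent of sign and scale."""
    if x == 0 or math.isnan(x) or math.isinf(x):
        return None
    return int(f"{abs(x):.15e}"[0])   # scientific notation puts that digit first


@dataclass(frozen=True)
class BenfordResult:
    n: int                       # non-zero amounts analysed
    observed: dict[int, float]   # observed proportion of each first digit 1..9
    mad: float                   # mean absolute deviation from EXPECTED
    chi_square: float            # compare with CHI2_CRITICAL_8DF_5PCT
    conformity: str              # MAD band label or "nonconformity"
    worst_digit: int             # digit with the largest absolute deviation


def benford_test(amounts) -> BenfordResult:
    """First-digit frequency analysis of a population of amounts."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to analyse")
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    deviation = {d: observed[d] - EXPECTED[d] for d in range(1, 10)}
    mad = sum(abs(v) for v in deviation.values()) / 9
    chi_square = sum((counts.get(d, 0) - n * EXPECTED[d]) ** 2 / (n * EXPECTED[d])
                     for d in range(1, 10))
    conformity = next((label for limit, label in MAD_BANDS if mad <= limit), "nonconformity")
    worst = max(deviation, key=lambda d: abs(deviation[d]))
    return BenfordResult(n, observed, mad, chi_square, conformity, worst)


# Constructed sample populations for this example, not real ledger data.
# 1,000 amounts whose first digits follow Benford's proportions exactly.
_BENFORD_COUNTS = {1: 301, 2: 176, 3: 125, 4: 97, 5: 79, 6: 67, 7: 58, 8: 51, 9: 46}
EXAMPLE_CONFORMING = [d * 1000 + i for d, cnt in _BENFORD_COUNTS.items() for i in range(cnt)]
# 200 amounts, three quarters of them clustered just below a MYR 10,000 approval
# level, so first digit 9 is far over-represented: the pattern the review should surface.
EXAMPLE_SUSPECT = [9_500 + 2 * i for i in range(150)] + [1_250 + 37 * i for i in range(50)]

if __name__ == "__main__":
    for name, data in (("conforming", EXAMPLE_CONFORMING), ("suspect", EXAMPLE_SUSPECT)):
        r = benford_test(data)
        print(f"{name}: n={r.n} MAD={r.mad:.4f} chi2={r.chi_square:.1f} -> {r.conformity}")
```

Run it over a quarter's accounts payable or expense amounts; the `worst_digit` tells the reviewer which digit to drill into first.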
Duplicate Payment Detection:
- Vendor name similarities
- Bank account duplications
- Invoice number patterns
- Amount and date matching
- Address variations
Journal Entry Analytics:
- Round amount entries
- End-of-period concentrations
- Unusual account combinations
- Manual entry patterns
- User behavior analysis
Trend Analysis:
- Expense ratio changes
- Revenue recognition patterns
- Margin fluctuations
- Working capital movements
- Cash flow anomalies
Internal Controls Framework
A robust internal control system is the backbone of financial integrity and operational efficiency.
COSO Framework Implementation
Control Environment Foundation
Tone at the Top:
Board of Directors:
- Independent director requirements
- Audit committee establishment
- Regular executive sessions
- Performance evaluation processes
- Risk appetite statements
Management Philosophy:
- Ethical leadership demonstration
- Integrity and competence emphasis
- Authority and responsibility assignment
- Human resource policies
- Performance measurement systems
Organizational Structure:
- Clear reporting lines
- Appropriate authority levels
- Segregation of duties design
- Communication channels
- Accountability mechanisms
Risk Assessment Process
Enterprise Risk Management:
Risk Identification:
- Strategic risks
- Operational risks
- Financial risks
- Compliance risks
- Reputational risks
Risk Analysis:
- Likelihood assessment (1-5 scale)
- Impact assessment (1-5 scale)
- Risk score calculation (Likelihood × Impact)
- Current control effectiveness
- Residual risk determination
Risk Response:
- Accept: Risk within tolerance
- Avoid: Eliminate risk activities
- Reduce: Implement controls
- Share: Insurance or outsourcing
- Monitor: Ongoing assessment
Example Risk Register:
Risk: Unauthorized access to financial systems
Likelihood: 3 (Possible)
Impact: 5 (Severe)
Risk Score: 15 (High)
Controls: Access controls, monitoring, training
Residual Risk: 6 (Medium)
Control Activities Design
Preventive Controls
Authorization Controls:
Transaction Authorization Matrix:
Level 1 (Up to MYR 1,000):
- Department Supervisor
- Automatic system approval
- Exception reporting only
Level 2 (MYR 1,001 - 10,000):
- Department Manager approval
- System workflow routing
- Email notifications
Level 3 (MYR 10,001 - 50,000):
- Finance Manager approval
- CFO notification
- Documentation requirements
Level 4 (Above MYR 50,000):
- CFO approval required
- CEO notification
- Board reporting (quarterly)
Segregation of Duties:
Purchasing Process:
- Requisition: Department staff
- Purchase order: Purchasing department
- Receiving: Warehouse staff
- Invoice processing: Accounts payable
- Payment authorization: Finance manager
- Payment execution: Treasury
Detective Controls
Reconciliation Controls:
Bank Reconciliations:
- Daily reconciliation required
- Independent preparer and reviewer
- Variance investigation procedures
- Management sign-off required
- Exception escalation process
Account Reconciliations:
Monthly reconciliations required for:
- All balance sheet accounts
- Inter-company accounts
- Customer and vendor sub-ledgers
- Inventory and fixed assets
- Accrued liabilities
Analytical Reviews:
Monthly variance analysis:
- Budget vs. actual (>5% or MYR 10,000)
- Prior year comparison
- Ratio analysis trends
- Expense per employee metrics
- Industry benchmarking
Control Testing and Monitoring
Internal Control Testing
Control Testing Framework:
Test Types:
- Inquiry: Personnel interviews
- Observation: Process observation
- Inspection: Document examination
- Re-performance: Control re-execution
- Analytical: Data analysis
Testing Frequency:
Key Controls:
- Financial reporting controls: Quarterly
- IT general controls: Semi-annually
- Operations controls: Annually
- Compliance controls: Risk-based
Sample Size Determination:
| Population Size | Sample Size |
|---|---|
| 1-10 items | 100% |
| 11-50 items | 10-15 items |
| 51-100 items | 15-20 items |
| 100+ items | 25+ items |
Documentation Requirements:
- Test objectives
- Test procedures performed
- Sample selection method
- Results and exceptions
- Conclusions and ratings
Control Deficiency Management
Deficiency Classification:
Control Deficiency:
- Control design or operation issue
- Does not significantly impact financial reporting
- Management awareness and tracking
Significant Deficiency:
- Important enough for audit committee attention
- Could result in material misstatement
- Formal remediation plan required
Material Weakness:
- Reasonable possibility of material misstatement
- CEO/CFO certification impact
- Immediate remediation required
- External auditor notification
Remediation Process:
1. Root Cause Analysis
- Identify underlying cause
- Assess control design vs. operation
- Determine scope of impact
2. Corrective Action Plan
- Specific remediation steps
- Responsible parties identified
- Target completion dates
- Resource requirements
3. Implementation Monitoring
- Progress tracking
- Milestone reporting
- Effectiveness testing
- Management updates
4. Validation Testing
- Independent testing
- Documentation review
- Sustainable operation confirmation
- Closure approval
Tax Compliance Workflows
Tax compliance requires meticulous attention to detail and a thorough understanding of constantly changing regulations.
Malaysian Tax Compliance Framework
Corporate Income Tax Compliance
Annual Tax Return (Form C):
Filing Requirements:
- Due date: 7 months from financial year-end
- Electronic filing mandatory (>MYR 25 million turnover)
- Supporting schedules required
- Audited financial statements attachment
Tax Computation Workflow:
1. Accounting Profit Reconciliation
- Start with profit before tax
- Add: Non-deductible expenses
- Less: Non-taxable income
- Timing differences adjustment
2. Tax Incentives and Allowances
- Pioneer status benefits
- Investment tax allowances
- Double deduction claims
- Approved training expenses
3. Capital Allowances Calculation
- Initial allowances
- Annual allowances
- Accelerated capital allowances
- Balancing adjustments
4. Tax Liability Determination
- Apply applicable tax rates
- Consider tax rebates
- Minimum tax provisions
- Installment payment requirements
Example Tax Computation:
Profit before tax: MYR 2,000,000
Add: Entertainment expenses MYR 50,000
Add: Penalties and fines MYR 10,000
Less: Dividend income MYR 100,000
Less: Capital allowances MYR 200,000
Adjusted income: MYR 1,760,000
Tax @ 24%: MYR 422,400
Less: Tax rebates MYR 20,000
Net tax payable: MYR 402,400
Sales and Service Tax (SST) Compliance
SST Registration and Filing:
Registration Thresholds:
Sales Tax: MYR 500,000 annual turnover
Service Tax: Generally all taxable service providers
Monthly Return Filing:
Form SST-02A (Sales Tax):
- Output tax on local sales
- Input tax on purchases and imports
- Exempt sales reporting
- Capital goods claims
Form SST-02B (Service Tax):
- Service tax on taxable services
- Designated areas certification
- Special scheme applications
Common Compliance Issues:
□ Incorrect classification of goods/services
□ Missing supporting documentation
□ Late filing penalties (MYR 200-1,000 per month)
□ Incomplete customer/supplier registration verification
□ Incorrect input tax claims
□ Missing approved person certification
SST Audit Preparation:
Documentation Requirements:
- Purchase invoices with valid SST registration
- Sales invoices with proper SST charges
- Import/export documentation
- Capital goods certificates
- Business registration documents
- Financial records reconciliation
Withholding Tax Management
Employment Tax (PCB) System
Monthly PCB Deduction:
Calculation Method:
- Gross salary determination
- EPF/SOCSO deductions
- Tax relief applications
- Progressive tax rate application
- Monthly deduction calculation
Filing Requirements:
Form CP39 (Monthly):
- Employee details
- Salary and deductions
- Tax deducted amounts
- Payment to LHDN
Annual Reconciliation:
Form E (by March 31):
- Annual salary summaries
- Total tax deducted
- Employee statements (EA)
- Penalty calculations for shortfalls
Example PCB Calculation:
Gross Salary: MYR 8,000/month
Less: EPF (11%): MYR 880
Less: EIS/SOCSO: MYR 100
Chargeable income: MYR 7,020/month
Annual equivalent: MYR 84,240
Tax calculation:
First MYR 20,000 @ 0%: MYR 0
Next MYR 15,000 @ 3%: MYR 450
Next MYR 15,000 @ 8%: MYR 1,200
Next MYR 15,000 @ 14%: MYR 2,100
Next MYR 19,240 @ 21%: MYR 4,040
Annual tax: MYR 7,790
Monthly PCB: MYR 649
Contract Payment Withholding Tax
Withholding Tax Rates:
Residents:
- Contractors: 3%
- Consultants: 10%
- Professional services: 10%
- Rental payments: 10%
- Interest payments: 10%
Non-Residents:
- Technical services: 10%
- Royalties: 10%
- Interest: 15%
- Management fees: 10%
- Branch profits: 24%
Withholding Process:
1. Payment Authorization
- Verify contractor registration
- Check exemption certificates
- Calculate withholding amount
- Obtain proper approvals
2. Payment Execution
- Deduct withholding tax
- Pay net amount to contractor
- Remit tax to LHDN
- Issue withholding certificates
3. Monthly Reporting
- Form CP37 submission
- Payment verification
- Penalty calculations
- Certificate distribution
Transfer Pricing Documentation
Transfer Pricing Compliance Framework
Documentation Requirements:
Master File:
- Organizational structure
- Business description
- Intangibles owned
- Financial and tax position
- International transactions
Local File:
- Controlled transactions
- Controlled entity information
- Financial data
- Comparability analysis
- Transfer pricing rulings
Economic Analysis:
Arm's Length Principle:
- Comparable uncontrolled price (CUP)
- Resale price method (RPM)
- Cost plus method (CPM)
- Transactional net margin method (TNMM)
- Profit split method (PSM)
Documentation Timeline:
Preparation: Before transaction execution
Update: Annual review and update
Filing: Within 30 days of LHDN request
Retention: 7 years minimum
Example Transfer Pricing Study:
Related Party Transaction:
- Parent company charges MYR 2M management fee
- Subsidiary in Malaysia
- Services: Strategic planning, IT support
Benchmarking Analysis:
- Identify comparable companies
- Extract financial data
- Calculate margin indicators
- Statistical analysis
- Document arm's length range
Conclusion:
- Management fee rate: 3-5% of revenue
- Company's rate: 4.2% of revenue
- Position: Within arm's length range
- Documentation: Defensible position
IFRS/MFRS Compliance Features
Financial reporting compliance requires deep understanding of accounting standards and their practical implementation.
Revenue Recognition (MFRS 15)
5-Step Revenue Model Implementation
Step 1: Contract Identification
Contract Criteria Assessment:
- Parties have approved the contract
- Rights of parties are identifiable
- Payment terms are identifiable
- Contract has commercial substance
- Collection is probable
Contract Modifications:
- Separate contract treatment
- Modification of existing contract
- Combination approach
- Prospective vs. retrospective
Step 2: Performance Obligations
Identification Criteria:
- Promised goods/services to customer
- Distinct within contract context
- Customer can benefit independently
- Separately identifiable from other promises
Bundling Assessment:
- Series of distinct goods/services
- Same pattern of transfer
- Single performance obligation
- Revenue recognition over time
Practical Revenue Recognition Examples
Software Licensing + Support:
Contract Details:
- Software license: MYR 100,000
- Annual support: MYR 20,000
- Implementation: MYR 30,000
- Total contract: MYR 150,000
Performance Obligations:
1. Software license (distinct)
2. Implementation services (distinct)
3. Support services (distinct)
Standalone Selling Prices:
- Software license: MYR 110,000
- Implementation: MYR 35,000
- Support: MYR 25,000
- Total: MYR 170,000
Allocation:
Software: MYR 150,000 × (110,000/170,000) = MYR 97,059
Implementation: MYR 150,000 × (35,000/170,000) = MYR 30,882
Support: MYR 150,000 × (25,000/170,000) = MYR 22,059
Revenue Recognition:
- Software: At go-live date
- Implementation: Over project period
- Support: Over support period
Lease Accounting (MFRS 16)
Lessee Accounting Implementation
Lease Identification:
Right to Control Asset:
- Right to obtain economic benefits
- Right to direct use of asset
- Throughout period of use
Initial Recognition:
Right-of-Use Asset:
- Initial lease liability amount
- Prepaid lease payments
- Initial direct costs
- Restoration costs estimate
Lease Liability:
- Present value of unpaid lease payments
- Discount rate determination
- Variable payments excluded
- Extension options assessment
Example Calculation:
Office Lease Details:
- Term: 5 years
- Monthly payment: MYR 10,000
- Incremental borrowing rate: 6%
- Security deposit: MYR 20,000
Initial Measurement:
Lease liability: PV of 60 payments @ 6% = MYR 516,074
Right-of-use asset: MYR 516,074 + MYR 20,000 = MYR 536,074
Subsequent Measurement:
Monthly entries:
Dr. Depreciation expense (MYR 536,074/60) MYR 8,935
Cr. Accumulated depreciation MYR 8,935
Dr. Interest expense MYR 2,580
Dr. Lease liability MYR 7,420
Cr. Cash MYR 10,000
Financial Instruments (MFRS 9)
Expected Credit Loss Model
ECL Methodology:
Stage 1 (12-month ECL):
- No significant credit deterioration
- High credit quality at reporting date
- Expected losses next 12 months
Stage 2 (Lifetime ECL):
- Significant credit deterioration
- Not credit-impaired
- Expected losses over life
Stage 3 (Lifetime ECL):
- Credit-impaired assets
- Objective evidence of impairment
- Individual assessment required
Practical Implementation:
Trade Receivables ECL:
Aging Analysis Approach:
Current: 0.5% ECL rate
1-30 days: 1% ECL rate
31-60 days: 3% ECL rate
61-90 days: 10% ECL rate
>90 days: 50% ECL rate
Example Calculation:
| Aging Category | Balance | ECL Rate | ECL Amount |
|---|---|---|---|
| Current | MYR 500,000 | 0.5% | MYR 2,500 |
| 1-30 days | MYR 200,000 | 1.0% | MYR 2,000 |
| 31-60 days | MYR 100,000 | 3.0% | MYR 3,000 |
| 61-90 days | MYR 50,000 | 10.0% | MYR 5,000 |
| >90 days | MYR 30,000 | 50.0% | MYR 15,000 |
| Total | MYR 880,000 | | MYR 27,500 |
Journal Entry:
Dr. Credit loss expense MYR 27,500
Cr. Allowance for credit losses MYR 27,500
Disclosure Requirements Management
Note Disclosure Framework
Critical Accounting Policies:
Revenue Recognition:
- 5-step model application
- Performance obligations identification
- Transaction price allocation
- Contract modifications
- Practical expedients used
Lease Accounting:
- Lease portfolio description
- Discount rate determination
- Variable lease payments
- Extension/termination options
- COVID-19 rent concessions
Financial Instruments:
- Classification and measurement
- Credit risk management
- Fair value disclosures
- Hedge accounting application
- Expected credit loss methodology
Related Party Disclosures:
Key Management Personnel:
- Names and positions
- Compensation details
- Transactions during year
- Outstanding balances
- Terms and conditions
Related Party Transactions:
- Nature of relationship
- Transaction types and amounts
- Outstanding balances
- Terms and conditions
- Guarantees provided/received
Statutory Audit Preparation
Proper audit preparation can reduce audit fees by 30-50% and significantly improve the audit experience.
Pre-Audit Preparation Strategy
Audit Readiness Assessment
Financial Statement Preparation:
Trial Balance Accuracy:
□ All accounts reconciled
□ Suspense accounts cleared
□ Inter-company balances agreed
□ Analytical review completed
□ Management review finalized
Supporting Documentation:
□ Bank confirmations prepared
□ Legal confirmations ready
□ Related party confirmations
□ Subsequent events review
□ Management representations drafted
Control Documentation:
□ Internal control narratives
□ Process flowcharts updated
□ Risk assessments current
□ Testing evidence available
□ Deficiency tracking updated
Audit File Organization
Permanent File:
Corporate Documents:
- Articles of incorporation
- Board resolutions
- Significant contracts
- Legal opinions
- Insurance policies
Accounting Policies:
- Accounting manual
- Policy changes documentation
- Technical memoranda
- Prior year adjustments
- Management judgments
Current Year File:
Financial Statements:
- Draft financial statements
- Management accounts
- Trial balance
- Adjusting entries
- Comparative analysis
Supporting Schedules:
- Balance sheet reconciliations
- Income statement analysis
- Cash flow workpapers
- Note disclosure support
- Analytical review procedures
Audit Response Management
Auditor Inquiry Response System
Information Request Protocol:
Initial Response (Within 24 hours):
- Acknowledge receipt
- Assign responsible person
- Estimate completion time
- Identify any issues/constraints
Documentation Standards:
- Clear and complete responses
- Supporting evidence attached
- Cross-references provided
- Review by supervisor
- Quality control check
Common Audit Requests:
Cash and Bank:
- Bank reconciliations
- Bank confirmations
- Cash count procedures
- Restricted cash documentation
- Foreign currency positions
Accounts Receivable:
- Aging analysis
- Customer confirmations
- Credit memos after year-end
- Bad debt analysis
- Subsequent collections
Inventory:
- Perpetual records
- Physical count procedures
- Obsolescence analysis
- Cost calculations
- Cut-off testing
Fixed Assets:
- Asset registers
- Depreciation calculations
- Capital expenditure analysis
- Disposal documentation
- Impairment assessments
Management Letter Response
Internal Control Recommendations
Deficiency Response Framework:
Management Response Elements:
1. Acknowledgment of finding
2. Root cause analysis
3. Corrective action plan
4. Implementation timeline
5. Responsible parties
6. Monitoring procedures
Example Response:
Finding: Inadequate segregation of duties in cash receipts
Management Response:
- Agree with auditor observation
- Root cause: Limited staffing in finance
- Action: Hire additional staff member
- Timeline: Within 60 days
- Responsible: CFO
- Monitoring: Monthly supervisor review
Cost-Benefit Analysis:
Implementation Cost: MYR 60,000 annually
Risk Reduction: High
Management Priority: Immediate
Board Reporting: Required
Progress Tracking:
- Monthly status updates
- Quarterly board reporting
- Annual effectiveness testing
- Continuous monitoring
Audit Committee Reporting
Audit Committee Package:
Pre-Audit Planning:
- Audit scope and approach
- Key areas of focus
- Timeline and deliverables
- Fee arrangements
- Independence matters
Progress Reporting:
- Fieldwork status updates
- Significant findings
- Management responses
- Timeline adjustments
- Resource requirements
Post-Audit Summary:
- Audit opinion
- Significant findings
- Management letter points
- Internal control matters
- Recommendations implementation
Annual Assessment:
- Auditor performance evaluation
- Process improvement opportunities
- Fee benchmarking
- Scope adequacy review
- Independence confirmation
Continuous Audit Preparation
Year-Round Audit Readiness
Monthly Activities:
Financial Close:
□ Complete reconciliations within 5 days
□ Perform analytical reviews
□ Document unusual transactions
□ Update roll-forward schedules
□ Review subsequent events
Documentation Maintenance:
□ Update process narratives
□ Maintain evidence files
□ Document system changes
□ Track control testing
□ Monitor key indicators
Quarterly Activities:
Control Testing:
□ Test key controls
□ Document results
□ Report deficiencies
□ Track remediation
□ Update risk assessments
Financial Reporting:
□ Prepare interim financials
□ Review accounting estimates
□ Update fair value measurements
□ Assess going concern
□ Consider disclosure changes
Annual Activities:
Audit Preparation:
□ Complete detailed planning
□ Organize audit files
□ Prepare confirmations
□ Schedule management
□ Coordinate with auditors
Process Improvement:
□ Evaluate audit efficiency
□ Implement recommendations
□ Update procedures
□ Train personnel
□ Plan for next year
This comprehensive compliance and audit guide provides the framework for maintaining the highest standards of financial control and regulatory compliance. The emphasis is on creating sustainable processes that not only meet current requirements but also position the organization for future regulatory changes and business growth.
Each section includes practical implementation guidance based on three decades of experience working with auditors, regulators, and implementing controls across diverse industries and company sizes. The goal is to transform compliance from a burden into a competitive advantage through superior financial transparency and control.