1 National Police Board 16 September 2009 Elisabeth Styf President ECIIA Chief Audit Executive for...

Post on 10-Dec-2015


1 National Police Board 16 September 2009

Elisabeth Styf President ECIIA

Chief Audit Executive for the Swedish Police Service

21 police authorities, the National Criminal Police (NCP), the Police Academy and The Swedish National Laboratory of Forensic Science

Prior experience as CAE at listed companies and public entities

IAS Conference 13 October 2009


• My view and experience of corporate governance on the EU level

• My view and experience of internal audit of the management control system


UK Cadbury 1992

USA - SOX 404 2002

2002 - The Winter-report EU’s action plan -

Individual country codes of corporate governance

The European capital markets became more and more integrated

2006: The European Union was adopting a common approach covering:

• a few essential rules and

• ensuring adequate coordination of national corporate governance codes.

But

A step back


Important steps for Internal Auditing up until now:

Listed company to include in the annual report a descriptive statement covering the key elements of their corporate governance structure and practice (Amendment of the 4th and 7th Company Directives (2006/46/EC))

Audit committee of listed companies to monitor the effectiveness of the company's internal control, internal audit where applicable and risk management systems (Amendment of the 8th Company Directives (2006/43/EC))


EU directive ……. internal audit where applicable

What are the expectations of internal auditing from the regulators?

Many countries’ National Corporate Governance Codes in Europe do not include internal audit as mandatory


To compare with …….

•Sarbanes-Oxley Act

Internal audit - Mandatory

•King III report – draft

Internal audit - Mandatory


Mandatory within certain sectors in Europe

•Internal Audit in Banks

The Basel Committee’s Internal Audit Paper states that each bank should have a permanent internal audit function.

•Internal Audit in Insurance and Reinsurance

Solvency II: System of Governance – Draft Insurance and reinsurance undertakings shall provide for an effective internal audit function.

•Public Sector

Mostly mandatory


Should Internal Auditing be mandatory on the European level?


33 National IIA Institutes in Europe

ECIIA

The Institute of Internal Auditors (IIA)

ECIIA - European Confederation of Institutes of Internal Auditing – Limited resources – mainly based upon voluntary work


The main objective for ECIIA is to promote the value of internal audit in Europe

ECIIA: to be the National Institutes’ consolidated voice of internal auditing in Europe


Why promote the value of Internal Audit

Because I.A. should be one of the pillars in the corporate governance structure

To establish a relationship with other organizations representing the pillars in corporate governance

= The board of directors, senior management and external auditors

internal auditing in …… position papers and in regulatory guidance


Harmonizing

European companies need to be able to do business across national borders within the EU

Internal audit complies with international standards all over Europe

Internal auditing is bringing value to the organizations


•We are working systematically with elaborated standards

•We are certified (CIA, … )

•We have a quality assurance program

•We are the experts in corporate governance, risk management, internal control etc.

•We are not competing with risk managers, compliance officers, internal control officers etc.

It should not be difficult to convince the Regulators and the Board that internal auditing is bringing value to organizations


Board and A.C.

The Management

EU Parliament, European Commission

External Audit Private/Public

The Company

European Confederation of Directors Associations Ecoda.org

European Issuers

Fédération des Experts Comptables Européens FEE

EUROSAI

Organizations that ECIIA has established a relationship with


How could internal auditors be involved in the management control system?


My experience as Chief Audit Executive

• Listed companies (financial institutes as well as non-financial companies)

• Government authorities


Regulations in Sweden regarding Internal auditing

For listed companies that do not have a separate internal audit function, the board of directors is to evaluate the need for such a function annually and to justify its decision in its report on internal controls.

For financial institutes - the board should ensure that there is a function that examines and evaluates the internal control (including risk control and compliance function). In the companies that have an internal auditing function, internal audit should be that function.

A number of government authorities must have an internal audit function.

The scope of the internal auditing should cover all of the organisation’s activities – the work is based on risk assessment.


Regulation (2007:603) on the internal control in Sweden

The government needs to ensure that its different entities fulfil their operational responsibilities and meet the requirements regarding

– operating efficient activities,

– current law and other obligations arising from Sweden's membership in the European Union,

– having reliable and accurate accounting, and

– good management of government funds

The internal audit should be based on an analysis of operational risks

Independent review of management's internal governance and control


The Objectives for the Swedish Police

• To reduce the opportunities for committing crime

• To prosecute more crimes and increase the quality of crime investigations

• To execute other tasks than investigating crimes on the basis of public needs through prompt and correct handling, good service and a high level of availability


Different entities within the Swedish Police that are audited

• The National Police Board

• 21 Local Police Authorities

• The Police Academy

• National Criminal Police

• The Swedish National Laboratory of Forensic Science


Board

Government instructions

Objectives and strategies

Goals Control activities

Risks

Internal audit

Internal audit of the management control system

The Police Board

•Local police authorities

•The Police Academy

•National Criminal Police

•The Swedish National Laboratory of Forensic Science


Main objectives

Strategies

3 Main processes

Process goals

Key controls

Total risk appetite

Sub-process I

Sub-process II

Sub-process III

Local goals

Appropriate risk level?

To ensure it works

Increase / decrease

The strategy and the plans of the Swedish police

Yearly Governmental instructions

Temporary instructions from politicians

Laws and regulations


External Auditors' Risk assessment and Planned Activities

The different entities

Risk Assessment

Governmental instructions

Audit Plan/Audit Work Proposal

Regulatory/Legal Requirements

Final audit plans

Input / Output

Board Approval

Audit planning process

Internal audit

Risk Assessment


Is the COSO framework an effective tool to ensure that the management control system works?


Does the management control system work within all entities?

Risk management process

Information and communication

Control environment

Control activities

The management and the board have to ensure that everything works as it should

Documentation

Internal audit of the management control system


Internal Environment

•Is there a formalized and communicated set of ethical values?

•Are the right people, skills, tools and resources in place to achieve the objectives of the entity/ business unit / process?

Internal audit of the management control system


Risk Identification

Risk Valuation

•Avoidance, •Reduction, •Sharing and •Acceptance

Has management assessed the costs versus the benefits of potential risk responses?

Does management utilize reliable techniques to identify the risks?

Internal audit of the management control system


Does management consider how risk responses and control activities interrelate when designing control activities?

Control activities

Internal as well as external information

Information and Communication

Internal audit of the management control system


• Is there a process of ongoing monitoring in place for enterprise risk management mechanisms within normal operating activities?

• Is there a periodic evaluation of the effectiveness of your enterprise risk management procedures?

Monitoring and documentation

Internal audit of the management control system


High Risk areas

Internal audit plan

Risk analysis

Audit recommendations

Planned control activities

Internal audit's visit

Internal audit's visit

New routines

Lower risk

The police authority

Internal audit of the management control system


Should Internal Auditing be mandatory on the European level?

Is the COSO framework an effective tool to ensure that the management control system works?

Thank you

Elisabeth.styf@rps.police.se