National Police Board, 16 September 2009

Elisabeth Styf, President ECIIA

Chief Audit Executive for the Swedish Police Service: 21 police authorities, the National Criminal Police (NCP), the Police Academy and The Swedish National Laboratory of Forensic Science

Prior experience as CAE at listed companies and public entities

IAS Conference 13 October 2009

• My view and experience of corporate governance on the EU level

• My view and experience of internal audit of the management control system

UK Cadbury 1992

USA - SOX 404 2002

2002 - The Winter-report EU’s action plan -

Individual country codes of corporate governance

The European capital markets became more and more integrated

2006: The European Union was adopting a common approach covering:

• a few essential rules and

• ensuring adequate coordination of national corporate governance codes.

But

A step back

Important steps for Internal Auditing up until now:

Listed companies to include in the annual report a descriptive statement covering the key elements of their corporate governance structure and practice (Amendment of the 4th and 7th Company Directives (2006/46/EC))

Audit committees of listed companies to monitor the effectiveness of the company's internal control, internal audit where applicable and risk management systems (Amendment of the 8th Company Directive (2006/43/EC))

EU directive ……. internal audit where applicable

What are the expectations of internal auditing from the regulators?

Many countries' National Corporate Governance Codes in Europe do not include internal audit as mandatory

To compare with …….

•Sarbanes-Oxley Act

Internal audit - Mandatory

•King III report – draft

Internal audit - Mandatory

Mandatory within certain sectors in Europe

•Internal Audit in Banks

The Basel Committee's Internal Audit Paper states that each bank should have a permanent internal audit function.

•Internal Audit in Insurance and Reinsurance

Solvency II: System of Governance – Draft

Insurance and reinsurance undertakings shall provide for an effective internal audit function.

•Public Sector

Mostly mandatory

Should Internal Auditing be mandatory on the European level?

33 National IIA Institutes in Europe

ECIIA

The Institute of Internal Auditors (IIA)

ECIIA - European Confederation of Institutes of Internal Auditing – Limited resources – mainly based upon voluntary work

The main objective for ECIIA is to promote the value of internal audit in Europe

ECIIA: to be the Internal Auditors' National Institutes' consolidated voice of internal auditing in Europe

Why promote the value of Internal Audit?

Because I.A. should be one of the pillars in the corporate governance structure

To establish a relationship with other organizations representing the pillars in corporate governance = the board of directors, senior management and external auditors

internal auditing in …… position papers and in regulatory guidance

Harmonizing: European companies need to be able to do business across national borders within the EU

Internal audit complies with international standards all over Europe

Internal auditing is bringing value to the organizations

•We are working systematically with elaborated standards

•We are certified (CIA, … )

•We have a quality assurance program

•We are the experts in corporate governance, risk management, internal control etc.

•We are not competing with risk managers, compliance officers, internal control officers etc.

It should not be difficult to convince the Regulators and the Board that internal auditing is bringing value to organizations

[Diagram: Organizations that ECIIA has established a relationship with. Labels: The Company; Board and A.C.; The Management; External Audit (Private/Public); EU Parliament, European Commission; European Confederation of Directors Associations (Ecoda.org); European Issuers; Fédération des Experts Comptables Européens (FEE); EUROSAI]

How could internal auditors be involved in the management control system?

My experience as Chief Audit Executive

• Listed companies (financial institutes as well as non-financial companies)

• Government authorities

Regulations in Sweden regarding Internal auditing

For listed companies that do not have a separate internal audit function, the board of directors is to evaluate the need for such a function annually and to justify its decision in its report on internal controls.

For financial institutes - the board should ensure that there is a function that examines and evaluates the internal control (including risk control and compliance function). In the companies that have an internal auditing function, internal audit should be that function.

For a number of government authorities – must have an internal audit function.

The scope of the internal auditing should cover all of the organisation's activities – the work is based on risk assessment.

Regulation (2007:603) on the internal control in Sweden

The government needs to ensure that its different entities fulfil their operational responsibilities and meet the requirements regarding

– operating efficient activities,

– current law and other obligations arising from Sweden's membership in the European Union,

– having reliable and accurate accounting, and

– good management of government funds

The internal audit should be based on an analysis of operational risks

Independent review of management's internal governance and control

The Objectives for the Swedish Police

• To reduce the opportunities for committing crime

• To prosecute more crimes and increase the quality of crime investigations

• To execute other tasks than investigating crimes on the basis of public needs through prompt and correct handling, good service and a high level of availability

Different entities within the Swedish Police that are audited

• The National Police Board

• 21 Local Police Authorities

• The Police Academy

• National Criminal Police

• The Swedish National Laboratory of Forensic Science

Internal audit of the management control system

[Diagram. Labels: Government instructions; The Police Board (Board); Objectives and strategies; Goals; Control activities; Risks; Internal audit; audited entities: Local police authorities, The Police Academy, National Criminal Police, The Swedish National Laboratory of Forensic Science]

The strategy and the plans of the Swedish police

[Diagram. Labels: Yearly Governmental instructions; Temporary instructions from politicians; Laws and regulations; Main objectives; Strategies; 3 Main processes; Process goals; Key controls; Total risk appetite; Sub-process I; Sub-process II; Sub-process III; Local goals; Appropriate risk level?; To ensure it works; Increase / decrease]

Audit planning process

[Diagram. Labels: Input; Output; External Auditors' Risk assessment and Planned Activities; The different entities; Risk Assessment; Governmental instructions; Regulatory/Legal Requirements; Internal audit; Risk Assessment; Audit Plan/Audit Work Proposal; Board Approval; Final audit plans]

Is the COSO framework an effective tool to ensure that the management control system works?

Does the management control system work within all entities?

Risk management process

Information and communication

Control environment

Control activities

The management and the board have to ensure that everything works as it should

Documentation

Internal audit of the management control system

Internal Environment

•Is there a formalized and communicated set of ethical values?

•Are the right people, skills, tools and resources in place to achieve the objectives of the entity/ business unit / process?

Internal audit of the management control system

Risk Identification

Risk Valuation

•Avoidance, •Reduction, •Sharing and •Acceptance

Has management assessed the costs versus the benefits of potential risk responses?

Does management utilize reliable techniques to identify the risks?

Internal audit of the management control system

Does management consider how risk responses and control activities interrelate when designing control activities?

Control activities

Internal as well as external information

Information and Communication

Internal audit of the management control system

• Is there a process of ongoing monitoring in place for the enterprise risk management mechanism within normal operating activities?

• Is there a periodic evaluation of the effectiveness of your enterprise risk management procedures?

Monitoring and documentation

Internal audit of the management control system

[Diagram. Labels: The police authority; Risk analysis; High risk areas; Internal audit plan; Internal audit's visit; Audit recommendations; Planned control activities; Internal audit's visit; New routines; Lower risk]

Internal audit of the management control system

Should Internal Auditing be mandatory on the European level?

Is the COSO framework an effective tool to ensure that the management control system works?

Thank you
