Internal AuditingInternal Auditing s ’s Role in ... · IIA Standards-Governance •...
Transcript of Internal AuditingInternal Auditing s ’s Role in ... · IIA Standards-Governance •...
Internal Auditing’s Internal Auditing s Role in Organizational
Governance
Presented by:David A. Richards, CIA, CPA
PresidentThe Institute of Internal Auditors
david richards@theiia org
www.theiia.org
AGENDA
1 What is Governance?1. What is Governance?
2. What might an organizational 2. What might an organizational governance framework look like?
3. What are the components and principles of governance?
4. What is the role of Internal Auditing
www.theiia.org2
Governance Definition Per IIA Standards
• The combination of processes and structures implemented by p ythe board in order to inform, direct, manage and monitor the , gactivities of the organization toward the achievement of its objectives.
www.theiia.org3
Governance represents the means by which di ti d t l li d t direction and control are applied to stewardship of an organisation’s assets – tangible and intangible, financial and non-tangible and intangible, financial and nonfinancial – in the pursuit and delivery of the primary objective of sustainable value
ti It i ti ll f ti f creation. It is essentially a function of leadership and direction within the organisation; appropriate risk management organisation; appropriate risk management and control over its activities; and the manner in which meaningful disclosure relating to its
ti iti i d t h d th activities is made to shareowners and other stakeholders. King II Report, 2002
South Africawww.theiia.org4
South Africa
What is Governance?
Governance isGovernance is…
A way of life that drives an organization y gforward and establishes a leadership where success and results are valued and
l b h i i i personal behavior is seen as a primary driver to helping concepts become reality.
www.theiia.org5
“Three Little Words” of Governance
•Expectations•Communications•Accountability
www.theiia.org6
Governance – Key Words
• ExpectationsWh t i d d f What is needed for success:•Policies, procedures, guidance, organization, assignment of organization, assignment of responsibilities
• CommunicationsInforming & training
• AccountabilityHolding people accountable for meeting expectations
www.theiia.org7
Why Good Governance?y
• Right visiong• Right tone• Right involvement• Right involvement• Consistent with organization’s
i imission• Consistent with expectations of
constituents
www.theiia.org8
AGENDA
1 What is Governance?1. What is Governance?
2. What might an organizational 2. What might an organizational governance framework look like?
3. What are the components andprinciples of governance?
4. What is the role of Internal Auditing
www.theiia.org9
The IIA Corporate Governance Model
EffectiveEffectiveGovernance
www.theiia.org10
Governance
• Defining roles• Defining rolesLeadership - toneEmployees carry out missionEmployees – carry out missionConstituents – interest in success
• IA role • IA role • Governance model
G i i l• Governance principles
www.theiia.org11
Governance Framework
Governance StructureHow we are organized to:
Assign responsibility Hold people accountable
Governance Practices/CultureHold people accountable
G P i i l
How we use governance components:risk, control, strategy, ethics, etc.
Governance PrinciplesUnderlying statements of expectations
www.theiia.org12
Corporate Stakeholders
Board of DirectorsBoard Committees
StaffingIndependence
Internal AuditExternal Audit
GovernanceC itt
AuditC itt
IndependenceCommitteesChartersAssessment
EthicsRiskControl
Committee Committee
Senior Management
AssessmentGov. Prin. FS Accuracy
EthicsOfficer
ComplianceOfficer
CRO CIO
I f i
DisclosureCommittee
EthicsProgram
ComplianceProgram
EWRMProgram
InformationSecurityProgram
FS disclosure& I/C Assess.
www.theiia.org13Policies, Practices & Culture
AGENDA
1 What is Governance?1. What is Governance?
2. What might an organizational2. What might an organizationalgovernance framework look like?
3. What are the components and principles of governance?
4. What is the role of Internal Auditing
www.theiia.org14
Components of Good GovernanceComponents of Good Governance• Strategy and planning• Risk management• Risk management• Tone at the top
M i d it i• Measuring and monitoring• Transformational transactions
M l i i • Management evaluation, compensation, & succession planningE t l i ti• External communications
• Board dynamics
www.theiia.org15
Governance Principlesp
• Statements of what is importantp• Visualization of governance in action• MeasurableMeasurable• Specific• Enable assignment to key leaders• Enable assignment to key leaders• Overarching statements of how things
should beshould be
www.theiia.org16
King II Governance Ch t i tiCharacteristics
• Discipline = Commitment to standards of b hbehavior
• Transparency = Disclosure of informationI d d C fli t f I t t id d• Independence = Conflicts of Interest avoided
• Accountability = To shareownersR ibilit A t f • Responsibility = Acceptance of consequences
• Fairness = Balance between stakeholders• Social Responsibility ethical environmental • Social Responsibility = ethical, environmental
and economic impacts
www.theiia.org17
King II Guiding PrinciplesKing II Guiding Principles
• Constitution & operation of board and its committees
• Performance evaluation & rewardRi k t d i t l t l• Risk management and internal control
• Internal auditS t i bilit• Sustainability
• Business ethics & organizational integrityAccounting and auditing• Accounting and auditing
• Disclosure practices
www.theiia.org18
Governance Principles1. Organization & functioning board2. Qualifications of board membersQ3. Board authority, funding, & resources4. Transparencyp y5. Articulate Strategy6. Organizational structure7. Establish policies8. Clear lines of responsibility &
accountability
Per IIA position paper April 2006
www.theiia.org19
Per IIA position paper April 2006
Governance Principles
9. Interactions (board, mgt, EA, IA)10. Strong internal controls11. Compensation policies & practices12 Ethical culture values tone at top12. Ethical culture, values, tone at top13. Use of internal auditors14. Define & implement risk mgt policies14. Define & implement risk mgt policies15. Effectively use EA16. Appropriate disclosures of key info.17. Governance process disclosure18. Related party transaction oversight
www.theiia.org20
Governance Principles -P t lPortugal
I. Disclosure of informationII. The exercising of voting and
representation rights by shareholdersIII. Corporate rulesIV. Composition of board of directorspV. Institutional investors
The CMVM (Comissão do Mercado de Valores Mobiliários) Nov 2003
www.theiia.org21
The CMVM (Comissão do Mercado de Valores Mobiliários) Nov 2003
Governance Principles -P t lPortugal
The companies issuing securities admitted to t di l t d k t it t d trading on a regulated market situated or functioning in Portugal are obliged to ensure the disclosure of a set of information on the corporate
t t d ti ith governance structure and practices either as a chapter in the annual management report specially drawn up for the purpose or as an annex to same
th i bj t t P t L … the companies subject to Portuguese Law are also subject to the CMVM’s Corporate Governance Code and to the duty to disclose information on the
t t t d ti i corporate governance structure and practices in accordance with the provided for in the CMVM’s Regulation 1/2007
il
www.theiia.org22
Per CORPORATE GOVERNANCE CODE AND LEGAL FRAMEWORK CONSOLIDATION CMVM April 2007
OECD Governance Principlesp
I. Ensuring the Basis for an EffectivegCorporate Governance Framework
• The corporate governance framework should promote transparent and efficient markets, be consistent with efficient markets, be consistent with the rule of law and clearly articulate the division of responsibilities among different supervisory regulatory and different supervisory, regulatory and enforcement authorities.
www.theiia.org23
OECD Governance Principlesp
II. The Rights of Shareholders andKey Ownership Functions
• The corporate governance framework should protect and facilitate the exercise of shareholders’ rights.
www.theiia.org24
OECD Governance Principles
III. The Equitable Treatment of Shareholders
• The corporate governance framework • The corporate governance framework should ensure the equitable treatment of all shareholders, including minority and foreign shareholders All and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for violation of their rightsfor violation of their rights.
www.theiia.org25
OECD Governance Principles
IV. The Role of Stakeholders in CorporateGovernance
• The corporate governance framework • The corporate governance framework should recognize the rights of stakeholders established by law or through mutual agreements and encourage active co-operation between corporations and stakeholders in pcreating wealth, jobs, and the sustainability of financially sound enterprises
www.theiia.org26
enterprises.
OECD Governance PrinciplesOECD Governance Principles
V. Disclosure and Transparency
h f k• The corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation performance ownership situation, performance, ownership, and governance of the company.
www.theiia.org27
OECD Governance Principlesp
VI. The Responsibilities of the Board
• The corporate governance framework should ensure the strategic guidance of the company the effective of the company, the effective monitoring of management by the board, and the board’s accountability , yto the company and the shareholders
www.theiia.org28
Kennesaw State Governance P i i lPrinciples
1. Interaction – Sound governance requires effective interaction among the board, gmanagement, the external auditor, and the internal auditor.
2. Board Purpose – The board of directors should understand that its purpose is to protect the understand that its purpose is to protect the interests of the corporation’s stockholders, while considering the interests of other stakeholders (e.g., creditors, employees, etc.).
3. Board Responsibilities – The board’s major areas of responsibility should be monitoring the CEO, overseeing the corporation’s strategy, and monitoring risks and the corporation’s control monitoring risks and the corporation s control system. Directors should employ healthy skepticism in meeting these responsibilities.
www.theiia.org29
Kennesaw State Governance P i i l ( t )Principles (cont.)
4. Independence – The major stock exchanges should define an “independent” director as one s ou d de e a depe de t d ecto as o ewho has no professional or personal ties (either current or former) to the corporation or its management other than service as a director. The vast majority of the directors should be vast majority of the directors should be independent in both fact and appearance so as to promote arms-length oversight.
5. Expertise – The directors should possess relevant p pindustry, company, functional area, and governance expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should receive detailed orientation and directors should receive detailed orientation and continuing education to assure they achieve and maintain the necessary level of expertise.
www.theiia.org30
Kennesaw State Governance Principles (cont.)
6. Meetings and Information – The board should meet frequently for extended periods of time and meet frequently for extended periods of time and should have access to the information and personnel it needs to perform its duties.
7. Leadership – The roles of Board Chair and CEO h ld b should be separate.
8. Disclosure – Proxy statements and other board communications should reflect board activities and transactions (e g insider trades) in a transparent transactions (e.g., insider trades) in a transparent and timely manner.
9. Committees – The nominating, compensation, and audit committees of the board should be composed ponly of independent directors.
10. Internal Audit – All public companies should maintain an effective, full-time internal audit function that reports directly to the audit committee
www.theiia.org31
that reports directly to the audit committee.
AGENDA
1 What is Governance?1. What is Governance?
2 What might an organizational2. What might an organizationalgovernance framework look like?
3. What are the components and principles of governance?
4. What is the role of Internal Auditing
www.theiia.org32
IIA Standards-Governance• 2110-Governance• The internal audit activity MUST
contribute to the organization's contribute to the organization s governance process by evaluating and improving the process through which (1) values and goals are international( ) gestablished and communicated, (2) the accomplishment of goals is monitored and accountability is
international
ensured, (3) risk and control information is communicated to appropriate areas of the organization;
d (4) ti iti f th b d and (4) activities of the board, external and internal auditors, and management are coordinated.
www.theiia.org33
IIA Standards-Governance
• 2110.A2 – The internal audit activity must assess audit activity must assess whether the information technology governance of th i ti t i internationalthe organization sustains and supports the organization’s strategies
international
organization s strategies and objectives.
www.theiia.org34
Glossary - Definition
Information Technology Governance• Consists of the leadership, p,
organizational structures, and processes that ensure that the enterprise’s i f i h l i d information technology sustains and supports the organization’s strategies and objectives and objectives.
www.theiia.org35
Governance Performance Governance Performance Standard 2110.A1
• The internal audit activity should l t th d i evaluate the design,
implementation, and effectiveness f th i ti ’ thi l t d of the organization’s ethics-related
programs and activities.
www.theiia.org36
Allocation of IA Effort
Best Practice reviewst
t Eff
ort
Audit
P id d i ith f Provide advice with focus onEstablishing Governance
Structure
More Structured
Governance Model
Less Structured
www.theiia.org37
What Should IA Do?
Setting Expectations:IA should:
• Help drafting of policies, procedures, processes, guidance to utilize their
- knowledge- expertise
• Ensuring Controls are build into gprocesses not added on
www.theiia.org38
What Should IA Do?Communicate:IA should:
• Assist in training programs on- Ethics- Risk identification- Control optionsControl options- Fraud awareness
• Design programsDesign programs• Participation in training sessions
www.theiia.org39
What Should IA Do?Accountability:IA should:• Perform objective assessments using
systematic, disciplined approach that i t l ti f idincorporates an evaluation of evidence
• Ensure compliance to management directives by comparison of actual to criteriadirectives by comparison of actual to criteria
• Assist in evaluation of processes to ensure efficient operations and effective efficient operations and effective accomplishment of objectives
www.theiia.org40
Types of assignmentsyp g• Expectations:
Board structure objectives dynamics–Board structure, objectives, dynamics–Board Manual reviews
B d itt t–Board committee assessments–Process for remaining aware of
requirementsrequirements–Proper assignment of organizational
responsibilities & establishment of responsibilities & establishment of Performance measurement systems
–Recruitment procedureswww.theiia.org41
– Recruitment procedures
Types of assignments
• Communication:Ed i f b d b–Education of board members
–Ethics policies and code of conduct –Employee training
•Internal controlsInternal controls•Ethics policies•Disclosures & compliance requirements•Disclosures & compliance requirements•Board policies
www.theiia.org42
Types of assignmentsyp g
•Accountability:–Ethics investigation–Management evaluation & Management evaluation & compensation
f–Board self-assessment–External communicationsExternal communications–External auditor oversight
www.theiia.org43
Good Governance is evident in:
• The way we provide information• How we value the problem identifier & • How we value the problem identifier &
solver• How people in the organization commit • How people in the organization commit
their “personal power” to perform beyond expectationsy p
• The “vision” of what is important• Expectations communicated p• Holds people accountable• Walk the TALK (do vs. say)
www.theiia.org44
Walk the TALK (do vs. say)
I t l A dit ’ R l i Internal Auditors’ Role in organizational governance
is new and often an area where
expertise and credibility is lackingcredibility is lacking
THUS: The Real Challenge!!!THUS: The Real Challenge!!!
www.theiia.org45