Internal Auditing’s Internal Auditing s Role in Organizational

Governance

Presented by:David A. Richards, CIA, CPA

PresidentThe Institute of Internal Auditors

david richards@theiia org

www.theiia.org

david.richards@theiia.org

AGENDA

1 What is Governance?1. What is Governance?

2. What might an organizational 2. What might an organizational governance framework look like?

3. What are the components and principles of governance?

4. What is the role of Internal Auditing

www.theiia.org2

Governance Definition Per IIA Standards

• The combination of processes and structures implemented by p ythe board in order to inform, direct, manage and monitor the , gactivities of the organization toward the achievement of its objectives.

www.theiia.org3

Governance represents the means by which di ti d t l li d t direction and control are applied to stewardship of an organisation’s assets – tangible and intangible, financial and non-tangible and intangible, financial and nonfinancial – in the pursuit and delivery of the primary objective of sustainable value

ti It i ti ll f ti f creation. It is essentially a function of leadership and direction within the organisation; appropriate risk management organisation; appropriate risk management and control over its activities; and the manner in which meaningful disclosure relating to its

ti iti i d t h d th activities is made to shareowners and other stakeholders. King II Report, 2002

South Africawww.theiia.org4

South Africa

What is Governance?

Governance isGovernance is…

A way of life that drives an organization y gforward and establishes a leadership where success and results are valued and

l b h i i i personal behavior is seen as a primary driver to helping concepts become reality.

www.theiia.org5

“Three Little Words” of Governance

•Expectations•Communications•Accountability

www.theiia.org6

Governance – Key Words

• ExpectationsWh t i d d f What is needed for success:•Policies, procedures, guidance, organization, assignment of organization, assignment of responsibilities

• CommunicationsInforming & training

• AccountabilityHolding people accountable for meeting expectations

www.theiia.org7

Why Good Governance?y

• Right visiong• Right tone• Right involvement• Right involvement• Consistent with organization’s

i imission• Consistent with expectations of

constituents

www.theiia.org8

AGENDA

1 What is Governance?1. What is Governance?

2. What might an organizational 2. What might an organizational governance framework look like?

3. What are the components andprinciples of governance?

4. What is the role of Internal Auditing

www.theiia.org9

The IIA Corporate Governance Model

EffectiveEffectiveGovernance

www.theiia.org10

Governance

• Defining roles• Defining rolesLeadership - toneEmployees carry out missionEmployees – carry out missionConstituents – interest in success

• IA role • IA role • Governance model

G i i l• Governance principles

www.theiia.org11

Governance Framework

Governance StructureHow we are organized to:

Assign responsibility Hold people accountable

Governance Practices/CultureHold people accountable

G P i i l

How we use governance components:risk, control, strategy, ethics, etc.

Governance PrinciplesUnderlying statements of expectations

www.theiia.org12

Corporate Stakeholders

Board of DirectorsBoard Committees

StaffingIndependence

Internal AuditExternal Audit

GovernanceC itt

AuditC itt

IndependenceCommitteesChartersAssessment

EthicsRiskControl

Committee Committee

Senior Management

AssessmentGov. Prin. FS Accuracy

EthicsOfficer

ComplianceOfficer

CRO CIO

I f i

DisclosureCommittee

EthicsProgram

ComplianceProgram

EWRMProgram

InformationSecurityProgram

FS disclosure& I/C Assess.

www.theiia.org13Policies, Practices & Culture

AGENDA

1 What is Governance?1. What is Governance?

2. What might an organizational2. What might an organizationalgovernance framework look like?

3. What are the components and principles of governance?

4. What is the role of Internal Auditing

www.theiia.org14

Components of Good GovernanceComponents of Good Governance• Strategy and planning• Risk management• Risk management• Tone at the top

M i d it i• Measuring and monitoring• Transformational transactions

M l i i • Management evaluation, compensation, & succession planningE t l i ti• External communications

• Board dynamics

www.theiia.org15

Governance Principlesp

• Statements of what is importantp• Visualization of governance in action• MeasurableMeasurable• Specific• Enable assignment to key leaders• Enable assignment to key leaders• Overarching statements of how things

should beshould be

www.theiia.org16

King II Governance Ch t i tiCharacteristics

• Discipline = Commitment to standards of b hbehavior

• Transparency = Disclosure of informationI d d C fli t f I t t id d• Independence = Conflicts of Interest avoided

• Accountability = To shareownersR ibilit A t f • Responsibility = Acceptance of consequences

• Fairness = Balance between stakeholders• Social Responsibility ethical environmental • Social Responsibility = ethical, environmental

and economic impacts

www.theiia.org17

King II Guiding PrinciplesKing II Guiding Principles

• Constitution & operation of board and its committees

• Performance evaluation & rewardRi k t d i t l t l• Risk management and internal control

• Internal auditS t i bilit• Sustainability

• Business ethics & organizational integrityAccounting and auditing• Accounting and auditing

• Disclosure practices

www.theiia.org18

Governance Principles1. Organization & functioning board2. Qualifications of board membersQ3. Board authority, funding, & resources4. Transparencyp y5. Articulate Strategy6. Organizational structure7. Establish policies8. Clear lines of responsibility &

accountability

Per IIA position paper April 2006

www.theiia.org19

Per IIA position paper April 2006

Governance Principles

9. Interactions (board, mgt, EA, IA)10. Strong internal controls11. Compensation policies & practices12 Ethical culture values tone at top12. Ethical culture, values, tone at top13. Use of internal auditors14. Define & implement risk mgt policies14. Define & implement risk mgt policies15. Effectively use EA16. Appropriate disclosures of key info.17. Governance process disclosure18. Related party transaction oversight

www.theiia.org20

Governance Principles -P t lPortugal

I. Disclosure of informationII. The exercising of voting and

representation rights by shareholdersIII. Corporate rulesIV. Composition of board of directorspV. Institutional investors

The CMVM (Comissão do Mercado de Valores Mobiliários) Nov 2003

www.theiia.org21

The CMVM (Comissão do Mercado de Valores Mobiliários) Nov 2003

Governance Principles -P t lPortugal

The companies issuing securities admitted to t di l t d k t it t d trading on a regulated market situated or functioning in Portugal are obliged to ensure the disclosure of a set of information on the corporate

t t d ti ith governance structure and practices either as a chapter in the annual management report specially drawn up for the purpose or as an annex to same

th i bj t t P t L … the companies subject to Portuguese Law are also subject to the CMVM’s Corporate Governance Code and to the duty to disclose information on the

t t t d ti i corporate governance structure and practices in accordance with the provided for in the CMVM’s Regulation 1/2007

il

www.theiia.org22

Per CORPORATE GOVERNANCE CODE AND LEGAL FRAMEWORK CONSOLIDATION CMVM April 2007

OECD Governance Principlesp

I. Ensuring the Basis for an EffectivegCorporate Governance Framework

• The corporate governance framework should promote transparent and efficient markets, be consistent with efficient markets, be consistent with the rule of law and clearly articulate the division of responsibilities among different supervisory regulatory and different supervisory, regulatory and enforcement authorities.

www.theiia.org23

OECD Governance Principlesp

II. The Rights of Shareholders andKey Ownership Functions

• The corporate governance framework should protect and facilitate the exercise of shareholders’ rights.

www.theiia.org24

OECD Governance Principles

III. The Equitable Treatment of Shareholders

• The corporate governance framework • The corporate governance framework should ensure the equitable treatment of all shareholders, including minority and foreign shareholders All and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for violation of their rightsfor violation of their rights.

www.theiia.org25

OECD Governance Principles

IV. The Role of Stakeholders in CorporateGovernance

• The corporate governance framework • The corporate governance framework should recognize the rights of stakeholders established by law or through mutual agreements and encourage active co-operation between corporations and stakeholders in pcreating wealth, jobs, and the sustainability of financially sound enterprises

www.theiia.org26

enterprises.

OECD Governance PrinciplesOECD Governance Principles

V. Disclosure and Transparency

h f k• The corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation performance ownership situation, performance, ownership, and governance of the company.

www.theiia.org27

OECD Governance Principlesp

VI. The Responsibilities of the Board

• The corporate governance framework should ensure the strategic guidance of the company the effective of the company, the effective monitoring of management by the board, and the board’s accountability , yto the company and the shareholders

www.theiia.org28

Kennesaw State Governance P i i lPrinciples

1. Interaction – Sound governance requires effective interaction among the board, gmanagement, the external auditor, and the internal auditor.

2. Board Purpose – The board of directors should understand that its purpose is to protect the understand that its purpose is to protect the interests of the corporation’s stockholders, while considering the interests of other stakeholders (e.g., creditors, employees, etc.).

3. Board Responsibilities – The board’s major areas of responsibility should be monitoring the CEO, overseeing the corporation’s strategy, and monitoring risks and the corporation’s control monitoring risks and the corporation s control system. Directors should employ healthy skepticism in meeting these responsibilities.

www.theiia.org29

Kennesaw State Governance P i i l ( t )Principles (cont.)

4. Independence – The major stock exchanges should define an “independent” director as one s ou d de e a depe de t d ecto as o ewho has no professional or personal ties (either current or former) to the corporation or its management other than service as a director. The vast majority of the directors should be vast majority of the directors should be independent in both fact and appearance so as to promote arms-length oversight.

5. Expertise – The directors should possess relevant p pindustry, company, functional area, and governance expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should receive detailed orientation and directors should receive detailed orientation and continuing education to assure they achieve and maintain the necessary level of expertise.

www.theiia.org30

Kennesaw State Governance Principles (cont.)

6. Meetings and Information – The board should meet frequently for extended periods of time and meet frequently for extended periods of time and should have access to the information and personnel it needs to perform its duties.

7. Leadership – The roles of Board Chair and CEO h ld b should be separate.

8. Disclosure – Proxy statements and other board communications should reflect board activities and transactions (e g insider trades) in a transparent transactions (e.g., insider trades) in a transparent and timely manner.

9. Committees – The nominating, compensation, and audit committees of the board should be composed ponly of independent directors.

10. Internal Audit – All public companies should maintain an effective, full-time internal audit function that reports directly to the audit committee

www.theiia.org31

that reports directly to the audit committee.

AGENDA

1 What is Governance?1. What is Governance?

2 What might an organizational2. What might an organizationalgovernance framework look like?

3. What are the components and principles of governance?

4. What is the role of Internal Auditing

www.theiia.org32

IIA Standards-Governance• 2110-Governance• The internal audit activity MUST

contribute to the organization's contribute to the organization s governance process by evaluating and improving the process through which (1) values and goals are international( ) gestablished and communicated, (2) the accomplishment of goals is monitored and accountability is

international

ensured, (3) risk and control information is communicated to appropriate areas of the organization;

d (4) ti iti f th b d and (4) activities of the board, external and internal auditors, and management are coordinated.

www.theiia.org33

IIA Standards-Governance

• 2110.A2 – The internal audit activity must assess audit activity must assess whether the information technology governance of th i ti t i internationalthe organization sustains and supports the organization’s strategies

international

organization s strategies and objectives.

www.theiia.org34

Glossary - Definition

Information Technology Governance• Consists of the leadership, p,

organizational structures, and processes that ensure that the enterprise’s i f i h l i d information technology sustains and supports the organization’s strategies and objectives and objectives.

www.theiia.org35

Governance Performance Governance Performance Standard 2110.A1

• The internal audit activity should l t th d i evaluate the design,

implementation, and effectiveness f th i ti ’ thi l t d of the organization’s ethics-related

programs and activities.

www.theiia.org36

Allocation of IA Effort

Best Practice reviewst

t Eff

ort

Audit

P id d i ith f Provide advice with focus onEstablishing Governance

Structure

More Structured

Governance Model

Less Structured

www.theiia.org37

What Should IA Do?

Setting Expectations:IA should:

• Help drafting of policies, procedures, processes, guidance to utilize their

- knowledge- expertise

• Ensuring Controls are build into gprocesses not added on

www.theiia.org38

What Should IA Do?Communicate:IA should:

• Assist in training programs on- Ethics- Risk identification- Control optionsControl options- Fraud awareness

• Design programsDesign programs• Participation in training sessions

www.theiia.org39

What Should IA Do?Accountability:IA should:• Perform objective assessments using

systematic, disciplined approach that i t l ti f idincorporates an evaluation of evidence

• Ensure compliance to management directives by comparison of actual to criteriadirectives by comparison of actual to criteria

• Assist in evaluation of processes to ensure efficient operations and effective efficient operations and effective accomplishment of objectives

www.theiia.org40

Types of assignmentsyp g• Expectations:

Board structure objectives dynamics–Board structure, objectives, dynamics–Board Manual reviews

B d itt t–Board committee assessments–Process for remaining aware of

requirementsrequirements–Proper assignment of organizational

responsibilities & establishment of responsibilities & establishment of Performance measurement systems

–Recruitment procedureswww.theiia.org41

– Recruitment procedures

Types of assignments

• Communication:Ed i f b d b–Education of board members

–Ethics policies and code of conduct –Employee training

•Internal controlsInternal controls•Ethics policies•Disclosures & compliance requirements•Disclosures & compliance requirements•Board policies

www.theiia.org42

Types of assignmentsyp g

•Accountability:–Ethics investigation–Management evaluation & Management evaluation & compensation

f–Board self-assessment–External communicationsExternal communications–External auditor oversight

www.theiia.org43

Good Governance is evident in:

• The way we provide information• How we value the problem identifier & • How we value the problem identifier &

solver• How people in the organization commit • How people in the organization commit

their “personal power” to perform beyond expectationsy p

• The “vision” of what is important• Expectations communicated p• Holds people accountable• Walk the TALK (do vs. say)

www.theiia.org44

Walk the TALK (do vs. say)

I t l A dit ’ R l i Internal Auditors’ Role in organizational governance

is new and often an area where

expertise and credibility is lackingcredibility is lacking

THUS: The Real Challenge!!!THUS: The Real Challenge!!!

www.theiia.org45