1

The Governance

Role of Internal

AuditMs. Jenitha John

IIA Global Board Member

2

PARTICIPATE IN Q&A• Download the IIA Conferences App to

participate in Q&A during select

sessions

• Select the session through the

schedule icon

• Submit your questions for the session

or to specific presenters by selecting

the ASK icon

• Ask a member of the Conference Staff

if you need assistance

• You can also go to https://ic.cnf.io/ from

your mobile device web browser

3

New Realities

Responsibilities for

Corporate

Governance

Governance

Defined

Internal Audit

ValueCorporate Culture

The Role of Internal

Audit

Combined

Assurance

Governance

Review

4

Corporate scandals

Business model rethink against technology disruption (VUCA)

Changing global economic & political conditions

Cybersecurity threats

Competition for talent and workforce demographics

Increased regulatory burden

Consumer spending and behavior

Investor activism

Blended value proposition

Public, private partnerships and the role of government

Evolution of inclusive capitalism (profits vs. wages)

Energy: supply-chain volatility, geopolitical upheaval, climate change

Financial Services: fintech disruption, industry consolidation, and regulatory change

Consumer Goods: digital disruption, industry consolidation, and changing demographics influencing consumer behaviors

New Realities

5

Scale, speed and severity of crisis

Many risks happen

simultaneously

Diverse range of assurance providers

– specialists vs. enthusiasts

Business complexity – burdensome

processes, legacy IT platforms

Risk governance did not link strategy, risk management & risk

bearing capacity

Global pressure now to sharpen risk focus, improve

assurance

“One view – one risk aggregation”

Assessing the cost and effectiveness of

risk and controls

Connected world –Internet of things

Governance no longer mindless

compliance

Information required to predict the future

Cyber Threats

Stay Attuned to the Landscape

6

Lessons from Corporate Scandals

Auditors – both internal and external,–

scope influence, fear of loss of incentive,

complacency, over reliance

IFRS is subject to management discretion

and interpretation – accounting standards

cannot stop fraud

Over reliance on single KPIs – like EPS, focus on

good news culture, ROIC/EVA to be considered

Boards become beholden to management.

Weak Board Chairman, understatement test

of Board packs

Culture & Ethics - Establish and demand the

integrity of disclosures – Autocratic executives, rule

by fear

Gap between remuneration and performance –

personal enrichment & dysfunctional behaviourBoard Management

Analysts RegulatorsBanks

Investors

Consultants Auditors

Customers

Employees

CreditorsSponsor

Consultants

7

What is Governance?

Processes and structures designed to help organizations achieve their objectives

Corporate governance is defined as the exercise of ethical and effective leadership by boards towards the achievement of ethical

culture, good performance, effective control and legitimacy

(King IV Report on Corporate Governance South Africa)

Fundamentally about improving transparency

and accountability

8

Good governance means…

Accountability:Responsibility for

ones own decisions

and actions, and

ensuring they can be

explained and clarified

Responsibility:Reliable and

efficient

performance of

duties, to the best

of ones abilities

Equitable

Treatment:Fair and equitable

treatment of all

stakeholders

Transparency:Ensuring corporate

operations can be

examined and

information is

disclosed to relevant

parties

Ethics:Existence of

business ethics

and code of

conduct

9

Compliance vs Governance

Compliance is tactical in nature

• Reactionary

• Demonstrate that laws and regulations adhered to

• Consequences for non-compliance

Both are essential for short-term competitive advantage as well as

long-term economic gains

Governance is strategic, and optional

• Focus on reducing risks

• Stimulate growth

• Ensure business continuity

10

Responsibility for Corporate Governance

• Ultimate responsibility for governance

• Establish an effective audit committee as a key tool to provide strengthened oversight

• Set ‘tone at the top’ and support the audit function

Board

• Establish sound controls within key business processes

• Obtain assurance via internal audit functionManagement

• Seek assurance that interests are well-managed

• Appoint external auditorsShareholders

• Regulators place governance requirements on BoardsOther Stakeholders

11

Board Committees

Board’s

Role in

Corporate

Governanc

e

Establish

structures and

processes taking

into

consideration

perspectives of

all stakeholders

Oversee and

monitor

strategic,

operational,

financial and

compliance risk

exposures

Collaborate with

management in

setting risk

appetite, risk

tolerance and

alignment with

strategic priorities

Use audit

committee to

provide

strengthened

oversight

12

Roles and Responsibilities of an Audit Committee

7. Finance

Management

6. Technology

Controls5. Compliance 4. Ethics

3. Risk

Management

2. Internal

Controls

1. Financial

Reporting

8. Internal

Audit

9. External

Audit

13

Audit committee effectiveness on Governance

Financial statements

Risk management

Establish direct reporting relationship with external auditors, and provide oversight on scope, independence, rotation, compensation etc.

External audit

Internal controlsInternal controls

Compliance

Management

Internal audit

Ensure financial statements are understandable, transparent and reliable

Ensure a comprehensive, sustainable and effective risk management function, with appropriate risk appetite and monitoring established

Monitor the ‘tone at the top’ - should reinforce an organizational commitment to strong and effective internal controls

Review of organization’s programs, policies and standards relating to adherence with legislation, ethics, fraud investigations etc. Review of current and pending litigation cases against the organization

Communication with senior management on current matters, new developments and matters requiring heightened attention. Provide challenge.

Reviewing audit plans, charter, reports and significant findings. Ensure appropriate risk coverage.Encourage communication between internal audit and the committee.

14

Other requirements for an effective Audit Committee

•Composition and mandate (long-term thinking)

•Clear focus and priorities

•Interaction with other board committees

•Tone of the audit committee (status and standing)

•Preparedness for meetings - drive robust discussions

•ERM effectiveness

•Culture and tone of the organization

•Walking the floor of the organization

•Competency of the company secretary

•Understanding of regulatory impact

•Quality of the audit committee pack

•In camera meetings with management, internal

auditors, external auditors

15

Use in-depth understanding to debate root causes, exposure and remediation –be resolute with follow ups

Assurance –informed and unbiased critique of governance processes, risk management and internal control

Role of Internal Audit

Prognosticator – use foresight identify trends and bring attention to emerging challenges

Enabler –enable informed decision making towards organizational success & value creation

Resources -Effective

utilization of resources

Provide insight on effectiveness and efficiency of key internal controls to management and Board

16

Internal Audit Standard 2110 - GovernanceThe internal audit activity must assess and make appropriate recommendations to

improve the organization’s governance processes for:

Making strategic and operational decisions.

Overseeing risk management and control.

Promoting appropriate ethics and values within the organization.

Ensuring effective organizational performance management and accountability.

Communicating risk and control information to appropriate areas of the organization.

Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.

17

Internal Audit’s Governance Mandate

Governance = processes

and structures designed to

help an organization

achieve its objectives

• Influenced by inherent

risks impeding ability to

achieve objectives

• Business controls to

identify and mitigate

risks

• Business conduct policy

to shape culture, values

and philosophy

Internal Audit provides

assurance by assessing and

reporting on the adequacy

and effectiveness of:

• Governance processes

• Risk Management

• Internal Controls

18

Components to Audit in a Governance Review

Corporate Culture

Risk Culture

Information Governance

Technology Governance

Project Governance

Fraud Governance

People Governance

Third Party Governance

Risk Management process maturity

Stakeholder Management

19

Scope & Approach of Governance ReviewsIn

tern

al A

ud

it

Advisory

(Test Design)

Audit Approach – Interviews with key stakeholders, examine charters, philosophy – how does governance

translate into corporate objectives

Understand business environment incl. strategy, governance, regulations, KPI’s

Preliminary reporting on initial inadequacies

Audit

(Test Effectiveness)

Examine Portfolio of evidence – Minutes of Board meetings, Delegation of authority, risk appetite,

remuneration alignment

Reporting

Communicate results of audit to management – identify root cause, assess impact, accountability, conduct issue

remediation workshop

Analyze all governance audit findings in the database

Communicate final consolidated view to governance committees / key stakeholders

Enables strategic and

operational decision-

making

20

Corporate Culture

Corporate culture is the pervasive values, beliefs and attitudes that characterize a company

and guides its practices

It is largely determined by the behaviors an organization rewards and recognizes, both

formally and informally, explicitly and implicitly

A strong culture:

• supports the vision, mission and values of an organization.

• attracts and retains talent because people feel connected to the organization.

• helps build reputation and brand.

• strengthens customer satisfaction and loyalty. Can be a competitive advantage.

• curbs bribery, corruption and other unethical practices.

• can be a significant liability when misaligned with strategy.

21

Roles regarding Corporate Culture

HR

Shape, reinforce, change

culture

Alignment through recruitment,

training, performance

management,

reward/recognition

Risk & Compliance

Ensure risk appetite is set and

adhered to

Monitoring and measuring risk

culture

Perform culture risk

assessments

Internal Audit

Assurance over risk management

adequacy and effectiveness

Assurance on actions aligned to

risk appetite

Insight on whether lived culture is

aligned to desired culture

Board

Sets the Tone at the Top

Establishes ethical framework

Approves Risk Appetite

Corporate Culture Oversight

ASSURANCE PROVIDERS

Management

Sets the tone - top and middle

Develops the philosophy, ethical

framework/values

Risk appetite implementation and

monitoring of desired culture

EX

TE

RN

AL

AU

DIT

& R

EG

UL

AT

OR

S

22

Good governance systems are designed to help organizations

• focus on the activities that contribute most to their overall objectives,

• use their resources effectively, and

• ensure that they are managed in the best interests of all stakeholders.

Combined Assurance

Integrating, coordinating, and aligning the risk management and assurance processes to optimise and maximise the level of risk, governance, and control oversight over the organisation’s risk landscape.” Combined Assurance entails assurance providers working more closely together to ensure:

• the right amount of assurance

• in the right areas

• from people with the best and most relevant skills

• as cost effectively as possible

23

Governance Assurance Providers

• Management - Management

holds ultimate responsibility

for managing risks & controls

• Internal & External Assurance

-Objective and independent

assurance is provided by

Internal and External audit and

professional experts

• Combined Assurance - Leads

to continuous improvement,

operational excellence, and

minimises duplication of effort

between assurance providers

Internal Assurance

•Risk management

•Regulatory Compliance

• Internal Audit

•Legal, Company

secretary

•Health and Safety, FraudManagement

•Strategy,

Operations

•Finance & Treasury

• IT, HR, Product

development, Sales

•Supply chain /

Distribution/Produc

tion

•Oversight etc.

External Assurance

•External auditor

•Sustainability,

Actuarial

•Project management

•Process

improvement

•External forensic

fraud examiners

/Auditors

•Regulatory

inspectors, etc.

24

Key foundational aspects for combined assuranceEffective corporate governance structures –“rhythm on the dance floor”

25

Anticipated Benefits of Combined Assurance

Collaboration

• Leverage common

risk assessments

• Deliver unified,

consistent message

Efficiencies

• Eradication of Assurance

Fatigue

• Cost savings and greater

coverage

• Sharing of lessons

learned

Effective control

environment

• Reporting is more

precise and insightful

• Valuable, relevant data

based on collaboration

and not silos -

facilitates better

decision making

• Facilitates the annual

assurance statements

• Fewer surprises

Underpinned by a mature Risk Management framework and function

26

Internal audit is well positioned to support good governance

Broad view of the organization - familiar

with systems and processes

Insight on potential risks facing industry

and wider economy

Competent workforce – skills and

qualifications

Adherence to IIA IPPF –conformance to robust

standards, independence, objectivity

Value of Internal Audit

Driven to help organization succeed, create and

enhance value

27

Financial literacy

Independence

Knowledge of risk management (including non financial risks) and internal control incl. Internal Financial Controls

Skills & Competencies 1

IQ

2

EQ

3

CQ

4

AQGovernance codes

28

Continuous

calibration of

stakeholder

expectations

Embrace

smarter

tools –

leverage

automation

01 02 03

Agile,

integrated

risk based

assurance

04

Pragmatism

on risk

exposure &

remediation

05

Optimizatio

n

Opportuniti

es Sharing

insights.

06

Bias for learning/ reskilling/ constant reboot

07

Measure value add

and Ongoing

refinement

Propelling GIA value

29

Jenitha John

johnjenitha@gmail.com

30

References

• IIA Position Paper – Internal Audit’s Role in Corporate Governance

• Deloitte - Board Committees (2014)

• Deloitte – Roles And Responsibilities - https://www.corpgov.deloitte.ca

• The Evolving Role of Internal Audit in Corporate Governance -

http://www.internalauditor.me/article/

31

TELL US WHAT YOU THINK!

Evaluate this session right in the

IIA Conference App!

Not using the conference app?

Visit: ic.cnf.io to complete

your session evaluations.