1
The Governance Role of Internal Audit
Ms. Jenitha John
IIA Global Board Member
3
• New Realities
• Responsibilities for Corporate Governance
• Governance Defined
• Internal Audit Value
• Corporate Culture
• The Role of Internal Audit
• Combined Assurance
• Governance Review
4
New Realities
Corporate scandals
Business model rethink against technology disruption (VUCA)
Changing global economic & political conditions
Cybersecurity threats
Competition for talent and workforce demographics
Increased regulatory burden
Consumer spending and behavior
Investor activism
Blended value proposition
Public, private partnerships and the role of government
Evolution of inclusive capitalism (profits vs. wages)
Energy: supply-chain volatility, geopolitical upheaval, climate change
Financial Services: fintech disruption, industry consolidation, and regulatory change
Consumer Goods: digital disruption, industry consolidation, and changing demographics influencing consumer behaviors
5
Stay Attuned to the Landscape
Scale, speed and severity of crisis
Many risks happen simultaneously
Diverse range of assurance providers – specialists vs. enthusiasts
Business complexity – burdensome processes, legacy IT platforms
Risk governance did not link strategy, risk management & risk bearing capacity
Global pressure now to sharpen risk focus, improve assurance
“One view – one risk aggregation”
Assessing the cost and effectiveness of risk and controls
Connected world – Internet of things
Governance no longer mindless compliance
Information required to predict the future
Cyber Threats
6
Lessons from Corporate Scandals
Auditors – both internal and external – scope influence, fear of loss of incentive, complacency, over reliance
IFRS is subject to management discretion and interpretation – accounting standards cannot stop fraud
Over reliance on single KPIs – like EPS, focus on good news culture, ROIC/EVA to be considered
Boards become beholden to management. Weak Board Chairman, understatement test of Board packs
Culture & Ethics - Establish and demand the integrity of disclosures – Autocratic executives, rule by fear
Gap between remuneration and performance – personal enrichment & dysfunctional behaviour
Diagram labels: Board, Management, Analysts, Regulators, Banks, Investors, Consultants, Auditors, Customers, Employees, Creditors, Sponsor
7
What is Governance?
Processes and structures designed to help organizations achieve their objectives
Corporate governance is defined as the exercise of ethical and effective leadership by boards towards the achievement of ethical culture, good performance, effective control and legitimacy (King IV Report on Corporate Governance South Africa)
Fundamentally about improving transparency and accountability
8
Good governance means…
• Accountability: Responsibility for one's own decisions and actions, and ensuring they can be explained and clarified
• Responsibility: Reliable and efficient performance of duties, to the best of one's abilities
• Equitable Treatment: Fair and equitable treatment of all stakeholders
• Transparency: Ensuring corporate operations can be examined and information is disclosed to relevant parties
• Ethics: Existence of business ethics and code of conduct
9
Compliance vs Governance
Compliance is tactical in nature
• Reactionary
• Demonstrate that laws and regulations adhered to
• Consequences for non-compliance
Governance is strategic, and optional
• Focus on reducing risks
• Stimulate growth
• Ensure business continuity
Both are essential for short-term competitive advantage as well as long-term economic gains
10
Responsibility for Corporate Governance
Board
• Ultimate responsibility for governance
• Establish an effective audit committee as a key tool to provide strengthened oversight
• Set ‘tone at the top’ and support the audit function
Management
• Establish sound controls within key business processes
• Obtain assurance via internal audit function
Shareholders
• Seek assurance that interests are well-managed
• Appoint external auditors
Other Stakeholders
• Regulators place governance requirements on Boards
11
Board Committees
Board’s Role in Corporate Governance
• Establish structures and processes taking into consideration perspectives of all stakeholders
• Oversee and monitor strategic, operational, financial and compliance risk exposures
• Collaborate with management in setting risk appetite, risk tolerance and alignment with strategic priorities
• Use audit committee to provide strengthened oversight
12
Roles and Responsibilities of an Audit Committee
1. Financial Reporting
2. Internal Controls
3. Risk Management
4. Ethics
5. Compliance
6. Technology Controls
7. Finance Management
8. Internal Audit
9. External Audit
13
Audit committee effectiveness on Governance
• Financial statements: Ensure financial statements are understandable, transparent and reliable
• Risk management: Ensure a comprehensive, sustainable and effective risk management function, with appropriate risk appetite and monitoring established
• External audit: Establish direct reporting relationship with external auditors, and provide oversight on scope, independence, rotation, compensation etc.
• Internal controls: Monitor the ‘tone at the top’ - should reinforce an organizational commitment to strong and effective internal controls
• Compliance: Review of organization’s programs, policies and standards relating to adherence with legislation, ethics, fraud investigations etc. Review of current and pending litigation cases against the organization
• Management: Communication with senior management on current matters, new developments and matters requiring heightened attention. Provide challenge.
• Internal audit: Reviewing audit plans, charter, reports and significant findings. Ensure appropriate risk coverage. Encourage communication between internal audit and the committee.
14
Other requirements for an effective Audit Committee
• Composition and mandate (long-term thinking)
• Clear focus and priorities
• Interaction with other board committees
• Tone of the audit committee (status and standing)
• Preparedness for meetings - drive robust discussions
• ERM effectiveness
• Culture and tone of the organization
• Walking the floor of the organization
• Competency of the company secretary
• Understanding of regulatory impact
• Quality of the audit committee pack
• In camera meetings with management, internal auditors, external auditors
15
Role of Internal Audit
Assurance – informed and unbiased critique of governance processes, risk management and internal control
Prognosticator – use foresight to identify trends and bring attention to emerging challenges
Enabler – enable informed decision making towards organizational success & value creation
Resources - Effective utilization of resources
Use in-depth understanding to debate root causes, exposure and remediation – be resolute with follow ups
Provide insight on effectiveness and efficiency of key internal controls to management and Board
16
Internal Audit Standard 2110 - Governance
The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for:
Making strategic and operational decisions.
Overseeing risk management and control.
Promoting appropriate ethics and values within the organization.
Ensuring effective organizational performance management and accountability.
Communicating risk and control information to appropriate areas of the organization.
Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.
17
Internal Audit’s Governance Mandate
Governance = processes and structures designed to help an organization achieve its objectives
• Influenced by inherent risks impeding ability to achieve objectives
• Business controls to identify and mitigate risks
• Business conduct policy to shape culture, values and philosophy
Internal Audit provides assurance by assessing and reporting on the adequacy and effectiveness of:
• Governance processes
• Risk Management
• Internal Controls
18
Components to Audit in a Governance Review
Corporate Culture
Risk Culture
Information Governance
Technology Governance
Project Governance
Fraud Governance
People Governance
Third Party Governance
Risk Management process maturity
Stakeholder Management
19
Scope & Approach of Governance Reviews
Internal Audit
Advisory (Test Design)
Audit Approach – Interviews with key stakeholders, examine charters, philosophy – how does governance translate into corporate objectives
Understand business environment incl. strategy, governance, regulations, KPI’s
Preliminary reporting on initial inadequacies
Audit (Test Effectiveness)
Examine Portfolio of evidence – Minutes of Board meetings, Delegation of authority, risk appetite, remuneration alignment
Reporting
Communicate results of audit to management – identify root cause, assess impact, accountability, conduct issue remediation workshop
Analyze all governance audit findings in the database
Communicate final consolidated view to governance committees / key stakeholders
Enables strategic and operational decision-making
20
Corporate Culture
Corporate culture is the pervasive values, beliefs and attitudes that characterize a company and guide its practices
It is largely determined by the behaviors an organization rewards and recognizes, both formally and informally, explicitly and implicitly
A strong culture:
• supports the vision, mission and values of an organization.
• attracts and retains talent because people feel connected to the organization.
• helps build reputation and brand.
• strengthens customer satisfaction and loyalty. Can be a competitive advantage.
• curbs bribery, corruption and other unethical practices.
• can be a significant liability when misaligned with strategy.
21
Roles regarding Corporate Culture
Corporate Culture Oversight
Board
• Sets the Tone at the Top
• Establishes ethical framework
• Approves Risk Appetite
Management
• Sets the tone - top and middle
• Develops the philosophy, ethical framework/values
• Risk appetite implementation and monitoring of desired culture
ASSURANCE PROVIDERS
HR
• Shape, reinforce, change culture
• Alignment through recruitment, training, performance management, reward/recognition
Risk & Compliance
• Ensure risk appetite is set and adhered to
• Monitoring and measuring risk culture
• Perform culture risk assessments
Internal Audit
• Assurance over risk management adequacy and effectiveness
• Assurance on actions aligned to risk appetite
• Insight on whether lived culture is aligned to desired culture
EXTERNAL AUDIT & REGULATORS
22
Good governance systems are designed to help organizations
• focus on the activities that contribute most to their overall objectives,
• use their resources effectively, and
• ensure that they are managed in the best interests of all stakeholders.
Combined Assurance
“Integrating, coordinating, and aligning the risk management and assurance processes to optimise and maximise the level of risk, governance, and control oversight over the organisation’s risk landscape.”
Combined Assurance entails assurance providers working more closely together to ensure:
• the right amount of assurance
• in the right areas
• from people with the best and most relevant skills
• as cost effectively as possible
23
Governance Assurance Providers
• Management - Management holds ultimate responsibility for managing risks & controls
• Internal & External Assurance - Objective and independent assurance is provided by Internal and External audit and professional experts
• Combined Assurance - Leads to continuous improvement, operational excellence, and minimises duplication of effort between assurance providers
Management
• Strategy, Operations
• Finance & Treasury
• IT, HR, Product development, Sales
• Supply chain / Distribution / Production
• Oversight etc.
Internal Assurance
• Risk management
• Regulatory Compliance
• Internal Audit
• Legal, Company secretary
• Health and Safety, Fraud
External Assurance
• External auditor
• Sustainability, Actuarial
• Project management
• Process improvement
• External forensic fraud examiners / Auditors
• Regulatory inspectors, etc.
24
Key foundational aspects for combined assurance
Effective corporate governance structures – “rhythm on the dance floor”
25
Anticipated Benefits of Combined Assurance
Collaboration
• Leverage common risk assessments
• Deliver unified, consistent message
Efficiencies
• Eradication of Assurance Fatigue
• Cost savings and greater coverage
• Sharing of lessons learned
Effective control environment
• Reporting is more precise and insightful
• Valuable, relevant data based on collaboration and not silos - facilitates better decision making
• Facilitates the annual assurance statements
• Fewer surprises
Underpinned by a mature Risk Management framework and function
26
Value of Internal Audit
Internal audit is well positioned to support good governance
Broad view of the organization - familiar with systems and processes
Insight on potential risks facing industry and wider economy
Competent workforce – skills and qualifications
Adherence to IIA IPPF – conformance to robust standards, independence, objectivity
Driven to help organization succeed, create and enhance value
27
Skills & Competencies
Financial literacy
Independence
Knowledge of risk management (including non financial risks) and internal control incl. Internal Financial Controls
Governance codes
1 IQ
2 EQ
3 CQ
4 AQ
28
Propelling GIA value
• Continuous calibration of stakeholder expectations
• Embrace smarter tools – leverage automation
• Agile, integrated risk based assurance
• Pragmatism on risk exposure & remediation
• Optimization Opportunities Sharing insights.
• Bias for learning/ reskilling/ constant reboot
• Measure value add and Ongoing refinement