GOVERNANCE 1 CHAPTER 3
Nov 01, 2014
GOVERNANCE
1
CHAPTER 3
Chapter 3 Learning Objectives2
Define governance and contrast the different roles and responsibilities within governance.
Articulate the different enterprise-wide governance principles.
Describe the changes in regulations and how governance has evolved to its present state.
Describe the role of the internal audit function in the governance process.
Know where to find information about governance codes and regulations from countries around the world.
Exhibit 3-2
Internal Auditing: Assurance and Consulting Services, 2nd
3
Governance (from book)
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
4
The combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization towards the achievement of its objectives.
Key Points
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
5
Not distinct and separate processes and structures – interrelationships between governance, risk, and controls
Must consider risk when setting strategyMust rely on internal controls and
communication
OECD Corporate Governance Principles
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
6
First released in May 1999 and revised in 2004, the OECD Principles are one of the 12 key standards for international financial stability of the Financial Stability Forum (FSF) and form the basis for the corporate governance component of the Report on the Observance of Standards and Codes of the World Bank Group.
OECD Definition7
Corporate governance involves a set of relationships between a company’s management, its board, its shareholders, and other stakeholders.
Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.
According to Cadbury Report,8
Corporate Governance is “the system by which companies are directed and controlled
Good corporate governance allows boards of
directors to be “free to drive their companies forward”, but exercise that freedom within a framework of effective accountability.
According to Wikipidi9
Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed. The principal stakeholders are the shareholders, management, and the board of directors. Other stakeholders include employees, customers, creditors, suppliers, regulators, and the community at large.
Codes from around the world10
http://www.ecgi.org/codes/all_codes.php
Bangladesh
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
11
I. Mission of the Board of Directors Principle:
The Board of Directors should lead and oversee strategy and policy of the company and provide direction to the management. Board actions should be in the best interests of the company and shareholders.
Brazil
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
12
Corporate Governance is a corporate managing and monitoring system, involving relations with the Owners, Board of Directors, Officers, Independent Auditors, and Fiscal Council. Good corporate governance practices are geared to add value to a company, facilitate its access to capital and contribute to its perpetuation.
Exhibit 3-313
Some Video Clips
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
14
http://www.youtube.com/watch?v=KXd70r75V2whttp://www.youtube.com/watch?v=awUgAYks-Y8http://www.youtube.com/watch?v=wYtN-8st9xshttp://www.youtube.com/watch?v=ra-Sxjjv3-ghttp://www.youtube.com/watch?v=1jV0AUjx6Ik
Strategy
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
15
How management plans to achieve the organization’s objectives Key Business Objectives Stakeholder Expectations Performance Measures Risk Appetite
Exhibit 3-416
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
17
Roles and Responsibilities within Governance
Knowledge Check18
Which of the following represents the best governance structure? Operating Mgmt Executive Mgmt Internal Auditing a. Responsibility for Risk Oversight role Advisory role b. Oversight Role Responsibility for Risk Advisory Role c. Responsibility for Risk Advisory Role Oversight Role d. Oversight role Advisory Role Responsibility for
Risk
Board
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
19
Governance begins with the BoardBoard provides directionBoard is accountable to stakeholdersGovernance is executed by managementInternal and external activities provide
management and the board with assurance regarding effectiveness of governance
Stakeholders
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
20
Directly Involved – Employees, Customers, Vendors
Interested – InvestorsInfluence – Regulatory agencies, Rating
Agencies,
How does the Board enact good governance?
21
Governance CommitteeDetermine desired outcomesDetermine unacceptable outcomesArticulate RequirementsSet Risk AppetiteDelegate authorityEstablish reporting thresholdReevaluate periodically
One Big Four’s List of Board “HOT TOPICS” in Governance for 2011
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
22
Risk Management – where everyone minds the business Sustainable Development – the next transforming wave of change Strategy Development – the board as hands-on strategy leader Strategy Execution – Linking performance to strategy Corporate Planning – past results do not ensure future performance Shareholder engagement – the conversations are two-way Board evaluations – the best Boards have regular performance
checks Boardroom efficiency – do the right things better Director education – never stop learning Succession planning – the long and short of talent development Regulatory change – anticipating change for competitive advantage
Spencer Stuart – 5 Things Boards Should be Looking at
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
23
Board EffectivenessStrategyRisk OversightSustainabilitySuccession
http://www.spencerstuart.com/research/articles/1475
You Get What You Measure24
Measures are critical to such governanceMeasure the wrong things and results can be
disastrous. Measure the right ones—aligned with the strategic
plan and related business objectives—and managers are motivated and work together toward achieving corporate goals.
Identifying what drives value and then linking those drivers to measurements
25
Governance Maturity Model
Key Questions Directors Should be Asking26
Key Questions Directors Should be Asking27
Key Questions Directors Should be Asking28
Key Questions Directors Should be Asking29
30
Eight Priorities for 2013 (from the IIA)31
Crisis ManagementFraud and EthicsRegulatory ComplianceSocial MediaEmployee Talent ManagementEmerging TechnologiesERMGlobalization and Geopolitical Risks
Setting the Risk AppetiteDefining Risk Tolerance
32
Risk Appetite: The amount of risk, on a broad level, an organization is willing to accept in pursuit of its business objectives
Risk Tolerance: The acceptable levels of risk size and variation relative to the achievement of objectives, which must alight with the risk appetite of the organization.
How to set Risk Appetite?33
Determine stakeholdersDetermine needs and expectations of
stakeholdersIdentify potential outcomes that would be
unacceptable to stakeholders (harm and missed opportunities)
Consider outcomes in Financial, Compliance, Operational, and Strategic areas
Set tolerance levels/boundaries within which management should run organization
Cool video on the need to link risk and strategy
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
34
http://www.youtube.com/watch?v=qI0b4YZBp4k
How does management enact good governance?
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
35
Understanding the Board’s expectations, directions, risk appetite, and delegated authority
A process to identify, manage, and report on risks
Process to delegate authority to risk holdersGathering information to report on risks for
decision making and for Board
How does management enact governance responsibilities?
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
36
Establish a risk committee to identify risks, linked to management activities, and assigned to risk owners
Evaluate on-going risk appetite and ensure tolerance levels are consistent with risk appetite
Articulate reporting requirements – nature, format, timing of communication
Reevaluate governance expectations periodically
Knowledge Check
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
37
Which of the following are typical governance responsibilities of senior management?
I. Establishing a governance committee of the boardII. Delegating risk tolerance levels to risk managersIII.Monitoring day-to-day performance of specific risk management
activitiesIV.Ensuring that sufficient information is gathered to support reporting
to the board. II and III I, II, and IV II and IV I, II, III, and IV
What do Risk Owners Do?
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
38
Day to day responsibility for ensuring that risk management activities effectively manage risks within the organization’s risk appetite.
Keep risks within tolerable boundariesIdentify, measure, manage, monitor, and
report on their risksFront line of managing risks – key
contributors to good governance
Risk Owner Activities
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
39
Assessment of risks in terms of inherent nature of risk, source of risk, potential impact, proposed tolerance level, expected risk management activities.
Reevaluate risk management activities periodically
Assess risk management capabilitiesMonitor risk management activitiesReport risk management activities
Exhibit 3-640
Assurance Activities
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
41
An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization
Can be by external or internal parties; most commonly by internal audit function
The Board's Oversight Role
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
42
A board is not responsible for devising either measures or the measurement process. That's management's job. But it is responsible for ensuring that management has instituted meaningful measures to enable management to track and monitor performance and take swift corrective action where needed.
Continued
43
The board needs to know that it is getting the right information, on a timely basis, with management's analysis of where issues lie and what management plans to do.
Ultimately, the board needs to know that a process is firmly in place to provide the information they need to conduct meaningful oversight and assess progress toward effective strategy implementation and achievement of stated goals.
44
Internal Audit’s Role
Exhibit 3-145
2010 – Planning46
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals
Interpretation: The chief audit executive is responsible for developing a
risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
2100 – Nature of Work
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
47
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
2100 - Nature of Internal Audit’s Work48
Help assess and improve governance by:Promoting appropriate ethics and valuesEnsuring effective performance management
and accountabilityEffectively communicating risk and control
informationEffectively coordinating the activities and
communicating information
2110 – Governance49
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:Promoting appropriate ethics and values within the organization;Ensuring effective organizational performance management and accountability;Communicating risk and control information to appropriate areas of the organization; andCoordinating the activities of and communicating information among the board, external and internal auditors, and management.
Implementation Standards under 211050
2110.A1- The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.
IA Activities to evaluate governance51
Ensure it understands Board’s governance direction and expectations, including its expectation of IA
Support management’s risk management program Involvement in risk management program Education Risk assessments “oversight” and input to risk decisions
Develop an IA plan that encompasses governance
Continued52
Determining whether the assertions made by the risk owners to senior management regarding the effectiveness of the risk management activities accurately reflect the current state of risk management effectiveness.
Determining whether the assertions made by senior management to the board regarding the effectiveness of the risk management activities provide the board with the information it desires about the current state of risk management effectiveness.
Continued….
Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
53
Evaluating whether risk tolerance information is communicated timely and effectively from both the board to senior management and from senior management to the risk owners.
Assessing whether there are any other risk areas that are currently not included in the governance process, but should be (for example, a risk for which risk tolerance and reporting expectations have not been delegated to a specific risk owner).
Other Roles of Internal Auditing in Governance
54
Board Risks, Controls, and PracticesAudit specific documented governance processesProvide assurance on ways to improve
governance processes if they are not matureContribute to governance structures through
auditsAct as facilitators, assisting board in self-
assessment of governance activitiesObserve and formally assess GRC structural
design and operational effectiveness
IA’s Activities to Evaluate Governance55
Evaluating whether the various risk management activities are designed adequately to manage the risks associated with unacceptable outcomes.
Testing and evaluating whether the various risk management activities are operating as designed.
Aspects of Ethics Audits56
A "clear and understandable" formal code of conduct and related statements, policies--including procedures covering fraud and corruption--and other "expressions of aspiration."
The communications and demonstrations of expected ethical attitudes and behavior by the leaders of the organization.
Explicit strategies the firm uses to enhance its ethical culture.
Multiple means of confidentially reporting misconduct.
Continued57
Regular declarations by employees, suppliers, and customers that they understand the requirements for ethical behavior in conducting the organization's business.
Clear delegation of responsibilities to ensure that ethical consequences are evaluated, that confidential counseling is provided, that allegations of misconduct are investigated, and that case findings are properly reported.
Easy access to "learning opportunities to enable all employees to be ethics advocates."
Continued58
Personnel practices that encourage employees to be ethical.
Regular use of surveys to determine the organization's ethical climate.
Regular reviews of processes that might undermine the organization's ethical culture.
Regular reference and background checks as part of the hiring process.