Auditing Governance Functions

Auditing Governance
Defining Corporate Governance
Internal Audit’s Role in Corporate Governance
Areas of Audit Focus
Regulatory Considerations
Governance Functions
The regulatory and rating agency landscape has changed,
with increased scrutiny on Governance functions, such
Board / Governance Reporting
Enterprise and Operational Risk Management
Emerging Risks
Continuous Monitoring
Corporate Governance
Governance is the combination of processes and
structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization
toward the achievement of its objectives.
Board of Directors
Audit and Risk Committees
Corporate Committee Structure
Enterprise Risk Program
Compliance and Regulatory Program
Technology Program
Social Responsibility Program
Internal Audit’s Role in Governance
Internal Audit’s role in governance is as
Independent testing and verification
of efficacy of corporate standards
and business line compliance
Validate the overall risk framework
Provide assurance that the risk
management process is functioning
as designed and identifies
improvement opportunities
Through its dual consulting and assurance roles,
internal audit can provide tremendous value to a
dynamic organization by focusing on areas of
greatest exposure, complex operations and key
business initiatives, to validate that the
organization is well controlled and operating
effectively and efficiently to meet the strategic
goals of the firm.
Governance Functions
Internal audit must assess and make appropriate
recommendations for improving Governance in its
accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization
Ensuring effective organizational performance management and
Communicating risk and control information to appropriate areas of
the organization
Coordinating the activities of and communicating information
among the board, auditors, and management.
Enterprise Risk Management
Enterprise Risk Management Considerations
Commensurate with size, risk profile, complexity, and growth of
the enterprise
Provide increased business awareness
Incorporate risk considerations in decision making across
ERM Framework
Step 1: Establish ERM Framework
•Identify Project Champion
•Identify Project Owner
•Establish Steering Committee
Step 2: Identify Key Objectives
•List Key Objectives
•Prioritize Key Objectives
•Select objectives for assessments
Step 3: Identify Key Risks
•Assess Risk
•Assign Risk Rating
Step 4: Manage Risk
•Identify Controls and Mitigation Requirements
•Develop Mitigation Plans for key risks
•Perform periodic status reviews
•Repeat steps 2 – 4 for additional control objectives
Enterprise Risk Management
► No formal framework to identify, prioritize and
communicate risks
► No ongoing risk monitoring and/or risk management
enhancement activities
► Risk appetite not articulated or defined
► Lack of awareness of Enterprise Risk Appetite
► Failure to communicate with executive management, audit
committee, and business units on a consistent and formal
basis to discuss expectations, business strategies,
objectives and initiatives
► Policies and procedures do not exist, are not documented,
are inadequate or are not followed
Enterprise Risk Management (continued)
► Performance goals and objectives drive behavior
inconsistent with overall Enterprise ethics or standards
Corporate Social Responsibility (CSR)
► CSR: The way firms integrate social, environmental, and
economic concerns into their values, culture, decision-making,
strategy and operations in a transparent and
accountable manner and thereby establish better
practices within the firm and contribute towards society
Responsibility:
Board of Directors
CSR Executive
CSR Risks
► Reputational Risk
► Compliance Risk
► Operational Risk
► Liability Risk
► External Business Relationships Risk
CSR Risks (continued)
► Reputational Risk
Violations of law or principles
Errors or omissions in disclosed CSR information
Under-performance compared with objectives/targets
Appearance of indifference to social issues
► Compliance Risk
► Failure to comply due to the extent, complexity, and volume of
regulations relating to the environment, health and safety,
employment, governance, political contributions, conflict of
interest, and fraud.
► Contractual obligations with third parties, such as customers,
unions, or employees, and from voluntary adoption of standards.
CSR Risks (continued)
► Operational Risk
► CSR “pressure points” for the organization’s manufacturing
processes, products, services and impact on the environment.
► Under-performance of other targets due to inappropriate CSR
strategies, or over-emphasis on CSR strategies.
► Failure to integrate CSR objectives into processes, or to educate
staff appropriately.
► Failure to develop well-controlled systems for CSR initiatives.
► Inaccurate or incomplete reporting information.
► Challenge to apply same standards across multiple countries.
CSR Risks (continued)
► Liability Risk
► During contracting for CSR terms and conditions and ensuring
third-party compliance.
► Activists or specific classes/special interest groups may take legal
action for alleged harm done by the organization.
► External Business Relationships
► Customers, suppliers, or partners could violate CSR terms
and conditions, principles, or laws, yet the organization could
be included as a wrongdoer by association.
IT governance follows a lifecycle
IT governance should not be a one-time exercise
Understanding the as-is governance
structure enables the organization to
make only the necessary changes
► Building principles based on
organization-specific drivers is the
basis for a working governance
► The governance principles will act as
the foundation of the governance
framework and set the scene for the
later model
► After running through the lifecycle
once, organizations are able to
iterate the governance lifecycle
without external support
IT governance decision areas
IT principles
IT investments
IT architectures
IT infrastructure
How is IT used within the business
Providing direction for IT delivery
Determine the total IT spend
Prioritising conflicting investment needs
Organisation and structure of IT assets
Approach to integration of IT assets
How to support business processes
Software platforms
Enabling applications and architecture
Managing IT assets
► Governance decisions are taken either centralised or decentralised
► By business, IT or both of them
► Mechanisms have to be aligned to the organizational and operations model as well as
the IT strategy
Aligning business and IT on different levels
Business level
IT level
Board, CEO, COO
IT Executive Steering Committee
CIO, CTO, senior
IT management
IT Governance Council
process owner
IT Governing Bodies:
Architecture and technology boards
IT client manager
architecture owner
Key user
IT Governing Bodies:
Service delivery boards
Service manager
Business process
Joint IT governance boards
Service delivery through
business and IT
IT service management
frameworks e.g. ITIL
IT governance domains
Monitoring and control
Setting the overall direction for IT
within the corporation
Maintaining cultural values,
corporate image and voice
Representing corporation’s key IT
Developing IT strategy including
sourcing philosophy
Qualitative benchmarking
Managing service levels
Managing a penalty system
Build corporate IT organization
Identifying areas for service
Setting corporate IT goals
Agreeing on IT performance
targets with IT customers
IT governance
Coordination and compliance
Capital allocation
Ensuring compliance with IT
standards and obligations
Coordinating IT activities between
IT demand and supply
Setting the fundamental IT
operating procedures
Establishing standards, rules and
Defining technical and application
Coordinating IT deployment
Determining capital available
Determining IT investment criteria
Reviewing bids for capital
Allocating resources
Technology Governance Considerations
Inherent key IT
IT objectives and strategies
IT processes
and asset
IT development
and design
Technology enablement to
achieve business objectives
Superior service support
and delivery
IT operations
Continuity of services
Optimize operating
security and
Protection of information
Effectively manage security
► Emerging technologies
► Technology direction
► System disruptions
► Contracts/3rd party
vendors – outsourcing
► Records retention
► Regulatory compliance
► People management
► Global sourcing
► Business continuity
► Asset and portfolio
► IT infrastructure
► IT security/privacy
► Financial reporting
Evaluate management and control activities
Deliver superior
Systems and applications
► IT process duplication
and inefficiencies
Link risks to IT processes
Strategic planning
Link objectives to risks
IT governance
and strategy
Evaluate the significance of the risk to IT objectives
Guidance and oversight
Service level
Security and
Problem and
Regulatory Expectations
► Failure to establish and maintain an internal control
environment which aligns stakeholders and regulatory
► Failure to identify relevant laws and regulations
► Lack of procedures to comply with applicable laws and
► Insufficient or inadequate training of staff on regulatory
► Failure to establish adequate working relationship with
regulators or authorities