Auditing Governance Functions

Report
Auditing Governance
Functions
Agenda
►
Defining Corporate Governance
►
Internal Audit’s Role in Corporate Governance
►
Areas of Audit Focus
►
Regulatory Considerations
Page 2
Auditing Governance Functions
Governance Functions
►
Regulatory and rating agency landscape has changed,
with an increased scrutiny on Governance functions, such
as:
►
►
►
►
►
Page 3
Board / Governance Reporting
Enterprise and Operational Risk Management
Technology
Emerging Risks
Continuous Monitoring
Auditing Governance Functions
Corporate Governance
►
Governance is the combination of processes and
structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization
toward the achievement of its objectives.
►
►
►
►
►
►
►
►
Page 4
Board of Directors
Audit and Risk Committees
Corporate Committee Structure
Management
Enterprise Risk Program
Compliance and Regulatory Program
Technology Program
Social Responsibility Program
Auditing Governance Functions
Internal Audit’s Role in Governance
►
Internal Audit’s role in governance is as
follows:
►
Independent testing and verification
of efficacy of corporate standards
and business line compliance
►
Validate the overall risk framework
►
Provide assurance that the risk
management process is functioning
as designed and identifies
improvement opportunities
Through its dual consulting and assurance roles,
internal audit can provide tremendous value to a
dynamic organization by focusing on areas of
greatest exposure, complex operations and key
business initiatives, to validate that the
organization is well controlled and operating
effectively and efficiently to meet the strategic
goals of the firm.
Page 5
Auditing Governance Functions
Governance Functions
►
Internal audit must assess and make appropriate
recommendations for improving Governance in its
accomplishment of the following objectives:
►
►
►
►
Page 6
Promoting appropriate ethics and values within the organization
Ensuring effective organizational performance management and
accountability
Communicating risk and control information to appropriate areas of
the organization
Coordinating the activities of and communicating information
among the board, auditors, and management.
Auditing Governance Functions
Enterprise Risk Management
►
Enterprise Risk Management Considerations
►
►
►
Page 7
Commensurate with size, risk profile, complexity, and growth of
the enterprise
Provide increased business awareness
Incorporate risk considerations in decision making across
enterprises
Auditing Governance Functions
ERM Framework
Step 1: Establish ERM Framework
•Identify Project Champion
•Identify Project Owner
•Establish Steering Committee
Step 2: Identify Key Objectives
•List Key Objectives
•Prioritize Key Objectives
•Select objectives for assessments
Step 3: Identify Key Risks
•Assess Risk
•Assign Risk Rating
Step 4: Manage Risk
•Identify Control Controls and Mitigation Requirements
•Develop Mitigation Plans for key risks
•Perform periodic status reviews
•Repeat steps 2 – 4 for additional control objectives
Page 8
Auditing Governance Functions
Enterprise Risk Management
► No formal framework to identify, prioritize and
communicate risks
► No ongoing risk monitoring and/or risk management
enhancement activities
► Risk appetite not articulated or defined
► Lack of aware awareness of Enterprise Risk Appetite
► Failure to communicate with executive management, audit
committee, and business units on a consistent and formal
basis to discuss expectations, business strategies,
objectives and initiative
► Policies and procedures do not exist, are not documented,
are inadequate or are not followed
Page 9
Auditing Governance Functions
Enterprise Risk Management (continued)
► Performance goals and objectives drive behavior
inconsistent with overall Enterprise ethics or standards
Page 10
Auditing Governance Functions
Corporate Social Responsibility (CSR)
► CSR: The way firms integrate social, environmental, and
economic concerns into their values, culture, decisionmaking strategy and operations in a transparent and
accountable manner and thereby establish better
practices within the firm and contribute towards society
improvements.
►
Responsibility :
►
►
►
Page 11
Board of Directors
CSR Executive
Management
Auditing Governance Functions
CSR Risks
► Reputational Risk
► Compliance Risk
► Operational Risk
► Liability Risk
► External Business Relationships Risk
Page 12
Auditing Governance Functions
CSR Risks (continued)
► Reputational Risk
►
►
►
►
Violations of law or principles
Errors or omissions in disclosed CSR information
Under-performance compared with objectives/targets
Appearance of indifference to social issues
► Compliance Risk
► Failure to comply due to the extent, complexity, and volume of
regulations relating to the environment, health and safety,
employment, governance, political contributions, conflict of
interest, and fraud.
► Contractual obligations with third parties, such as customers,
unions, or employees, and from voluntary adoption of standards.
Page 13
Auditing Governance Functions
CSR Risks (continued)
► Operational Risk
► CSR “pressure points” for the organization’s manufacturing
processes, products, services and impact on the environment.
► Under-performance of other targets due to inappropriate CSR
strategies, or over-emphasis on CSR strategies.
► Failure to integrate CSR objectives into processes, or to educate
staff appropriately.
► Failure to develop well-controlled systems for CSR initiatives.
► Inaccurate or incomplete reporting information.
► Challenge to apply same standards across multiple countries.
Page 14
Auditing Governance Functions
CSR Risks – contd.
► Liability Risk
► During contracting for CSR terms and conditions and ensuring
third-party compliance.
► Activists or specific classes/special interest groups may take legal
action for alleged harm done by the organization.
► External Business Relationships
► Customers, suppliers, or partners could violate CSR terms
and conditions, principles, or laws, yet the organization could
be included as a wrongdoer by association.
Page 15
Auditing Governance Functions
Technology
IT governance follows a lifecycle
IT governance should not be a one-time exercise
Understanding the as-is governance
structure enables the organization to
make only the necessary changes
► Building principles based on
organization-specific drivers is the
basis for a working governance
model
► The governance principles will act as
the foundation of the governance
framework and set the scene for the
later model
► After running through the lifecycle
once, organizations are able to
iterate the governance lifecycle
without external support
►
Page 16
Auditing Governance Functions
IT governance decision areas
IT principles
IT investments
IT architectures
Applications
IT infrastructure
►
►
►
►
►
►
►
►
►
►
How is IT used within the business
Providing direction for IT delivery
Determine the total IT spend
Prioritising conflicting investment needs
Organisation and structure of IT assets
Approach to integration of IT assets
How to support business processes
Software platforms
Enabling applications and architecture
Managing IT assets
► Governance decisions are either taken centralised or decentralised
► By business, IT or both of them
► Mechanisms have to be aligned to organizational and operations model as well as
IT strategy
Page 17
Auditing Governance Functions
Aligning business and IT on different levels
Business level
IT level
Board, CEO, COO
IT Executive Steering Committee
CIO, CTO, senior
IT management
Approve
Business
management
IT Governance Council
IT
management
Decide
Business
process owner
IT Governing Bodies:
Architecture and technology boards
IT client manager
architecture owner
Design
Key user
IT Governing Bodies:
Service delivery boards
Service manager
Facilitate
Business process
frameworks
Page 18
Joint IT governance boards
Service delivery through
business and IT
Auditing Governance Functions
IT service management
frameworks e.g. ITIL
IT governance domains
Leadership
Monitoring and control
►
Setting the overall direction for IT
within the corporation
►
Maintaining cultural values,
corporate image and voice
Planning
►
Representing corporation’s key IT
stakeholders
►
Developing IT strategy including
sourcing philosophy
►
Qualitative benchmarking
►
Managing service levels
►
Managing a penalty system
►
Build corporate IT organization
►
Identifying areas for service
improvement
►
Setting corporate IT goals
►
Agreeing on IT performance
targets with IT customers
IT governance
Coordination and compliance
Capital allocation
►
Ensuring compliance with IT
standards and obligations
►
Coordinating IT activities between
IT demand and supply
►
Page 19
Policy
►
Setting the fundamental IT
operating procedures
►
Establishing standards, rules and
guidelines
►
Defining technical and application
architectures
Coordinating IT deployment
Auditing Governance Functions
►
Determining capital available
►
Determining IT investment criteria
►
Reviewing bids for capital
►
Allocating resources
Technology Governance Considerations
Inherent key IT
risks
IT objectives and strategies
IT processes
Infrastructure
and asset
management
IT development
and design
Technology enablement to
achieve business objectives
Superior service support
and delivery
IT operations
Continuity of services
Optimize operating
efficiency
Information
security and
protection
Protection of information
Effectively manage security
risk
Page 20
Auditing Governance Functions
► Emerging technologies
► Technology direction
► System disruptions
► Contracts/3rd party
vendors – outsourcing
► Records retention
► Regulatory compliance
► People management
► Global sourcing
► Business continuity
► Asset and portfolio
management
► IT infrastructure
capacity
► IT security/privacy
► Financial reporting
Evaluate management and control activities
Deliver superior
Systems and applications
► IT process duplication
and inefficiencies
Link risks to IT processes
Strategic planning
Link objectives to risks
IT governance
and strategy
Evaluate the significance of the risk to IT objectives
Guidance and oversight
Change
management
Service level
management
Production
support
Security and
data
management
Problem and
incident
management
Project/program
management
Customer
support
Regulatory Expectations
► Failure to establish and maintain an internal control
environment which aligns stakeholders and regulatory
expectations
► Failure to identify relevant laws and regulations
► Lack of procedures to comply with applicable laws and
regulations
► Insufficient or inadequate training of staff on regulatory
requirements
► Failure to establish adequate working relationship with
regulators or authorities
Page 21
Auditing Governance Functions
Thank you!
►
Questions?
Page 22
Auditing Governance Functions

similar documents