Auditing Governance Functions


Auditing Governance Functions, Page 2

Agenda

► Defining Corporate Governance

► Internal Audit’s Role in Corporate Governance

► Areas of Audit Focus

► Regulatory Considerations


Governance Functions

► The regulatory and rating agency landscape has changed, with increased scrutiny on Governance functions, such as:
  ► Board / Governance Reporting
  ► Enterprise and Operational Risk Management
  ► Technology
  ► Emerging Risks
  ► Continuous Monitoring


Corporate Governance

► Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
  ► Board of Directors
  ► Audit and Risk Committees
  ► Corporate Committee Structure
  ► Management
  ► Enterprise Risk Program
  ► Compliance and Regulatory Program
  ► Technology Program
  ► Social Responsibility Program


Internal Audit’s Role in Governance

► Internal Audit’s role in governance is as follows:
  ► Independent testing and verification of the efficacy of corporate standards and business line compliance
  ► Validate the overall risk framework
  ► Provide assurance that the risk management process is functioning as designed, and identify improvement opportunities

Through its dual consulting and assurance roles, internal audit can provide tremendous value to a dynamic organization by focusing on areas of greatest exposure, complex operations and key business initiatives, to validate that the organization is well controlled and operating effectively and efficiently to meet the strategic goals of the firm.


Governance Functions

► Internal audit must assess and make appropriate recommendations for improving Governance in its accomplishment of the following objectives:
  ► Promoting appropriate ethics and values within the organization
  ► Ensuring effective organizational performance management and accountability
  ► Communicating risk and control information to appropriate areas of the organization
  ► Coordinating the activities of, and communicating information among, the board, auditors, and management


Enterprise Risk Management

► Enterprise Risk Management Considerations
  ► Commensurate with the size, risk profile, complexity, and growth of the enterprise
  ► Provide increased business awareness
  ► Incorporate risk considerations in decision making across the enterprise


ERM Framework

Step 1: Establish ERM Framework
  • Identify Project Champion
  • Identify Project Owner
  • Establish Steering Committee

Step 2: Identify Key Objectives
  • List Key Objectives
  • Prioritize Key Objectives
  • Select objectives for assessments

Step 3: Identify Key Risks
  • Assess Risk
  • Assign Risk Rating

Step 4: Manage Risk
  • Identify control and mitigation requirements
  • Develop Mitigation Plans for key risks
  • Perform periodic status reviews
  • Repeat steps 2 – 4 for additional control objectives


Enterprise Risk Management

► No formal framework to identify, prioritize and communicate risks

► No ongoing risk monitoring and/or risk management enhancement activities

► Risk appetite not articulated or defined

► Lack of awareness of the Enterprise Risk Appetite

► Failure to communicate with executive management, the audit committee, and business units on a consistent and formal basis to discuss expectations, business strategies, objectives and initiatives

► Policies and procedures do not exist, are not documented, are inadequate or are not followed


Enterprise Risk Management (continued)

► Performance goals and objectives drive behavior inconsistent with overall Enterprise ethics or standards


Corporate Social Responsibility (CSR)

► CSR: The way firms integrate social, environmental, and economic concerns into their values, culture, decision-making, strategy and operations in a transparent and accountable manner, thereby establishing better practices within the firm and contributing to improvements in society.

► Responsibility:
  ► Board of Directors
  ► CSR Executive
  ► Management


CSR Risks

► Reputational Risk
► Compliance Risk
► Operational Risk
► Liability Risk
► External Business Relationships Risk


CSR Risks (continued)

► Reputational Risk
  ► Violations of law or principles
  ► Errors or omissions in disclosed CSR information
  ► Under-performance compared with objectives/targets
  ► Appearance of indifference to social issues

► Compliance Risk
  ► Failure to comply due to the extent, complexity, and volume of regulations relating to the environment, health and safety, employment, governance, political contributions, conflict of interest, and fraud.
  ► Contractual obligations with third parties, such as customers, unions, or employees, and from voluntary adoption of standards.


CSR Risks (continued)

► Operational Risk
  ► CSR “pressure points” for the organization’s manufacturing processes, products, services and impact on the environment.
  ► Under-performance of other targets due to inappropriate CSR strategies, or over-emphasis on CSR strategies.
  ► Failure to integrate CSR objectives into processes, or to educate staff appropriately.
  ► Failure to develop well-controlled systems for CSR initiatives.
  ► Inaccurate or incomplete reporting information.
  ► The challenge of applying the same standards across multiple countries.


CSR Risks (continued)

► Liability Risk
  ► During contracting for CSR terms and conditions and ensuring third-party compliance.
  ► Activists or specific classes/special interest groups may take legal action for alleged harm done by the organization.

► External Business Relationships
  ► Customers, suppliers, or partners could violate CSR terms and conditions, principles, or laws, yet the organization could be included as a wrongdoer by association.


Technology: IT governance follows a lifecycle

► Understanding the as-is governance structure enables the organization to make only the necessary changes

► Building principles based on organization-specific drivers is the basis for a working governance model

► The governance principles will act as the foundation of the governance framework and set the scene for the later model

► After running through the lifecycle once, organizations are able to iterate the governance lifecycle without external support

IT governance should not be a one-time exercise.


IT governance decision areas

IT principles
► How IT is used within the business
► Providing direction for IT delivery

IT architectures
► Organisation and structure of IT assets
► Approach to integration of IT assets

IT infrastructure
► Enabling applications and architecture
► Managing IT assets

Applications
► How to support business processes
► Software platforms

IT investments
► Determining the total IT spend
► Prioritising conflicting investment needs

► Governance decisions are taken either in a centralised or in a decentralised way

► By the business, by IT, or by both together

► Mechanisms have to be aligned to the organizational and operating model as well as the IT strategy


Aligning business and IT on different levels

[Diagram: a layered model aligning business and IT. Business level: Board, CEO, COO; business management; business process owner; key user; business process frameworks. Joint IT governance boards: IT Executive Steering Committee; IT Governance Council; IT governing bodies (architecture and technology boards; service delivery boards); service delivery through business and IT. IT level: CIO, CTO, senior IT management; IT management; IT client manager / architecture owner; service manager; IT service management frameworks, e.g. ITIL. Roles shown across the layers: Approve, Decide, Facilitate, Design.]


IT governance domains

Planning
► Developing IT strategy including sourcing philosophy
► Building the corporate IT organization
► Setting corporate IT goals
► Agreeing on IT performance targets with IT customers

Leadership
► Setting the overall direction for IT within the corporation
► Maintaining cultural values, corporate image and voice
► Representing the corporation’s key IT stakeholders

Coordination and compliance
► Ensuring compliance with IT standards and obligations
► Coordinating IT activities between IT demand and supply
► Coordinating IT deployment

Monitoring and control
► Qualitative benchmarking
► Managing service levels
► Managing a penalty system
► Identifying areas for service improvement

Capital allocation
► Determining capital available
► Determining IT investment criteria
► Reviewing bids for capital
► Allocating resources

Policy
► Setting the fundamental IT operating procedures
► Establishing standards, rules and guidelines
► Defining technical and application architectures


Technology Governance Considerations

[Diagram: three linked elements, IT objectives and strategies, inherent key IT risks, and IT processes, connected in a cycle. Arrow labels: link objectives to risks; evaluate the significance of the risk to IT objectives; link risks to IT processes; evaluate management and control activities.]

Inherent key IT risks

► IT process duplication and inefficiencies

► Emerging technologies

► Technology direction

► System disruptions

► Contracts/3rd party vendors – outsourcing

► Records retention

► Regulatory compliance

► People management

► Global sourcing

► Business continuity

► Asset and portfolio management

► IT infrastructure capacity

► IT security/privacy

► Financial reporting

[Diagram labels for IT objectives and IT processes, recovered in the order they appear: Guidance and oversight; Strategic planning; Superior service support and delivery; Continuity of services; Protection of information; Optimize operating efficiency; Effectively manage security risk; Information security and protection; IT operations; IT governance and strategy; IT development and design; Infrastructure and asset management; Change management; Service level management; Production support; Security and data management; Customer support; Deliver superior systems and applications; Technology enablement to achieve business objectives; Project/program management; Problem and incident management.]


Regulatory Expectations

► Failure to establish and maintain an internal control environment which aligns stakeholder and regulatory expectations

► Failure to identify relevant laws and regulations

► Lack of procedures to comply with applicable laws and regulations

► Insufficient or inadequate training of staff on regulatory requirements

► Failure to establish an adequate working relationship with regulators or authorities


Thank you!

► Questions?