CHAPTER 3

GOVERNANCE

Chapter 3 Learning Objectives

2

Define governance and contrast the different roles and

responsibilities within governance. Articulate the different enterprise-wide governance principles. Describe the changes in regulations and how governance has evolved to its present state. Describe the role of the internal audit function in the governance process. Know where to find information about governance codes and regulations from countries around the world.

Exhibit 3-2
3

Internal Auditing: Assurance and Consulting Services, 2nd

Governance (from book)

4

The combination of processes and structures

implemented by the Board to inform, direct, manage, and monitor the activities of the organization towards the achievement of its objectives.

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Key Points
5

Not distinct and separate processes and structures

interrelationships between governance, risk, and controls Must consider risk when setting strategy Must rely on internal controls and communication

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

OECD Corporate Governance Principles

6

First released in May 1999 and revised in 2004,

the OECD Principles are one of the 12 key standards for international financial stability of the Financial Stability Forum (FSF) and form the basis for the corporate governance component of the Report on the Observance of Standards and Codes of the World Bank Group.

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

OECD Definition
7

Corporate governance involves a set of relationships

between a companys management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.

According to Cadbury Report,

8

Corporate Governance is the system by which

companies are directed and controlled

Good corporate governance allows boards of

directors to be free to drive their companies forward, but exercise that freedom within a framework of effective accountability.

According to Wikipidi
9

Corporate governance is the set of processes,

customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed. The principal stakeholders are the shareholders, management, and the board of directors. Other stakeholders include employees, customers, creditors, suppliers, regulators, and the community at large.

Codes from around the world

10

http://www.ecgi.org/codes/all_codes.php

Bangladesh
11

I. Mission of the Board of Directors Principle: The Board of Directors should lead and oversee strategy and policy of the company and provide direction to the management. Board actions should be in the best interests of the company and shareholders.

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Brazil
12

Corporate Governance is a corporate managing and

monitoring system, involving relations with the Owners, Board of Directors, Officers, Independent Auditors, and Fiscal Council. Good corporate governance practices are geared to add value to a company, facilitate its access to capital and contribute to its perpetuation.

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Exhibit 3-3
13

Some Video Clips

14

http://www.youtube.com/watch?v=KXd70r75V2w http://www.youtube.com/watch?v=awUgAYks-Y8 http://www.youtube.com/watch?v=wYtN-8st9xs

http://www.youtube.com/watch?v=ra-Sxjjv3-g
http://www.youtube.com/watch?v=1jV0AUjx6Ik

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Strategy
15

How management plans to achieve the

organizations objectives

Key Business Objectives Stakeholder Expectations Performance Measures Risk Appetite

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Exhibit 3-4
16

Roles and Responsibilities within Governance

17

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Knowledge Check
18

Which of the following represents the best governance structure? Operating Mgmt a. Responsibility for Risk b. Oversight Role c. Responsibility for Risk d. Oversight role Executive Mgmt Oversight role Responsibility for Risk Advisory Role Advisory Role Internal Auditing Advisory role Advisory Role Oversight Role Responsibility for Risk

Board
19

Governance begins with the Board Board provides direction Board is accountable to stakeholders

Governance is executed by management

Internal and external activities provide management

and the board with assurance regarding effectiveness of governance

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Stakeholders
20

Directly Involved Employees, Customers, Vendors Interested Investors Influence Regulatory agencies, Rating Agencies,

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

How does the Board enact good governance?

21

Governance Committee Determine desired outcomes Determine unacceptable outcomes

Articulate Requirements
Set Risk Appetite Delegate authority Establish reporting threshold Reevaluate periodically

One Big Fours List of Board HOT TOPICS in Governance for 2011
22

Risk Management where everyone minds the business Sustainable Development the next transforming wave of change Strategy Development the board as hands-on strategy leader Strategy Execution Linking performance to strategy

Corporate Planning past results do not ensure future performance

Shareholder engagement the conversations are two-way Board evaluations the best Boards have regular performance checks Boardroom efficiency do the right things better Director education never stop learning Succession planning the long and short of talent development Regulatory change anticipating change for competitive advantage

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Spencer Stuart 5 Things Boards Should be Looking at

23

Board Effectiveness Strategy Risk Oversight

Sustainability
Succession http://www.spencerstuart.com/research/articles/14

75

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

You Get What You Measure

24

Measures are critical to such governance Measure the wrong things and results can be disastrous. Measure the right onesaligned with the strategic plan and

related business objectivesand managers are motivated and work together toward achieving corporate goals. Identifying what drives value and then linking those drivers to measurements

25

Governance Maturity Model

Key Questions Directors Should be Asking

26

Key Questions Directors Should be Asking

27

Key Questions Directors Should be Asking

28

Key Questions Directors Should be Asking

29

30

Eight Priorities for 2013 (from the IIA)

31

Crisis Management Fraud and Ethics Regulatory Compliance

Social Media
Employee Talent Management Emerging Technologies ERM Globalization and Geopolitical Risks

Setting the Risk Appetite Defining Risk Tolerance 32

Risk Appetite: The amount of risk, on a broad

level, an organization is willing to accept in pursuit of its business objectives

Risk Tolerance: The acceptable levels of risk size

and variation relative to the achievement of objectives, which must alight with the risk appetite of the organization.

How to set Risk Appetite?

33

Determine stakeholders

Determine needs and expectations of stakeholders

Identify potential outcomes that would be

unacceptable to stakeholders (harm and missed opportunities)

Consider outcomes in Financial, Compliance, Operational, and Strategic areas

Set tolerance levels/boundaries within which

management should run organization

Cool video on the need to link risk and strategy

34

http://www.youtube.com/watch?v=qI0b4YZBp4k

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

How does management enact good governance?

35

Understanding the Boards expectations, directions,

risk appetite, and delegated authority A process to identify, manage, and report on risks Process to delegate authority to risk holders Gathering information to report on risks for decision making and for Board

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

How does management enact governance responsibilities?

36

Establish a risk committee to identify risks, linked to

management activities, and assigned to risk owners Evaluate on-going risk appetite and ensure tolerance levels are consistent with risk appetite Articulate reporting requirements nature, format, timing of communication Reevaluate governance expectations periodically

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Knowledge Check
37

Which of the following are typical governance responsibilities of senior management? I. Establishing a governance committee of the board II. Delegating risk tolerance levels to risk managers III. Monitoring day-to-day performance of specific risk management activities IV. Ensuring that sufficient information is gathered to support reporting to the board.
II and III

I, II, and IV
II and IV I, II, III, and IV

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

What do Risk Owners Do?

38

Day to day responsibility for ensuring that risk

management activities effectively manage risks within the organizations risk appetite. Keep risks within tolerable boundaries Identify, measure, manage, monitor, and report on their risks Front line of managing risks key contributors to good governance

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Risk Owner Activities

39

Assessment of risks in terms of inherent nature of

risk, source of risk, potential impact, proposed tolerance level, expected risk management activities. Reevaluate risk management activities periodically Assess risk management capabilities Monitor risk management activities Report risk management activities

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Exhibit 3-6
40

Assurance Activities
41

An objective examination of evidence for the purpose

of providing an independent assessment on governance, risk management, and control processes for the organization
Can be by external or internal parties; most

commonly by internal audit function

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

The Board's Oversight Role

42

A board is not responsible for devising either

measures or the measurement process. That's management's job. But it is responsible for ensuring that management has instituted meaningful measures to enable management to track and monitor performance and take swift corrective action where needed.

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Continued
43

The board needs to know that it is getting the right

information, on a timely basis, with management's analysis of where issues lie and what management plans to do. Ultimately, the board needs to know that a process is firmly in place to provide the information they need to conduct meaningful oversight and assess progress toward effective strategy implementation and achievement of stated goals.

Internal Audits Role

44

Exhibit 3-1
45

2010 Planning
46

The chief audit executive must establish a risk-based plan to

determine the priorities of the internal audit activity, consistent with the organization's goals Interpretation: The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organizations business, risks, operations, programs, systems, and controls.

2100 Nature of Work

47

The internal audit activity must evaluate and

contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

2100 - Nature of Internal Audits Work

48

Help assess and improve governance by: Promoting appropriate ethics and values Ensuring effective performance management and accountability Effectively communicating risk and control information Effectively coordinating the activities and communicating information

2110 Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: Promoting appropriate ethics and values within the organization; Ensuring effective organizational performance management and accountability; Communicating risk and control information to appropriate areas of the organization; and Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
49

Implementation Standards under 2110

50

2110.A1- The internal audit activity must evaluate the

design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
2110.A2 - The internal audit activity must assess whether

the information technology governance of the organization supports the organization's strategies and objectives.

IA Activities to evaluate governance

51

Ensure it understands Boards governance direction and

expectations, including its expectation of IA

Support managements risk management program Involvement in risk management program Education Risk assessments oversight and input to risk decisions Develop an IA plan that encompasses governance

Continued
52

Determining whether the assertions made by the risk

owners to senior management regarding the effectiveness of the risk management activities accurately reflect the current state of risk management effectiveness.
Determining whether the assertions made by senior

management to the board regarding the effectiveness of the risk management activities provide the board with the information it desires about the current state of risk management effectiveness.

Continued.
53

Evaluating whether risk tolerance information is

communicated timely and effectively from both the board to senior management and from senior management to the risk owners.

Assessing whether there are any other risk

areas that are currently not included in the governance process, but should be (for example, a risk for which risk tolerance and reporting expectations have not been delegated to a specific risk owner).

Internal Auditing: Assurance and Consulting Services, 2nd Edition 2009 by The Institute of

Other Roles of Internal Auditing in Governance

54

Board Risks, Controls, and Practices Audit specific documented governance processes Provide assurance on ways to improve governance

processes if they are not mature Contribute to governance structures through audits Act as facilitators, assisting board in self-assessment of governance activities Observe and formally assess GRC structural design and operational effectiveness

IAs Activities to Evaluate Governance

55

Evaluating whether the various risk management

activities are designed adequately to manage the risks associated with unacceptable outcomes.
Testing and evaluating whether the various risk

management activities are operating as designed.

Aspects of Ethics Audits

56

A "clear and understandable" formal code of conduct and

related statements, policies--including procedures covering fraud and corruption--and other "expressions of aspiration." The communications and demonstrations of expected ethical attitudes and behavior by the leaders of the organization. Explicit strategies the firm uses to enhance its ethical culture. Multiple means of confidentially reporting misconduct.

Continued
57

Regular declarations by employees, suppliers,

and customers that they understand the requirements for ethical behavior in conducting the organization's business. Clear delegation of responsibilities to ensure that ethical consequences are evaluated, that confidential counseling is provided, that allegations of misconduct are investigated, and that case findings are properly reported. Easy access to "learning opportunities to enable all employees to be ethics advocates."

Continued
58

Personnel practices that encourage employees to

be ethical. Regular use of surveys to determine the organization's ethical climate. Regular reviews of processes that might undermine the organization's ethical culture. Regular reference and background checks as part of the hiring process.