Auditing Governance Functions

gurglejapaneseManagement

Nov 18, 2013


Agenda

- Defining Corporate Governance
- Internal Audit’s Role in Corporate Governance
- Areas of Audit Focus
- Regulatory Considerations

Governance Functions

The regulatory and rating agency landscape has changed, with increased scrutiny on governance functions such as:

- Board / Governance Reporting
- Enterprise and Operational Risk Management
- Technology
- Emerging Risks
- Continuous Monitoring

Corporate Governance

Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

- Board of Directors
- Audit and Risk Committees
- Corporate Committee Structure
- Management
- Enterprise Risk Program
- Compliance and Regulatory Program
- Technology Program
- Social Responsibility Program

Internal Audit’s Role in Governance

Internal Audit’s role in governance is as follows:

- Independent testing and verification of the efficacy of corporate standards and business line compliance
- Validate the overall risk framework
- Provide assurance that the risk management process is functioning as designed, and identify improvement opportunities

Through its dual consulting and assurance roles, internal audit can provide tremendous value to a dynamic organization by focusing on the areas of greatest exposure, complex operations and key business initiatives, to validate that the organization is well controlled and operating effectively and efficiently to meet the strategic goals of the firm.

Governance Functions

Internal audit must assess, and make appropriate recommendations for improving, governance in its accomplishment of the following objectives:

- Promoting appropriate ethics and values within the organization
- Ensuring effective organizational performance management and accountability
- Communicating risk and control information to appropriate areas of the organization
- Coordinating the activities of, and communicating information among, the board, auditors, and management


Enterprise Risk Management

Enterprise Risk Management Considerations:

- Commensurate with the size, risk profile, complexity, and growth of the enterprise
- Provides increased business awareness
- Incorporates risk considerations into decision making across the enterprise

ERM Framework

Step 1: Establish ERM Framework
- Identify Project Champion
- Identify Project Owner
- Establish Steering Committee

Step 2: Identify Key Objectives
- List Key Objectives
- Prioritize Key Objectives
- Select objectives for assessment

Step 3: Identify Key Risks
- Assess Risk
- Assign Risk Rating

Step 4: Manage Risk
- Identify Control and Mitigation Requirements
- Develop Mitigation Plans for key risks
- Perform periodic status reviews
- Repeat Steps 2-4 for additional control objectives

Enterprise Risk Management (continued)

- No formal framework to identify, prioritize and communicate risks
- No ongoing risk monitoring and/or risk management enhancement activities
- Risk appetite not articulated or defined
- Lack of awareness of the enterprise risk appetite
- Failure to communicate with executive management, the audit committee, and business units on a consistent and formal basis to discuss expectations, business strategies, objectives and initiatives
- Policies and procedures do not exist, are not documented, are inadequate or are not followed
- Performance goals and objectives drive behavior inconsistent with overall enterprise ethics or standards

Corporate Social Responsibility (CSR)

CSR: the way firms integrate social, environmental, and economic concerns into their values, culture, decision-making, strategy and operations in a transparent and accountable manner, and thereby establish better practices within the firm and contribute towards improvements in society.

Responsibility:

- Board of Directors
- CSR Executive
- Management

CSR Risks

- Reputational Risk
- Compliance Risk
- Operational Risk
- Liability Risk
- External Business Relationships Risk

CSR Risks (continued)

Reputational Risk
- Violations of law or principles
- Errors or omissions in disclosed CSR information
- Under-performance compared with objectives/targets
- Appearance of indifference to social issues

Compliance Risk
- Failure to comply due to the extent, complexity, and volume of regulations relating to the environment, health and safety, employment, governance, political contributions, conflict of interest, and fraud
- Contractual obligations with third parties, such as customers, unions, or employees, and from voluntary adoption of standards

CSR Risks (continued)

Operational Risk
- CSR “pressure points” for the organization’s manufacturing processes, products, services and impact on the environment
- Under-performance against other targets due to inappropriate CSR strategies, or over-emphasis on CSR strategies
- Failure to integrate CSR objectives into processes, or to educate staff appropriately
- Failure to develop well-controlled systems for CSR initiatives
- Inaccurate or incomplete reporting information
- Challenge of applying the same standards across multiple countries

CSR Risks (continued)

Liability Risk
- During contracting for CSR terms and conditions, and in ensuring third-party compliance
- Activists or specific classes/special interest groups may take legal action for alleged harm done by the organization

External Business Relationships Risk
- Customers, suppliers, or partners could violate CSR terms and conditions, principles, or laws, yet the organization could be included as a wrongdoer by association


Technology

IT governance follows a lifecycle; it should not be a one-time exercise.

- Understanding the as-is governance structure enables the organization to make only the necessary changes
- Building principles based on organization-specific drivers is the basis for a working governance model
- The governance principles act as the foundation of the governance framework and set the scene for the later model
- After running through the lifecycle once, organizations are able to iterate the governance lifecycle without external support

IT governance decision areas

- IT principles: how IT is used within the business; providing direction for IT delivery
- IT architectures: organisation and structure of IT assets; approach to integration of IT assets
- IT infrastructure: enabling applications and architecture; managing IT assets
- Applications: how to support business processes; software platforms
- IT investments: determining the total IT spend; prioritising conflicting investment needs

Governance decisions are taken either centralised or decentralised, by the business, IT or both. Mechanisms have to be aligned to the organizational and operations model as well as to the IT strategy.

Aligning business and IT on different levels

The slide's diagram aligns business-side and IT-side roles through joint IT governance boards; its rows are labelled with the governance activities Approve, Decide, Facilitate and Design.

- Business level: Board, CEO, COO; business process owner; business management; key user; business process frameworks
- Joint IT governance boards: IT Executive Steering Committee; IT Governance Council; IT governing bodies (architecture and technology boards); IT governing bodies (service delivery boards); service delivery through business and IT
- IT level: CIO, CTO, senior IT management; IT client manager; architecture owner; IT management; service manager; IT service management frameworks, e.g. ITIL

IT governance domains

Planning
- Developing IT strategy, including sourcing philosophy
- Building the corporate IT organization
- Setting corporate IT goals
- Agreeing on IT performance targets with IT customers

Leadership
- Setting the overall direction for IT within the corporation
- Maintaining cultural values, corporate image and voice
- Representing the corporation’s key IT stakeholders

Coordination and compliance
- Ensuring compliance with IT standards and obligations
- Coordinating IT activities between IT demand and supply
- Coordinating IT deployment

Monitoring and control
- Qualitative benchmarking
- Managing service levels
- Managing a penalty system
- Identifying areas for service improvement

Capital allocation
- Determining capital available
- Determining IT investment criteria
- Reviewing bids for capital
- Allocating resources

Policy
- Setting the fundamental IT operating procedures
- Establishing standards, rules and guidelines
- Defining technical and application architectures

Technology Governance Considerations

The slide's diagram links three columns: start from the IT objectives and strategies, link the objectives to the inherent key IT risks, evaluate the significance of each risk to the IT objectives, link the risks to the IT processes, and then evaluate the management and control activities within those processes.

IT objectives and strategies
- Guidance and oversight
- Strategic planning
- Superior service support and delivery
- Continuity of services
- Protection of information
- Optimize operating efficiency
- Effectively manage security risk
- Deliver superior systems and applications
- Technology enablement to achieve business objectives

Inherent key IT risks
- IT process duplication and inefficiencies
- Emerging technologies
- Technology direction
- System disruptions
- Contracts / third-party vendors / outsourcing
- Records retention
- Regulatory compliance
- People management
- Global sourcing
- Business continuity
- Asset and portfolio management
- IT infrastructure capacity
- IT security/privacy
- Financial reporting

IT processes
- Information security and protection
- IT operations
- IT governance and strategy
- IT development and design
- Infrastructure and asset management
- Change management
- Service level management
- Production support
- Security and data management
- Customer support
- Project/program management
- Problem and incident management

Regulatory Expectations

- Failure to establish and maintain an internal control environment that aligns stakeholder and regulatory expectations
- Failure to identify relevant laws and regulations
- Lack of procedures to comply with applicable laws and regulations
- Insufficient or inadequate training of staff on regulatory requirements
- Failure to establish an adequate working relationship with regulators or authorities

Thank you!


Questions?