effective internal auditing & internal controls for good corporate governance

EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR GOOD CORPORATE GOVERNANCE. Presenter: Claire Gomez Miller CIA CRMA FCCA, Chief Audit Executive, The National Gas Company of Trinidad & Tobago Limited

Upload: zubeda

Post on 25-Feb-2016


TRANSCRIPT

Page 1: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR GOOD CORPORATE GOVERNANCE

Presenter: Claire Gomez Miller CIA CRMA FCCA

Chief Audit Executive, The National Gas Company of Trinidad & Tobago Limited

Page 2: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

CGM 2

AGENDA – EFFECTIVE INTERNAL AUDITING AND INTERNAL CONTROLS FOR GOOD CORPORATE GOVERNANCE

1) Overview & Global Definitions of Corporate Governance
2) Internal Auditing – 100% Focus on Controls, Risk & Governance
3) Standards for Effective Internal Auditing & Controls - Institute of Internal Auditors & COSO
4) Responsibilities of Board of Directors, Board Audit Committee, Management & Internal Auditors for Effective Control of Risks
5) Examples of Governance Risks that must be controlled for Good Governance
6) Effective Internal Auditing & Controls for Good Corporate Governance – Factors that make an Internal Audit Function Ineffective
7) Internal Audit Independence
8) Pillars of Good Corporate Governance - Working Together for Strong Governance

July2013

Page 3: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

[Diagram; labels: SHAREHOLDER; BOARD FINANCE COMMITTEE; BOARD OPERATIONS COMMITTEE; BOARD HUMAN RESOURCE COMMITTEE; BOARD TENDERS COMMITTEE; CEO/PRESIDENT & EMT; CORPORATE MANAGEMENT; Company Secretary & Corporate Secretariat; EXTERNAL AUDITORS; T&T CITIZENS; NATIONAL LAWS & REGULATIONS; COMPANY LAW; GLOBAL REGULATIONS; FUNCTIONAL; CONTRACTS: SHAREHOLDERS, EMPLOYEES, SUPPLIERS, CUSTOMERS, CREDITORS.]

Page 4: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

• Corporate or Organizational Governance

• Common elements present in most definitions of Corporate Governance describe it as “the policies, processes, and structures used by organizations to direct and control its activities, achieve its objectives, and protect the interests of its diverse stakeholder groups in a manner consistent with appropriate ethical standards.”

• The INSTITUTE OF INTERNAL AUDITORS defines Corporate Governance as “The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”

Page 5: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

BELGIUM: “"Corporate governance" refers to the set of rules applicable to the management and control of a company. It is the duty of the board of directors to manage the company's affairs exclusively in the interests of the company and all its shareholders, within the framework of the laws, regulations, and conventions under which the company operates.”

{Belgium Commission on Corporate Governance, Corporate Governance for Belgium Listed Companies, December 1998}

Page 6: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

AUSTRALIA: “Corporate governance is the system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized.”

{The Australian Stock Exchange Corporate Governance Council, Principles of Good Corporate Governance and Best Practice Recommendations, March 2003}

Page 7: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

CANADA: “"Corporate governance" means the process and structures used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers, and communities.”

{Canada’s Toronto Stock Exchange Committee on Corporate Governance, Dey Report, December 1994}

Page 8: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

JAPAN: “The nature of supervision by a present-day board of directors, having independent directors at the heart of its activities, is the undertaking of appropriate monitoring from the aspect of fulfilling the duties entrusted to them, while motivating the executive managers and employees with an appropriate compensation system in order to encourage independence. The balancing of this supervision (from the standpoint of the shareholders) with management (the administration of the company business) is called governance. Governance, which is the primary role of the independent director, is to ensure the introduction and correct functioning of the internal audit and compensation systems. Corporate governance is a scheme for ensuring that the executive managers, who have been placed in charge of the company, fulfill their duties.” {Japan Corporate Governance Committee, Corporate Governance Forum of Japan, Revised Corporate Governance Principles, revised October 2001.}

Page 9: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

UNITED KINGDOM: “Corporate governance is the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders' role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business, and reporting to the shareholders on their stewardship. The board's actions are subject to laws, regulations, and the shareholders in general meeting.”

{United Kingdom - Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury committee), December 1992.}

Page 10: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

[Diagram, repeated from Page 3; labels: SHAREHOLDER; BOARD FINANCE COMMITTEE; BOARD OPERATIONS COMMITTEE; BOARD HUMAN RESOURCE COMMITTEE; BOARD TENDERS COMMITTEE; CEO/PRESIDENT & EMT; CORPORATE MANAGEMENT; Company Secretary & Corporate Secretariat; EXTERNAL AUDITORS; T&T CITIZENS; NATIONAL LAWS & REGULATIONS; COMPANY LAW; GLOBAL REGULATIONS; FUNCTIONAL; CONTRACTS: SHAREHOLDERS, EMPLOYEES, SUPPLIERS, CUSTOMERS, CREDITORS.]

Page 11: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

INTERNAL AUDITING: 100% FOCUS ON CONTROLS, RISK & GOVERNANCE

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Page 12: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

International Standards for the Professional Practice of Internal Auditing

The Standards – Mandatory Element Under International Professional Practices Framework

IPPF: https://global.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx

[Diagram labels: Mandatory; Non mandatory; Strongly recommended]

Institute of Internal Auditors INC

Page 13: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

COSO INTERNAL CONTROL-INTEGRATED FRAMEWORK

• COSO Internal Control-Integrated Framework guides the work of the Internal Auditor when evaluating an organization’s internal control system.

• Originally formed in 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence.

• COSO’s sponsoring organizations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). www.coso.org.

Page 14: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

INTERNAL CONTROL

Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

Control Environment: The attitude and actions of Board and Management regarding the significance of control within the organization. It provides the discipline and structure for the achievement of the primary objectives of the system of internal control, and includes elements of:

• Integrity and ethical values.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.

Page 15: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

BOARD OF DIRECTORS & THE EFFECTIVE CONTROL OF RISKS

• Risk is defined as anything that prevents the achievement of objectives; therefore, to achieve its Objectives, a Company must manage its Risks.

BOD must:

• Ensure Company has effective, ongoing process to Identify, Measure & Proactively Manage & Control Business Risks;

• Provide Risk Tolerance Levels that support effective Risk Taking by Management.

• Have on its Agenda:

– a report on High Risk issues that pose potential liability to
  • Company
  • Directors
  • Shareholders

– the Management & Control of those risks.

Page 16: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

EFFECTIVE CONTROLS IN THE MANAGEMENT OF RISKS

RISK MANAGEMENT IS CONFORMANCE AND PERFORMANCE.

• Risk Management seeks to balance the required conformance of corporate governance and healthy risk-taking for performance improvement.

• Managers must avoid the downside of financial & reputational loss whilst managing the upside actions that increase financial performance.

• Managing the Upside of Risk:
  • risk is inherent in business;
  • nature and extent may differ between size and type of organisation;
  • company takes risks in order to pursue opportunities to earn returns for its owners;
  • striking a balance between risk and return is key to maximizing shareholder wealth.

• Managing the Downside of Risk requires a combination of conformance and performance:
  • Use of Conformance Frameworks
  • Establishment of Controls

Page 17: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

BOARD AUDIT COMMITTEE

• BOARD AUDIT COMMITTEE is responsible for:

– monitoring, overseeing, and evaluating the duties and responsibilities of management, the internal audit activity, and the external auditors as those duties and responsibilities relate to the organization’s processes for controlling its operations and managing its risks.

– determining that all major issues reported by the internal auditing department, the external auditor, and other outside advisors have been satisfactorily resolved.

– reporting to the full Board all important matters pertaining to the organization’s controlling and risk management processes.

Page 18: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

MANAGEMENT’S RESPONSIBILITY

• Controlling & risk management are functions of management and are integral parts of the overall process of managing operations.

• As such, it is the responsibility of managers at all levels of the organization to:

– Identify and evaluate the exposures to loss which relate to their particular sphere of operations.

– Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.

– Establish practical controlling processes that require and encourage directors, officers, and employees to carry out their duties and responsibilities in a manner that achieves the five control objectives outlined in the preceding paragraph.

– Maintain the effectiveness of the controlling processes they have established and foster continuous improvement to these processes.

Page 19: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

MANAGEMENT’S RESPONSIBILITY

Management is charged with the responsibility for establishing a network of processes with the objective of controlling the operations of the Company in a manner which provides the board of directors reasonable assurance that:

– Data and information published either internally or externally is accurate, reliable, and timely.

– The actions of directors, officers, and employees are in compliance with the organization’s policies, standards, plans and procedures, and all relevant laws and regulations.

– The organization’s resources (including its people, systems, data/information bases, and customer goodwill) are adequately protected.

– Resources are acquired economically and employed profitably; quality business processes and continuous improvement are emphasized.

– The organization’s plans, programs, goals, and objectives are achieved.

Page 20: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

INTERNAL AUDITORS & EFFECTIVE CONTROLS

IIA STANDARD 2100 – Nature of Work: Internal Audit must evaluate and contribute to the improvement of Governance, Risk Management, and Control processes using a systematic and disciplined approach.

IIA STANDARD 2110 – Governance: IA must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

– Promoting appropriate ethics and values within the organization;
– Ensuring effective organizational performance management and accountability;
– Communicating risk and control information to appropriate areas of the organization; and
– Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

Page 21: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

INTERNAL AUDITORS

IIA STANDARD 2110 – Governance

2) Must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

3) Must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.

4) Consulting engagement objectives must be consistent with the overall values and goals of the organization.

Page 22: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

IIA STANDARD: 2130 – CONTROL

1) Internal Audit must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2) Must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

– Achievement of the organization’s strategic objectives;
– Reliability and integrity of financial & operational information;
– Effectiveness and efficiency of operations;
– Safeguarding of assets; and
– Compliance with laws, regulations, and contracts.

Page 23: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

bf… IIA STANDARD: 2130 – CONTROL

3) Should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

4) Should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

Page 24: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

IIA STANDARD 2010 - PLANNING

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation: The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

Page 25: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

Examples of Governance Risks that must be controlled for Good Governance

1) Directors Breach of Fiduciary Duties
2) Lack of Director Proficiency & Care
3) Misdirection of Organization
4) Reckless Risk Taking
5) Uncontrolled Organization
6) Mis-procurement
7) Corruption & Bribery
8) Conflict of Interest
9) Group Think
10) Board Room Bullying
11) Financial Reporting & Disclosures
12) Corporate Fraud
13) Financial Distress
14) Poor Corporate Performance
15) Loss of License to operate
16) Business Interruption/discontinuity
17) Impaired Auditors - lack of Independence, Objectivity, Professionalism & Integrity
18) Lack of Audit Proficiency & Care
19) False Assurance
20) Limitation of Audit Scope
21) Non Implementation of Audit Recommendations
22) Ineffective Corporate Social Responsibility
23) Corporate Non-Compliance & Unethical Conduct
24) Breach of Public Trust

Page 26: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

EFFECTIVE INTERNAL AUDITING & CONTROLS FOR GOOD CORPORATE GOVERNANCE

• Comes from within the Board of Directors, Board Audit Committee, Executive Management and the Internal Audit Function.

• Factors that make an Internal Audit Function ineffective:

1. Insufficient focus on Areas of High Risk & Strategic Priorities
2. Lack of adequate resource & compensation
3. Limitation of Scope
4. Communication Barriers between Internal Audit and BAC, Board and Senior Management
5. Lack of Proficiency and Care in conduct of duties – BAC or IA
6. Non compliance with Professional/Regulatory Standards for the practice of Internal Auditing & Corporate Governance
7. Conflict of Interest
8. Lack of independence, objectivity, integrity - Board Audit Committee or Internal Audit.

Page 27: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

INTERNAL AUDIT INDEPENDENCE

• IIA Standard 1110 - Organizational Independence

• The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.

• The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

• Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board.

Page 28: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

INTERNAL AUDIT INDEPENDENCE

• Examples of functional reporting to the board involve the board:

– Approving the internal audit charter;
– Approving the risk based internal audit plan;
– Approving the internal audit budget and resource plan;
– Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
– Approving decisions regarding the appointment and removal of the chief audit executive;
– Approving the remuneration of the chief audit executive; and
– Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

Page 29: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE

ALL PILLARS OF GOVERNANCE MUST BE OF SINGULAR MIND IN INTEGRITY, PROFICIENCY & PROFESSIONALISM FOR GOOD CORPORATE GOVERNANCE, EFFECTIVE INTERNAL AUDITING AND CONTROLS:

The Board of Directors, Board Audit Committee, Chief Executive Officer, Company Secretary, External Auditor & the Chief Audit Executive/Internal Audit.

Page 30: EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR  GOOD CORPORATE GOVERNANCE
