EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS
FOR GOOD CORPORATE GOVERNANCE

Presenter: Claire Gomez Miller CIA CRMA FCCA
Chief Audit Executive
The National Gas Company of Trinidad & Tobago Limited
AGENDA – EFFECTIVE INTERNAL AUDITING AND INTERNAL CONTROLS FOR GOOD CORPORATE GOVERNANCE
1) Overview & Global Definitions of Corporate Governance
2) Internal Auditing – 100% Focus on Controls, Risk & Governance
3) Standards for Effective Internal Auditing & Controls - Institute of Internal Auditors & COSO
4) Responsibilities of Board of Directors, Board Audit Committee, Management & Internal Auditors for Effective Control of Risks
5) Examples of Governance Risks that must be controlled for Good Governance
6) Effective Internal Auditing & Controls for Good Corporate Governance – Factors that make an Internal Audit Function Ineffective
7) Internal Audit Independence
8) Pillars of Good Corporate Governance - Working Together for Strong Governance
July2013 CGM 2
[Diagram: Governance model – Company Law; Shareholder; Global Regulations; Functional; Corporate Management (CEO/President & EMT); T&T Citizens]
GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE
• Corporate or Organizational Governance
• Common elements present in most definitions of Corporate Governance describe it as “the policies, processes, and structures used by organizations to direct and control its activities, achieve its objectives, and protect the interests of its diverse stakeholder groups in a manner consistent with appropriate ethical standards.”
• The INSTITUTE OF INTERNAL AUDITORS defines Corporate Governance as “The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE
BELGIUM: “‘Corporate governance’ refers to the set of rules applicable to the management and control of a company. It is the duty of the board of directors to manage the company's affairs exclusively in the interests of the company and all its shareholders, within the framework of the laws, regulations, and conventions under which the company operates.”
{Belgium Commission on Corporate Governance, Corporate Governance for Belgium Listed Companies, December 1998}
GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE
AUSTRALIA: “Corporate governance is the system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized.”
{The Australian Stock Exchange Corporate Governance Council, Principles of Good Corporate Governance and Best Practice Recommendations, March 2003}
GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE
CANADA: “‘Corporate governance’ means the process and structures used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers, and communities.”
{Canada’s Toronto Stock Exchange Committee on Corporate Governance, Dey Report, December 1994}
GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE
JAPAN: “The nature of supervision by a present-day board of directors, having independent directors at the heart of its activities, is the undertaking of appropriate monitoring from the aspect of fulfilling the duties entrusted to them, while motivating the executive managers and employees with an appropriate compensation system in order to encourage independence. The balancing of this supervision (from the standpoint of the shareholders) with management (the administration of the company business) is called governance.
Governance, which is the primary role of the independent director, is to ensure the introduction and correct functioning of the internal audit and compensation systems.
Corporate governance is a scheme for ensuring that the executive managers, who have been placed in charge of the company, fulfill their duties.”
{Japan Corporate Governance Committee, Corporate Governance Forum of Japan, Revised Corporate Governance Principles, revised October 2001.}
GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE
UNITED KINGDOM: “Corporate governance is the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders' role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business, and reporting to the shareholders on their stewardship. The board's actions are subject to laws, regulations, and the shareholders in general meeting.”
{United Kingdom - Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury committee), December 1992.}
INTERNAL AUDITING: 100% FOCUS ON CONTROLS, RISK & GOVERNANCE
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
International Standards for the Professional Practice of Internal Auditing
The Standards – Mandatory Element Under the International Professional Practices Framework (IPPF)
IPPF elements: Mandatory; Non-mandatory (Strongly recommended)
https://global.theiia.org/standardsguidance/Pages/Standards-and-GuidanceIPPF.aspx
Source: Institute of Internal Auditors Inc.
COSO INTERNAL CONTROL-INTEGRATED FRAMEWORK
• The COSO Internal Control-Integrated Framework guides the work of the Internal Auditor when evaluating an organization’s internal control system.
• Originally formed in 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence.
• COSO’s sponsoring organizations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). www.coso.org
INTERNAL CONTROL
Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.
Control Environment: The attitude and actions of Board and Management regarding the significance of control within the organization. It provides the discipline and structure for the achievement of the primary objectives of the system of internal control, and includes elements of:
• Integrity and ethical values.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.
BOARD OF DIRECTORS & THE EFFECTIVE CONTROL OF RISKS
• Risk is defined as anything that prevents the achievement of objectives; therefore, to achieve its Objectives, a Company must manage its Risks.
BOD must
• Ensure Company has effective, ongoing process to Identify, Measure & Proactively Manage & Control Business Risks;
• Provide Risk Tolerance Levels that support effective Risk Taking by Management.
• Have on its Agenda
  – a report on High Risk issues that pose potential liability to
    • Company
    • Directors
    • Shareholders
  – the Management & Control of those risks.
EFFECTIVE CONTROLS IN THE MANAGEMENT OF RISKS
RISK MANAGEMENT IS CONFORMANCE AND PERFORMANCE.
• Risk Management seeks to balance the required conformance of corporate governance and healthy risk-taking for performance improvement.
• Managers must avoid the downside of financial & reputational loss whilst managing the upside actions that increase financial performance.
• Managing the Upside of Risk:
  • risk is inherent in business;
  • nature and extent may differ between size and type of organisation;
  • company takes risks in order to pursue opportunities to earn returns for its owners;
  • striking a balance between risk and return is key to maximizing shareholder wealth.
• Managing the Downside of Risk requires a combination of conformance and performance:
  • Use of Conformance Frameworks
  • Establishment of Controls
BOARD AUDIT COMMITTEE
• BOARD AUDIT COMMITTEE is responsible for:
  – monitoring, overseeing, and evaluating the duties and responsibilities of management, the internal audit activity, and the external auditors as those duties and responsibilities relate to the organization’s processes for controlling its operations and managing its risks.
  – determining that all major issues reported by the internal auditing department, the external auditor, and other outside advisors have been satisfactorily resolved.
  – reporting to the full Board all important matters pertaining to the organization’s controlling and risk management processes.
MANAGEMENT’S RESPONSIBILITY
• Controlling & risk management are functions of management and are integral parts of the overall process of managing operations.
• As such, it is the responsibility of managers at all levels of the organization to:
  – Identify and evaluate the exposures to loss which relate to their particular sphere of operations.
  – Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.
  – Establish practical controlling processes that require and encourage directors, officers, and employees to carry out their duties and responsibilities in a manner that achieves the five control objectives outlined in the preceding paragraph.
  – Maintain the effectiveness of the controlling processes they have established and foster continuous improvement to these processes.
MANAGEMENT’S RESPONSIBILITY
Management is charged with the responsibility for establishing a network of processes with the objective of controlling the operations of the Company in a manner which provides the board of directors reasonable assurance that:
– Data and information published either internally or externally is accurate, reliable, and timely.
– The actions of directors, officers, and employees are in compliance with the organization’s policies, standards, plans and procedures, and all relevant laws and regulations.
– The organization’s resources (including its people, systems, data/information bases, and customer goodwill) are adequately protected.
– Resources are acquired economically and employed profitably; quality business processes and continuous improvement are emphasized.
– The organization’s plans, programs, goals, and objectives are achieved.
INTERNAL AUDITORS & EFFECTIVE CONTROLS
IIA STANDARD 2100 – Nature of Work: Internal Audit must evaluate and contribute to the improvement of Governance, Risk Management, and Control processes using a systematic and disciplined approach.
IIA STANDARD 2110 – Governance: IA must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
– Promoting appropriate ethics and values within the organization;
– Ensuring effective organizational performance management and accountability;
– Communicating risk and control information to appropriate areas of the organization; and
– Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
INTERNAL AUDITORS
IIA STANDARD 2110 – Governance
2) Must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
3) Must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
4) Consulting engagement objectives must be consistent with the overall values and goals of the organization.
IIA STANDARD: 2130 – CONTROL
1) Internal Audit must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2) Must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
– Achievement of the organization’s strategic objectives;
– Reliability and integrity of financial & operational information;
– Effectiveness and efficiency of operations;
– Safeguarding of assets; and
– Compliance with laws, regulations, and contracts.
IIA STANDARD: 2130 – CONTROL (continued)
3) Should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
4) Should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
IIA STANDARD 2010 - PLANNING
The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board.
The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
Examples of Governance Risks that must be controlled for Good Governance
1) Directors Breach of Fiduciary Duties
2) Lack of Director Proficiency & Care
3) Misdirection of Organization
4) Reckless Risk Taking
5) Uncontrolled Organization
6) Mis-procurement
7) Corruption & Bribery
8) Conflict of Interest
9) Group Think
10) Board Room Bullying
11) Financial Reporting & Disclosures
12) Corporate Fraud
13) Financial Distress
14) Poor Corporate Performance
15) Loss of License to operate
16) Business Interruption/discontinuity
17) Impaired Auditors - lack of Independence, Objectivity, Professionalism & Integrity
18) Lack of Audit Proficiency & Care
19) False Assurance
20) Limitation of Audit Scope
21) Non Implementation of Audit Recommendations
22) Ineffective Corporate Social Responsibility
23) Corporate Non-Compliance & Unethical Conduct
24) Breach of Public Trust
EFFECTIVE INTERNAL AUDITING & CONTROLS FOR GOOD CORPORATE GOVERNANCE
• Comes from within the Board of Directors, Board Audit Committee, Executive Management and the Internal Audit Function.
• Factors that make an Internal Audit Function ineffective:
  1. Insufficient focus on Areas of High Risk & Strategic Priorities
  2. Lack of adequate resource & compensation
  3. Limitation of Scope
  4. Communication Barriers between Internal Audit and BAC, Board and Senior Management
  5. Lack of Proficiency and Care in conduct of duties – BAC or IA
  6. Non compliance with Professional/Regulatory Standards for the practice of Internal Auditing & Corporate Governance
  7. Conflict of Interest
  8. Lack of independence, objectivity, integrity - Board Audit Committee or Internal Audit.
INTERNAL AUDIT INDEPENDENCE
• IIA Standard 1110 - Organizational Independence
• The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
• The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
• Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board.
INTERNAL AUDIT INDEPENDENCE
• Examples of functional reporting to the board involve the board:
  – Approving the internal audit charter;
  – Approving the risk based internal audit plan;
  – Approving the internal audit budget and resource plan;
  – Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
  – Approving decisions regarding the appointment and removal of the chief audit executive;
  – Approving the remuneration of the chief audit executive; and
  – Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.
ALL PILLARS OF GOVERNANCE MUST BE OF SINGULAR MIND IN INTEGRITY, PROFICIENCY & PROFESSIONALISM FOR GOOD CORPORATE GOVERNANCE, EFFECTIVE INTERNAL AUDITING AND CONTROLS:
The Board of Directors, Board Audit Committee, Chief Executive Officer, Company Secretary, External Auditor & the Chief Audit Executive/Internal Audit.