EFFECTIVE INTERNAL AUDITING & INTERNAL CONTROLS FOR GOOD CORPORATE GOVERNANCE

Presenter: Claire Gomez Miller, CIA, CRMA, FCCA
Chief Audit Executive, The National Gas Company of Trinidad & Tobago Limited

AGENDA – EFFECTIVE INTERNAL AUDITING AND INTERNAL CONTROLS FOR GOOD CORPORATE GOVERNANCE

1) Overview & Global Definitions of Corporate Governance
2) Internal Auditing – 100% Focus on Controls, Risk & Governance
3) Standards for Effective Internal Auditing & Controls – Institute of Internal Auditors & COSO
4) Responsibilities of Board of Directors, Board Audit Committee, Management & Internal Auditors for Effective Control of Risks
5) Examples of Governance Risks that must be controlled for Good Governance
6) Effective Internal Auditing & Controls for Good Corporate Governance – Factors that make an Internal Audit Function Ineffective
7) Internal Audit Independence
8) Pillars of Good Corporate Governance – Working Together for Strong Governance

July 2013, CGM

[Diagram: governance structure. Labels shown: Company Law, Shareholder, Corporate Management (CEO/President & EMT), T&T Citizens, Global Regulations, with the functional relationships among them.]

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

• Corporate or Organizational Governance
• Common elements present in most definitions of Corporate Governance describe it as “the policies, processes, and structures used by organizations to direct and control its activities, achieve its objectives, and protect the interests of its diverse stakeholder groups in a manner consistent with appropriate ethical standards.”
• The INSTITUTE OF INTERNAL AUDITORS defines Corporate Governance as “The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

BELGIUM: “‘Corporate governance’ refers to the set of rules applicable to the management and control of a company. It is the duty of the board of directors to manage the company's affairs exclusively in the interests of the company and all its shareholders, within the framework of the laws, regulations, and conventions under which the company operates.” {Belgium Commission on Corporate Governance, Corporate Governance for Belgium Listed Companies, December 1998}

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

AUSTRALIA: “Corporate governance is the system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized.” {The Australian Stock Exchange Corporate Governance Council, Principles of Good Corporate Governance and Best Practice Recommendations, March 2003}

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

CANADA: “‘Corporate governance’ means the process and structures used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers, and communities.” {Canada’s Toronto Stock Exchange Committee on Corporate Governance, Dey Report, December 1994}

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

JAPAN: “The nature of supervision by a present-day board of directors, having independent directors at the heart of its activities, is the undertaking of appropriate monitoring from the aspect of fulfilling the duties entrusted to them, while motivating the executive managers and employees with an appropriate compensation system in order to encourage independence. The balancing of this supervision (from the standpoint of the shareholders) with management (the administration of the company business) is called governance. Governance, which is the primary role of the independent director, is to ensure the introduction and correct functioning of the internal audit and compensation systems. Corporate governance is a scheme for ensuring that the executive managers, who have been placed in charge of the company, fulfill their duties.” {Japan Corporate Governance Committee, Corporate Governance Forum of Japan, Revised Corporate Governance Principles, revised October 2001}

GLOBAL DEFINITIONS OF CORPORATE GOVERNANCE

UNITED KINGDOM: “Corporate governance is the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders' role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business, and reporting to the shareholders on their stewardship. The board's actions are subject to laws, regulations, and the shareholders in general meeting.” {United Kingdom – Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury Committee), December 1992}

INTERNAL AUDITING: 100% FOCUS ON CONTROLS, RISK & GOVERNANCE

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

• The Standards – Mandatory Element under the International Professional Practices Framework (IPPF)
• IPPF = Mandatory guidance + Non-mandatory (Strongly recommended) guidance
• https://global.theiia.org/standardsguidance/Pages/Standards-and-GuidanceIPPF.aspx
• Source: Institute of Internal Auditors Inc.

COSO INTERNAL CONTROL – INTEGRATED FRAMEWORK

• The COSO Internal Control – Integrated Framework guides the work of the Internal Auditor when evaluating an organization’s internal control system.
• Originally formed in 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence.
• COSO’s sponsoring organizations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). www.coso.org

INTERNAL CONTROL

Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

Control Environment: The attitude and actions of the Board and Management regarding the significance of control within the organization. It provides the discipline and structure for the achievement of the primary objectives of the system of internal control, and includes elements of:
• Integrity and ethical values.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.

BOARD OF DIRECTORS & THE EFFECTIVE CONTROL OF RISKS

• Risk is defined as anything that prevents the achievement of objectives; therefore, to achieve its Objectives, a Company must manage its Risks.
• The BOD must:
  – Ensure the Company has an effective, ongoing process to Identify, Measure & Proactively Manage & Control Business Risks;
  – Provide Risk Tolerance Levels that support effective Risk Taking by Management;
  – Have on its Agenda a report on High Risk issues that pose potential liability to the Company, the Directors and the Shareholders, and on the Management & Control of those risks.

EFFECTIVE CONTROLS IN THE MANAGEMENT OF RISKS

RISK MANAGEMENT IS CONFORMANCE AND PERFORMANCE.
• Risk Management seeks to balance the required conformance of corporate governance and healthy risk-taking for performance improvement.
• Managers must avoid the downside of financial & reputational loss whilst managing the upside actions that increase financial performance.
• Managing the Upside of Risk:
  – risk is inherent in business;
  – its nature and extent may differ with the size and type of organisation;
  – a company takes risks in order to pursue opportunities to earn returns for its owners;
  – striking a balance between risk and return is key to maximizing shareholder wealth.
• Managing the Downside of Risk requires a combination of conformance and performance:
  – Use of Conformance Frameworks
  – Establishment of Controls

BOARD AUDIT COMMITTEE

• The BOARD AUDIT COMMITTEE is responsible for:
  – monitoring, overseeing, and evaluating the duties and responsibilities of management, the internal audit activity, and the external auditors as those duties and responsibilities relate to the organization’s processes for controlling its operations and managing its risks;
  – determining that all major issues reported by the internal auditing department, the external auditor, and other outside advisors have been satisfactorily resolved;
  – reporting to the full Board all important matters pertaining to the organization’s controlling and risk management processes.

MANAGEMENT’S RESPONSIBILITY

• Controlling & risk management are functions of management and are integral parts of the overall process of managing operations.
• As such, it is the responsibility of managers at all levels of the organization to:
  – Identify and evaluate the exposures to loss which relate to their particular sphere of operations.
  – Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.
  – Establish practical controlling processes that require and encourage directors, officers, and employees to carry out their duties and responsibilities in a manner that achieves the five control objectives outlined on the following slide.
  – Maintain the effectiveness of the controlling processes they have established and foster continuous improvement to these processes.

MANAGEMENT’S RESPONSIBILITY

Management is charged with the responsibility for establishing a network of processes with the objective of controlling the operations of the Company in a manner which provides the board of directors reasonable assurance that:
  – Data and information published either internally or externally is accurate, reliable, and timely.
  – The actions of directors, officers, and employees are in compliance with the organization’s policies, standards, plans and procedures, and all relevant laws and regulations.
  – The organization’s resources (including its people, systems, data/information bases, and customer goodwill) are adequately protected.
  – Resources are acquired economically and employed profitably; quality business processes and continuous improvement are emphasized.
  – The organization’s plans, programs, goals, and objectives are achieved.

INTERNAL AUDITORS & EFFECTIVE CONTROLS

IIA STANDARD 2100 – Nature of Work: Internal Audit must evaluate and contribute to the improvement of Governance, Risk Management, and Control processes using a systematic and disciplined approach.

IIA STANDARD 2110 – Governance: IA must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
  – Promoting appropriate ethics and values within the organization;
  – Ensuring effective organizational performance management and accountability;
  – Communicating risk and control information to appropriate areas of the organization; and
  – Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

INTERNAL AUDITORS – IIA STANDARD 2110 – Governance (continued)

2) Must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
3) Must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
4) Consulting engagement objectives must be consistent with the overall values and goals of the organization.

IIA STANDARD 2130 – CONTROL

1) Internal Audit must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2) Must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
  – Achievement of the organization’s strategic objectives;
  – Reliability and integrity of financial & operational information;
  – Effectiveness and efficiency of operations;
  – Safeguarding of assets; and
  – Compliance with laws, regulations, and contracts.

IIA STANDARD 2130 – CONTROL (continued)

3) Should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
4) Should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives, to determine whether operations and programs are being implemented or performed as intended.

IIA STANDARD 2010 – PLANNING

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation: The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

24 EXAMPLES OF GOVERNANCE RISKS THAT MUST BE CONTROLLED FOR GOOD GOVERNANCE

1) Directors’ Breach of Fiduciary Duties
2) Lack of Director Proficiency & Care
3) Misdirection of Organization
4) Reckless Risk Taking
5) Uncontrolled Organization
6) Mis-procurement
7) Corruption & Bribery
8) Conflict of Interest
9) Group Think
10) Board Room Bullying
11) Financial Reporting & Disclosures
12) Corporate Fraud
13) Financial Distress
14) Poor Corporate Performance
15) Loss of License to Operate
16) Business Interruption/Discontinuity
17) Impaired Auditors – Lack of Independence, Objectivity, Professionalism & Integrity
18) Lack of Audit Proficiency & Care
19) False Assurance
20) Limitation of Audit Scope
21) Non-Implementation of Audit Recommendations
22) Ineffective Corporate Social Responsibility
23) Corporate Non-Compliance & Unethical Conduct
24) Breach of Public Trust

EFFECTIVE INTERNAL AUDITING & CONTROLS FOR GOOD CORPORATE GOVERNANCE

• Comes from within the Board of Directors, Board Audit Committee, Executive Management and the Internal Audit Function.
• Factors that make an Internal Audit Function ineffective:
  1. Insufficient focus on Areas of High Risk & Strategic Priorities
  2. Lack of adequate resources & compensation
  3. Limitation of Scope
  4. Communication Barriers between Internal Audit and the BAC, Board and Senior Management
  5. Lack of Proficiency and Care in the conduct of duties – BAC or IA
  6. Non-compliance with Professional/Regulatory Standards for the practice of Internal Auditing & Corporate Governance
  7. Conflict of Interest
  8. Lack of independence, objectivity, integrity – Board Audit Committee or Internal Audit

INTERNAL AUDIT INDEPENDENCE

• IIA Standard 1110 – Organizational Independence
  – The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
  – The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
• Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board.

INTERNAL AUDIT INDEPENDENCE

• Examples of functional reporting to the board involve the board:
  – Approving the internal audit charter;
  – Approving the risk-based internal audit plan;
  – Approving the internal audit budget and resource plan;
  – Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
  – Approving decisions regarding the appointment and removal of the chief audit executive;
  – Approving the remuneration of the chief audit executive; and
  – Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

ALL PILLARS OF GOVERNANCE MUST BE OF SINGULAR MIND IN INTEGRITY, PROFICIENCY & PROFESSIONALISM FOR GOOD CORPORATE GOVERNANCE, EFFECTIVE INTERNAL AUDITING AND CONTROLS: the Board of Directors, Board Audit Committee, Chief Executive Officer, Company Secretary, External Auditor & the Chief Audit Executive/Internal Audit.