Agenda
- Defining Corporate Governance
- Internal Audit's Role in Corporate Governance
- Areas of Audit Focus
- Regulatory Considerations
Governance Functions
The regulatory and rating agency landscape has changed, with increased scrutiny on governance functions such as:
- Board / Governance Reporting
- Enterprise and Operational Risk Management
- Technology
- Emerging Risks
- Continuous Monitoring
Corporate Governance
Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
- Board of Directors
- Audit and Risk Committees
- Corporate Committee Structure
- Management
- Enterprise Risk Program
- Compliance and Regulatory Program
- Technology Program
- Social Responsibility Program
Internal Audit's Role in Governance
Internal Audit's role in governance is as follows:
- Independent testing and verification of the efficacy of corporate standards and business line compliance
- Validate the overall risk framework
- Provide assurance that the risk management process is functioning as designed and identify improvement opportunities

Through its dual consulting and assurance roles, internal audit can provide tremendous value to a dynamic organization by focusing on areas of greatest exposure, complex operations and key business initiatives, to validate that the organization is well controlled and operating effectively and efficiently to meet the strategic goals of the firm.
Governance Functions
Internal audit must assess and make appropriate recommendations for improving governance in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization
- Ensuring effective organizational performance management and accountability
- Communicating risk and control information to appropriate areas of the organization
- Coordinating the activities of, and communicating information among, the board, auditors, and management
Enterprise Risk Management
Enterprise Risk Management considerations:
- Commensurate with the size, risk profile, complexity, and growth of the enterprise
- Provide increased business awareness
- Incorporate risk considerations in decision making across the enterprise
ERM Framework
Step 1: Establish ERM Framework
- Identify Project Champion
- Identify Project Owner
- Establish Steering Committee
Step 2: Identify Key Objectives
- List Key Objectives
- Prioritize Key Objectives
- Select objectives for assessments
Step 3: Identify Key Risks
- Assess Risk
- Assign Risk Rating
Step 4: Manage Risk
- Identify Controls and Mitigation Requirements
- Develop Mitigation Plans for key risks
- Perform periodic status reviews
Repeat steps 2 to 4 for additional control objectives.
Enterprise Risk Management
- No formal framework to identify, prioritize and communicate risks
- No ongoing risk monitoring and/or risk management enhancement activities
- Risk appetite not articulated or defined
- Lack of awareness of Enterprise Risk Appetite
- Failure to communicate with executive management, the audit committee, and business units on a consistent and formal basis to discuss expectations, business strategies, objectives and initiatives
- Policies and procedures do not exist, are not documented, are inadequate or are not followed
Enterprise Risk Management (continued)
- Performance goals and objectives drive behavior inconsistent with overall enterprise ethics or standards
Corporate Social Responsibility (CSR)
CSR: The way firms integrate social, environmental, and economic concerns into their values, culture, decision-making, strategy and operations in a transparent and accountable manner, and thereby establish better practices within the firm and contribute towards societal improvements.
Responsibility:
- Board of Directors
- CSR Executive
- Management
CSR Risks (continued)
Reputational Risk
- Violations of law or principles
- Errors or omissions in disclosed CSR information
- Under-performance compared with objectives/targets
- Appearance of indifference to social issues
Compliance Risk
- Failure to comply due to the extent, complexity, and volume of regulations relating to the environment, health and safety, employment, governance, political contributions, conflict of interest, and fraud
- Contractual obligations with third parties, such as customers, unions, or employees, and from voluntary adoption of standards
CSR Risks (continued)
Operational Risk
- CSR "pressure points" for the organization's manufacturing processes, products, services and impact on the environment
- Under-performance against other targets due to inappropriate CSR strategies, or over-emphasis on CSR strategies
- Failure to integrate CSR objectives into processes, or to educate staff appropriately
- Failure to develop well-controlled systems for CSR initiatives
- Inaccurate or incomplete reporting information
- Challenge of applying the same standards across multiple countries
CSR Risks (continued)
Liability Risk
- During contracting for CSR terms and conditions and ensuring third-party compliance
- Activists or specific classes/special interest groups may take legal action for alleged harm done by the organization
External Business Relationships
- Customers, suppliers, or partners could violate CSR terms and conditions, principles, or laws, yet the organization could be included as a wrongdoer by association
Technology: IT governance follows a lifecycle
- IT governance should not be a one-time exercise
- Understanding the as-is governance structure enables the organization to make only the necessary changes
- Building principles based on organization-specific drivers is the basis for a working governance model
- The governance principles act as the foundation of the governance framework and set the scene for the later model
- After running through the lifecycle once, organizations are able to iterate the governance lifecycle without external support
IT governance decision areas
- IT principles
  - How IT is used within the business
  - Providing direction for IT delivery
- IT architectures
  - Organisation and structure of IT assets
  - Approach to integration of IT assets
- IT infrastructure
  - Enabling applications and architecture
  - Managing IT assets
- Applications
  - How to support business processes
  - Software platforms
- IT investments
  - Determine the total IT spend
  - Prioritising conflicting investment needs
Governance decisions are taken either centralised or decentralised, by business, IT or both. Mechanisms have to be aligned to the organizational and operations model as well as the IT strategy.
Aligning business and IT on different levels
[Diagram: business roles and IT roles mapped to joint governance bodies, with the decision types Approve, Decide, Facilitate and Design. Labels recovered from the figure:]
- Business level: Board, CEO, COO; business process owner; key user; business process frameworks
- Joint IT governance boards: IT Executive Steering Committee; IT Governance Council; IT governing bodies (architecture and technology boards, service delivery boards); service delivery through business and IT
- IT level: CIO, CTO, senior IT management; IT client manager; architecture owner; service manager; IT management; IT service management frameworks, e.g. ITIL
IT governance domains
- Leadership
  - Setting the overall direction for IT within the corporation
  - Maintaining cultural values, corporate image and voice
  - Representing the corporation's key IT stakeholders
- Monitoring and control
  - Qualitative benchmarking
  - Managing service levels
  - Managing a penalty system
  - Identifying areas for service improvement
- Planning
  - Developing IT strategy, including sourcing philosophy
  - Building the corporate IT organization
  - Setting corporate IT goals
  - Agreeing on IT performance targets with IT customers
- Coordination and compliance
  - Ensuring compliance with IT standards and obligations
  - Coordinating IT activities between IT demand and supply
  - Coordinating IT deployment
- Capital allocation
  - Determining capital available
  - Determining IT investment criteria
  - Reviewing bids for capital
  - Allocating resources
- Policy
  - Setting the fundamental IT operating procedures
  - Establishing standards, rules and guidelines
  - Defining technical and application architectures
Technology Governance Considerations
[Diagram: IT objectives and strategies linked to inherent key IT risks, which are in turn linked to IT processes. Labels recovered from the figure:]
- IT objectives and strategies: Guidance and oversight; Deliver superior systems and applications; Superior service support and delivery; Optimize operating efficiency; Effectively manage security risk
- Inherent key IT risks: IT process duplication and inefficiencies; Emerging technologies; Technology direction; System disruptions; Contracts/3rd party vendors (outsourcing); Records retention; Regulatory compliance; People management; Global sourcing; Business continuity; Asset and portfolio management; IT infrastructure capacity; IT security/privacy; Financial reporting
- IT processes: Infrastructure and asset management; IT governance and strategy; Strategic planning; Change management; Service level management; IT development and design; Technology enablement to achieve business objectives; Production support; Security and data management; IT operations; Continuity of services; Problem and incident management; Information security and protection; Protection of information; Project/program management; Customer support
Evaluation approach:
- Link objectives to risks
- Evaluate the significance of the risk to IT objectives
- Link risks to IT processes
- Evaluate management and control activities
Regulatory Expectations
- Failure to establish and maintain an internal control environment that aligns with stakeholder and regulatory expectations
- Failure to identify relevant laws and regulations
- Lack of procedures to comply with applicable laws and regulations
- Insufficient or inadequate training of staff on regulatory requirements
- Failure to establish an adequate working relationship with regulators or authorities