GOVERNANCE PROCESS
MODULE 04
Karl Guerra
DLSAU
Classified as Confidential. Please do not forward this to unintended users; otherwise, request the necessary permission.
OPERATIONAL AUDITING MODULE 4
MODULE 4
GOVERNANCE PROCESS
LEARNING OBJECTIVES:
After studying this chapter, you should be able to:
1. Understand the role of internal control in the risk management process
2. Understand the role of the risk management process in the governance process
3. Know the objectives of governance, risk management and control processes
4. Know the COSO view of objectives
5. Be familiar with the internal governance process
6. Know the aspects of corporate governance
7. Know the risk and control issues for internal governance, board, and external governance processes
SECTION 1
INTERNAL CONTROL IN RISK MANAGEMENT PROCESSES
This module will explain the role of internal audit in corporate governance. As per our reference
book/material, the position we take is that internal audit is primarily involved with:
According to The IIA’s International Professional Practices Framework (IPPF), internal auditing is
an independent, objective assurance and consulting activity designed to add value and improve
an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
Figure: Enterprise Risk Management, Risk Management, and Internal Control shown as nested layers (internal control within risk management, within enterprise risk management).
Based on this figure, the IIA defined internal audit’s role in ERM in its 2009 position paper.
IFAC believes that establishing an integrated and effective system of governance, risk management, and internal control is desirable for all types of organizations and can make an invaluable contribution to achieving sustained organizational success (IFAC Policy Position 7, released December 2012).
Governance involves the set of responsibilities and practices exercised by the governing body
and management of an organization with the goal of:
• Providing strategic direction;
• Establishing accountability for achieving objectives;
• Ascertaining that risks are managed appropriately; and
• Verifying that the organization’s resources are used responsibly.
The board has overall responsibility for ensuring that risks are managed. In practice, the board
will delegate the operation of the risk management framework to the management team, who
will be responsible for completing the activities below. There may be a separate function that co-
ordinates and project-manages these activities and brings to bear specialist skills and knowledge.
Everyone in the organization plays a role in ensuring successful enterprise-wide risk management
but the primary responsibility for identifying risks and managing them lies with management.
Internal auditing is an independent, objective assurance and consulting activity. Its core role with
regards to ERM is to provide objective assurance to the board on the effectiveness of risk
management. Indeed, research has shown that board directors and internal auditors agree that
the two most important ways that internal auditing provides value to the organization are in
providing objective assurance that the major business risks are being managed appropriately and
providing assurance that the risk management and internal control framework is operating
effectively. (The Value Agenda, Institute of Internal Auditors – UK and Ireland and Deloitte & Touche, 2003)
SECTION 2
OBJECTIVES OF GOVERNANCE, RISK MANAGEMENT, AND CONTROL PROCESSES
The Standards have adopted COSO’s objectives of internal control as being the objectives of risk
management and internal control—though showing separately the “safeguarding of assets”
rather than blending this into the “effectiveness and efficiency of operations” objective as
COSO has done.
The internal audit activity must assess and make appropriate recommendations to improve the
organization’s governance processes for:
• Making strategic and operational decisions.
• Overseeing risk management and control.
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Communicating risk and control information to appropriate areas of the organization.
• Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.
The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.
The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the same five areas listed above.
• Objectives of Governance
o Ethics and Values
o Accountability
o Communication
o Coordination
SECTION 3
INTERNAL GOVERNANCE AND ASPECTS OF CORPORATE GOVERNANCE
Traditionally, the scope of internal auditing has been limited to internal corporate governance. Nowadays, internal auditing is becoming more involved in the external aspects of corporate governance. Any assistance that internal audit provides to the external auditors belongs to the external aspects of corporate governance, since external auditors report to the external shareholders.
BOARD OF DIRECTORS
• Sets the direction of the organization and oversees that management implements the
direction set.
• Has accountability to stakeholders of the organization.
Cause: Management teams may be selective in the information they feed through to their boards. Questions arise as to:
• How can boards get the assurance they need that the policies of the board are being implemented by management and that there are no banana skins round the corner, known or not to management, over which the organization may slip in the future?
o Do boards need independent assurance on these matters?
o To what extent can internal audit fill the board’s assurance vacuum?
The extent to which internal audit can fill this assurance vacuum depends on the degree of confidence that the board, and its audit committee, can have about the independence, objectivity and competence of internal audit.
SECTION 4
RISK AND CONTROL ISSUES
1.1 Does the board have effective oversight of the development and adoption of
strategy?
1.2 Is the quality of information that comes to the board appropriate, timely, clear and
reliable?
1.3 Does the board collectively possess the competencies it needs to direct and oversee
the business?
1.4 Do board committees possess the appropriate skills?
1.5 Do individual directors exercise skill, care and diligence?
1.6 Do nonexecutive directors act in the best interests of the organization, or wrongly
promote their own interests or the interests of those who nominated them?
1.7 Do executive directors align themselves with the best interests of the organization,
or seek to promote their executive interests above all else?
1.1 Is a common understanding of the purpose of the organization shared by the board
and the owners?
1.2 How does the board ensure that the organization is keeping to its defined purpose?
1.3 Does the board appropriately empower executive management?
1.4 Does the board receive regular, reliable and clear reports to measure attainment of
performance targets and to monitor management’s progress?
1.5 Does the organization’s structure promote effective performance management and
accountability?
1.6 Is there proper assignment of accountabilities and performance management
responsibilities?
1.7 Do remuneration arrangements align individual performance with organizational
performance and avoid perverse incentives that encourage excessive risk taking?
1.1 Does the evidence indicate that risk and control information is communicated
appropriately?
1.2 Are the board’s and top management’s concerns about major enterprise risks
communicated downwards so as to inform risk management at lower levels?
1.3 Are operating personnel’s perceptions about risk communicated upwards, and
ultimately to top management and to the board where appropriate?
1.4 Is an enterprise-wide view of risk taken?
1.5 Has the organization defined its risk appetite—overall and for its component parts?
1.6 Is risk management embedded into the culture and approach of the organization?
1.7 Does the audit committee of the board concern itself both with the risk
management process of the organization, and also with the specific high-level risks
that the process has (or has not) identified?
1.1 Does the evidence indicate that coordination between these parties is to a high
standard?
1.2 How does the organization ensure that external and internal auditors do not
subordinate their judgement on professional matters to that of anyone else?
1.3 How does the audit committee effectively oversee the external audit so as to ensure
its quality and independence?
C. To Ensure that Appropriate Policies are in Place to Fully Support the Achievement of
the Objectives of the Organization
1.1 Has the board provided sufficient resources to enable executive management to
achieve the goals of the organization?
1.2 Does the board review the policy framework of the organization periodically?
1.3 Are any policies ignored in practice?
1.4 Are different policies on the same issues being followed in different parts of the
organization?
1.5 Are some policies incompatible with other policies?
1.6 Are there any examples of policy statements that are intended only for “public
consumption”, but not for practical use?
D. To Ensure that the Composition and Functioning of the Board Fully Support the
Achievement of the Objectives of the Organization
EXTERNAL GOVERNANCE PROCESSES
(a) To ensure that the organization is mindful of the interests of its owners and other
stakeholders.
(b) To ensure that the organization’s accountability to its stakeholders is transparent.
(c) To ensure, so far as is possible, that stakeholders exercise well informed control over
their stakes in the organization.
(d) To ensure that the organization has a sound reputation for responsible governance.
A. To Ensure that the Organization is Mindful of the Interests of its Owners and other
Stakeholders
1.1 Has the organization formally identified its stakeholder groups (e.g. owners,
creditors, customers, suppliers, staff, local community, tax authorities, trades
unions, pressure groups, politicians, the media, trade associations, etc.)?
1.2 Has the organization established the state of health of its relationship with each
significant stakeholder group, including by enquiry to these groups?
1.3 Does the organization have a strategy to improve stakeholder relationships which
are unhealthy, and to preserve and leverage off the healthy stakeholder
relationships?
1.4 Has the organization set out to understand and mitigate its reputational risks?
1.5 Does the organization have a policy with respect to selecting, preparing, conducting
and reviewing meetings with investors, analysts and the media?
1.6 Does the organization have a policy to determine when it should publish a trading
update or a profits warning?
1.7 How does the organization focus on its corporate social responsibilities?
• Board CSR committee?
• Sustainability audit?
• Internal CSR policies and procedures?
• Commitment to continuous improvement?
B. To Ensure that the Organization’s Accountability to its Stakeholders is Transparent
1.1 Does the organization engage in regular dialogue with significant stakeholder
groups?
1.2 Does the organization have a satisfactory policy with respect to selecting, preparing,
conducting and reviewing meetings with investors, analysts and the media?
1.3 Does the organization have a satisfactory policy to determine when it should publish
a trading update or a profits warning?
1.4 Are the directors’ corporate governance assertions verging on “box ticking” of
corporate governance requirements, or are they fully informative?
1.5 Does the organization publish an annual sustainability report?
1.6 What is the perception of stakeholders as to the organization’s transparency of
accountability?
C. To Ensure, so Far as is Possible, that Stakeholders Exercise Well Informed Control over
their Stakes in the Organization
1.1 Does the board encourage and welcome that owners, and in some cases other
significant stakeholders, hold the board to account for its performance, behaviour
and financial results?
1.2 Does the board encourage the organization’s principal owners to explain to the
board their views when they do not accept the position of the organization on an
issue?
1.3 Does the organization make it easy for shareholders to exercise their rights
effectively?
D. To Ensure that the Organization has a Sound Reputation for Responsible Governance
1.1 Does the organization’s share price command a premium on account of its
reputation for good corporate governance?
1.2 Does the organization enter its annual report and accounts and its annual
sustainability report for “best in class” awards?
1.3 Is it the organization’s policy to apply best practice corporate governance principles
and to comply with best practice corporate governance provisions/guidelines?
1.4 Has the organization identified areas for improvement in its corporate governance,
with a view to implementing the requisite changes?
1.5 Does the organization invest in public relations to explain its corporate governance
policies?
1.6 Are directors chosen in part for their corporate governance track record?
1.7 Is the board enriched through its diversity, with respect to gender, ethnicity, etc.?
REFERENCES:
• Chambers, A. and Rand, G., The Operational Auditing Handbook, Second Edition
• COSO Framework
• The IIA, International Standards for the Professional Practice of Internal Auditing (Standards), revised October 2016
• IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management, issued January 2009
• IFAC Policy Position 7, December 2012
ACTIVITY 1
CASE STUDY
Using your assigned company scandal in Module 04 – Fraud and Error in Auditing Theory, analyze
and present the following:
1) What is the structure of Corporate Governance in the entity? What can you say about it?
2) Where did they go wrong in their Corporate Governance?
3) If you were a member of the Board of Directors, what would you do differently to prevent
the scandal from happening?
Note: I am not asking you to present what you have presented in Auditing Theory. Also, I am not
after the details of the issue (that should be presented in Auditing Theory). What I want to hear
is your understanding of the entity’s Corporate Governance, with a focus on thinking about what we
could do differently to prevent the scandal from happening.
CONDITIONS:
• Present using MS PowerPoint.
• Allotted time is 15 TO 20 minutes
• Every member of the group should participate.