
8/27/2020

GOVERNANCE PROCESS
MODULE 04

Karl Guerra
DLSAU

Classified as Confidential. Please do not forward this to unintended users. Otherwise, request necessary permission.
OPERATIONAL AUDITING MODULE 4

MODULE 4
GOVERNANCE PROCESS

LEARNING OBJECTIVES:
After studying this chapter, you should be able to:
1. Understand the part of Internal Control in the Risk Management Process
2. Understand the part of the Risk Management Process in the Governance Process
3. Know the Objectives of Governance, Risk Management and Control Processes
4. Understand the COSO View of Objectives
5. Be familiar with the Internal Governance Process
6. Know the Aspects of Corporate Governance
7. Know the Risk and Control Issues for Internal Governance, Board, and External
Governance Processes

SECTION 1
INTERNAL CONTROL IN RISK MANAGEMENT PROCESSES

We will discuss the relationships between three related processes:

• Governance
• Risk Management
• Internal Control

This module will explain the role of internal audit in corporate governance. Following our reference
book/material, the position we take is that internal audit is primarily involved with:

a) internal governance processes, but is increasingly active in
b) reviewing the board, and
c) providing a service with respect to the accountability of the organization to its
stakeholders.

Prepared by KBG ........................................................................................................................... P a g e | 1



DEFINITION OF INTERNAL AUDITING

According to The IIA’s International Professional Practices Framework (IPPF), internal auditing is
an independent, objective assurance and consulting activity designed to add value and improve
an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

HIERARCHY OF PROCESSES BASED ON COSO FRAMEWORK

[Figure: Relationship between governance, risk management, and internal control. Nested levels, from outermost to innermost: GOVERNANCE; ENTERPRISE RISK MANAGEMENT; RISK MANAGEMENT; INTERNAL CONTROL]

Based on this figure, the IIA defined the Internal Audit's Role in ERM in its 2009 position paper.

IFAC
IFAC believes that establishing an integrated and effective system of governance, risk
management, and internal control is desirable for all types of organizations and can make an
invaluable contribution to achieving sustained organizational success. This is stated in its
Policy Position 7, released in December 2012.


IFAC POLICY POSITION 7

December 2012

It states the following about governance:

Governance involves the set of responsibilities and practices exercised by the governing body
and management of an organization with the goal of:
• Providing strategic direction;
• Establishing accountability for achieving objectives;
• Ascertaining that risks are managed appropriately; and
• Verifying that the organization’s resources are used responsibly.

Successful organizations adhere to governance principles, and periodically evaluate results to
ensure the continuing effectiveness of their governance arrangements. As organizations and
their environments change, their governance must adapt to opportunities and threats by
reviewing and revising objectives and improving processes and practices. – Refer to International
Good Practice Guidance: Evaluating and Improving Governance in Organizations, 2009

IIA POSITION PAPER:

THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT
January 2009

Enterprise-wide risk management (ERM) is a structured, consistent and continuous process
across the whole organization for identifying, assessing, deciding on responses to and reporting
on opportunities and threats that affect the achievement of its objectives.

Responsibility for ERM

The board has overall responsibility for ensuring that risks are managed. In practice, the board
will delegate the operation of the risk management framework to the management team, who
will be responsible for completing the activities below. There may be a separate function that co-
ordinates and project-manages these activities and brings to bear specialist skills and knowledge.

Everyone in the organization plays a role in ensuring successful enterprise-wide risk management
but the primary responsibility for identifying risks and managing them lies with management.


The role of internal auditing in ERM

Internal auditing is an independent, objective assurance and consulting activity. Its core role with
regards to ERM is to provide objective assurance to the board on the effectiveness of risk
management. Indeed, research has shown that board directors and internal auditors agree that
the two most important ways that internal auditing provides value to the organization are in
providing objective assurance that the major business risks are being managed appropriately and
providing assurance that the risk management and internal control framework is operating
effectively. - The Value Agenda, Institute of Internal Auditors – UK and Ireland and Deloitte & Touche 2003

[Figure: Internal auditing’s role in ERM, based on the IIA Position Paper 2009]

SECTION 2
OBJECTIVES OF GOVERNANCE, RISK MANAGEMENT, AND CONTROL PROCESSES

COSO: five sector organizations dedicated to providing thought leadership through the
development of frameworks and guidance on enterprise risk management, internal control and
fraud deterrence:

• American Accounting Association
• American Institute of Certified Public Accountants
• Financial Executives International
• Institute of Management Accountants
• Institute of Internal Auditors

IIA: issues the INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
(STANDARDS).

The Standards have adopted COSO’s objectives of internal control as being the objectives of risk
management and internal control—though showing separately the “safeguarding of assets”
rather than blending this into the “effectiveness and efficiency of operations” objective as
COSO has done.

Standard 2110 on Governance states:

The internal audit activity must assess and make appropriate recommendations to improve the
organization’s governance processes for:
• Making strategic and operational decisions.
• Overseeing risk management and control.
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Communicating risk and control information to appropriate areas of the organization.
• Coordinating the activities of, and communicating information among, the board,
external and internal auditors, other assurance providers, and management.


Standard 2120.A1 on Risk Management states:

The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.

Standard 2130.A1 on Control states:

The internal audit activity must evaluate the adequacy and effectiveness of controls in
responding to risks within the organization’s governance, operations, and information systems
regarding the:

• Achievement of the organization’s strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.


The figure shows a summary of the IIA position on the objectives of the governance process, risk
management and internal control.

[Figure: Nested levels, from outermost to innermost: GOVERNANCE; ENTERPRISE RISK MANAGEMENT; RISK MANAGEMENT; INTERNAL CONTROL]

• Objectives of Governance
o Ethics and Values
o Accountability
o Communication
o Coordination

• Objectives of Risk Management and Internal Controls
o Operations
o Compliance
o Reporting
o Strategic

PER COSO FRAMEWORK

• No objectives set for Corporate Governance
• Objectives are set for Risk Management and Internal Control
• Risk Management’s Objectives
o Strategic
o Operations
o Reporting
• Internal Control’s Objectives
o Operations
o Reporting
o Compliance


SECTION 3
INTERNAL GOVERNANCE AND ASPECTS OF CORPORATE GOVERNANCE

The scope of internal auditing has been limited to internal corporate governance. Nowadays,
however, internal auditing is becoming more involved in the external aspects of corporate
governance. Any assistance that internal audit provides to the external auditors belongs to the
external aspects of corporate governance, since external auditors report to the external
shareholders.

BOARD OF DIRECTORS

• Sets the direction of the organization and oversees that management implements the
direction set.
• Has accountability to stakeholders of the organization.

BOARD’S ASSURANCE VACUUM

Cause: Management teams may be selective in the information they feed through to their
boards. Questions arise as to:
• How can boards get the assurance they need that the policies of the board are being
implemented by management and that there are no banana skins round the corner, known
or not to management, over which the organization may slip in the future?
o Do boards need independent assurance on these matters?
o To what extent can internal audit fill the board’s assurance vacuum?

The extent to which internal audit can fill this assurance vacuum depends on the degree of
confidence that the board, and its audit committee, can have about the independence,
objectivity and competence of internal audit.


SECTION 4
RISK AND CONTROL ISSUES

KEY ISSUES FOR DISCUSSION

RISK AND CONTROL ISSUES FOR INTERNAL GOVERNANCE PROCESSES

CONTROL OBJECTIVES FOR INTERNAL GOVERNANCE PROCESSES

(a) To promote appropriate ethics and values within the organization.
(b) To ensure effective organizational performance management and accountability.
(c) To communicate risk and control information to appropriate areas of the organization.
(d) To coordinate the activities of, and communicate information among, the board,
external and internal auditors, and management.

1) To promote appropriate ethics and values within the organization.

1.1 Does the board have effective oversight of the development and adoption of
strategy?
1.2 Is the quality of information that comes to the board appropriate, timely, clear and
reliable?
1.3 Does the board collectively possess the competencies it needs to direct and oversee
the business?
1.4 Do board committees possess the appropriate skills?
1.5 Do individual directors exercise skill, care and diligence?
1.6 Do nonexecutive directors act in the best interests of the organization, or wrongly
promote their own interests or the interests of those who nominated them?
1.7 Do executive directors align themselves with the best interests of the organization,
or seek to promote their executive interests above all else?


2) To Ensure the Board Effectively Oversees Management

1.1 Is a common understanding of the purpose of the organization shared by the board
and the owners?
1.2 How does the board ensure that the organization is keeping to its defined purpose?
1.3 Does the board appropriately empower executive management?
1.4 Does the board receive regular, reliable and clear reports to measure attainment of
performance targets and to monitor management’s progress?
1.5 Does the organization’s structure promote effective performance management and
accountability?
1.6 Is there proper assignment of accountabilities and performance management
responsibilities?
1.7 Do remuneration arrangements align individual performance with organizational
performance and avoid perverse incentives that encourage excessive risk taking?

3) Communicating Risk and Control Information to Appropriate Areas of the Organization

1.1 Does the evidence indicate that risk and control information is communicated
appropriately?
1.2 Are the board’s and top management’s concerns about major enterprise risks
communicated downwards so as to inform risk management at lower levels?
1.3 Are operating personnel’s perceptions about risk communicated upwards, and
ultimately to top management and to the board where appropriate?
1.4 Is an enterprise-wide view of risk taken?
1.5 Has the organization defined its risk appetite—overall and for its component parts?
1.6 Is risk management embedded into the culture and approach of the organization?
1.7 Does the audit committee of the board concern itself both with the risk
management process of the organization, and also with the specific high-level risks
that the process has (or has not) identified?

4) Coordinating the Activities of and Communicating Information among the Board,
External and Internal Auditors, and Management

1.1 Does the evidence indicate that coordination between these parties is to a high
standard?


1.2 How does the organization ensure that external and internal auditors do not
subordinate their judgement on professional matters to that of anyone else?
1.3 How does the audit committee effectively oversee the external audit so as to ensure
its quality and independence?

RISK AND CONTROL ISSUES FOR THE BOARD

CONTROL OBJECTIVES FOR THE BOARD

(a) To ensure the board sets the direction of the organization.
(b) To ensure the board effectively oversees management.
(c) To ensure that appropriate policies are in place to fully support the achievement of the
objectives of the organization.
(d) To ensure that the composition and functioning of the board fully support the
achievement of the objectives of the organization.

A. To Ensure the Board Sets the Direction of the Organization

1.1 Does the board have effective oversight of the development and adoption of
strategy?
1.2 Is the quality of information that comes to the board appropriate, timely, clear and
reliable?
1.3 Does the board collectively possess the competencies it needs to direct and oversee
the business?
1.4 Do board committees possess the appropriate skills?
1.5 Do individual directors exercise skill, care and diligence?
1.6 Do nonexecutive directors act in the best interests of the organization, or wrongly
promote their own interests or the interests of those who nominated them?
1.7 Do executive directors align themselves with the best interests of the organization, or
seek to promote their executive interests above all else?


B. To Ensure the Board Effectively Oversees Management

1.1 Is the independent element on the board sufficient to be an effective challenge to
management?
1.2 Are the nonexecutive members of the board well informed about the business?
1.3 Does the board work as a team, with outside members contributing to strategy as
well as overseeing executive performance?
1.4 How does the board obtain assurance that the policies of the board are being
implemented by management, and that there are no banana skins round the corner,
known or unknown to management, over which the Organization may slip in the
future? Is this assurance in part independent of management?
1.5 Does the audit committee collectively possess the appropriate recent and relevant
financial experience?
1.6 Do board committees report fully to the board, so that the board is not insulated
from the important deliberations that take place at board committee level?
1.7 Does the audit committee express a periodic opinion (at least once a year) to the
board on:
• the effectiveness of organizational risk management and internal control?
• the reliability of financial and other information used internally and published?
• the professionalism of the Organization’s external auditors?
• the professionalism, independence and scope of internal audit and of other
internal review agencies?

C. To Ensure that Appropriate Policies are in Place to Fully Support the Achievement of
the Objectives of the Organization

1.1 Has the board provided sufficient resources to enable executive management to
achieve the goals of the organization?
1.2 Does the board review the policies framework of the organization periodically?
1.3 Are any policies ignored in practice?
1.4 Are different policies on the same issues being followed in different parts of the
organization?
1.5 Are some policies incompatible with other policies?
1.6 Are there any examples of policy statements that are intended only for “public
consumption”, but not for practical use?


D. To Ensure that the Composition and Functioning of the Board Fully Support the
Achievement of the Objectives of the Organization

1.1 Is the board the right size to be most effective?
1.2 Is there an avoidance of excessive concentration of power at the top of the
business?
1.3 Does the board collectively possess the appropriate experience, expertise and
personal qualities?
1.4 Does the board meet with the frequency needed to discharge its responsibilities
effectively?
1.5 Is there openness and candor at board meetings and an absence of excessive
formality?
1.6 Is the board supported by the right board committees with appropriate terms of
reference and competent membership?
1.7 Is the performance of the following assessed sufficiently regularly and robustly—
• The board?
• The chairman of the board?
• Each board committee?
• The chairman of each board committee?
• Each executive and nonexecutive director?

RISK AND CONTROL ISSUES FOR EXTERNAL GOVERNANCE PROCESSES

CONTROL OBJECTIVES FOR EXTERNAL GOVERNANCE PROCESSES

(a) To ensure that the organization is mindful of the interests of its owners and other
stakeholders.
(b) To ensure that the organization’s accountability to its stakeholders is transparent.
(c) To ensure, so far as is possible, that stakeholders exercise well informed control over
their stakes in the organization.
(d) To ensure the organization has a sound reputation for responsible governance.


A. To Ensure that the Organization is Mindful of the Interests of its Owners and other
Stakeholders

1.1 Has the organization formally identified its stakeholder groups (e.g. owners,
creditors, customers, suppliers, staff, local community, tax authorities, trades
unions, pressure groups, politicians, the media, trade associations, etc.)?
1.2 Has the organization established the state of health of its relationship with each
significant stakeholder group, including by enquiry to these groups?
1.3 Does the organization have a strategy to improve stakeholder relationships which
are unhealthy, and to preserve and leverage off the healthy stakeholder
relationships?
1.4 Has the organization set out to understand and mitigate its reputational risks?
1.5 Does the organization have a policy with respect to selecting, preparing, conducting
and reviewing meetings with investors, analysts and the media?
1.6 Does the organization have a policy to determine when it should publish a trading
update or a profits warning?
1.7 How does the organization focus on its corporate social responsibilities?
• Board CSR committee?
• Sustainability audit?
• Internal CSR policies and procedures?
• Commitment to continuous improvement?

B. To Ensure that the Organization’s Accountability to its Stakeholders is Transparent

1.1 Does the organization engage in regular dialogue with significant stakeholder
groups?
1.2 Does the organization have a satisfactory policy with respect to selecting, preparing,
conducting and reviewing meetings with investors, analysts and the media?
1.3 Does the organization have a satisfactory policy to determine when it should publish
a trading update or a profits warning?
1.4 Are the directors’ corporate governance assertions verging on “box ticking” of
corporate governance requirements, or are they fully informative?
1.5 Does the organization publish an annual sustainability report?
1.6 What is the perception of stakeholders as to the organization’s transparency of
accountability?


C. To Ensure, so Far as is Possible, that Stakeholders Exercise Well Informed Control over
their Stakes in the Organization

1.1 Does the board encourage and welcome that owners, and in some cases other
significant stakeholders, hold the board to account for its performance, behaviour
and financial results?
1.2 Does the board encourage the organization’s principal owners to explain to the
board their views when they do not accept the position of the organization on an
issue?
1.3 Does the organization facilitate that shareholders can exercise their rights
significantly?

D. To Ensure the Organization has a Sound Reputation for Responsible Governance

1.1 Does the organization’s share price command a premium on account of its
reputation for good corporate governance?
1.2 Does the organization enter its annual report and accounts and its annual
sustainability report for “best in class” awards?
1.3 Is it the organization’s policy to apply best practice corporate governance principles
and to comply with best practice corporate governance provisions/guidelines?
1.4 Has the organization identified areas for improvement in its corporate governance,
with a view to implementing the requisite changes?
1.5 Does the organization invest in public relations to explain its corporate governance
policies?
1.6 Are directors chosen in part for their corporate governance track record?
1.7 Is the board enriched through its diversity—with respect to gender, ethnicity, etc.?

REFERENCES:
• The Operational Auditing Handbook, Second Edition, by Chambers and Rand
• COSO Framework
• INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
(STANDARDS), revised October 2016
• IIA Position Paper: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK
MANAGEMENT, issued January 2009
• IFAC POLICY POSITION 7, December 2012


ACTIVITY 1
CASE STUDY

Using your assigned company scandal in Module 04 – Fraud and Error in Auditing Theory, analyze
and present the following:

1) What is the structure of Corporate Governance in the entity? What can you say about it?
2) Where did they go wrong in their Corporate Governance?
3) If you were a member of the Board of Directors, what would you do differently to prevent
the scandal from happening?

Note: I am not asking you to present what you have presented in Auditing Theory. Also, I am not
after the details of the issue (that should be presented in Auditing Theory). What I want to hear
is your understanding of the entity’s Corporate Governance, with a focus on thinking about what
we could do differently to prevent the scandal from happening.

CONDITIONS:
• Present using MS PowerPoint.
• Allotted time is 15 to 20 minutes.
• Every member of the group should participate.

CRITERIA FOR GRADING:

1) Timeliness – Presented within the allotted time.
2) Accuracy and Conciseness – Facts are stated clearly, briefly and comprehensively.
3) Delivery – The reporter can carry himself/herself throughout the presentation.
4) Presentation – Audience-friendly slides.
