
Chapter Summary

Governance is the process conducted by the BOD to authorize, direct, and oversee management
toward the achievement of the organization’s objective.
Overview of Governance
The first broad area of governance is depicted in the exhibit as strategic direction. The board is
responsible for providing strategic direction and guidance relative to the establishment of key
business objectives, consistent with the organization’s business model and aligned with
stakeholder priorities.
The second broad area of governance is depicted in the exhibit as governance oversight, which
focuses on the board’s role in managing and monitoring the organization’s operations.

Key Components of Governance Oversight


Governance is ultimately the responsibility of the BOD, although this responsibility is frequently
carried out by its various committees. The first of the board’s responsibilities is to identify the key
stakeholders of an organization. A stakeholder is any party with a direct or indirect interest in an
organization’s activities and outcomes. Once the key stakeholders are identified, the next step the
board must undertake is to understand the needs and expectations of those stakeholders. Some of
the needs and expectations are self-evident. Finally, the board should identify the potential
outcomes that would be unacceptable to key stakeholders.

Because the various stakeholders will likely have different expectations, the outcomes each type
of stakeholder deems unacceptable will vary as well. The board may need to consider the following
types of outcomes:
• Financial: for example, earnings per share, cash liquidity, credit rating, return on
investments, capital availability, tax exposures, material weaknesses, and disclosure
transparency.
• Compliance: for example, litigation, code of conduct violations, safety and environmental
violations, restraining orders, governmental investigations, regulatory fines and penalties,
indictments, and arrests.
• Operations: for example, achievement of objectives, efficient use of assets, protection of
assets (insurance coverage, asset impairments, asset destruction), protection of people
(health and safety, work stoppages), protection of information (data integrity, data
confidentiality), and protection of community (environmental spills, plant shutdowns).
• Strategic: for example, reputation, corporate sustainability, employee morale, and customer
satisfaction.

Assurance Activity
The final component of governance is independent assurance activities, which help provide the
board and senior management with an objective assessment regarding the effectiveness of the
governance and risk management activities. These independent assurance activities can be
performed by a variety of parties, either internal or external to the organization. The most common
internal group to provide such assurances is the internal audit function.

Three Lines of Defense


• The first line of defense represents the internal control activities conducted by individuals
and management. These activities are comprised of both the specific internal control
activities, referred to as internal control measures in the model, and management controls,
which are those that oversee and monitor the individual activities. First line of defense
controls are very important, but they are conducted by individuals and management who
are directly responsible for those control areas and, therefore, are considered the least
independent and objective of the lines of defense.
• The second line of defense represents other assurance activities such as those listed in the
exhibit. These activities are conducted by individuals reporting through different lines of
management than those directly responsible for the internal control activities. Therefore,
the level of independence and objectivity is considered to be greater than the first line.
However, those performing second line of defense assurance frequently also have other
management responsibilities beyond their assurance responsibilities. Therefore, the level of
independence and objectivity may not be sufficient to provide the desired level of
assurance.
• The third line of defense represents the most independent and objective form of assurance.
Internal audit activities typically are the only activities that report functionally to the board
and have no other management responsibilities. Thus, the third line of defense is the most
independent and objective of the three lines.

Review Questions

2. What is the OECD’s definition of corporate governance?


Corporate governance involves a set of relationships between a company’s management,
its board, its shareholders, and other stakeholders. Corporate governance also provides the
structure through which the objectives of the company are set, and the means of attaining those
objectives and monitoring performance are determined.
4. What is The IIA’s definition of governance? How does this definition relate to figure 3-3?
Combo of processes and structures implemented by the board to inform, direct, manage,
and monitor the activities of the organization towards the achievement of its objectives; in figure
3-3 the goal is to set an objectivity
5. What are the three different types of stakeholders that the board must understand? Give
examples of each type.
Directly Involved: Employees work for an organization and, therefore, are directly
involved in the conduct of the organization’s business.
Interest: Shareholders/investors are not directly involved in the business but have a strong
interest in the organization’s success.
Influence: Regulatory agencies represent governmental agencies that may have either an interest
in the organization’s success or may be able to influence that success.
8. What role does the internal audit function play in governance?
• Evaluating whether the various risk management activities are designed adequately to
manage the risks associated with unacceptable outcomes.
• Testing and evaluating whether the various risk management activities are operating as
designed.
• Determining whether the assertions made by the risk owners to senior management regarding
the effectiveness of the risk management activities accurately reflect the current state of risk
management effectiveness.
• etc

9. In addition to the internal audit function, what other internal functions may provide
independent assurance to the board or senior management?
Quality Assurance Group (?)
