auditing governance functions n.
Skip this Video
Loading SlideShow in 5 Seconds..
Auditing Governance Functions PowerPoint Presentation
Download Presentation
Auditing Governance Functions

Loading in 2 Seconds...

play fullscreen
1 / 22

Auditing Governance Functions - PowerPoint PPT Presentation

  • Uploaded on

Auditing Governance Functions. Agenda. Defining Corporate Governance Internal Audit’s Role in Corporate Governance Areas of Audit Focus Regulatory Considerations. Governance Functions.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Auditing Governance Functions' - lala

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Defining Corporate Governance
  • Internal Audit’s Role in Corporate Governance
  • Areas of Audit Focus
  • Regulatory Considerations
governance functions
Governance Functions
  • Regulatory and rating agency landscape has changed, with an increased scrutiny on Governance functions, such as:
    • Board / Governance Reporting
    • Enterprise and Operational Risk Management
    • Technology
    • Emerging Risks
    • Continuous Monitoring
corporate governance
Corporate Governance
  • Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
    • Board of Directors
    • Audit and Risk Committees
    • Corporate Committee Structure
    • Management
    • Enterprise Risk Program
    • Compliance and Regulatory Program
    • Technology Program
    • Social Responsibility Program
internal audit s role in governance
Internal Audit’s Role in Governance
  • Internal Audit’s role in governance is as follows:
    • Independent testing and verification of efficacy of corporate standards and business line compliance
    • Validate the overall risk framework
    • Provide assurance that the risk management process is functioning as designed and identifies improvement opportunities

Through its dual consulting and assurance roles, internal audit can provide tremendous value to a dynamic organization by focusing on areas of greatest exposure, complex operations and key business initiatives, to validate that the organization is well controlled and operating effectively and efficiently to meet the strategic goals of the firm.

governance functions1
Governance Functions
  • Internal audit must assess and make appropriate recommendations for improving Governance in its accomplishment of the following objectives:
    • Promoting appropriate ethics and values within the organization
    • Ensuring effective organizational performance management and accountability
    • Communicating risk and control information to appropriate areas of the organization
    • Coordinating the activities of and communicating information among the board, auditors, and management.
enterprise risk management
Enterprise Risk Management
  • Enterprise Risk Management Considerations
    • Commensurate with size, risk profile, complexity, and growth of the enterprise
    • Provide increased business awareness
    • Incorporate risk considerations in decision making across enterprises
erm framework
ERM Framework
  • Step 1: Establish ERM Framework
  • Identify Project Champion
  • Identify Project Owner
  • Establish Steering Committee
  • Step 2: Identify Key Objectives
  • List Key Objectives
  • Prioritize Key Objectives
  • Select objectives for assessments
  • Step 3: Identify Key Risks
  • Assess Risk
  • Assign Risk Rating
  • Step 4: Manage Risk
  • Identify Control Controls and Mitigation Requirements
  • Develop Mitigation Plans for key risks
  • Perform periodic status reviews
  • Repeat steps 2 – 4 for additional control objectives
enterprise risk management1
Enterprise Risk Management
  • No formal framework to identify, prioritize and communicate risks
  • No ongoing risk monitoring and/or risk management enhancement activities
  • Risk appetite not articulated or defined
  • Lack of aware awareness of Enterprise Risk Appetite
  • Failure to communicate with executive management, audit committee, and business units on a consistent and formal basis to discuss expectations, business strategies, objectives and initiative
  • Policies and procedures do not exist, are not documented, are inadequate or are not followed
enterprise risk management continued
Enterprise Risk Management (continued)
  • Performance goals and objectives drive behavior inconsistent with overall Enterprise ethics or standards
corporate social responsibility csr
Corporate Social Responsibility (CSR)
  • CSR: The way firms integrate social, environmental, and economic concerns into their values, culture, decision-making strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm and contribute towards society improvements.
  • Responsibility:
    • Board of Directors
    • CSR Executive
    • Management
csr risks
CSR Risks
  • Reputational Risk
  • Compliance Risk
  • Operational Risk
  • Liability Risk
  • External Business Relationships Risk
csr risks continued
CSR Risks (continued)
  • Reputational Risk
    • Violations of law or principles
    • Errors or omissions in disclosed CSR information
    • Under-performance compared with objectives/targets
    • Appearance of indifference to social issues
  • Compliance Risk
    • Failure to comply due to the extent, complexity, and volume of regulations relating to the environment, health and safety, employment, governance, political contributions, conflict of interest, and fraud.
    • Contractual obligations with third parties, such as customers, unions, or employees, and from voluntary adoption of standards.
csr risks continued1
CSR Risks (continued)
  • Operational Risk
    • CSR “pressure points” for the organization’s manufacturing processes, products, services and impact on the environment.
    • Under-performance of other targets due to inappropriate CSR strategies, or over-emphasis on CSR strategies.
    • Failure to integrate CSR objectives into processes, or to educate staff appropriately.
    • Failure to develop well-controlled systems for CSR initiatives.
    • Inaccurate or incomplete reporting information.
    • Challenge to apply same standards across multiple countries.
csr risks contd
CSR Risks – contd.
  • Liability Risk
    • During contracting for CSR terms and conditions and ensuring third-party compliance.
    • Activists or specific classes/special interest groups may take legal

action for alleged harm done by the organization.

  • External Business Relationships
    • Customers, suppliers, or partners could violate CSR terms

and conditions, principles, or laws, yet the organization could

be included as a wrongdoer by association.



IT governance follows a lifecycle

IT governance should not be a one-time exercise

  • Understanding the as-is governance structure enables the organization to make only the necessary changes
  • Building principles based on organization-specific drivers is the basis for a working governance model
  • The governance principles will act as the foundation of the governance framework and set the scene for the later model
  • After running through the lifecycle once, organizations are able to iterate the governance lifecycle without external support

IT governance decision areas

IT principles

  • How is IT used within the business
  • Providing direction for IT delivery
  • Determine the total IT spend
  • Prioritising conflicting investment needs

IT investments

  • Organisation and structure of IT assets
  • Approach to integration of IT assets

IT architectures


  • How to support business processes
  • Software platforms

IT infrastructure

  • Enabling applications and architecture
  • Managing IT assets
  • Governance decisions are either taken centralised or decentralised
  • By business, IT or both of them
  • Mechanisms have to be aligned to organizational and operations model as well as IT strategy
aligning business and it on different levels
Aligning business and IT on different levels

Business level

IT level

Joint IT governance boards

Board, CEO, COO

CIO, CTO, senior

IT management

IT Executive Steering Committee






IT Governance Council



process owner

IT client manager

architecture owner

IT Governing Bodies:

Architecture and technology boards


Key user

Service manager

IT Governing Bodies:

Service delivery boards


Service delivery through business and IT

Business processframeworks

IT service management

frameworks e.g. ITIL


IT governance domains


  • Setting the overall direction for IT within the corporation
  • Maintaining cultural values, corporate image and voice
  • Representing corporation’s key IT stakeholders

Monitoring and control


  • Qualitative benchmarking
  • Managing service levels
  • Managing a penalty system
  • Identifying areas for service improvement
  • Developing IT strategy including sourcing philosophy
  • Build corporate IT organization
  • Setting corporate IT goals
  • Agreeing on IT performance targets with IT customers

IT governance

Coordination and compliance

Capital allocation

  • Ensuring compliance with IT standards and obligations
  • Coordinating IT activities between IT demand and supply
  • Coordinating IT deployment
  • Determining capital available
  • Determining IT investment criteria
  • Reviewing bids for capital
  • Allocating resources


  • Setting the fundamental IT operating procedures
  • Establishing standards, rules and guidelines
  • Defining technical and application architectures

Technology Governance Considerations

Inherent key IT risks

IT objectives and strategies

IT processes

  • IT process duplication and inefficiencies
  • Emerging technologies
  • Technology direction
  • System disruptions
  • Contracts/3rd party vendors – outsourcing
  • Records retention
  • Regulatory compliance
  • People management
  • Global sourcing
  • Business continuity
  • Asset and portfolio management
  • IT infrastructure capacity
  • IT security/privacy
  • Financial reporting

Infrastructure and asset management

Guidance and oversight

IT governance and strategy

Strategic planning

Change management

Deliver superior

Systems and applications

Service level management

IT development and design

Technology enablement to achieve business objectives

Production support

Link objectives to risks

Evaluate the significance of the risk to IT objectives

Link risks to IT processes

Evaluate management and control activities

Superior service support and delivery

Security and data management

IT operations

Continuity of services

Problem and incident management

Optimize operating efficiency

Information security and protection

Project/program management

Protection of information

Customer support

Effectively manage security risk

regulatory expectations
Regulatory Expectations
  • Failure to establish and maintain an internal control environment which aligns stakeholders and regulatory expectations
  • Failure to identify relevant laws and regulations
  • Lack of procedures to comply with applicable laws and regulations
  • Insufficient or inadequate training of staff on regulatory requirements
  • Failure to establish adequate working relationship with regulators or authorities
thank you
Thank you!
  • Questions?