Domain 5: Governance

Risk management.

"A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives."

Control

"Any action taken by management, the board, or other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved."

Governance

"The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives."

CSR Maturity Model

-A CSR maturity model might be developed to help with assessments and to help set CSR goals for the organization. The following maturity levels might be used: 1) No CSR objectives or strategies. 2) CSR strategy is to be in compliance with laws and contracts. 3) Some divisions acknowledge specific CSR risks with stand-alone strategies. The goal is to exceed compliance requirements; reporting is selective. 4) CSR governance, strategies, and performance measures are integrated, and public reporting occurs. 5) CSR is a primary feature of the organization's mission, vision, principles, decision-making processes, and performance measures. Public formal reports are produced, and stakeholders are kept engaged.

Compliance

-Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements. -While compliance is a broad term and many areas require compliance (e.g., environmental health and safety, HR, supply chain management, data privacy), here we will focus on compliance with codes of ethics/conduct and control environment policies and procedures.

Creating and protecting value.

-All roles collectively create and protect value when they align with each other and with the prioritized interests of stakeholders. -Alignment requires communication, cooperation, and collaboration. -This ensures the reliability, coherence, and transparency of information needed for risk-based decision making.

Another sensitive task for the CAE is to determine the criteria against which the control environment will be assessed.

-An organization's rating system. -A defined internal control framework's principles. -A maturity model. -An industry standard or other benchmarking subject. -Specific objectives provided by legal counsel.

Training programme test

-Another area for compliance program effectiveness is to assess the effectiveness of education and training programs, including the programs provided by third parties. Internal auditors: -May test the design of a training program by comparing it to best-practice models, for example, use of ethical scenarios. -Determine if the desired effect of the training has been achieved, including whether employees have internalized the ethical values and are likely to apply them. -Place more value on attendees' ethical assessments of others or their assessments of the ethical climate established by management than on their self-assessments.

Measurable strategy and stategic structure

-Articulate an organizational strategy against which the success of the overall enterprise and the contributions of individuals are measured. -Create an organizational structure that supports the enterprise in achieving its strategy.

Methods of Auditing CSR

-Audit by element -Audit by stakeholder -Audit by internal control -Audit by common subject -Audit by risk management based priority

Tools and Techniques for Auditing the Control Environment

-Auditing the control environment is an example of auditing "soft controls," which means there will be subjectivity in the assessments and direct evidence may be difficult to gather. Examples include: -Using surveys to test the effectiveness of control environment elements such as ethics. -Using networking and discussions to evaluate if the actions of management align with their talk. -Leveraging internal auditors' knowledge of the organization's inner workings to provide corroboration on the effectiveness of controls. -"Auditing by walking around" and being visible and observant, which can help: Uncover intangible clues that prompt deeper assessments. Reveal persons who are willing to provide opinions anonymously. -Assessing how management has reacted to past audits and recommendations. -Reviewing materials and experiences from internal auditor participation in committees, task forces, work groups, or ethics and compliance program implementations. -Using data analytics to uncover anomalies.

Commonly Identified Governance Principles

-Board membership -Board qualification -Board independence -Internal Audit -External Audit -Risk Management -Control environment -Compensation policies -Management oversight -Effective interaction -Key information disclosure -Governance disclosure -Governing policy -Measurable strategy -Strategic structure -Transparent structure -Clear lines

The Needs of Stakeholders

-Board responsibilities for GRC start with identifying and understanding the needs of the organization's stakeholders in part because the board has a fiduciary responsibility to certain stakeholders. -Stakeholder interests need to be understood before they can be protected. -This includes discovering what would constitute an unacceptable outcome for each stakeholder in the areas of strategy, finance, compliance, and operations.

Management's Philosophy and Operating Style

-COSO's Internal Control—Integrated Framework does not have a principle related directly to management's philosophy and operating style. -However, the prior discussion of the tone at the top and how management enforces standards of conduct are just a few of the many examples in this topic of how the philosophy and operating style of management impacts the control environment.

CSR Business Activities

-CSR business activities include developing CSR strategies, objectives, policies, procedures, controls, and key performance indicators/performance targets (e.g., emissions, safety incidents, employee satisfaction). -To be effective, CSR controls need to be embedded in regular operations, such as being a required step in project approval processes.

CSR Reporting

-CSR can involve internal and external reporting. -Reports help stakeholders such as investors, the board, management, employees, suppliers, customers, and the community make informed decisions. -A best practice is to perform a cost-benefit analysis on the quantity and types of data to collect, analyze, and report.

Control Environment and Risk management

-Communicate and reinforce an ethical culture, organizational values, appropriate "tone at the top," a nonretaliatory environment for employees to raise concerns, and a way to monitor and investigate potential conflicts of interest. -Clearly define and implement risk management policies, processes, and accountabilities at the board level and throughout the organization.

A code of conduct may address the following subjects:

-Conflicts of interest -Confidentiality -Fair dealing -Proper use of organizational assets -Gifts and gratuities -Compliance with laws, rules, and regulations -Compliance with voluntary standards such as for corporate social responsibility -Reporting of illegal or unethical behavior For example, a written statement about conflicts of interest should: -Generally define conflicts of interest. -Address the expected behavior for employees, other corporate agents, and suppliers. -Include provisions for activities, investments, or other interests that reflect on the entity's integrity or reputation.

Audit - Planning considerations

-Considering staffing the audit with experienced persons to enhance credibility and recommendation acceptance. -Consulting legal counsel for some areas such as pending investigations. -Ensuring that the internal audit activity's reporting structure as documented in the charter is sufficiently independent to enable appropriate access and audit scope. -Considering how differences in national culture or national laws/regulations would impact how the engagement or its recommendations would be received.

Culture and Conduct Definitions

-Culture represents the invisible belief systems, values, norms, and preferences of the individuals that form an organization. -Conduct represents the tangible manifestation of culture through the actions, behaviors, and decisions of these individuals.

Assessments of how the area under review communicates risk and control information typically involve:

-Determining the accuracy, completeness, and timeliness of risk and control information in internal reports, newsletters, relevant memos and emails, and staff meeting minutes. -Using surveys and interviews to gauge how well employees understand their risk and control responsibilities and the potential impact of failure to exercise those responsibilities. -A potential service the internal audit activity could offer in this area would be to provide education on risk and control topics, especially if targeting identified deficiencies

King Report - Code of Corporate Practices and Conduct

-Discipline: Organizations commit to disciplined behavior that is universally accepted as proper and correct. -Transparency: Organizations commit to make it easy for outsiders to analyze the organization's activities. -Independence: Organizations are self-reliant and can manage or avoid conflict. -Accountability: Organizations develop ways to accept and acknowledge the positive and negative consequences of their actions. -Responsibility: Organizations design corrective action into all processes and consider the needs of all stakeholders in decision making. -Fairness: Organizations balance competing interests. -Social responsibility: Organizations embed corporate social responsibility programs into their core business model.

Effective interaction and management oversight

-Ensure effective interaction among the board, management, internal auditors, external auditors, and other assurance providers. -Secure appropriate oversight by management, including establishment and maintenance of a strong set of internal controls.

Board membership, board qualifications and board independence

-Ensure that the board has correct/proper members, committee structure, meeting protocols, sound and independent judgment about organizational affairs, and periodically reaffirmed membership. -Ensure that board members have appropriate qualifications and experience, clear understanding of governance roles, sound knowledge of organizational operations, and independent/objective mindset. -Ensure that the board has sufficient authority, funding, and resources to conduct independent inquiries.

Governing policy and Compensation policies

-Establish a governing policy for the operation of key activities of the organization. -Ensure that compensation policies and procedures for senior management and for others encourage appropriate behavior and are consistent with the organization's ethical values, objectives, strategy, and control environment.

Strategic approach to implementing IT governance.

-Evaluating alternatives. -Ensuring that execution is directed toward objectives. -Monitoring risk and performance against financial and nonfinancial goals: -A key financial goal is to realize the organization's strategy and provide competitive advantage. (A counterexample is senior management thinking that IT exists solely to deliver day-to-day services and limiting goals to operational cost savings.) -A key nonfinancial goal is to ensure a strong system of internal controls. Strong IT governance promotes good control design; weak IT governance could be the root cause of ineffective and deficient controls.

Risk owners GRC related responsibilities

-Evaluating risk management design against risk tolerance. -Assessing risk management capabilities, maturity, and operations. -Monitoring risks on a daily basis. -Providing accurate and timely information and recommendations to senior management and the board.

CSR: Internal audit activity consulting work could include:

-Facilitating a management self-assessment of CSR controls and results. -Consulting on CSR program design and implementation. -Advising on CSR governance, risk management, and control.

Improvement Recommendations for Governance Processes

-Finding ways to improve the flow of information to the board (e.g., more relevant, complete, timely, accurate, and forward-looking) -Avoiding subjectivity by objectively analyzing execution of past strategies -Assessing measurement processes and metrics for degree of alignment to strategy -Analyzing past ethics- or value-based code violations or trends -Assessing post-merger integration plans and progress toward their execution

First line roles

-First line roles deliver products and services to customers and are responsible for managing risk through leadership, action, development of structures and processes, and resource allocation. -They require maintaining a continuous dialogue with the board, including reporting on objective achievement and risk. -They involve ensuring compliance with legal, regulatory, and ethical expectations.

Sets the "Tone at the Top

-For example, an attitude of ignoring the rules on the part of those at the top tends to pervade to lower levels. People may either adopt the same attitude or leave the organization, which results in fewer people remaining who show integrity. The tone at the top encompasses the following concepts: -Top management and the board lead by example, considering stakeholder expectations. -The tone is shown through the actions and decisions of management, leadership and communication that is provided, and responses to deviations. -The tone at the top is fundamental to the proper functioning of the internal control system. -The tone at the top is further expressed in the form of mission statements, value statements, codes of conduct, principles, policies and practices, directives, and guidelines. -The operating style and the conduct of senior management and the board and the risk tolerances they set create an atmosphere that subordinates pick up on—for good or for ill. -A consistent tone helps pull the organization together, while a poor or inconsistent tone creates unintended consequences such as poor risk awareness, poor risk responses, poorly defined or ignored controls, or lack of improvement given feedback.

Coordinated approach to GRC

-GRC requires a cohesive and coordinated approach to ensure that limited risk and control resources are deployed effectively, significant risks are identified and managed appropriately, and risk ownership is clear to all. -Disconnected risk management efforts can otherwise lead to inefficiencies, coverage gaps, and risk ownership arguments.

Governance, risk management, and control interconnected - example

-Governance, risk management, and control are so interconnected that evaluating and improving one area typically improves the other two areas at the same time. For example: Effective governance activities consider risk when setting strategy. Risk management relies on effective governance (e.g., "tone at the top"). Effective governance relies on internal controls and related communication to the board.

Examples of IT Governance Organizational Structures

-IT governance board -IT steering committee -IT portfolio office -IT architecture office -Technology council -Cybersecurity and data protection council

IT Governance Framework: Performance measurament & resource management

-IT governance can help in measurement of the achievement of strategic IT objectives, IT performance, and the delivery of promised business functionality (and therefore contribution to profitability). Tools such as continuous monitoring or root cause analysis support these measurements. -IT governance oversees the aggregate funding of IT at the enterprise level and ensures that there is (and will continue to be) adequate IT capability and infrastructure at the organization.

IT Governance

-IT governance is "the leadership, structure, and oversight processes that ensure the organization's IT supports the objectives and strategies of the organization." -IT governance is the subset of organizational governance directly related to oversight of IT assets and IT risks.

Who owns IT governance?

-IT governance is a shared responsibility of the board and senior management. -The board is responsible for overall strategic IT guidance. -Senior management carries out the day-to-day direction of IT strategy execution. -The board and senior management are responsible for establishing the organization's IT objectives in alignment with the overall business strategy, for defining IT strategies to achieve business objectives, and for establishing: IT governance policies. Organizational structures that include IT roles and authorities. IT processes.

IT Governance Framework: Strategic alignment & Risk management

-IT governance provides the strategic direction for IT and ensures that IT and business strategies are aligned for all IT projects and services. -IT governance can ensure that IT risks are addressed and that enterprise risk management includes risk aspects of IT investments, defined responsibilities for risk management, and a holistic process for analyzing, addressing, and continuously monitoring risks.

What components does an IT governance framework address?

-IT process areas: Change management, information security management, software development, IT project management, etc. -IT mechanisms: Standards, policies, and frameworks for directing, monitoring, and measuring IT performance and managing IT risks. -IT governance organizational structures: IT roles and reporting lines to meet organizational objectives and formally evaluate and prioritize requirement

IT Audit: Specific areas for review:

-IT strategic planning: There is a clear definition of IT's mission and vision, and an IT strategic planning process with major initiatives is in place. -IT tactical planning: Project and change management methodologies are used with related controls, clear definitions of expected benefits, and clarity of scope definition. -IT delivery process: Operational controls, modification processes, and project management processes are functioning as intended. Actual versus planned benefits are analyzed. -Application development methodology: A process such as the systems development life cycle is in place and is used consistently. -Current portfolio administration: A process exists and is effective. -Overall IT efficiency and effectiveness.: IT adds more value than it costs.

Primary outcomes of effective IT governance

-IT strategies are aligned with organizational objectives. -The board and senior management understand the potential and limitations of IT. -IT senior management understands organizational objectives and needs. -An IT governance structure is used to apply and monitor this understanding. -Risks are identified and managed properly. -IT investments are optimized to deliver value. -IT performance is defined, measured, and reported using meaningful metrics. -IT resources are managed effectively.

Assessments of activity coordination and communication among the board, external and internal auditors, other assurance providers, and management include:

-Identifying the meetings that include these parties and determining their frequency of occurrence. -Reviewing meeting minutes, work plans, and reports. -Attending such meetings as participants or observers.

Examples of situations that may influence the risk assessment. of a control environment

-Integrity and ethical values. Lack of code of conduct/ethics or inability to evaluate adherence; high fraud rate. -Management's philosophy and operating style. Frequent management override of controls; lack of consideration of risk in management decision making. -Organizational structure. Ineffective board oversight or control environment monitoring; silos that promote department objectives over organizational objectives. -Assignment of authority and responsibility. Unclear job descriptions; insufficient separation of duties. -HR policies and practices. Compensation and incentive structures that create a high risk of inappropriate behavior or risk taking; poor or nonexistent background or reference checks; no whistleblower policy or hotline. -Competence of personnel. Key function turnover resulting in ineffective supervision; lack of key personnel competence (e.g., favoritism to unqualified family or associates).

Internal Audit's Role in GRC

-Internal auditors also play an indirect (assurance and consulting) role in GRC. -The CAE may document in the internal audit charter the internal audit activity's independence by affirming that senior management and the board are responsible and accountable for GRC. -The CAE works to understand the business and key organizational roles related to GRC. -This can include using GRC frameworks as a guide (especially if adopted by senior management), reviewing board and committee charters and meeting minutes, and reviewing the organization's mission, vision, key objectives, strategic plan, and key controls. -Audit plans in particular may provide evidence that the internal audit activity follows a disciplined, systematic, and risk-based approach. -Egagement reports can also support that results are relevant and add value to GRC processes.

Corporate social responsibility (CSR)

-Is a voluntary initiative to practice and transparently report on the organization's efforts toward good corporate citizenship with its employees and within the community -It is a pledge to develop the organization in sustainable ways by including not only economic but also social and environmental objectives in its values, culture, strategies, decisions, and operations.

IT governance board

-MEMBERS: Chief executive officer, chief financial officer, and chief information officer, plus CAE as nonvoting advisor on risk/control -SCOPE: Set business and IT strategy and investment plans.

Cybersecurity and data protection council

-MEMBERS: Chief information officer, CTO, CISO, chief risk officer (CRO), chief financial officer, chief operating officer, business unit owners, and CAE as nonvoting advisor on risks/controls -SCOPE: Evaluate risk and strategies to protect organization's information assets.

IT architecture office

-MEMBERS: Chief information officer, chief information security officer (CISO), chief operating officer, IT infrastructure managers -SCOPE: Determine IT architecture design.

Technology council

-MEMBERS: Chief information officer, chief technology officer (CTO), and business unit owners -SCOPE: Evaluate technology opportunities.

IT portfolio office

-MEMBERS: IT and business program/project managers -SCOPE: Develop IT project metrics, monitor, and report.

IT steering committee

-MEMBERS: IT senior management and business unit owners -SCOPE: Ensure IT strategic alignment.

Transparent structure and Clear lines

-Maintain an understanding by executive management and the board of the organization's operating structure, including structures that impede transparency. -Set and enforce clear lines of responsibility and accountability in the organization.

Organizational Structure

-Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Considers all structures of the entity. Organizations develop structures to accomplish their objectives, including: -Legal entity structures (e.g., partnerships, subsidiaries). -Organizational structures (e.g., hierarchical, matrix). -Geographic market structures (e.g., regional divisions). -Supply chain structures (e.g., outsourced processes and services).

Management first and second line roles.

-Management is defined broadly to include both "front of house" as well as "back office" activities (e.g., HR). -Management has both first and second line roles. -Positions may have blended roles or specialize in one or the other role.

Culture exists whether intentionally created or not at multiple levels:

-National culture affects the desired objectives of an organizational culture. Researching the cultures of the various countries where the organization's business units are located and where they primarily do business is a best practice. -Organizational culture drives how the organization conducts business and executes its strategies. -Subcultures likely exist at different campuses, in different departments, etc.

Key Point: Word 'defense' dropped

-Note that the word "defense" was dropped from the Three Lines Model to highlight that organizations don't exist to manage risk; they exist to achieve their objectives. -Risk management therefore needs to both be proactive in helping achieve those objectives and serve as a defense.

External Asuurance

-Other GRC stakeholders, including external auditors, regulators, and other external bodies, are not directly part of any of the three lines. -However, they play important roles in GRC. External assurance providers provide additional assurance to: -Satisfy legal and regulatory expectations that serve to protect the interests of stakeholders. -Satisfy requests by management and the governing body to complement internal sources of assurance.

Supply chain members and GRC

-Others directly involved in GRC include d supmembers of the supply chain: suppliers, employees, and customers. -These stakeholders take an active role in the business and would be impacted by business disruptions. -Employees need a livelihood. -Customer and supplier obligations need to be fulfilled. -

King Report on Corporate Governance

-Output of South Africa's King Committee on Corporate Governance. -The report is principles- and outcomes-based, focusing on transparency and disclosures that require entities to explain how the principles are applied. -The report provides a model for good governance that requires an integrated approach inclusive of stakeholder interests and a focus on corporate social responsibility.

Owners, shareholders and investors and GRC

-Owners, shareholders, and investors are not directly involved in the organization's business, but they have a strong interest in the organization's success. -Shareholders can strongly influence the board and help determine who is on the board.

Audit by risk-management-based priority

-Perform audits using a risk-management-based approach, selecting the areas of a CSR program identified as being most significant in terms of risk impact and likelihood, with direction provided by the board and senior management. This method can be combined with any of the prior methods.

Healthy organizational cultures - Characteristics

-Positive tone at the top. The board and senior management define, proactively model, and enforce accountability for desired organizational values, including in their strategies. -Clear communication. Management sets explicit expectations in all communications, daily interactions, and meetings with employees, customers, and third parties. -Open dialogue. Management listens to feedback or constructive criticism and has tools like ethics hotlines or open-door policies to encourage dialogue. -Employee engagement. Objective-setting and strategy discussions are inclusive, such as by listening to personal objectives and evaluating how they align to strategy. -Incentives aligned with core values. Compensation and incentives align with the organization's core values and risk appetite.

Key information disclosure and governnance disclosure

-Provide appropriate disclosure of key information, in a transparent manner, to stakeholders. -Disclose the organization's governance processes, comparing those processes with recognized national codes or best practices.

Regulatory agencies, creditors, and other outside parties and GRC

-Regulatory agencies, creditors, and other outside parties may have an interest in the organization and may have influence. -Regulatory agencies are responsible for establishing the regulations. -Creditors protect their capital by setting stipulations (covenants).

CSR Risks with examples

-Reputation: Appearance of indifference, errors or omissions, or expectations to present negatives as well as positives -Compliance: Compliance failures due to extent, complexity, and volume of regulations (especially for multinational organizations) -Liability:Failure to meet contractual terms and conditions, lawsuits from environmental activists, or HR-related lawsuits -Operational: Environmental "pressure points" created by operations in manufacturing or use of products -Stock market: Failure to qualify for socially responsible investment funds -Employment market: Failure to attract or retain CSR-minded employees -Sales market: Customer boycotts -External business relationships: Customers or suppliers that violate CSR terms and conditions, principles, or laws

Communicating Results - Confidentiality

-Restricting the distribution of the results. -Separately discussing the control environment portion of an assurance engagement that was part of a risk-based business audit in line with the audit plan. -Additional safeguards if the audit was performed at the direction of legal counsel.

Assessing oversight of risk management and control functions can include:

-Reviewing the process for conducting the annual risk assessment. -Reviewing minutes from risk strategy meetings. -Reviewing previously conducted risk assessments. -Interviewing key risk management persons: compliance, risk, and finance officers. -Benchmarking risk management and control processes against relevant sources such as competitors or industry trends. Assessing the level and type of support the internal audit activity provides to the organization's risk management program, including: -Robust and thorough analysis of risk management and internal control systems. -Structure and discipline in the risk management program. -Organizational and divisional risk assessments. -Ongoing formal or informal oversight and input.

Assessments of culture can review:

-Root causes for both those areas with culture deficiencies and those deemed to be operating with best practices (to benchmark culture impact). -Roles and responsibilities of the governance structure. -Programs for communicating values, strategies, and objectives. -Code of conduct, ethics, and sexual harassment training program effectiveness. -Incentives, hiring programs, disciplinary actions, -escalation protocols, or treatment of whistleblowers. -Existing information sources for culture insights, such as employee survey data.

Second line roles

-Second line roles provide complementary expertise, support, monitoring, and challenge to first line roles. -They develop, implement, continuously improve, and report on the adequacy and effectiveness of risk management and internal control at a process, systems, and entity level. -Roles can be broad enterprise risk management roles or they can be specialized, including compliance, ethics, internal control, IT security, sustainability, and quality assurance.

When assessing how strategic and operational decisions are made:

-Start by understanding organizational objectives. This could include a review of strategy documents, mission and vision statements, and so on. -Assess how strategic and operational decisions are discussed and implemented. -Assess whether established, consistent decision-making processes are used. AUDIT TECHNIQUES -Review of past audit reports, board meeting minutes, the board policy manual, and related governance documents. -Interviews with department heads to provide perspective.

Audits of the control environment:

-Start with a risk assessment to help set audit scope, frequency, and rotation. -Take into account planning considerations as individual engagements are planned. -Require assessment criteria. -Require selection of tools and techniques to use.

IT Governance Framework: Areas of Focus

-Strategic alignment -Risk management -Value delivery -Performance measurement -Resource management

Sustainable development

-Sustainable development is a strategy to promote the long-term viability of an organization's operations and actions by ensuring that the current and future needs of the organization and society can be met. -This is done in part by safeguarding, sustaining, and enhancing the human and natural resources the organization uses.

Board responsibilities for GRC

-Takes the lead role in governance, including providing strategic direction and guidance toward setting business objectives. -Provides governance oversight. -Establishes a governance committee. -Articulates requirements for reporting to the board. -Periodically reevaluates governance expectations. -Sets the risk appetite and risk tolerance levels. -Interacts directly with internal and external assurance --providers.

Governance: Type of Engagement

-The CAE's final audit plan uses a risk-based approach to identify higher-risk governance processes to potentially include as assurance engagements. -Consulting services may be preferred when known issues exist or the organization's governance process is immature. -In other cases, continuous monitoring methods can be used, such as assigning internal auditors to observe meetings of governance-related bodies and providing internal audit advice upon request on an ongoing basis.

Control Environment

-The attitude and actions of the board and management regarding the importance of control within the organization. -The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.

Governing Body Role

-The board establishes appropriate governance structures and ensures that organizational objectives align with the prioritized interests of stakeholders. -Critical to the Three Lines Model: -Accountable to stakeholders for oversight and engages with them for two-way, transparent communications on objectives. -Nurtures an ethical and accountable control environment. -Delegates responsibility and provides resources to management to achieve organizational objectives while conforming to legal, regulatory, and ethical expectations. -Establishes appropriate committees, compliance oversight functions, and an independent, objective, and competent internal audit activity. -Determines risk appetite and oversees GRC.

Responsibility for CSR

-The board has overall responsibility for the effectiveness of the governance, risk management, and control (GRC) components of CSR programs, including determining which CSR controls will be needed. -The board and management together are responsible for performing a risk assessment related to CSR and for determining what components and priorities are important to their organization. -Management is responsible for ensuring that: CSR objectives are established. Risks are managed. Related controls are implemented. Performance is measured. Activities are appropriately monitored and reported.

Assignment of Authority and Responsibility

-The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. -Establishes oversight responsibilities. -Applies relevant expertise. -Operates independently Examples of how the board operates independently include setting expectations for and evaluating the conduct of the CEO in regard to ethical values, integrity, and performance. -Provides oversight for the system of internal control. Examples of how the board provides oversight for the system of internal control include: Overseeing definition and application of the organization's code of conduct. -Establishes Reporting Lines -Defines, Assigns, and Limits Authorities and Responsibilities

Senior Management Responsibilities for GRC

-The board provides direction to and empowers senior management to execute the organization's strategy and governance on a day-to-day basis. -Senior management (chief executive officer and finance, ethics, risk, compliance, HR, and IT executives) also provide direct leadership over risk management and control processes, but they delegate the specifics to a risk committee and/or specific line managers who become risk owners.

Components of Internal Control

-The control environment forms a critical foundation for the other components of internal control that need to be integrated: risk assessment, control activities, information and communication, and monitoring activities. -The three categories of objectives that an organization works to achieve using the system of internal controls: operations, reporting, and compliance objectives.

Three lines model - risk roles

-The first line role has the risk owner role. -The second line role has the risk control and compliance role. -The third line role has the risk assurance role.

GRC can be thought of as existing in layers

-The governance structure surrounds all activities to ensure that the organization's values are promoted and key stakeholder needs are considered. (back and forth arrow) -Risk management highlights key risks to success or key opportunities. (back and forth arrow) -Internal control is where the risk management strategies are executed.

Third Line Role

-The internal audit activity is the third line role because it is a systematic, disciplined, competent, independent, and objective assurance and advice role for GRC. -It remains primarily accountable to the board and reports to it on GRC, achievement of objectives, continuous improvement, and disclosures of impairments.

Performance Standard 2100, "Nature of Work"

-The internal audit activity must evaluate and contribute to the improvement of the organization's governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. -Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.

Triple bottom line

-The method creates three balanced measures of success -Economic -Environmental -Social responsibility

CSR Audit Considerations

-The organization may consider recommendations on CSR programs to be sensitive information, and so the CAE should consult with management regarding report distribution. -The CAE should ensure that the audit team has the required skills and knowledge to audit CSR programs, such as expertise in regulations.

To assess the effectiveness of organizational performance management and accountability processes, review:

-The organization's policies and processes related to staff compensation, objective setting, and performance evaluation. -Associated KPIs and incentive plans for appropriate design and execution to prevent or detect unacceptable behavior or excessive risk taking and to promote strategic alignment.

The organization's structure

-The system of internal controls needs to be integrated into the organization at multiple layers that are more and more detailed. -Entity level -Division -Operating unit -Function

Three Catergories of Objectives

-The three categories of objectives that an organization works to achieve using the system of internal controls: operations, reporting, and compliance objectives.

External assurance providers are more effective in GRC when:

-Their activities are carefully coordinated to avoid duplication of effort. -The internal audit activity addresses gaps in their coverage due to their specialized focus areas.

Social Responsbility

-This is fair treatment of and reinvestment in employees, indigenous peoples, and communities. Objectives include: Protecting human rights. Providing fair pay and nondiscriminatory employment, including jobs for the indigenous workforce. Reinvesting in local communities. Encouraging corporate and employee volunteering and donating. Creating a culture of transparency.

Economic.

-This is the traditional bottom line for a business (i.e., profit or loss), but some CSR programs also enhance profitability. Objectives could include: -Reducing waste. -Minimizing energy use. -Becoming an employer of choice. -Reducing safety incidents.

GRC elements that senior management determine...

-To be effective, senior management needs to understand the limits to the scope of their authority and the board's governance expectations. This can take the form of determining: -Who should be the risk owner for key risks, where in the organization to manage specific risks to enable the most efficient and effective responses, and how to manage those risks. -When to direct risk owners to have a lower risk tolerance than the general tolerance level (e.g., multiple significant control deficiencies aggregate to an unacceptable level). -How to set reporting requirements (nature, format, timing) for risk owners to ensure sufficient information for senior management's reporting requirements to the board. -How to refine GRC expectations given business changes, changes in risk tolerance levels, and feedback on GRC effectiveness.

What is internal audit's role in governance, risk management, and control (GRC)? -To consult to create the ultimate strategy for GRC and obtain board approval -To provide absolute assurance that GRC is functioning adequately -To provide objective assurance and consulting activities around GRC -To lead accountability for GRC

-To provide objective assurance and consulting activities around GRC

Poor organizational culture may be the root cause of many control environment issues. A toxic culture can erode the effectiveness of other control layers. Risk factors include:

-Unreasonable deadlines or performance targets. -Incentives not aligned with values. -Employees with little or no risk training. -Organizational silos or other information impediments. -Mistrust toward auditors. -Dislike of controls or disregard of "inconvenient" laws or regulations. -Poor senior management accountability. -Inability to accept evidence that disproves beliefs. -A belief that "this could never happen here." -Failure to enforce standards of conduct.

Poor organizational culture may be the root cause of many control environment issues. It may take the form of:

-Unreasonable deadlines or performance targets. -Incentives not aligned with values. -Employees with little or no risk training. -Organizational silos or other information impediments. -Mistrust toward auditors. -Dislike of controls or disregard of "inconvenient" laws or regulations. -Poor senior management accountability. -Inability to accept evidence that disproves beliefs. -A belief that "this could never happen here." -Failure to enforce standards of conduct.

Internal audit and external audit

-Use internal auditors effectively, ensuring the adequacy of their independence, resources, and scope of activities and the effectiveness of operations. -Effectively use independent outside auditors, ensuring their independence, adequate resources, and scope of activities.

Values

-Values are beliefs about right versus wrong that guide people's and organizations' decisions and actions, especially in situations that require making tradeoffs between conflicting objectives. -Inherent in values is a set of priorities or criteria that help people determine which values are more important than others.

GRC-related Standards

2100, 2110, 2120, and 2130.

Third line independence

Accountability to the board, unfettered access, freedom from bias and interference, and independence from management responsibilities enable the internal audit activity to have objectivity, authority, and credibility.

Systematic process for escalation and resolution of exceptions.

Audits of compliance program effectiveness in the areas of standards of conduct assess whether the organization has a systematic process for escalation and resolution of exceptions. -Management defines key performance indicators and targets for program effectiveness, for example, the number of breaches of confidentiality, the number of harassment cases, or ethics training rates. -Management develops ongoing and periodic procedures to test compliance with specific policies and procedures. Ongoing procedures include hotlines and meetings with direct reporting lines where the expectation is set that such issues would be raised if known. Periodic procedures include annual review of evaluations of behavior from performance reviews and rationales for compensation/promotion decisions. -Issues and alleged violations are compiled and evaluated centrally. Cross-functional teams periodically identify trends and seek root causes of noncompliance. -Investigations are conducted and documented, being careful to comply with related legal and HR investigation policies and procedures. -Corrective actions are determined, subjected to legal, consistency, and fairness reviews, and then implemented. Management responses need to consider adherence to local, regional, and national laws but also be adapted to the circumstances.

Which of the following would be the most appropriate activity for an organization in promoting ethical behavior? Designing and administering employee and stakeholder ethics attitude surveys Building the tone for honesty and integrity from the bottom up Providing whistleblower hotlines for reporting incidents directly to a designated executive Conducting employee ethics interrogations

Designing and administering employee and stakeholder ethics attitude surveys Rationale Ethics attitude surveys are one way to foster a healthy ethical climate. An organization should set the "tone at the top" for honesty and integrity (rather than building it from the bottom up) and should reinforce that every manager, director, and employee needs to maintain these values. Whistleblower hotlines are important, but the best design would be to direct calls to an outside service or possibly an HR professional. Directing calls to an executive creates a risk of retaliation against the employee. An employee ethics interview would be appropriate, but an interrogation would not.

To asess how Appropriate Ethics and Values within the Organization are promoted

Document reviews in this area can include: -Mission and value statements, the organization's code of conduct, and related ethics and values objectives, programs, and activities. -Hiring and training processes, anti-fraud and whistleblowing policies/hotlines, and the related investigation process. -In addition to document reviews, personnel can be interviewed or surveyed to determine their level of awareness of ethical standards and values.

Potential root causes to ethical deficiencies

Emphasis on results, especially those that are short-term Excessive focus on the bottom line (such as sales revenues and profit goals) High-pressure sales tactics Ruthless negotiations Aggressive incentives that are tied to reported financial and nonfinancial information

Conflicts of interest

Ensure appropriate oversight of related-party transactions and conflict-of-interest situations.

An internal audit activity helps an organization maintain effective controls most effectively by -identifying and evaluating significant exposures to risk and monitoring and evaluating the risk management system. -effectively coordinating the activities of and communicating information among the board, management, and external and internal auditors. -evaluating the effectiveness and efficiency of controls and promoting the continuous improvement of the control environment and related control activities. -performing a comprehensive risk assessment and identifying potential areas for audit.

Evaluating the effectiveness and efficiency of controls and promoting the continuous improvement of the control environment and related control activities. Rationale Internal auditors must be proficient in governance, risk, and control activities. In discussing the requirements of Standard 2100, "Nature of Work," Implementing the Professional Practices Framework, second edition, succinctly summarizes how internal auditors must evaluate and contribute to the improvement of governance, risk management, and control systems. For the area of control, the two primary ways the internal audit activity helps an organization maintain effective controls are by evaluating the effectiveness and efficiency of controls and by promoting the continuous improvement of the control environment and related control activities.

Governance - role

Governance of an organization requires appropriate structures and processes that enable: -Accountability to stakeholders by the board through integrity, leadership, and transparency. -Actions by management to achieve objectives, manage risk, and use risk-based decision making and application of resources. -Assurance and advice by an independent internal audit activity.

IT Governance Framework: Value delivery

IT governance can drive the maximum value from IT by ensuring that financial value is measured not only in terms of overall return on investment but also in terms of other strategic measures such as IT tactical plan execution, systems uptime, degree of automation in the systems development life cycle, productivity, and revenue generation.

CSR Audit Assurance Areas

In CSR audits, internal auditors may assess, for example, whether: -CSR information is consistent and current across all media and speeches. -Report information conforms to chosen reporting standards, such as the GRI standards. -CSR strategies and priorities are integrated into decision-making and approval processes. -CSR roles and responsibilities are documented and communicated. -Mandatory requirements based on laws and regulations and chosen voluntary standards such as SA8000 are adopted by the board/management, integrated into management practices, and monitored for compliance. -Requirements of socially responsible investment funds are identified. -CSR data capture and measurement systems are complete, accurate, and timely. -CSR reports have a rigorous disclosure review process, align with the organization's commitments, contain balanced reporting, and are reader-friendly.

A section of a written code of conduct regarding conflict of interest should -Be comprehensive and cover all of the most common conflicts of interest. -Be brief and state simply that employees should always avoid conflicts of interest. -Include provisions for activities that reflect on the organization's reputation. -Include expected behavior of employees but not suppliers or customers.

Include provisions for activities that reflect on the organization's reputation. Rationale A written statement should define the issue; address expected behavior of employees, other corporate agents, and suppliers; and include provisions for activities, investments, or other interests that reflect on the entity's integrity or reputation.

Governance framework

Internal auditors can use the organization's adopted governance framework as the basis of evaluation.

Strong ethical culture

It includes: -Effective board oversight. -Strong tone at the top and senior management involvement. -Organization-wide commitment. -A customized code of conduct. -Timely follow-up and investigation of reported incidents and consistent disciplinary action for offenders. -Ethics training and communications. -Ongoing monitoring systems. -An anonymous incident reporting system. Ethics is everyone's responsibility: -The board oversees the ethical climate and ensures that management has sound ethics-related objectives and programs via assurance from internal auditing. -Senior management promotes and exemplifies an ethical tone at the top and creates explicit strategies to support and enhance the ethical culture, including ethics training. -Line managers' attitudes and behaviors create an ethical subculture for their areas. -Outsourced service providers (e.g., customs clearance) can create reputation risks for unethical actions on the behalf of the organization. Contracts should include things like anti-bribery and conflict-of-interest clauses. -There may be a chief ethics officer and/or designated person (ombudsman) for ethics advice.

Assessments of Ethical Climate:

Key areas: -Whether ethical values are consistent among policy statements. -Whether any policies lack ethics statements and, if so, whether they should be added. -Whether ethics statements are consistently expressed to enable staff to have a cohesive, easily understood picture of expected behavior. -Whether statements are specific and concrete enough to be meaningful. -An entity-wide employee survey is a common tool for ethical climate assessments.

Audit by common subject

Perform audits by common subject area: workplace, marketplace, community, and environment. Auditing by workplace could bundle together issues such as employer of choice, health and safety, diversity and equality, environmental management practices, training and development, ethics, governance, and human rights.

Audit by internal control

Perform audits using internal controls over risk management, data gathering, measuring, and CSR reporting activities. Performing the same audit tests for each area audited ensures that results are comparable. At year end, an overall report on CSR could be made based on all areas audited.

Audit by element

Perform separate audit engagements for each CSR element: governance; environment; ethics; community involvement; health, safety, and security; transparency; and working conditions and human rights.

Audit by stakeholder

Perform separate audit engagements to assess effectiveness of delivering value to each stakeholder group, such as employees and their families, customers, the environment, and so on. The basis for determining effectiveness is fulfillment of each group's needs.

KEY POINT - Consistency

Performance Standard 2100 notes that internal auditors must use a "systematic, disciplined, and risk-based approach." This type of approach is a differentiating attribute for internal auditing and is a key reason the discipline commands respect. Consistency in approach is vital to ensuring that the internal audit activity is delivering the quality required by the Standards.

Organizations that have a culture that emphasizes a formal and consistent risk assessment methodology will be good at identifying -black swans. -emerging risk. -quantitative risk. -qualitative risk.

Quantitative risk Rationale A culture that emphasizes a formal and consistent risk assessment methodology will be good at identifying quantitative risks, but they may miss some qualitative or emerging risks.

Self-assessment exercises/Surveys/Questionnaires

Self-assessment exercises, surveys, and questionnaires can be used to measure how well the key parties in the area being audited understand organizational values, how well their own goals and objectives align with those values, and the degree to which they see others in the organization living by those stated values. Depending on the audience, questionnaires could: -Ask the board to trace their policies back to core values and identify any gaps. -Ask whether annual staff training programs on board policies and procedures occur in the audit area and ask for descriptions of such programs. -Ask whether audit area staff are required to confirm their compliance with board policies and procedures at least annually. -Internal auditors need to be aware that self-assessments, surveys, and questionnaires measure perceptions but that such perceptions may or may not be accurate. -Audit programs can also be developed to test for each specific value in the written code of conduct. For example, an audit program to assess "We value and respect all individuals" may focus primarily on HR policies and procedures and observations of related behavior.

There are two types of values:

Stated values. These are ideal or written values, such as written codes of ethics and/or conduct. Operating values. These are cultural values that guide actual organizational behavior.

The CAE role in GRC

The CAE: -Discusses with the board and senior management the best strategies for the internal audit activity to evaluate and contribute to GRC. -Considers the maturity level of governance, risk management, and control processes. -Assesses risks to GRC (including the impact of culture and the seniority of risk owners). -Highlights areas of weakness. -Makes recommendations (including adoption of a particular GRC framework).

5 principles of the control environment

The control environment includes the following elements: -Integrity and ethical values. -Management's philosophy and operating style. -Organizational structure. -Assignment of authority and responsibility. -Human resource policies and practices. -Competence of personnel.

How might internal audit activity be involved in ethics-and compliance-related issures, violations and dispositions:

The internal audit activity may be involved in ethics- and compliance-related issues, alleged violations, and dispositions in two ways. -First, the internal audit activity may assess whether the escalation and resolution process is effective. -Second, as a result of entity-wide, or specific audit engagement area effectiveness assessments, the activity may need to evaluate deficiencies and communicate results, including making recommendations

Internal Audit Looking at Governance: Performance Standard 2110, "Governance"

The internal audit activity must assess and make appropriate recommendations to improve the organization's governance processes for: -Making strategic and operational decisions. -Overseeing risk management and control. -Promoting appropriate ethics and values within the organization. -Ensuring effective organizational performance management and accountability. -Communicating risk and control information to appropriate areas of the organization. -Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.

IT Risk—Root Cause Analysis Framework

The model shows three layers of control: TECHNICAL CONFIGURATION -Start at the technical configuration layer at the bottom -Technical design or architecture of IT resources - application, database and network layers -E.g. poor firewall configuration is identified). IT PROCESSES -Work backwards to potential root causes in IT processes (e.g., poor oversight). -Procedures employed to deliver IT service, information security, application development, change managagement, configurement management -E.g. poor oversight IT GOVERNANCE -Finish with potential root causes in IT governance -'Tone at the top', business alignment, policies, training, risk management, performance, metrics, monitoring and human factors -E.g. no firewall configuration training

Human Resource Policies and Practices

The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. -Establishes policies and practices. Establish the necessary level of competence for a given role. Indicate the basis for requirements (e.g., legal compliance). Specify the skills and conduct that will be required for achieving objectives and supporting internal control. Establish specific accountabilities. -Evaluates competence and addresses shortcomings. -Attracts, develops, and retains individuals. -Plans and prepares for succession.

Integrity and Ethical Values

The organization demonstrates a commitment to integrity and ethical values. -Sets the tone at the top. -Establishes standards of conduct. -Evaluates adherence to standards of conduct. -Addresses deviations in a timely manner.

Competence of Personnel

The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. -Enforces accountability through structures, authorities, and responsibilities. -Establishes performance measures, incentives, and rewards. -Evaluates performance measures, incentives, and rewards for ongoing relevance. -Considers excessive pressures. -Evaluates performance and rewards or disciplines individuals.

Environmental.

This is the responsible and compliant use of natural resources and protection of the natural environment. Objectives include: -Complying with environmental laws and regulations. -Using air, water, and land responsibly. -Meeting carbon emissions goals

Why may the CAE interview key governance roles and review board and committee charters?

To -Gain insight into the role the board plays in the organization's governance, especially regarding strategic and operational decision making. -Understand organization-specific processes and assurance activities currently in place. -Learn about the board's and senior management's understanding and expectations of governance, the requirements of Standard 2110, the nature of governance processes, and the internal audit activity's role in governance.

If Internal audit take on first or second line roles

While having all three roles is a best practice, if internal audit takes on first or second line roles, the CAE should communicate to the board and senior management the impact of this combination and recommend their separation when appropriate, such as after the organization grows in size or complexity.