CIA Part 1 - Unit 3


Governance Assessments

Assessments of governance are likely to be based on numerous audits. The internal auditor should consider
- Audits of specific processes,
- Governance issues arising from audits not focused on governance,
- The results of other assurance providers' work, and
- Such other information as adverse incidents indicating an opportunity to improve governance.

ISO 14000 Standards

ISO 14000 standards are a set of criteria for certification of an environmental management system. According to ISO, the benefits of using ISO 14000 can include the following:
- Reduced cost of waste management
- Savings in consumption of energy and materials
- Lower distribution costs
- Improved corporate image among regulators, customers, and the public

Internal Mechanisms that Influence Corporate Governance

Internal mechanisms include corporate charters and bylaws, boards of directors, and internal audit functions.

Management

Management performs day-to-day governance functions. Senior management carries out board directives (within specified tolerances for unacceptable outcomes) to achieve objectives.

Risk Owners

Risk owners are responsible for
1. Evaluating the adequacy of the design of risk management activities and the organization's ability to carry them out as designed;
2. Determining whether risk management activities are operating as designed;
3. Establishing monitoring activities; and
4. Ensuring that information to be reported to senior management and the board is accurate, timely, and available.

Corporate Governance

"Corporate governance involves a set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined."

Governance Practices

- Governance applies to all organizational activities.
- Governance practices reflect the organization's unique culture and largely depend on it for effectiveness.

Ethical Culture

The ethical culture is an important component of the organizational culture and is crucial to the effectiveness of governance practices. Because decision making is complex and dispersed in most organizations, each person should be an ethics advocate, whether officially or informally. The board oversees the organization's ethical climate. Organizations may designate a chief ethics officer. The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

CSR Strategies

The following are four alternative strategies:
1. Reaction. The organization denies responsibility and tries to maintain the status quo.
2. Defense. The organization uses legal action or public relations efforts to avoid additional responsibilities.
3. Accommodation. The organization assumes additional responsibilities only when pressured.
4. Proaction. The organization takes the initiative in implementing a CSR program that serves as an example for the industry.

Internal Audit's Role in Governance

The internal audit activity is responsible for assessing and improving governance processes. Internal auditors may have an active role in support of the organization's ethical culture. Roles may include chief ethics officer, member of an ethics council, or assessor of the ethical climate. In some circumstances, the role of chief ethics officer may conflict with the independence attribute of the internal audit activity.
- The organizational independence of the internal audit activity is necessary because it performs internal assurance services.
- External assurance may be provided by external auditors, consultants, industry groups, or regulators.

Recommendations from IA

The internal audit activity must assess and make appropriate recommendations to improve the organization's governance processes for:
- Making strategic and operational decisions.
- Overseeing risk management and control.
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Communicating risk and control information to appropriate areas of the organization.
- Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.

IT Governance

The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

Auditing Approaches for CSR

Two common approaches to auditing CSR are auditing by element and by stakeholder group.

CSR Frameworks

Two major frameworks exist that provide guidance on CSR implementation.
1. The Global Reporting Initiative (GRI) has developed a sustainability reporting framework that provides specific guidance on measuring CSR performance against predefined criteria.
2. While GRI guidance emphasizes reporting, ISO 26000 emphasizes how to implement and manage a CSR initiative.

Board Duties

- Selection and removal of officers
- Decisions about capital structure (mix of debt and equity, consideration to be received for shares, etc.)
- Adding, amending, or repealing bylaws (unless this authority is reserved to the shareholders)
- Initiation of fundamental changes (mergers, acquisitions, etc.)
- Decisions to declare and distribute dividends
- Setting of management compensation (sometimes performed by a subcommittee called the compensation committee)
- Coordinating audit activities (most often performed by a subcommittee called the audit committee)
- Evaluating and managing risk (sometimes performed by a subcommittee called the risk committee)

Governance Principles

1. An independent and objective board with sufficient expertise, experience, authority, and resources to conduct independent inquiries
2. An understanding by senior management and the board of the operating structure, including structures that impede transparency
3. An organizational strategy used to measure organizational and individual performance
4. An organizational structure that supports accomplishing strategic objectives
5. A governing policy for the operation of key activities
6. Clear, enforced lines of responsibility and accountability
7. Effective interaction among the board, management, and assurance providers
8. Appropriate oversight by management, including strong controls
9. Compensation policies, especially for senior management, that encourage appropriate behavior consistent with the organization's values, objectives, strategy, and internal control
10. Reinforcement of an ethical culture, including employee feedback without fear of retaliation
11. Effective use of internal and external auditors, ensuring their independence, the adequacy of their resources and scope of activities, and the effectiveness of operations
12. Clear definition and implementation of risk management policies and processes
13. Transparent disclosure of key information to stakeholders
14. Comparison of governance processes with national codes or best practices
15. Oversight of related party transactions and conflicts of interest

GRC Effectiveness

1. Effective governance considers risk when setting strategy, and risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management). 2. Effective governance relies on controls to manage risks and on communication of their effectiveness to the board.

Responsibility for CSR (Roles)

1. The board is responsible for overseeing CSR and the effectiveness of governance, risk management, and internal control processes related to CSR. 2. Management is responsible for establishing CSR objectives, assessing and managing risks, measuring performance, and monitoring and reporting activities. 3. The internal auditor is responsible for evaluating whether controls over CSR are adequate to achieve CSR objectives. 4. All employees are responsible for the success of CSR initiatives.

Risk Committee

A risk committee may be created that
- Identifies key risks,
- Connects them to risk management processes,
- Delegates them to risk owners, and
- Considers whether tolerance levels delegated to risk owners are consistent with the organization's risk appetite.

COSO Enterprise Risk Management Framework

According to the COSO Enterprise Risk Management framework, culture consists of the attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization.

Organizational Culture

Accordingly, organizational culture is reflected in 1. Setting values, objectives, and strategies; 2. Defining roles and behaviors; 3. Measuring performance; 4. Specifying accountability; and 5. Complying with corporate social responsibilities.

CSR Responsibilities

Business ethics scholar Archie B. Carroll has identified four responsibilities that an organization must fulfill to be called socially responsible:
1. Economic responsibility to be profitable, or to do what is required by capitalism
2. Legal responsibility to obey the law, or to do what is required by stakeholders
3. Ethical responsibility to be ethical in its practices, given local and global standards, or to do what is expected by stakeholders
4. Philanthropic responsibility to be a good corporate citizen, or to do what is desired by stakeholders

CSR Business Activities

CSR business activities generally include the following:
- Establishing and communicating policies and procedures
- Setting objectives, performance goals, and strategies
- Communicating and integrating CSR principles and controls into the business decision-making processes
- Monitoring, evaluating results, and benchmarking
- Engaging stakeholders (e.g., through satisfaction surveys, focus groups, and complaint management processes)
- Auditing (e.g., public disclosures, internal controls, and contractual compliance with CSR terms and conditions)
- External and internal reporting of results

Codes of Conduct

Codes of conduct and vision statements are issued to state 1. The organization's values and objectives; 2. The behavior expected; and 3. The strategies for maintaining a culture consistent with legal, ethical, and societal responsibilities.

Voluntary CSR

Despite increasing pressure from stakeholders for organizations to be more socially and environmentally responsible, CSR is largely a voluntary practice. In most jurisdictions, public companies are not required to disclose their CSR performance. Furthermore, organizations exercise significant discretion in deciding what to disclose about their CSR performance.

Sensitivity around Governance

During the planning, evaluating, and reporting phases, the internal auditor should be sensitive to the consequences of the results and ensure appropriate communications with the board and senior management.
- The internal auditor should consider consulting legal counsel both before the audit and before issuing the final report.

By Element Approach

Element. Separate audits of each element are performed. The following are typical CSR elements with example audit questions:
- Governance (Do board members have sufficient and relevant information to fulfill their roles and responsibilities?)
- Community investment (What philanthropic practices are in place, and how are decisions made?)
- Environment (Are social and environmental impact assessments performed?)
- Ethics (Is an anti-corruption culture included in the organization's risk assessment, code of conduct, and policies?)
- Health, safety, and security (Are incidents reported, communicated, managed, and resolved appropriately?)
- Transparency (Does the organization follow appropriate accounting standards?)
- Working conditions and human rights (Is compensation based on fair pay, living wages, and job opportunities?)

Reporting CSR

Every organization must make a business decision about (1) the cost or benefit of producing a CSR report and (2) what information to include in the report. Many organizations use verification and assurance processes for all or parts of the report to increase accountability and reduce the likelihood that the report will appear to be a marketing tool.

Reporting methods include the following:
- Providing a standalone CSR report
- Integrating the CSR report with the annual financial report
- Providing CSR information booklets on special topics

Distribution formats include the following:
- Web pages
- Booklets
- Press releases
- Regulatory filings

External Mechanisms that Influence Corporate Governance

External mechanisms include laws, regulations, and the government regulators who enforce them.

Periodic Risk Reporting to Board

Governance expectations, including tolerance levels, must be periodically reevaluated by the board and senior management. The result may be changes in risk management activities.

Governance

Governance is defined in the glossary of the International Standards for the Professional Practice of Internal Auditing (Standards) as "[t]he combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives."

Purpose of Governance Practices

Governance practices may use various legal forms, structures, strategies, and procedures. They ensure that the organization 1. Complies with society's legal and regulatory rules; 2. Satisfies the generally accepted business norms, ethical principles, and social expectations of society; 3. Provides overall benefit to society and enhances the interests of the specific stakeholders in both the long and short term; and 4. Reports fully and truthfully to its stakeholders, including the public, to ensure accountability for its decisions, actions, and performances.

GRC

Governance, Risk Management and Control

Risk Owners

Managers responsible for specific day-to-day risks

Control Environment

Organizational culture affects the overall control environment and individual engagement risks and controls. (The control environment is defined in Appendix A.) Organizational culture that is risk aggressive (risk averse) is more likely to regard the importance of control within the organization as low (high). Consequently, engagement risks and controls are more (less) likely to be assessed as high.

Other Roles of IA

Other roles of internal auditors in governance include the following:
- Obtain the board's approval of the internal audit charter.
- Communicate the plan of engagements.
- Report significant audit issues.
- Communicate key performance indicators to the board on a regular basis.
- Discuss areas of significant risk.
- Support the board in enterprise-wide risk assessment.
- Review the positioning of the internal audit activity within the risk management framework within the organization.
- Monitor compliance with the corporate code of conduct/business practices.
- Report on the effectiveness of the control framework.
- Assess the ethical climate of the board and the organization.
- Conduct a follow-up and report on management's response to regulatory body reviews.
- Conduct a follow-up and report on management's response to external audit.
- Assess the adequacy of the performance measurement system and achievement of organizational objectives.
- Support a culture of fraud awareness and encourage the reporting of improprieties.

Components of Governance: Oversight

Oversight is the governance component with which internal auditing is most concerned. It is also the component to which risk management and control activities are most likely to be applied. The elements of oversight are: 1. Risk management activities performed by senior management and risk owners and 2. Internal and external assurance activities.

Senior Management

Senior management determines: 1. Where specific risks are to be managed, 2. Who will be risk owners (managers responsible for specific day-to-day risks), and 3. How specific risks will be managed. Senior management establishes reporting requirements for risk owners related to their risk management activities. Senior management is primarily responsible for establishing and maintaining an organizational culture. Senior management has ultimate responsibility for promoting and setting the example of ethical behavior (i.e., setting the tone at the top). Senior management is also responsible for establishing and maintaining sound ethics-related objectives and programs.

By Stakeholder Approach

Stakeholder group. Separate audits of CSR programs related to each significant stakeholder group are performed that consider compliance with laws, regulations, and contracts. The following are typical stakeholder groups with example audit questions:
- Customers (Does the organization have product safety and recall processes?)
- Employees and their families (Does the organization prohibit discrimination and harassment?)
- Environment (Are social and environmental impact assessments performed?)
- Neighboring communities (Does the organization give to local economic support programs?)
- Shareholders (Does the organization abide by shareholder rights?)
- Suppliers (Are rates and payment terms fair?)

Stakeholders

Stakeholders are persons or entities who are affected by the activities of the entity. Among others, these include shareholders, employees, suppliers, customers, neighbors of the entity's facilities, and government regulators.

Corporate Social Responsibility (CSR)

Stakeholders increasingly expect organizations to accept responsibility and implement strategies and controls that (1) manage their effects on the environment and society, (2) engage stakeholders in their efforts, and (3) report results to the public. CSR is a response to stakeholder expectations. 1. CSR refers to (a) social responsibility, (b) sustainable development, and (c) corporate citizenship. 2. The International Organization for Standardization (ISO) has issued guidance on social responsibility in its ISO 26000. CSR is defined, in part, as "the willingness of an organization to incorporate social and environmental considerations in its decision making and be accountable for the impacts of its decisions and activities on society and the environment." 3. Similarly, an IIA Practice Guide defines CSR as "the way firms integrate social, environmental, and economic concerns into their values, culture, decision-making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society."

Components of Governance: Strategic Direction

Strategic direction determines 1. The business model, 2. Overall objectives, 3. The approach to risk taking (including the risk appetite), and 4. The limits of organizational conduct.

Board Responsibilities

The board has the ultimate responsibility for oversight.
- Another responsibility is to identify stakeholders, whether directly involved with the business (employees, customers, and suppliers), indirectly involved (investors), or having influence over the business (regulators and competitors).
- The board must determine the expectations of stakeholders and the outcomes that are unacceptable.

CSR Maturity Model

The CAE compares the organization's CSR maturity level [using a 5-level maturity scale (level 1 is "initial" and level 5 is "optimizing")] at the time of the internal audit with the level the organization desires to achieve.

Considerations of CAE

The CAE should consider the following in planning assessments of governance:
- An audit should address controls in governance processes that are designed to prevent or detect events that could have a negative effect on the organization.
- Controls within governance processes often are significant in managing multiple risks. For example, controls related to the code of conduct may be relied upon to manage compliance and fraud risks.
- If other audits assess controls in governance processes, the auditor should consider relying on their results.

When control issues are known or the governance process is not mature, the CAE may consider different methods for improving control or governance through consulting services.

Design of Governance Processes

The board and management are responsible for the design and implementation of governance processes.

The Board

The board is defined by The IIA as the highest level governing body (e.g., a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization's activities and hold senior management accountable.
- Although governance arrangements vary among jurisdictions and sectors, typically the board includes members who are not part of management. If a board does not exist, the word "board" refers to a group or person charged with governance of the organization.
- Furthermore, "board" may refer to a committee or another body to which the governing body has delegated certain functions (e.g., an audit committee).

Thus, the board is the source of overall direction to, and the authority of, management.

Factors of Effective Governance

The design and practice of effective governance vary with
- The size, complexity, and life-cycle maturity of the organization;
- Its stakeholder structure; and
- Legal and cultural requirements.

Evaluating and Auditing CSR

The internal audit activity must maintain its independence and objectivity while performing CSR audits. The internal audit activity's independence and objectivity is not impaired if it 1. Provides advice on the design and implementation of CSR programs or 2. Facilitates a management self-assessment of CSR controls and results. Any internal audit activity that collectively lacks the appropriate skill and knowledge should not perform CSR audits. The chief audit executive (CAE) considers CSR risks, and the internal audit activity evaluates whether the organization has adequate controls to achieve its CSR objectives. 1. Evaluation criteria may include compliance with internal control frameworks (e.g., COSO), quality frameworks (e.g., ISO), or contractual obligations.

Components of Effectiveness Evaluation by IA

The internal audit activity periodically assesses the elements of the ethical climate of the organization and its effectiveness in achieving legal and ethical compliance. Internal auditors therefore evaluate the effectiveness of the following:
1. A formal code of conduct and related statements and policies (including procedures covering fraud and corruption)
2. Frequent demonstrations of ethical attitudes and behavior by influential leaders
3. Explicit strategies to support the ethical culture
4. Confidential reporting of alleged misconduct
5. Regular declarations by employees, suppliers, and customers about the requirements of ethical behavior
6. Clear delegation of responsibilities for providing counsel, investigation, and reporting
7. Easy access to learning opportunities
8. Personnel practices that encourage contributions by employees
9. Regular surveys of employees, suppliers, and customers to determine the state of the ethical climate
10. Regular reviews of the processes that undermine the ethical culture
11. Regular reference and background checks

Audit Plan Requirements

The plan should define
- The nature of the work;
- The governance processes; and
- The nature of the assessments, e.g., consideration of specific risks, processes, or activities.

CSR Risks

The risks of failing to implement an effective CSR program include the following, among others:
- Loss of reputation. The organization's brand or reputation could be damaged.
- Noncompliance. The organization may fail to comply with regulations or contractual obligations.
- Lawsuits. The organization may be held liable for alleged harms.
- Operational failures. Operational pressure points (e.g., environmental effects of processes or products) may indicate risks. Risks also result from, for example, not achieving CSR objectives because of inappropriate CSR strategies or over-emphasis on CSR strategies.
- Stock market. The organization may lose investors.
- Employment market. Employees may leave the organization, or attracting new employees may be difficult.
- Sales decline. Customers may boycott services or products.

Maturity of Governance System

The role of, and advice given by, the internal audit activity depend on the maturity of the governance system.
- In a less mature system, the internal audit activity emphasizes compliance with policies, procedures, laws, etc. It also addresses the basic risks to the organization.
- In a more mature governance system, the internal audit activity's emphasis is on optimizing structure and practices.

Nature of Governance in the Organization

Understanding the role of the internal audit activity begins with understanding the nature of governance in a specific organization.
1. Governance has a range of definitions depending on the circumstances.
- The CAE should work with the board and senior management to determine how governance should be defined for audit purposes.
2. Governance models generally treat governance as a process or system that is not static.
- The approach in the Standards emphasizes the board and its governance activities.

Governance requirements vary by entity type and regulatory jurisdiction. Examples include publicly traded companies, not-for-profits, governments, private companies, and stock exchanges.
