Internal Audit and corporate governance

1 Internal Audit and corporate governance Audit Masters th Annual Internal Audit Forum Berlin, May 2017 Jana Bacova, Czech National Bank

2 Content: Internal Audit Role in Corporate Governance; Corporate Governance and 2017 IPPF; Stakeholders Expectations; Enhancing Corporate Governance through auditing, practical examples

3 Corporate governance: The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

4 Internal Audit Role in Corporate Governance

5 Internal Audit role in modern corporate governance: Internal audit assists the board to discharge its critical corporate governance role and ultimate responsibilities (ensuring adequate oversight of effectiveness of internal controls), and in doing so internal audit is an integral part of an organisation's corporate governance framework. Internal Audit = partner of the top management

6 IIA Best Practice: Integrating Concepts of Corporate Governance - 4 groups: Oversight - board and committees; Stewardship - executive mng. (compliance, BCM, RM, controlling, legal); Performance - operating mng. + staff; Assurance - internal audit

7 Internal Audit*: Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. * Definition from IIA International Professional Practice Framework (IPPF)

8 Corporate Governance and 2017 IPPF

9 IIA Standards - governance: 2100 Nature of Work: The internal audit activity must evaluate and contribute to the improvement of the organization's governance, RM, and control process using a systematic, disciplined approach. IA credibility and value are enhanced when auditors are proactive and their evaluations offer new insight and consider future impact.

10 IIA Standards - governance: 2110 Governance: The internal audit activity must assess and make appropriate recommendations to improve the organisation's governance process for: Making strategic and operational decisions. Overseeing risk management and control. Promoting appropriate ethics and values within the organization. Ensuring effective organizational performance management and accountability. Communicating risk and control information to appropriate areas of the organization. Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers and management.

11 IIA Standards - governance: 2120 Risk Management A1: The internal audit activity must evaluate risk exposures relating to the organisation's governance, operations, and information systems regarding the: Reliability and integrity of financial and operational information; Effectiveness and efficiency of operations and programs; Safeguarding of assets; and Compliance with laws, regulations, policies, procedures, and contracts.

12 IIA Standards - governance: Controls 2130.A1: The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation's governance, operations, and information systems regarding the: Reliability and integrity of financial and operational information; Effectiveness and efficiency of operations and programs; Safeguarding of assets; and Compliance with laws, regulations, policies, procedures, and contracts.

13 IIA Standards - governance: Other new key words: Managing the Internal Audit Activity - effectively if it considers trends and emerging issues that could impact the organization. The IA activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance. Planning - to develop the risk-based plan, the CAE consults with senior management and the board and obtains an understanding of the organization's strategies, key business objectives, associated risks, and risk management processes.

14 IIA Standards - governance: Other new key words: Reporting to Senior Management and the Board - reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board. 2100 Nature of Work - IA evaluations offer new insight and consider future impact.

15 IIA Standards - governance: Other new key words: Engagement Planning - plan must consider the organization's strategies, objectives, and risks relevant to the engagement. Criteria for Communicating - must include applicable conclusions, as well as applicable recommendations and/or action plans. Overall Opinions - take into account strategies, objectives, and risks of the organization; and the expectations of senior management, the board, and other stakeholders.

16 Stakeholders Expectations

17 Stakeholders expectations - assurance / insight / objectivity: Work focus on most significant areas/topics - demonstrate that IA understands risks, consider nontraditional strategic risks; Keep up to date with changes in the business; Sufficient communication of IA plans - build soft skills; Quality of IA work - reliable and objective results, reports clarity and timeliness; Usefulness of recommendation; Timeliness of communication of risks; Consultative guidance/advisory work - helpful suggestions on new emerging risk areas/business process improvements

18 Stakeholders: Persons/groups that can be impacted or cause impact on IA activities; Classification from different aspects (interest, power, influence, needs, expectations); Prioritization; Key stakeholders - Board of Directors, Supervisory Board, AC, CEO; Primary stakeholders - selected senior/executive managers (compliance, risk, legal, controlling, budgeting, IT security), BCM, committees, CEO; Secondary stakeholders - external auditors, operational mng., auditees, staff, public (complainers); Adjust work/communication to stakeholders

19 Key Stakeholders needs: Understanding of strategy, considering trends, emerging issues, future impact; Strategy audit planning, risk oriented approach, high level risk; Assurance and consulting services in CG issues; Regular communication/feedback; Summary reporting/overall opinion on ICS, RM, risk profile; Quality of work - adding/presenting added value; IA - Innovator / Assistant / Advocate of changes

20 Primary Stakeholders needs: Keep up to date with business; Audit planning process/projects involvement; Focus on specific risks - legal, compliance, BCM, projects, insights; Risk management assistance - overlaps, interconnections, white spots, risk scenarios; Clear and timely communication (plans, programs, opportunities, recos); Relevant risk assurance/consultancy

21 Secondary Stakeholders needs: Keep up to date with business - response on demands; Clear and timely communication (plans, engagement programs, audit recos, opinions, action plans, results); Interim and more detailed communication of findings, risks and opportunities for improvement; Risk assessment assistance, education; Applicable/relevant findings, recos, action plans; Underline matters for (quick) mng. attention/response

22 Stakeholders Expectations: Assurance, Insight, Objectivity, Focus, Timeliness, Quality, Communication

23 CAE: CAE role is crucial: member of the mng. team - top internal auditors are much closer to top mng.; authority + trust + courage; effective communication; IA has a dual role - should have IA perspective x (top) mng. perspective; CAE must reflect on and adapt processes to stay fresh and relevant

24 Enhancing good governance through auditing

25 Enhancing good governance through auditing: How to add value to corporate governance?: evaluate and improve the effectiveness and efficiency of control and mng. processes, risk management; consider trends, emerging issues, strategies, objectives, future impact; offer applicable conclusions, recos, action plans, new insight; ask, discuss, communicate! Internal Audit is a service - Marketing and selling!

26 Internal auditors must demonstrate and communicate how and where their service adds value! IA is a valuable member of the (business) team/top management!

27 Thank you for your attention Jana Báčová Executive Director General Secretariat and Secretary to the Board