Auditing corporate governance
Chartered Institute of Internal Auditors
27 July 2018

This guide sets out the steps internal auditors should take when conducting a review of corporate governance. We look at how to provide consultancy and assurance based upon potential risks.

Contents
Developing the audit plan
Research and gather background information
Audit committee assurance requirements
The second line of defence and the need for coordination
How to prepare internal audit plans: what to audit and how
Prepare for an audit of corporate governance
Skills and experience required
Performing corporate governance audits: content
Risks

Developing the audit plan

The head of internal audit is responsible for developing a risk-based audit plan based on a documented risk assessment. In preparing this plan, the head of internal audit should assess the relative risk of governance processes, determine the audit approach (assurance versus consulting) and consider the input of senior management and the board. It may be appropriate to undertake a specific review of corporate governance, to organise reviews of specific subject areas, and/or to incorporate aspects of corporate governance into other reviews which form part of the audit plan. Governance processes should be interwoven into the culture and activities of the organisation; to help prevent corporate governance failures in the future, there should be adequate coverage of governance within the annual internal audit plan and within individual internal audit assignments.

Research and gather background information

The company secretary/corporate secretariat is responsible for the efficient administration of an organisation, particularly with regard to ensuring compliance with statutory and regulatory requirements and for ensuring that decisions of the board of directors are implemented. The auditor should confirm the role and responsibilities of the company secretary/corporate secretariat.
Audit committee assurance requirements

In determining the scope of the audit, the auditor will need to consider their stakeholders' expectations, including those of the organisation's regulators, board, audit committees, senior management and head of internal audit, as well as the responsibilities documented in the internal audit charter (where one exists).

Internal audit functions are increasingly asked to undertake Board Effectiveness Reviews. Such reviews include traditional areas of audit focus such as the integrity of management information produced, the content and scope of board meeting agendas, the allocation of time during meetings to cover topics such as quality, performance, etc., and processes to record board discussion, judgement and actions. Internal auditors may also be asked to make subjective judgements, such as how effective on-boarding and training sessions for NEDs are, and the effectiveness of NED input, challenge and discussion at board level.

The second line of defence and the need for coordination

The relationship among governance, risk management and internal control should be considered. This is addressed in the relevant Practice Advisory and in the IIA guidance entitled Coordination of assurance services, both of which explain that governance does not exist as a set of distinct and separate processes and structures. Rather, there are relationships among governance, risk management and internal controls. Effective governance activities consider risk when setting strategy. Conversely, risk management relies on effective governance (e.g. tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management). Effective governance relies on internal controls and on communication to the board about the effectiveness of those controls. Where appropriate there should be discussion and coordination between internal audit and the second line of defence, to avoid duplication of effort where possible.

How to prepare internal audit plans: what could be audited and how

Consider whether corporate governance should be audited as a separate review looking at governance overall, or as part of other audits.
The list that follows provides some of the key risks relating to corporate governance which may impact an organisation, the possible response or controls which may be implemented to mitigate each risk, and the method by which internal audit may provide assurance. When determining which of these risks and controls to include in any audit of corporate governance, consider the objectives of your specific organisation, for example:
- a listed company may have objectives to grow the business and make profits for shareholders
- a government department's objectives may be to spend public money appropriately and to deliver specific policy matters in an efficient manner
- a charity's objectives will be to achieve a particular charitable purpose (which will also be subject to the public benefit test).

The specific risks to not achieving these objectives should be considered and assessed as appropriate.

Prepare for an audit of corporate governance

The first step is to establish whether management has identified the appropriate regulations or specific practices relating to corporate governance which are relevant to the organisation. Next, the auditor should confirm whether management has assessed the risks related to corporate governance and whether management considers that it has adequate controls in place to manage them. Internal audit should report any failings in this process and be prepared to support management in taking remedial actions. Where internal audit identifies instances of suspected or actual breaches of regulations or best practice guidance, these should be brought to the attention of the board, the audit committee and senior management as soon as possible.

Skills and experience required

Consider the skills, experience and knowledge required by the auditor who will be completing the review. This type of review will include dealing with senior management and assessing compliance with legal/regulatory requirements, which may require a specific level of skill or experience. Auditors will be required to meet with senior stakeholders in the business, including executive directors and non-executive directors, and must have the skills to be able to discuss, assess and challenge these individuals as part of their activities in assessing the effectiveness of governance. Where the internal audit function does not have the specific skills or experience, consideration should be given to using co-sourcing arrangements to complete the audit (or to outsourcing the completion of the audit).

Performing corporate governance audits: content

Any review will need to include providing assurance on the design and effectiveness of governance controls and on the outcome of these controls.
The following list provides some of the key risks relating to corporate governance which may impact an organisation. When determining which of these risks and controls to include in any audit of corporate governance, consider the objectives of your specific organisation. The specific risks to not achieving these objectives should be considered and assessed as appropriate. The auditor should assess the design and operating effectiveness of any controls operated by the company secretary/corporate secretariat function.

Any audit of corporate governance will have a high profile in the organisation, not least due to the seniority of those who will be impacted by the results of the audit. With this in mind, it is important that these engagements are adequately supervised. Internal audit should not second-guess the decisions of the board, but should include within its scope the processes and controls supporting strategic and operational decision making. It should assess whether the information presented to the board and executive management fairly represents the benefits, risks and assumptions associated with the strategy and corresponding business model (financial services code).

Risks

These are some of the key risks relating to corporate governance which may impact an organisation. For each risk we look at the possible response or controls which may be implemented to mitigate the risk, and the method by which internal audit may provide assurance.

Risk 1

The actions of the board, including the development of strategic objectives, are taken without due consideration of the impact on the organisation and its stakeholders, including shareholders, employees and the wider community.
- Individuals on the board are not sufficiently experienced, or there is insufficient independent representation.
- Individuals on the board do not have an in-depth knowledge of the risks within the organisation, or individuals focus on their own business line/part of the organisation.
- Management information is not sufficient to allow the board to make informed decisions (they may be genuinely unaware of the impact an action will have).
- A lack of constructive and challenging dialogue, leading to group think.

Possible response/controls
- Board composition includes a majority of independent individuals (in line with corporate governance requirements, where applicable).
- Board composition is sufficiently diverse including, but not limited to, gender and race.
- The required skills for each member of the board are determined, and only individuals with the appropriate skills and experience are recruited to the board.
- Boards have an in-depth knowledge of the risks within the firm's business model.
- Information provided to boards is sufficient for them to make informed decisions and to be aware of the impacts of those decisions, including opportunity costs.

Internal audit approach
- Assess the composition of the board, considering the level of independent individuals and the skills, experience and diversity of the individuals that make up the board.
- Review the recruitment process to ensure that individuals match the required skills (CVs).
- Review any training undertaken with board members to ensure they understand the organisation's risks.
- Review information provided to the board to ensure it is relevant, timely, accurate and holistic, and includes forecasts of the impact of decisions.

Risk 2

Non-executive directors (NEDs)/independent members of the board are unable to give independent, robust challenge to the executive/senior management.
- Individuals on the board do not have an in-depth knowledge of the risks within the organisation.
- There is a lack of robust challenge of management due to the NEDs not fully understanding the organisation, the sector or the key requirements of key stakeholders, including regulators.
- The NEDs do not have the personal skills to be able to challenge management effectively.

Possible response/controls
- Effective on-boarding for NEDs, to include education on the organisation and on the regulatory requirements for NEDs, and ongoing training to ensure that their skills remain current.
- There are adequate opportunities for the NEDs to meet independently with the external and internal auditors and perhaps other assurance providers.

Internal audit approach
- Assess the recruitment process for NEDs to confirm that arrangements are in place to identify and assess the skills of individuals prior to appointment.
- Assess the on-boarding process, including training for new NEDs, and the ongoing training to ensure that NEDs remain aware of the risks within the organisation and of the expectations of the role of a NED.
- Assess the adequacy of opportunities for the NEDs to meet independently with the external and internal auditors and perhaps other assurance providers. Review the evidence of any discussion/challenge and the actions taken as a result of these meetings.

Risk 3

The board does not have sufficient, complete or timely information on which to base its decisions.
- The board is not monitoring or taking action on the most significant risks to the organisation.
- Management information provided to the board is incomplete, inaccurate or not timely.
- Management information provided to the board is overly detailed or unclear.
Possible response/controls
- Management information provided to the board is reviewed independently to confirm its integrity, completeness, coverage of the organisation and clarity, and that it includes appropriate content to meet the needs of the board.
- The duration and frequency of board meetings are such as to allow sufficient time for the discussion of key issues and to ensure that any key decisions are made in time for any statutory deadlines. There should also be some flexibility in the scheduling to allow for 'extraordinary' meetings to be called in response to unexpected events.

Internal audit approach
- Assess the controls in place to confirm the completeness, coverage of the organisation, clarity, etc. of the management information presented to the board.
- Confirm that management information is independently reviewed prior to submission to the board.
- Confirm that the content of the management information includes all topics/material information that the board would need on which to base its decisions.
- Assess the quality and content of the pack provided to the board which it uses to make its decisions. Consider:
  - The level of information/data provided: is it of sufficient detail, or too much detail; does it include all parts of the organisation?
  - Where matters require approval, is this clear; are the decisions required clear; have the different options been explained; are there recommendations for action where appropriate?
  - Is the pack provided on a timely basis, to allow the board members sufficient time to read and understand the content and to gather additional information prior to the board meeting, where appropriate?
  - Is all jargon explained? Look for the use of acronyms or technical terms which may not be understood by all directors, in particular non-executive directors.
  - Are reports provided by all parts of the business, including legal, compliance, finance, etc. (consider the first line of defence and the second line of defence)? Is there any part of the business that is not included?
- Assess whether or not the duration and frequency of board meetings are such as to allow sufficient time for the discussion of key issues and to ensure that any key decisions are made in time for any statutory deadlines.
- Confirm that there is also some flexibility in the scheduling to allow for 'extraordinary' meetings to be called in response to unexpected events.

Risk 4

Evidence of the decisions made by the board, including the challenge process, is not retained and/or is not transparent in confirming the decision process. Actions agreed by the board are not completed, or are not completed on a timely basis.
- Decisions made by the board may not be subject to an appropriate level of challenge or discussion of concerns.
- Particularly strong characters on the board may adversely impact or unduly influence the decisions made by the board.
- Decisions may not be agreed by an appropriate quorum of individuals.
- Regulators and other interested parties may not be able to see the extent of any challenge made in respect of decisions made by the board.
- Actions agreed by the board may not be completed, or may not be completed on a timely basis.

Possible response/controls
- Processes are in place to record board discussions, votes, concerns raised, escalations and actions (including tracking and follow-up).
- The terms of reference of the board define an appropriate quorum that is required for all key decisions.
- The chair of the board checks to ensure that all decisions are agreed by an appropriate quorum of individuals, and that records are appropriately maintained.

Internal audit approach
- Assess the controls in place to record the minutes of board meetings; confirm that these are sufficiently detailed to evidence the level of debate, discussion and challenge at any board meeting.
- Where discussions take place prior to the board meeting, confirm that these discussions are also evidenced.
- Confirm that all decisions are approved/agreed by the correct quorum and documented appropriately in the minutes.
- Assess controls for the tracking, follow-up and completion of actions agreed by the board.

Risk 5

Committees set up by the board may not fulfil their obligations, or there are too many committees, each with individual roles, meaning that the oversight of the organisation is fragmented and not effective.
- The contributing factors are as for Risk 4: decisions may not be subject to an appropriate level of challenge; particularly strong characters may unduly influence decisions; decisions may not be agreed by an appropriate quorum; regulators and other interested parties may not be able to see the extent of any challenge; and actions agreed may not be completed, or may not be completed on a timely basis.

Possible response/controls
- As for Risk 4: processes to record discussions, votes, concerns raised, escalations and actions (including tracking and follow-up); terms of reference that define an appropriate quorum for all key decisions; and checks by the chair that decisions are agreed by an appropriate quorum and that records are appropriately maintained.

Internal audit approach
- As for Risk 4: assess the controls for recording minutes and evidencing debate, discussion and challenge (including discussions prior to the meeting); confirm that decisions are approved by the correct quorum and documented in the minutes; and assess the controls for tracking, follow-up and completion of agreed actions.
- Assess the committee structure and consider whether an appropriate structure is in place, so that oversight is not fragmented and is effective.

Risk 6

The board is not effective in covering the risks relating to remote offices, or does not have responsibility/oversight for all parts of the organisation.
- The board does not have adequate or effective global/regional oversight.
- Where regional or legal entity boards/committees exist, the reporting arrangements to the global board are not effective.

Possible response/controls
- Responsibilities at a global, regional and legal entity level are agreed and cascaded from the main board.

Internal audit approach
- Assess the arrangements in place to agree and cascade responsibilities from the main board to regional/legal entity boards or committees.
- Assess the effectiveness of reporting/oversight of regional/legal entities.

Risk 7

Policies, procedures and projects are not aligned to the organisation's objectives.

- Part of the organisation may implement policies and procedures which either conflict with, or do not support, the organisation in the achievement of its objectives.

Possible response/controls
- A framework and structure for the setting, approval and cascade of policies that support the organisation's objectives.

Internal audit approach
- Assess the controls in place to ensure that responsibilities for setting and approving policies are agreed and cascaded appropriately, to ensure consistency and alignment to the organisation's objectives.

Risk 8

The culture of the organisation is not defined, or does not support the organisation in achieving its objectives.
- The culture of the organisation has either not been determined or is not appropriate, meaning that parts of the organisation may not be performing or operating in a manner that supports the organisation in achieving its objectives.
- The tone from the top may not reflect, or may be at odds with, the objectives of the organisation.
- The culture of the organisation may be at odds with the tone from the top.

Possible response/controls
- The organisation determines its culture, which is agreed at board level and then cascaded throughout the organisation.
- All communications from management are in line with the culture determined by the organisation.
- Training is provided to all staff to help them understand what is expected, including how they are expected to behave.
- Management is able to monitor adherence to the culture through staff surveys and through controls that indicate inappropriate activity, for example sales at the expense of appropriate advice to customers.
- A Code of Ethics is documented and approved by the board and is cascaded to all staff. On a regular basis, all staff are expected to confirm adherence to the Code of Ethics.
- There are avenues for employees to escalate or report any deviations from the expected culture, with adequate arrangements in place to deal with these effectively.

Internal audit approach
- Determine if management has set and communicated the culture of the organisation. Assess how this was communicated: did it come from the top, and were all levels of staff involved?

- Be aware of communications or other actions, either during an audit or as part of more general contact with stakeholders/auditees, that may indicate that the culture is not being applied throughout the organisation.
- Assess the controls that management uses to identify the level of adherence to the expected culture, and how management is made aware of any deviations from the expected culture, for example through the whistle-blowing hotline.
- Review the process for the approval of the Code of Ethics, and assess the controls in place to determine whether all staff regularly attest to adherence with the Code.

Risk 9

Risks are accepted or taken which are outside of the organisation's risk appetite. The organisation's risk appetite may conflict with the objectives and values of the organisation.
- Part of the organisation may take actions which either conflict with, or do not support, the organisation in operating within its risk appetite.
- The risk appetite may have been set inappropriately, or may be at odds with the objectives and values of the organisation, meaning that risks may be accepted that are not in line with the expectations of the board.
- The reward structure recognises/rewards excessive risk taking, or individual risk taking without reference to the wider business risk appetite.

Possible response/controls
- Risk governance framework and structure: risk appetite developed and approved at group level and cascaded throughout the organisation; monitoring of risk appetite, with actions taken when the risk appetite is exceeded.

Internal audit approach
- Assess the controls in place to develop and approve the risk appetite, and assess the quality of the input information used in its development.
- Assess the controls in place for the regular review of the risk appetite to ensure that it remains fit for purpose.
- Assess the controls in place to cascade the risk appetite throughout the organisation.
- Assess the controls in place to monitor and action any risk appetite breaches.
- Review the process for reporting risks accepted to the audit committee or board.

Risk 10

In the event of material financial distress or failure, or another situation such as an environmental incident or catastrophic loss of life or assets, there is an adverse effect on the wider economy or society.
- Financial services organisations are expected to have a living will to facilitate rapid and orderly resolution in the event of material financial distress or failure.
- Disastrous environmental situations or catastrophic loss of life or assets may have a huge impact and then need to be dealt with appropriately, e.g. Chernobyl, the BP oil spill, etc.

Possible response/controls
- The board has agreed and approved a living will. This living will is subject to regular review and update to ensure that it continues to provide an appropriate solution for the organisation in the event of material financial distress or failure.
- The board has contingency arrangements in place, which are subject to regular review, to deal with other significant incidents such as disastrous environmental situations or catastrophic loss of life or assets.

Internal audit approach
- Review and assess the process for determining, documenting and approving the living will. Assess the appropriateness and completeness of the information provided to the board to consider the various options available to it. Confirm that the living will is reviewed and, where required, updated on a periodic basis.
- Review and assess the contingency policy/process and plans for dealing with other significant incidents such as disastrous environmental situations or catastrophic loss of life or assets. Assess the appropriateness and completeness of the information provided to the board to consider the various options available to it. Confirm that the agreed contingency policy/process and plan are updated, where required, on a periodic basis.

Risk 11

The governance requirements of any regulatory or legislative requirements are not met, leading to increased regulatory risk, including sanction, censure or closure of a business.
- Where an organisation fails to meet regulatory requirements or regulations, the organisation may be subject to fines or censure, which could adversely impact its reputation and may result in a loss of business or an inability to achieve its objectives.

Possible response/controls
- The board has an appropriate process to ensure that existing regulatory/legislative requirements are identified, and that actions are taken to ensure that the organisation is compliant with these. Appropriate controls are implemented to ensure that these requirements are met, and the outcome of these controls is reported to the board on a regular basis.

- The board has an appropriate process to identify new and future regulatory/legislative requirements. Controls are implemented to ensure that these are met, and the outcome of these controls is reported to the board on a regular basis.

Internal audit approach
- Identify the regulatory/legislative requirements for governance based on the type of organisation being assessed.
- Confirm how the organisation identified and meets these requirements, and test the controls as appropriate.
- Confirm that the board receives appropriate reports on ongoing compliance with these regulations (these may come from internal audit or from management's own risk and control processes, i.e. first or second line of defence activity).
- Assess the controls in place to identify new/emerging regulatory requirements/legislation, and the actions taken by the board to ensure that these are addressed in a timely manner.
- Assess the level of reporting to the board on the progress of actions to address these requirements.

Risk 12

Communications from the board are not effective, as they are not timely or complete, meaning that parts of the organisation may not be operating in line with board expectations and may not support the organisation in achieving its objectives.
- If communications from the board are not clear, complete and timely, different parts of the organisation may take actions that do not support the achievement of the organisation's objectives. Actions may be taken, for example, that contradict the board's expectations or which take the organisation in a different direction to that intended.

Possible response/controls
- Matters to be communicated are agreed by the board, and appropriate methods of communication are determined and implemented.
- Communications are clear and are provided by senior individuals to indicate the requirements of the board.

Internal audit approach
- Assess how the board communicates its decisions; ensure that these communications are provided by appropriately senior individuals, are clear, and include all relevant parts of the organisation.

Further reading
- Financial services code
- International Standards: 2110 Governance
- Practice advisories: PA Board interaction; PA Governance: definition; PA Governance: relationship with risk and control; PA Governance: assessments

External resources
- Seven smart things growing companies do