Auditing Governance at Board level October 2017


Agenda
- What is Governance?
- Role and mandate of Internal Audit
- Planning: Governance Considerations
- Risk Governance Framework
- Common pitfalls in assessing governance
- Q&A

What is Governance?

Definition of Internal Audit
The IIA's definition: Internal Auditing is an independent and objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Source: The Professional Practices Framework of the IIA.

What is Governance?
The IIA definition of corporate governance, included within the International Standards, is: Governance is the combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organisation toward the achievement of its objectives.

Role and mandate of Internal Audit

Role and mandate of Internal Audit
Given these definitions, there are a number of roles that Internal Audit could play in relation to Governance:
- Include within its scope the design and operating effectiveness of the internal governance structures and processes of the organisation
- Challenge the Board and Executive Management to improve the effectiveness of governance
- Provide, at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation
CIIA Code for better internal audit in financial services:
- Recommendation 1 provides additional thinking on the primary role of internal audit
- Recommendation 6a: IA should include internal governance structures and processes within its scope

Planning: Governance Considerations

Planning: Governance Factors
Governance could be evaluated through several different lenses, such as the following:
- Geography/Legal Entity: Audit Plans could include and set out how governance will be assessed across different geographies or legal entities.
- Business Lines and functions: Structures and processes used to facilitate key decisions across business lines and functions could form part of each audit engagement.
- Activities: Audit Plans could include a comprehensive range of activities and projects across the organisation, and how oversight is provided could be factored into each audit.
- Governance Culture: How governance disseminates from the Board, and the culture within teams/individuals, could be assessed in each audit.

What should Internal Audit do?
The three layers, from the top: Governance, Risk Management, Internal Control.
- Top-down approach: assess Governance in its own right, from the Board downwards through Risk Management and Internal Control.
- Bottom-up approach: build Governance into each audit, from Internal Control upwards through Risk Management to Governance.

Our assessment framework: Governance Effectiveness
Elements assessed:
- Board and committees structure: Effectiveness of corporate governance structure, frequency of meetings, terms of reference, reporting lines, escalation policy.
- Board and committee review: Scope of periodic reviews of the Board and committees, and of the Chairman and members.
- Board and committee composition and experience: Board and committee composition, knowledge and experience. Induction and training. Away-days and deep dives. NED interaction with business. Support from expert opinion.
- Decision making: Effectiveness of decision making, including agenda setting, chairmanship at meetings, and tracking of actions to conclusion.
- Management Information (MI): Effectiveness of Board and Committee reports, management information and risk escalation.
- Oversight and challenge: Effectiveness of oversight and challenge over the risk and control environment. Challenge over culture and remuneration policy.

Specific considerations
- Board composition: The Board should include a sufficient number and quality of NEDs who are independent of the firm's business.
- Board composition: Boards should include a mix of skills, knowledge and experience in order to make informed decisions, provide effective oversight of the strategy and risk of the firm's business, and have the opportunity to explore key business issues rigorously.
- Subsidiary boards must be capable of acting in the best interests, and safeguarding the safety and soundness, of the firm for which they are responsible.
- Role of Board Committees: the role of a Board committee is to support the Board. The committees are accountable to the Board, but should not relieve the Board of any of its responsibilities.
- Committee Chairs should make sure committees meet with sufficient frequency, foster an open and inclusive discussion, and devote sufficient time to their remit.
- The Board should be provided with timely, accurate, complete and relevant Management Information.

Specific considerations (cont'd)
- The core responsibilities of the Board include agreeing and monitoring strategy and risk appetite.
- Role of directors: In discharging their responsibilities, Executives and NEDs should act in a cooperative and collegiate manner.
- The Board should articulate and maintain a culture of risk awareness and ethical behaviour for the entire organisation to follow in pursuit of its business goals, setting the correct tone from the top.
- A Board (through its delegated Remuneration Committee) should oversee the design and operation of the firm's remuneration system, including monitoring and reviewing outcomes of the remuneration system.
- Boards should ensure that they have robust succession plans that recognise current and future business needs and requirements.
- NEDs should be given adequate time and support to enable them to carry out their duties.

Risk Governance Framework

Framework for assessing Governance
An effective risk appetite is fundamental to a strong risk governance framework. To implement and embed risk appetite successfully, links must be built with the other components of the risk governance framework:
- Talent and incentives: Risk appetite supports risk-adjusted remuneration, performance ratings and promotion.
- Risk accountability (3LoD): Risk appetite should support accountabilities by providing clarity on the boundaries that the organisation is willing to operate within.
- Risk transparency, MIS and data: Risk appetite requires effective mechanisms for the identification and aggregation of risk.
- Controls effectiveness: Controls should be aligned to the risk appetite, with appropriate escalation.
- Risk governance: Risk appetite is an essential mechanism to support board oversight.
- Risk culture: Risk appetite and risk culture are mutually supportive. Risk appetite is a mechanism for articulating the desired behaviours defined by the risk culture.

The Framework must be forward-looking and enterprise-wide
Governance and accountabilities
  Current state:
  - Board-approved in most firms
  - Limited use to drive front-line accountabilities below the top level
  Target state:
  - Embedded into the strategic planning process of the firm
  - Drives front-line accountabilities in conjunction with a strengthened three-lines-of-defence model (3LoD)
Metrics
  Current state:
  - Financial risk metrics in place, although most are backward-looking
  - Non-financial risk metrics are limited in maturity
  Target state:
  - Metrics are forward-looking in nature
  - Non-financial risks fully covered in the risk appetite framework and used to drive behaviours
Embedding
  Current state:
  - Cascaded from enterprise to line of business (LOB) level
  - Limited demonstrable linkage to limit frameworks and policies
  - Limited calibration outside of financial risks
  - Utilises outputs of stress testing, but constrained to limited, often regulatory, scenarios
  Target state:
  - Enterprise, legal entity and line of business risk appetite are aligned
  - Risk appetite used to calibrate limit frameworks, including geographic and product concentrations
  - Risk appetite linked to non-financial risk management activities, e.g., risk and control self-assessments (RCSAs)
  - Drives stress testing capabilities, e.g., a stress scenario library with a broader range of scenarios across the severity spectrum

Risk Accountability: FS Regulators' expectations regarding the three lines of defence
Globally, the central banks and regulators in the G20 set out their expectations regarding the three lines of defence in FSB papers. National regulators are already changing their rules. Ownership of risk sits with the first line.
First Line
  Day-to-day operating model:
  - Management of risks sits with the units originating them.
  - Responsibility for assessing and monitoring all risks related to their activities.
  - Front-line activities must be consistent with risk appetite.
  Enablers:
  - Clear risk accountability and embedded risk appetite
  - Aligned with compensation/incentives
  - Escalation process
  - Risk transparency
Second Line
  Day-to-day operating model:
  - Any units responsible for identifying, measuring, controlling and monitoring aggregate risk relative to risk appetite must be independent.
  - They should identify and assess material aggregate risks and ensure they are controlled consistent with risk appetite.
  - Independent risk management should establish concentration limits.
  Enablers:
  - Risk appetite covering all risk types, including non-financial
  - Focus on measuring forward aggregate risk which can be compared with risk appetite
  - Reviewing controls in the first line to ensure they are appropriate to deliver risk appetite
  - Setting limits in the first line
Third Line
  Day-to-day operating model:
  - Much enhanced role for internal audit.
  - Overall opinion on the risk governance framework.
  - Audit should evaluate compliance with risk management framework policies.
  Enablers:
  - Stature of the internal audit function
  - Staffing and compensation
  - Expansion of role, e.g., participant at risk committee

Common pitfalls in assessing governance

Common pitfalls in assessing Governance
Governance is an area which is often overlooked and under-assessed by audit functions. There are a number of failings which can lead to IA either incorrectly assessing governance or failing to identify issues. The complexity and nature of governance across a major organisation often means that audit functions have to engage other areas within the first and second line in order to adequately assess whether existing structures and processes are sufficient.
Common failings:
- IA staff are not provided with adequate governance training
- IA often review minutes and supporting governance documentation but do not always assess the quality of the governance
- IA often align audits to business structures and not end-to-end business processes
- Root causes are not identified or understood
- IA are often attendees at governance meetings but don't use the opportunity to call out good practices
- IA do not gather data points from other functions (e.g., Operational Risk, HR, etc.)

Q&A

Thank you