International Finance Corporation
Corporate Governance and Internal Audit Overview

Bob Lamm, Independent Senior Advisor, Center for Corporate Governance, Deloitte LLP
Neil White, Global IA Analytics Leader, Deloitte & Touche LLP
November 11, 2015
Agenda
- The Deloitte Governance Framework
- Corporate governance fundamentals
- Select board practices
  - Risk oversight
  - Board composition
  - Cybersecurity
Deloitte Governance Framework
The Deloitte Governance Framework was developed to help boards and executive management assess the effectiveness of the organization's governance programs. It defines the board and management activities that support effective governance. Each area of governance can be considered in the context of four attributes:
- Skills and knowledge
- Process
- Information
- Behavior
Levels of board engagement
What makes sense for this organization? The five levels below run from least involved to most involved.

Passive board
- Functions at the discretion of the CEO
- Limits its activities and participation
- Limits its accountability
- Ratifies management's preferences

Certifying board
- Certifies to shareholders that the CEO is doing what the board expects and that management will take corrective action when needed
- Emphasizes the need for independent directors and meets without the CEO
- Stays informed about current performance and designates external board members to evaluate the CEO
- Establishes an orderly succession process
- Is willing to change management to be credible to shareholders

**Engaged board**
- Provides insight, advice and support to the CEO and management team
- Recognizes its ultimate responsibility to oversee CEO and company performance; guides and judges the CEO
- Conducts useful, two-way discussions about key decisions facing the company
- Seeks out sufficient industry and financial expertise to add value to decisions
- Takes time to define the roles and behaviors required by the board and the boundaries of CEO and board responsibilities

Intervening board
- Becomes intensely involved in decision making around key issues
- Convenes frequent, intense meetings, often on short notice

Operating board
- Makes key decisions that management then implements
- Fills gaps in management experience

Source: "Building Better Boards" by David A. Nadler, Harvard Business Review, April 2004.
Corporate governance fundamentals: Boards, committees and directors
- Corporate governance is the set of rules, processes and practices by which a company is directed and controlled. It involves balancing the interests of many stakeholders, including shareholders, boards of directors, management, employees, customers, suppliers, lenders and creditors, communities and government.
- Corporations are bound by state law, federal corporate law (e.g., Sarbanes-Oxley, Dodd-Frank), and other regulators and influencers (e.g., the SEC, stock exchanges, proxy advisory firms).
- Directors are bound by the fiduciary duties of care and loyalty, as well as an implied duty of good faith. These duties are owed to stockholders and, in some states, to others such as communities and employees.
- Oversight vs. management: directors may rely upon management, committees, experts, and others.
- Committees handle much of the board's work, with the full board providing oversight of the committees.
- Boards are responsible for their own structure and processes.
Corporate governance fundamentals: Areas of board focus

Typical areas of board focus
- Risk oversight
- Strategy
- CEO and key management succession planning
- Financial oversight
- Compliance

Hot topics
- Board composition/refreshment/diversity
- Cybersecurity
- Shareholder engagement
- Activism
- Executive compensation
Risk oversight: Six key areas of focus
- Define the board's risk oversight role
- Understand and accept an appropriate risk appetite
- Assess the maturity of the risk governance process
- Foster a Risk Intelligent culture
- Help management incorporate Risk Intelligence into strategy
- Make sure the organization discloses its risk story to stakeholders

Questions for the board to consider
To help assess the maturity of the risk governance process, boards can ask:
- How frequently is the board informed on risk management issues?
- Are specific risks mapped to board committees and processes?
- Which board committees are responsible for the various aspects of risk governance?
- Are risk identification, analysis of key assumptions, and scenario planning considered in the strategic planning process?
- Is the board getting the necessary information on these and similar issues in a timely and accurate manner?

Source: "Risk Intelligent Governance: Lessons from state-of-the-art board practices," Deloitte & Touche LLP
Risk oversight: survey results

"The board plays an active role in setting the organization's risk policy."
                              Global '13   Global '12   Global '11
Strongly Agree                   26%          19%          21%
Agree                            59%          54%          51%
Neither agree nor disagree       10%          15%          18%
Disagree                          4%          11%           8%
Strongly Disagree                 0%           1%           2%

"The board receives enough information to assess the impact of business risks."
                              Global '13   Global '12   Global '11
Strongly Agree                   16%          15%          34%
Agree                            54%          49%          68%
Neither agree nor disagree        9%          18%          10%
Disagree                          7%          12%           7%
Strongly Disagree                 1%           0%           0%

Source: Deloitte Global Director 360 Survey, 3rd edition. www.global.corpgov.deloitte.com
Board composition: Areas to consider
- Independence
- Qualifications
- Leadership
- Tenure
- Assessment
- Diversity
- Board refreshment structure
- Voting for directors
Board composition: Diversity

The organization/board has introduced diversity policies for board composition (Global):
Yes 37%, No 63%

The board has implemented the following for its directors (select all that apply):
                                               Guidelines   Quotas
Gender                                            64%        10%
Professional qualifications (e.g., industry)      82%        10%
Ethnicity                                         18%         6%
Religion                                          10%         3%
Age                                               32%         5%
Disability                                         8%         3%
Internationalization                              44%         5%
Sexual orientation                                 9%         2%

The organization/board has introduced diversity policies for board composition:
Term limits 30%, Age limits 17%, None of the above 52%, Don't know/not applicable 10%

Source: Deloitte Global Director 360 Survey, 3rd edition. www.global.corpgov.deloitte.com
Information technology: Social media and technology risk

The board uses social media to:
- Assess the market's perception of the organization: 21%
- Understand concerns/issues that involve the organization in the marketplace: 22%
- Learn what the organization can improve upon: 18%
- Connect with their market, including shareholders and other stakeholders: 19%
- Not applicable, the board does not use social media: 63%

The board actively discusses the following technology risks:
- Social media: 29%
- Cyber security: 51%
- Data warehousing: 38%
- Data privacy, International data transfer: 21%, 57%
- The board does not discuss technology risks: 27%

Source: Deloitte Global Director 360 Survey, 3rd edition. www.global.corpgov.deloitte.com
Internal Audit
Internal Audit is rapidly evolving to address the modern challenges facing the enterprise.
The Four Faces of the Chief Auditor
Optimizing the Internal Audit Function

Internal Audit's Value Proposition

Protect Enterprise Value
- Financial, compliance, and general IT risks
- Balance sheet orientation
- Exception reporting and problem identification
- Inherent risks and rotational coverage

Enhance Enterprise Value
- Operational, organizational, and strategic risks
- Risk Intelligence orientation
- Proactive reporting and solutions development
- Focus on emerging risks and trends

Optimal balance of protect and enhance: independent and objective assurance with value-added advice
Internal audit maturity model
Understanding the maturity of an IA function helps identify areas for improvement and can help the department enhance its value to the organization. It also helps better align expectations with key stakeholders.

Each attribute is shown across three maturity levels, from Basic (left) to High value (right):
- Perspective: Focus on the past; retrospective look at what happened | Focus on the present: survey the battlefield, shoot the wounded | Focus on the future: help the wounded, map the minefield
- Style: Corporate police | Fact finder/father knows best | Trusted advisor (auditing and consulting)
- Planning/risk focus: Rotational/based on history (financial and compliance risks) | Risk-based audit plan (operational, compliance and financial risks) | Enterprise risk-focused audit plan (full spectrum of risks)
- Existence of Chief Audit Executive (CAE): Not likely | IA Director | CAE/member of C-suite
- Reporting lines: CFO/COO | CEO | Audit Committee Chair
- Objective and mandate: Compliance with policies and procedures | Assurance on internal control systems and compliance | Business risk assurance
- Independence and objectivity: Hopefully | Generally | Absolutely
- SOX ownership: Owns | Participates | Validates
- IT auditing: Ill-defined | GCCs, security, applications | Consulting to improve IT infrastructure
- Fraud prevention and detection: Generally not addressed | Reactive | Proactive
- Risk management: Limited assessment | Thorough assessment | ERM champion
- Governance: No involvement | Limited involvement | IA as advisor/facilitator
- Technology: Limited | Automated workpapers and use of CAATs for data analysis | Advanced use of CAATs and continuous assurance approach
- Results: Small findings | Assurance on key audit units | Proactive risk management contribution/dynamic reporting
Focusing over the horizon
Leading IA functions proactively engage in key topical areas and high-impact areas of focus.

Governance
- Changing the relationship between audit committees and CAEs
- Improving audit committee performance
- Internal audit reporting structure with executive-level accountability and presence
- Internal audit metrics, accountability, and performance improvement

Fraud & Ethics
- Auditing the management compliance process
- Reporting status of fraud investigations and monitoring hotlines
- Auditing for broad areas of ethical concern and the ethics program
- Working relationships between in-house legal counsel, security, compliance, HR, and internal audit departments
- Taking an enterprise compliance approach
- Managing the cost of compliance

Risk
- Converging risk management, compliance, and IA
- Assessing risk associated with complex financial instruments, complex accounting and regulatory matters, and compliance matters relevant to the industry
- Reporting and communicating risk assessment results
- Assessing reputational and brand risk
- Assessing cyber risk and threats
- Monitoring extended enterprise risks

Technology
- Applying data analytics throughout all aspects of the internal audit process
- Evaluating the basics and evolving IT areas, including identity management, social media risks, emerging technology, cyber risk (cyber intelligence and warfare), shadow IT, mobile security, etc.
- Protecting customer data
- Planning for business continuity and crisis management

Talent
- Considering varied and emerging talent models
- Attracting and retaining the right talent in IA (e.g., management development, rotations, guest auditors, operational experience liaisons)
- Committing to a highly competent team and supporting professional and leadership development
- Managing flexibility
- Mentoring and performance

Finance & Compliance
- Assessing risks associated with business combinations
- Performing post-acquisition audits
- Auditing the due diligence process
- Value-add audits beyond Sarbanes-Oxley; balance of financial, process, IT, and operational auditing
- Collaborating between internal and external auditors
- Navigating the regulatory landscape
Integration of internal audit & ERM
Internal Audit can play any role in ERM, from validation to facilitation to ownership of the program, depending on the culture of the company. ERM is a systematic capability to identify, measure, and respond to key risks. When an ERM program is being established, an effective internal audit department, given its knowledge of the company's risk environment, should be involved in consulting on the program. Once the program is established, the internal audit function should continually validate it.

Business Units (Take & Manage Risks)
- Ownership of business unit activities which give rise to risk, and responsibility for risk management and mitigation
- Risk identification and self-assessments
- Developing strategy and taking actions to manage and mitigate risks within policy and risk appetite
- Providing assertions on risk exposure and controls for their business area/function
- Business unit risk managers coordinate the business unit risk assessment, monitoring, and mitigation activities

ERM Function (Monitor & Aggregate)
- Establishment of consistent risk policies, governance framework, standards, and information reporting mechanisms to facilitate effective risk management
- Monitoring and participation in specific risk committees for the purpose of providing the enterprise view
- Providing summary information and analysis to the executive committee to assess, evaluate, and act on risk

Risk Committees (Oversee)
- Oversight of risks within scope of authority
- Oversight and approval of measurement and management methodologies for risks within scope
- Oversight of changes in risk profile
- Oversight of business unit management of designated risk categories

Executive Committee (Approve)
- Approval of key documents, such as: ERM policy, risk appetite, risk governance model, authorities, committee charters
- Monitoring risk exposure status
- Approving the board reporting package
- Monitoring business unit mitigation plans and their status for top risks
- Approving limit exceptions

Audit Committee (Ratify)
- Ratification of key documents, such as: ERM policy, risk appetite, risk governance model, authorities, committee charters

Internal Audit (Validate)
- Independent verification and testing of: internal controls, quality of the ERM program, quality and integrity of risk models
Internal audit insights: High-impact areas of focus 2016
Many boards and senior executive teams now want internal audit to go beyond table-stakes audits.
- Cyber security
- Data visualization
- Key Performance Indicator (KPI) assurance
- Corporate governance
- Internal audit analytics
- Dynamic internal audit planning
Questions?
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Member of Deloitte Touche Tohmatsu Limited