Session 7: Corporate Governance
New York Bankers Association - Community Bank Auditors Group
2016 Internal Audit Training - June 6-8, 2016
MEMBER OF ALLINIAL GLOBAL, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
2016 Wolf & Company, P.C.
Corporate Governance
The system by which organizations are directed and controlled. The corporate governance structure assigns responsibilities among the different participants in the organization, such as the board, management, shareholders and other stakeholders. Done well, it has a positive impact on the cost of capital, return on equity and efficiency.
A Typical Structure
Integrated with the bank's business strategy and objectives, and not viewed as a compliance obligation:
- Independent and objective board oversight
- Accountability among all stakeholders
- Compensation programs that incentivize long-term growth
- Criteria established in alignment with business goals
- A culture of integrity
A Typical Structure
A risk-based governance structure:
- Board of Directors and its committees: Audit Committee, Credit Committee, Compensation Committee, Nominating Committee
- Enterprise Risk Committee (joint Board and Executive Management)
- Audit function: Internal Audit and External CPAs
- Executive Management and its committees: Asset Liability Committee, Finance Committee, Investment Committee, Tech & Ops Committee, Compliance Committee
The Board
Boards should:
- Select and retain competent management
- Establish, with management, the organization's long- and short-term business objectives
- Monitor operations
- Oversee the organization's business performance
The Board
- Balances the appointment of independent and non-independent directors.
- Ensures an appropriate range and mix of expertise, diversity and knowledge on the board.
- Appointing a minority of directors who possess in-depth knowledge of the company and its industry can help the board as it assesses the company's strategy, risk profile, competition and alternative courses of action.
The Board
- Steers the organization towards policies supporting long-term sustainable growth in shareholder value.
- Along with management, establishes compensation plans that align goals with long-term value creation.
The Board
Oversight responsibilities include:
- Evaluating the adequacy of internal controls
- Reviewing the risk management program
- Reviewing the financial reporting process
- Determining compliance with applicable laws and the organization's code of conduct
The Board
- Ensures all significant activities are covered by clearly communicated and current written policies that can be readily understood by all employees.
- Establishes mechanisms for obtaining the information needed to monitor operations. These mechanisms include various reports.
The Board
Establishes channels to independently review the bank's performance for compliance with board policies and procedures, laws and regulations, and accuracy of information. This is accomplished by having direct responsibility for hiring, firing and evaluating the auditors, and by having access to corporate counsel as required.
Management
Primarily responsible for creating a culture of integrity and ethical behavior. Successful corporate governance depends upon successful management of the organization.
Management
Management should:
- Establish and monitor effective processes and procedures
- Evaluate all employees according to high ethical standards
- Have systems encouraging open internal communication to address problems without fear of retaliation
- Promote accountability through incentive plans encouraging disciplined and transparent risk taking
- Provide reliable information to the board
- Develop and communicate the strategic plan to shareholders and other stakeholders
- Formalize informal compliance and governance practices
Management
Constructive tension between the board and management is a characteristic of good corporate governance; debates should be conducted within the context of a productive discussion.
Employees
Perform roles and responsibilities in an ethical manner. Employees should be ready to report and discuss issues affecting the integrity and ethical operations of the organization.
Employee Training
- Provide mandatory training on policies and procedures
- Customize training to the individual's or department's role in the organization
- Review the training program periodically with the board of directors
How effective is your Bank's Corporate Governance?
Entity Level Controls
Entity-level controls are internal controls that help ensure that management directives pertaining to the entire entity are carried out. They are controls that have a pervasive effect on a company's internal control.
Entity Level Controls
Entity-level controls are powerful and pervasive, and are most often associated with internal control over financial reporting (ICFR).
The five COSO components of internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring.
Overview (diagram): Governance, Strategic Planning and Enterprise Risk Management in relation to the Objectives of the Institution.
Controls
Internal control is a process, set by the Board of Directors, management and other personnel, to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
Components: control environment, risk assessment, control activities, information and communication, monitoring.
Objectives
- Operations: increase ROA; retain key employees; introduce a new loan product
- Compliance: Dodd-Frank; BSA; Reg. O
- Reporting: external financial reporting; external non-financial reporting; internal financial reporting; internal non-financial reporting
Objectives
Other common non-financial reporting objectives:
- Cybersecurity
- GLBA
- AML
- ALCO
- Vendor Management
- ERM
- Employee Retention
- Strategic Planning
COSO Framework (cube): Objectives, Components, Organizational Structure.
Components and Principles (entity-level controls only)
Control Environment:
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority and responsibility
- Demonstrates commitment to competence
- Enforces accountability
Risk Assessment:
- Specifies suitable objectives
- Identifies and analyzes risk
- Assesses fraud risk
- Identifies and analyzes significant change
Information and Communication:
- Uses relevant information
- Communicates internally
- Communicates externally
Monitoring Activities:
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates deficiencies
Control Environment
- The organization demonstrates commitment to integrity and ethical values. Example: the bank has a formal Code of Conduct which reflects the ethical values of the organization and guides employees in making appropriate decisions.
- The Board of Directors exercises oversight responsibility. Example: corporate bylaws and charters outline the responsibilities of the Board of Directors and its various committees.
- Management, with board oversight, establishes structures, reporting lines and appropriate authorities and responsibilities.
- The organization demonstrates commitment to competence to attract, develop and retain talented individuals.
- The organization holds individuals accountable for their internal control responsibilities.
Example controls for the last three principles: a clear and effective organization structure exists with appropriate lines of reporting and communication; formal job descriptions are maintained that clearly outline required skills, knowledge and job responsibilities; annual performance reviews are conducted to evaluate employees relative to their assigned job responsibilities.
Risk Assessment
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks. Management establishes acceptable levels of variance from the achievement of objectives.
- The organization identifies risks to the achievement of objectives across the entity and analyzes risks as a basis for determining how risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives. Examples: a new product risk assessment is completed for all new products with the proper level of approval obtained; Internal Audit conducts a fraud risk assessment with a focus on management override of controls.
- The organization identifies and assesses changes that could significantly impact the system of internal control. Example: the Board reviews the transition plans for key executive leadership positions in the Company on an annual basis.
Information and Communication
- The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. Example: the budget is monitored throughout the year by management, and actual vs. budget results are communicated to the Board of Directors.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Example: the whistleblower program is communicated to all employees as part of the Code of Conduct.
- The organization communicates with external parties regarding matters affecting the functioning of internal control. Example: third-party vendor management reports and management's written response are reviewed by the Audit Committee; all findings are tracked and reported on until resolution.
Monitoring
- The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Example: internal audit performs audits of operational areas.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board of Directors. Example: a deficiency action plan is developed and monitored on a regular basis.
Sample Internal Audit Procedures
Corporate Governance
- Review the corporate governance related policies, including the Code of Ethics
- Review the Board's oversight responsibilities for inclusion of the following:
  - Evaluating the adequacy of internal controls
  - Reviewing the risk management program
  - Reviewing the financial reporting process
  - Determining compliance with applicable laws and the code of conduct
  - Approving the compensation and benefits program
  - Approving policies
Corporate Governance
- Review corporate governance related board reports for adequacy and accuracy
- Review Board committees for charters
- Determine that each non-management director is independent
Risk Management
- Review the risk management related policies and procedures
- Review and test the controls over:
  - Annual risk assessment
  - Vendor management
  - Project management
  - Change management
  - Business continuity planning
  - Insurance management
- Review the risk management related reports for accuracy
Questions?