International Finance Corporation
Presentation Transcript
Keeping the Supervisory Board informed and involved: Audit Committee and Internal Audit Function May 2006 Yerevan
ROAD MAP OF PRESENTATION
Brief discussion of survey results relating to Audit Committee and Internal Audit
Review of the key responsibilities of the Board and its Audit Committee
The direct links to the IA function
Defining the IA function
Internal Audit vs. Internal Control
The major tasks of the IA function and how they relate to the Board’s responsibilities
Controls, Compliance and Risk Management
Structure and Standards of IA function
In-house vs. Outsourced
Professional and Industry Standards
Summary of AC and IA’s role in Corporate Governance
Key Functions of a Board OECD Corporate Governance Principles Section VI
Reviewing and guiding corporate strategy and risk policy.
Monitoring effectiveness of the company’s governance.
Selecting and monitoring executives.
Aligning executive and board remuneration.
Ensuring transparent board election process.
Monitoring and managing potential conflicts of interest.
Ensuring the integrity of the firm’s accounting and financial reporting systems, including the independent audit and that appropriate controls are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards.
Oversee disclosure and communications.
OECD 7. Ensuring the integrity of the corporation’s reporting systems…
… requires that the Board:
Set and enforce clear lines of responsibility and accountability
Ensure appropriate oversight by senior management
A key way to do this is by implementing an internal audit function which directly reports to the Board of Directors/Audit Committee
Set up internal programs to monitor compliance
Internal audit also assists in monitoring compliance
Defining the Internal Audit Function
“an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Internal Audit – Objectives and Tasks
To advise management if the organization has sound systems of internal controls to protect the organization against loss.
Evaluate system of controls.
Assess risks / Component of risk management.
Test operations of systems (including IT).
Communication, recommendations for improvement and follow up.
IA Task 1: Internal Audit vs. Internal Control
Internal Controls – system / processes;
Internal Audit – a function to assess the IC;
IC processes encompass the means by which senior management seeks reasonable assurance that:
The entity’s accounting and operating reporting is complete and reliable
Operations are being conducted in accordance with the entity’s prescribed policies and procedures
The entity is in compliance with applicable laws and regulations
The entity’s assets and information are protected from improper use.
Internal Control Framework
Under a number of jurisdictions (e.g. US, EU), top management has to make certain disclosures about the controls and procedures in place, and whether they are in compliance with a recognizable framework.
COSO provides an internationally recognizable framework for internal control system.
COSO on internal controls
COSO ERM provides the following definition of Internal Control:
A process effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with applicable laws and regulations
IC System – a synonym for internal control applied in an entity.
The effectiveness of an internal control system is measured by its capacity to provide reasonable assurance to the board of directors and management that these three objectives have been met.
COSO on internal controls - continued
In addition to these goals, COSO identified five interrelated components of internal control:
The control environment, which includes the integrity, ethical values, and competence of an organization's people.
Information and communication, which encompasses the methods for identifying, capturing, and communicating pertinent information in a time frame that enables people to carry out their responsibilities.
These components combine to form an integrated system of controls. To conclude that internal control is effective in any category of objectives (operations, financial reporting, or compliance), all five components must be present and functioning.
COSO on internal controls - continued
Effectiveness and efficiency of operations (including performance and profitability goals & safeguarding resources against loss).
Reliability of reporting.
Compliance with applicable laws and regulations.
Division of Responsibilities
Establish and maintain an adequate and effective system of internal controls
Develop a system to monitor and control risks
Assist management in the efficient and effective discharge of their responsibilities
Advise and make recommendations on internal control and corporate governance
Internal Audit helps to monitor the Internal Controls
Monitoring the Internal Control Process
Managers have the primary task to design and maintain controls
Internal audit function evaluates
External auditors assess and opine on
Board, in particular the Audit Committee, oversees
IA Task 2: Evaluate System of Internal Controls
The Board has oversight responsibilities over the internal control system.
The Internal Audit Function:
Evaluates efficiency and effectiveness of controls.
Recommends new controls where needed, or discontinuing unnecessary controls.
Uses control frameworks (COSO, Basle, etc.) in its work.
Leads control self-assessment.
Provides education on risks and controls.
IA Task 3: Assess Risk / Risk Management
The Board has overall responsibility for ensuring that risks are managed.
The internal audit function provides objective assurance to the board on the effectiveness of risk management processes.
Core internal auditing roles in regard to enterprise risk management:
Giving assurance on risk management process
Giving assurance that risks are correctly evaluated
Evaluating risk management processes
Evaluating and reporting on the key risks
Reviewing the management of key risks
IA Task 4: Testing Operations / Reviewing Compliance
The Board also has oversight for compliance with laws and relevant standards
The Internal Audit function is valuable support in its compliance and operations role:
Ensure the management’s policies and procedures are followed
Evaluate procedures to safeguard assets
Analyze impact of changes in procedures
Assure compliance with laws and regulations
Review objectives for adherence to organization’s mission, culture and climate
Provide insight to the impact of noncompliance
An Effective IA Function may be established with Various Organizational Structures
Regardless of Structure High Standards Must Be Met
Professional (e.g., IIA Standards) and industry standards (e.g., BASLE principles) apply
The Internal Audit Standard Board (UK) has developed Standards for the Professional Practice of Internal Auditing.
IIA Standards for reporting include:
1000 Purpose, Authority and Responsibility
1110 Organizational Independence
2020 Communication and Approval
2060 Reporting to the Board and Senior Management
Standards – Independence and Communication
The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. (1110)
The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results. (1110)
The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations. (2020)
Other Relevant IA Guidance
There may be other regional or industry specific standards
BASEL Internal Audit Principles in Banks and the Supervisor's Relationship with Auditors (2001)
Scope of activity
Basel Committee on Banking Supervision INTERNAL AUDIT Principles
CG Relationship Diagram (1) STAKEHOLDERS
CG Relationships (2)
[Diagram labels: Management Board; Supervisory Board; External Auditor; control environment; Company; Audit Committee; Internal Auditor/Department]
The Audit Committee and the IA Function
The responsibilities of the audit committee include:
Internal Control and Risk Mgmt.
Compliance and Ethics
Financial Reporting and Disclosure
The internal audit function should report to the BoD/Audit Committee. (No independence if it reports solely to management)
More effective if reports to the Audit Committee
Objectivity is a personal quality of the auditor
Audit Committee: Composition
Minimum 3 members
Members should be independent directors
Tighter standards on independence than for other independent directors
No compensation from company other than director fees
All members must be “financially literate”
At least 1 member (typically the chair) must be an “audit committee financial expert”
Audit Committee: Role in Governance
The Institute of Internal Auditors provides the following logo describing the AC role:
Noses In - Fingers Out.
In a nutshell, the AC should provide oversight of:
Audit Committee: Responsibilities
Some detailed Audit Committee responsibilities include:
Ensuring that financial statements are understandable, transparent, and reliable
Ensuring the risk management process is comprehensive and ongoing, rather than partial and periodic
Helping achieve an organization-wide commitment to strong and effective internal controls, emanating from the tone at the top
Audit Committee: Responsibilities (continued)
Reviewing corporate policies relating to compliance with laws and regulations, ethics, conflicts of interest, and the investigation of misconduct and fraud
Reviewing current and pending corporate-governance related litigation or regulatory proceedings to which the organization is a party
Continually communicating with senior management regarding status, progress, and new developments, as well as problematic areas
Audit Committee: Responsibilities (continued)
Ensuring the internal auditors’ access to the audit committee, encouraging communication beyond scheduled committee meetings
Reviewing internal audit plans, reports, and significant findings
Establishing a direct reporting relationship with the external auditors
Internal Audit Reporting
In various governance and organizational structures the IA reports to SB (Audit Committee in particular) and senior management:
internal audit activity’s purpose
performance relative to its plan
Also report separately on:
significant risk exposures and control issues
corporate governance issues
other matters needed or requested by SB and MB
Breakout Session: Audit Committee and Internal Audit
3 groups will have approx. 10-15 minutes for the following tasks:
Group 1: Develop annual plan for the AC.
Group 2: IA has submitted its annual plan for the AC's consideration. It includes: annual audit of head office functions as well as of all branches, plus semi-annual reporting to the AC (BoD). Provide comments and/or suggestions.
Group 3: Develop criteria for self-assessment of AC effectiveness (after 1 year of its functioning).
Group presentations (approx. 5 minutes each)
Discussion of group presentations (approx. 5 minutes each).
The base material for discussion – sample ToR for the AC (distributed in advance)
COSO on internal audit
COSO ERM provides the following definition of Internal Audit:
Internal audit functions typically provide an assessment of risk and control activities of a business unit, process or department. In some cases particular attention is given to risk identification, analysis of likelihood and impact, risk response, control activities, as well as information and communication.
Self-Assessment and Monitoring
Self-assessment or monitoring can provide oversight of an enterprise’s control system performance. Self-assessment should be performed at all levels of IC system:
Board Self-Assessment or Monitoring
Yes or No Questions:
Does the board review the actions management takes to deal with material control weaknesses and verify that those actions are objective and adequate?
Do audit reports contain sufficient detail?
Are audit reports timely enough to allow for resolution and appropriate action?
Does the board or audit committee approve the selection of key internal
Does the board or audit committee approve the overall scope of review activities (such as audit or financing coverage)?
Does the board or audit committee review results of audits?
Does the board or audit committee approve the system of internal controls?
Does the board or audit committee periodically review audit or other key control systems?
Is line management held accountable if they do not follow up satisfactorily or effectively on control weaknesses?
Benefits of a Strong Internal Audit Function
When the internal audit function is properly established with adequate authority, scope, and resources, it can professionally and proficiently aid in the following areas and contribute to good corporate governance:
Governance law and regulations
Disclosure and transparency
Ethics and Communication
Institute of Internal Auditors <www.theiia.org>
Basle Committee on Banking Supervision <www.bis.org>
Committee of Sponsoring Organizations of the Treadway Commission (COSO) <www.coso.org>
International Federation of Accountants <www.ifac.org>
Contact details: IFC Yerevan 9 V. Sargssyan str. Yerevan 375010, Armenia Tel: (37410) 545241, 545242 Fax: (37410) 545245