2. TABLE OF CONTENTS
04 Auditing Corporate Governance Guide: Sample 1
05 Defining Governance
06 Focusing on the Four Pillars of a Governance Framework
09 Corporate Governance Fits Together Like a Puzzle
11 Various Corporate Governance Models Exist
12 Common Elements of these Governance Models
13 The New Governance Landscape
15 OCEG 2.0: A Comprehensive Road Map
17 Comparison of OCEG 2.0 Vs. Other Governance Models
18 Common Themes in Governance Definitions
19 Example Maturity Model Application
20 Corporate Governance: Where to Focus For Success
21 Defining Governance: Key Takeaways
22 Taking the Next Step for Corporate Governance Success: Key Questions to Consider
23 Logical Priorities for Corporate Governance Documentation
24 Our Governance Client Credentials
25 An Internal Auditor’s View of Corporate Governance Related to Boards
27 Next Steps
28 Auditing Corporate Governance Guide: Sample 2
29 Global Internal Audit at ABC Company
30 Global Governance Council
31 Corporate Audit Services at ABC Company
32 ABC Company Governance
33 Corporate Audit Services Stakeholders
34 Internal Audit Transformation
35 Global Internal Audit Organization Structure
36 Governance Structure Accountability
37 Internal Audit Stakeholders
5. DEFINING GOVERNANCE
We define governance as:
A set of policies, procedures, processes, systems, people and relationships that govern the enterprise to direct and control the actions of issuers. Governance includes the relationships between an issuer’s shareholders, board of directors, senior management (as represented by the chief executive officer), internal audit and external audit, and the mechanisms for holding issuers and the board and executive officers accountable.
Adapted from Draft National Policy 58-201 Corporate Governance Principles
Although there are various authoritative sources, which we have consulted in developing the attached framework, there is no generally accepted definition or framework for governance.
6. FOCUSING ON THE FOUR PILLARS OF A GOVERNANCE FRAMEWORK (1/3)
[Figure: Organization Governance, with four numbered pillars: Board of Directors, Executive Management, Internal Auditors and External Auditors.]
7. FOCUSING ON THE FOUR PILLARS OF A GOVERNANCE FRAMEWORK (2/3)
[Figure: Board of Directors, Senior Management, Internal Auditing and External Auditing together supporting Effective Governance.]
8. FOCUSING ON THE FOUR PILLARS OF A GOVERNANCE FRAMEWORK (3/3)
“The world is awash in change and always will be.”
Are you changing with it?
9. CORPORATE GOVERNANCE FITS TOGETHER LIKE A PUZZLE (1/2)
[Figure: puzzle diagram with the pieces Management, Board of Directors, Internal Audit, External Audit and Governance Capability, framed by Control Environment, Shareholder Commitments, Industry Standards, and Laws and Regulatory Commissions.]
• Management is responsible for stewardship, system and financial implementation, and operational and regulatory internal controls.
• The board of directors is responsible for the oversight of governance structure and delegation of authority to management.
• Internal audit is responsible for determining risk management and ensuring that controls are adequate and functioning effectively.
• External audit is responsible for determining whether financial statements are presented fairly in accordance with applicable accounting principles.
10. CORPORATE GOVERNANCE FITS TOGETHER LIKE A PUZZLE (2/2)
A combination of the following pieces act to govern an organization:
• Board: The board delegates authority to and oversees management.
• Management: Management implements policies, processes and controls.
• Internal Audit: Internal audit determines whether risk and control processes are functioning effectively.
• External Audit: External audit determines whether financial statements are stated fairly.
There are different ways to accomplish effective governance, and each organization must develop its own approach based on its organizational structure, culture, capabilities, maturity and processes.
There is no one-size-fits-all solution to corporate governance. Each organization must thoughtfully consider what it wants to achieve and how to achieve it.
11. VARIOUS CORPORATE GOVERNANCE MODELS EXIST
Few authoritative bodies have developed broad guidance on governance; however, two have created their own framework for assisting companies with developing their internal governance programs:
• Open Compliance and Ethics Group (OCEG)
• Standards Australia
A couple of authoritative bodies have developed frameworks around risk management that augment the governance process:
• International Organization for Standardization (ISO)
• Committee of Sponsoring Organizations (COSO)
12. COMMON ELEMENTS OF THESE GOVERNANCE MODELS
• A fundamental concept related to the board and its relationship to the organization is developed.
• Strategy, risks, controls and compliance are incorporated and considered.
• Framework/organizational structure is overarching.
• Internal and external stakeholders are considered.
• Specific industry practices, requirements and benchmarking are considered.
• Improvement/capability maturity is continuous.
13. THE NEW GOVERNANCE LANDSCAPE (1/2)
Corporate governance has traditionally been viewed as what the board of directors does when providing oversight on strategy, policy, performance and transparency matters.
While we see the focus on corporate governance from a board of directors’ responsibility continuing, we also recognize an enterprisewide focus on governance in which directors and executive, unit and functional management:
• Set overall business objectives and oversee progress toward those objectives.
• Establish and sustain a corporate structure that adapts to a changing operating environment.
• Establish policies and entity-level processes, providing assurance that desired objectives are met to respond to stakeholder expectations and preserve reputation.
[Figure labels: Board of Directors; Governance, Risk and Compliance]
14. THE NEW GOVERNANCE LANDSCAPE (2/2)
While this emerging view of governance is not new, the financial crisis has highlighted the importance of a strong governance culture.
As a result, governance needs to be understood as a process to determine which activities truly matter and how those activities will make a difference in the organization’s governance program.
The following questions arise as new pressures are placed on the organization:
• How does the organization achieve alignment with the corporate strategy and business plan at multiple levels?
• How are the critical risks inherent in the strategy and business plan identified and managed?
• How are people empowered to make effective and timely decisions?
• How does management ensure that people have reliable and timely information?
• Is compensation aligned with longer-term objectives?
15. OCEG 2.0: A COMPREHENSIVE ROAD MAP (1/2)
OCEG’s 2.0 Framework begins with eight integrated components. These components help drive program development and provide an outline for elements of a successful governance program.
These eight integrated components drive the progress toward the eight universal outcomes, representing expected and measurable results of a governance program.
The components do not have to be implemented in conjunction with each other – they are designed to be dynamic to the organizational need, applying each one at the appropriate stage of developing a governance program.
Eight Integrated Components
• Culture and Context
• Organize and Oversee
• Detect and Discern
• Monitor and Measure
• Respond and Resolve
• Assess and Align
• Prevent and Promote
• Inform and Integrate
Eight Universal Outcomes
• Achieve business objectives.
• Enhance organizational culture.
• Increase stakeholder confidence.
• Prepare and protect the organization.
• Prevent, detect and reduce adversity.
• Motivate and inspire desired conduct.
• Improve responsiveness and efficiency.
• Optimize economic and social value.
16. OCEG 2.0: A COMPREHENSIVE ROAD MAP (2/2)
The eight integrated components are broken down further into elements. The elements are designed to provide guidance on how the component is designed and implemented.
The elements provide context on the principles underlying the applicable component, the activities within each component and the common sources of failure for effective governance.
The robust nature of this approach allows for enhanced discussion and facilitates the alignment of governance activities for all internal and external stakeholders.
Figure 1: OCEG Framework (Element View)
Context and Culture
• C1: External Business Context
• C2: Internal Business Context
• C3: Culture
• C4: Values and Objectives
Organize and Oversee
• O1: Outcomes and Commitment
• O2: Roles and Responsibilities
• O3: Approach and Accountability
Detect and Discern
• D1: Hotline and Notification
• D2: Inquiry and Survey
• D3: Detective Controls
Monitor and Measure
• M1: Context Monitoring
• M2: Performance Monitoring and Evaluation
• M3: Systemic Improvement
• M4: Assurance
Respond and Resolve
• R1: Internal Review and Investigation
• R2: Third-Party Inquiries and Investigations
• R3: Crisis Response and Recovery
• R4: Remediation and Discipline
Assess and Align
• A1: Risk Identification
• A2: Risk Analysis
• A3: Risk Optimization
Prevent and Promote
• P1: Codes of Conduct
• P2: Policies
• P3: Preventive Process Controls
• P4: Awareness and Education
• P5: Human Capital Incentives
• P6: Human Capital Controls
• P7: Stakeholder Relations and Requirements
• P8: Preventive Technology Controls
• P9: Preventive Physical Controls
• P10: Risk Financing/Insurance
Inform and Integrate
• I1: Information Management and Documentation
• I2: Internal and External Communication
• I3: Technology and Infrastructure
17. COMPARISON OF OCEG 2.0 VS. OTHER GOVERNANCE MODELS
OCEG GRC Capability Model 2.0
• All key functions of an organizational structure are incorporated.
• An organizational approach toward governance is taken.
• The GRC Capability Model provides practical guidance to implementing an organizational governance program.
Australian Standard AS 3806:2006
• This standard is very process-oriented.
COSO Enterprise Risk Management (ERM)
• COSO ERM is built off the COSO Internal Control Framework.
• Strategic planning is applied enterprisewide.
• The importance of risk appetite is explicitly acknowledged.
ISO 31000 Risk Management
• This model emphasizes the integration of risk management with what matters (e.g., the core management processes).
• Guidance on implementation is provided.
18. COMMON THEMES IN GOVERNANCE DEFINITIONS
Corporate governance is most often viewed as both the structure and the relationships, which determine corporate direction and performance.
• The board oversees management’s policies and processes.
• Management administers policies, processes and controls.
• Responsibilities and authorities are divided.
• Accountabilities and reward systems are established.
19. EXAMPLE MATURITY MODEL APPLICATION
Process Evolution (Continuum), from highest to lowest maturity:
• Optimizing (Continuous Feedback): Risk management is a source of competitive advantage.
• Managed (Quantitative): Risks are measured/managed quantitatively and aggregated enterprisewide.
• Defined (Qualitative/Quantitative): Policies, processes and standards are defined and institutionalized.
• Repeatable (Intuitive): Processes are repeatable but dependent on individuals.
• Initial (Ad Hoc/Chaotic): Heroics are heavily relied upon, and institutional capability is lacking.
Capability Attributes / Method of Achievement, listed from the Optimizing level down to the Initial level:
• The emphasis on exploiting opportunities increases.
• Best-of-class processes are used.
• Knowledge is accumulated and shared.
• Measurement methodologies/analysis are rigorous.
• The debate on risk/reward trade-off issues is intense.
• Processes are uniformly applied across the organization.
• The remaining elements of infrastructure are in place.
• Methodologies are rigorous.
• Language is common.
• Quality people are assigned.
• Tasks are defined.
• Initial infrastructure occurs.
• Tasks are undefined.
• Initiative is relied upon.
• A “just do it” attitude is used.
• Key people are relied upon.
Source: Adapted from the Capability Maturity Model: Guidelines for Improving the Software Process, Carnegie Mellon University Software Engineering Institute, 1994
20. CORPORATE GOVERNANCE: WHERE TO FOCUS FOR SUCCESS
With the pervasiveness of corporate governance throughout the organization, a focus on key governance areas and their ability to meet the organizational objectives will drive the success of the governance structure.
By working within each of these areas and leveraging the OCEG 2.0 Framework, successful corporate governance is achievable, sustainable and allows for continuous improvement.
Each area will present its own unique dynamics and challenges. To enable success for these areas, it will be imperative to leverage a common corporate governance language across all areas, as well as business units, geography and reporting structures.
You do not have to address all these areas at once. Prioritize the areas to determine which ones should be addressed first.
Example Governance Areas
• Board of Directors
• Human Resources Oversight
• Internal Audit
• Information Technology Governance
• IT Security
• Regulatory Compliance
• Enterprise Risk Management
• Shareholder Communications
• Information Management
• Strategic Planning and Forecasting
• External Environment Analysis
• Sarbanes-Oxley Compliance
• Fraud Risk Management
• Finance Organization
• Policies and Procedures Development
21. DEFINING GOVERNANCE: KEY TAKEAWAYS
Governance is the process by which directors and executive management fulfill their stewardship responsibilities to the organization’s stakeholders by performing the following tasks:
1. Set overall business objectives and oversee the progress toward those objectives.
2. Establish and sustain an adaptive corporate structure.
3. Distribute rights, responsibilities and authorities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders.
4. Provide oversight and monitor the effectiveness of risk management and internal control processes.
5. Ensure that full transparency into what matters in the organization is incorporated through the alignment of key metrics and targets with established accountabilities and the reward system.
22. TAKING THE NEXT STEP FOR CORPORATE GOVERNANCE SUCCESS: KEY QUESTIONS TO CONSIDER
• Are we ready to further the discussion about corporate governance?
• What would be our key objectives for this initiative? What do we want to achieve?
• What will acceptable results be? How will this be measured?
• What is the actual structure of our corporate governance today?
− What material and programs already exist that define and demonstrate corporate governance in our organization?
− How do we feel about what we’ve learned upon reviewing this material?
− Are there easy and clear areas of improvement?
− What areas of the corporate governance puzzle do we want to take on?
• Which governance model or framework might we adopt to fit our needs?
• Which governance activities should we address first? Should we address all activities at once or just a few over time?
• Do we need outside help? If yes, how do we make sure we get value for the fees paid?
• In the end, anything you do should add value and make your organization stronger. If not, you shouldn’t do anything.
23. LOGICAL PRIORITIES FOR CORPORATE GOVERNANCE DOCUMENTATION
• Code of conduct
• Conflict of interest statements
• Ethics programs
• Whistleblower programs
• Board charters
• Strategic plans
• Delegation of authority policies
• Policies
• Organization charts
• Performance reporting
• Key performance indicators (KPIs)
The key is not simply having these individual elements but understanding how they fit together to form the appropriate corporate governance structure.
24. OUR GOVERNANCE CLIENT CREDENTIALS
• Clients are active participants and sponsors of OCEG.
• Clients are past advisory committee participants for COSO initiatives.
• Clients constantly support ISO frameworks and concepts.
• Clients are involved in thousands of board meetings per year.
• Clients serve more than 25% of the Global 1000.
• Clients continuously request to address governance, risk, control, and compliance issues at organizations of all types and sizes and in all industries.
• Clients serve as a key internal audit provider for completely outsourced audit functions at hundreds of organizations.
• Clients have substantial practice around all types of governance, including very complex regulatory and compliance matters.
• Clients are awarded work by selected securities commissions to review corporate governance at selected public companies.
25. AN INTERNAL AUDITOR’S VIEW OF CORPORATE GOVERNANCE RELATED TO BOARDS (1/2)
Role of the Board of Directors
• Perform effective and efficient oversight of the organization in the best interests of the company and for the benefit of the shareholders.
Accountability
• The board is appointed by and reports to shareholders.
Principles
• Create a framework for oversight and accountability: An organization should establish the respective roles and responsibilities of the board and executive officers.
• Structure the board to add value: The board should comprise directors that will contribute to its effectiveness.
• Attract and retain effective directors: A board should have processes to examine its membership to ensure that directors (individually and collectively) have the necessary competencies and other attributes.
• Continuously strive to improve the board’s performance: The board should have processes to improve its performance and that of its committees, if any, and individual directors.
• Promote integrity: An organization should actively promote ethical and responsible behavior and decision-making.
26. AN INTERNAL AUDITOR’S VIEW OF CORPORATE GOVERNANCE RELATED TO BOARDS (2/2)
Principles (Continued)
• Recognize and manage conflicts of interest: An organization should establish a sound system of oversight and management of actual and potential conflicts of interest.
• Recognize and manage risk: An organization should establish a sound framework of risk oversight and management.
• Oversee strategy and its implementation: The board should oversee the strategy development process, resulting strategy, plans for its implementation, and a related annual plan and budget.
• Oversee the organization’s performance: The board should monitor the organization’s performance in the best interests of the company and for the benefit of the shareholders.
• Compensate appropriately: An organization should ensure that compensation policies align with the best interest of the organization.
• Engage effectively with shareholders, government and the community: The board should keep shareholders informed of relevant information, and endeavor to stay informed of the views of shareholders, government and the community.
• Approve significant transactions and events: The board should approve significant transactions and events to ensure that they are supportive of the organization’s strategic direction.
• Oversee and evaluate the external auditor: The board (audit committee) should appoint, monitor and evaluate the external auditor.
• Oversee and evaluate the internal audit function: The board (audit committee) should oversee and evaluate the organization’s internal audit activity.
• Oversee and evaluate internal and external legal counsel: The board should oversee and evaluate the organization’s internal and external legal counsel.
27. NEXT STEPS
• Discuss the concept of auditing corporate governance with key stakeholders (internal audit, management, audit committee and board, and legal counsel).
• Determine if a current corporate governance model exists and if a specific model is followed.
− If no model exists, decide if you should adopt a model for "criteria" purposes.
• Gather existing corporate governance documents.
• Determine if an audit is still warranted.
29. GLOBAL INTERNAL AUDIT AT ABC COMPANY
[Organization chart]
• (Insert Name), Vice President
• (Insert Name), IT Audit Director
• (Insert Name), Operations Audit Manager
• (Insert Name), Operations Audit Manager
• (Insert Name), Operations Audit Manager
Audit Staff
• (Insert Name) and (Insert Name), Operational Auditors
• (Insert Name) and (Insert Name), IT Auditors
• (Insert Name), Data Analytics Specialist
30. GLOBAL GOVERNANCE COUNCIL
[Figure: Global Governance Council at the center, with the following member functions: Global Internal Audit; Human Resources; International Controls; Labor Law; Internal Controls; Import/Export; Sustainability; Corporate Social Responsibility; Corporate Communications; Quality; Global Security; Health and Safety; Environment; M&A/Integration; IT Security.]
Mission Statement
Our mission is to coordinate and align internal governance and compliance organizations with the intent of increasing effectiveness through sharing of knowledge and data and increasing efficiency through the integration of common processes.
Core Objectives
• Minimize review fatigue.
• Optimize cost-effective integrated assurance.
• Identify emerging risks.
31. CORPORATE AUDIT SERVICES AT ABC COMPANY
[Organization chart]
• (Insert Name), Chairman of the Board, President, Chief Executive Officer
• (Insert Name), Audit Committee Chairperson
• (Insert Name), Chief Audit Executive
Audit coverage areas, each led by (Insert Name):
• Consumer and Small Business Banking/Credit Administration
• Wholesale Banking and Commercial Real Estate
• Payment Services and Treasury
• Wealth Management and Securities Services
• Administrative Services and Professional Practices
• Technology and Operations
• Basel
• Enterprisewide Corporate Functions
• Regulatory Compliance and Home Mortgage
Staffing:
• X audit professionals and X data analysts
• X professional practices/administrative support
32. ABC COMPANY GOVERNANCE
[Governance chart with the following bodies and roles]
• Board of Directors
• BOD Risk Management Committee
• BOD Audit Committee
• Corporate Audit Services
• Executive Risk Committee
• Chief Technology Officer
• Chief Risk Officer
• Chief Credit Officer
• Chief Legal Officer
• Chief Financial Officer
• Corporate Risk Committee
• Enterprise Risk Management
• Corporate Compliance
• Executive Credit Management Group
• Credit Risk Assessment
• Asset Liability Committee
• Market Risk Committee
• Operational Risk Capital Quantification
• Economic Capital Committee
• Economic Scenario Committee
• Capital Contingency Committee
• Disclosure Committee
33. CORPORATE AUDIT SERVICES STAKEHOLDERS
[Figure: Corporate Audit Services at the center, surrounded by the stakeholder groups below.]
Board of Directors
• Audit Committee
Management
• Managing Committee
• Senior Business Line Management
Control Partners
• Corporate Risk Management
• Business Line Risk Management
• Corporate Compliance
• Business Line Compliance
• Credit Risk Assessment
External
• Independent Public Accountants
• Regulators (FRB, OCC, FDIC, CFPB, SEC, etc.)
34. INTERNAL AUDIT TRANSFORMATION
[Timeline]
• (Insert Date): Merger of Audit and SOX 404
• (Insert Date): Creation of International Audit Organization
• (Insert Date): Creation of Legal and Compliance Liaison Position
35. GLOBAL INTERNAL AUDIT ORGANIZATION STRUCTURE
[Organization chart]
• (Insert Name), Vice President
• Executive Admin
• International Operations Director
− International Audit Consultant
− Europe Team
− Asia Team
• IT Director/SOX PMO
− IT Team
• Legal and Compliance Audit Consultant
• North America Senior Manager
− North America Team