Title: Keeping the Supervisory Board informed and involved: Audit Committee and Internal Audit Function
1 Keeping the Supervisory Board informed and involved: Audit Committee and Internal Audit Function
May 2006 Yerevan
2 ROAD MAP OF PRESENTATION
- Brief discussion of survey results relating to Audit Committee and Internal Audit
- Review of the key responsibilities of the Board and its Audit Committee
- The direct links to the IA function
- Defining the IA function
- Internal Audit vs. Internal Control
- The major tasks of the IA function and how they relate to the Board's responsibilities
- Controls, Compliance and Risk Management
- Structure and Standards of IA function
- In-house vs. Outsourced
- Professional and Industry Standards
- Summary of AC and IA's role in Corporate Governance
3 Key Functions of a Board: OECD Corporate Governance Principles, Section VI
- Reviewing and guiding corporate strategy and risk policy.
- Monitoring effectiveness of the company's governance.
- Selecting and monitoring executives.
- Aligning executive and board remuneration.
- Ensuring transparent board election process.
- Monitoring and managing potential conflicts of interest.
- Ensuring the integrity of the firm's accounting and financial reporting systems, including the independent audit and that appropriate controls are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards.
- Oversee disclosure and communications.
4 OECD 7. Ensuring the integrity of the corporation's reporting systems
- requires that the Board:
  - Set and enforce clear lines of responsibility and accountability
  - Ensure appropriate oversight by senior management
  - A key way to do this is by implementing an internal audit function which directly reports to the Board of Directors/Audit Committee
  - Set up internal programs to monitor compliance
  - Internal audit also assists in monitoring compliance
5 Defining the Internal Audit Function
an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
6 Internal Audit Objectives and Tasks
- To advise management if the organization has sound systems of internal controls to protect the organization against loss.
- Evaluate system of controls.
- Assess risks / Component of risk management.
- Test operations of systems (including IT).
- Communication, recommendations for improvement and follow up.
7 IA Task 1: Internal Audit vs. Internal Control
- Internal Controls: system / processes
- Internal Audit: a function to assess the IC
- IC processes encompass the means by which senior management seeks reasonable assurance that:
  - The entity's accounting and operating reporting is complete and reliable
  - Operations are being conducted in accordance with the entity's prescribed policies and procedures
  - The entity is in compliance with applicable laws and regulations
  - The entity's assets and information are protected from improper use.
8 Internal Control Framework
- Under a number of jurisdictions (e.g. US, EU), top management has to make certain disclosures about the controls and procedures in place, and whether they are in compliance with a recognizable framework.
- COSO provides an internationally recognizable framework for internal control system.
9 COSO on internal controls
- COSO ERM provides the following definition of Internal Control:
  - A process effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
    - Reliability of financial reporting
    - Effectiveness and efficiency of operations
    - Compliance with applicable laws and regulations
- IC System: a synonym for internal control applied in an entity.
- The effectiveness of an internal control system is measured by its capacity to provide reasonable assurance to the board of directors and management that these three objectives have been met.
10 COSO on internal controls - continued
- In addition to these goals, COSO identified five interrelated components of internal control:
  - The control environment, which includes the integrity, ethical values, and competence of an organization's people.
  - Risk assessment.
  - Control activities.
  - Information and communication, which encompasses the methods for identifying, capturing, and communicating pertinent information in a time frame that enables people to carry out their responsibilities.
  - Monitoring.
- These components combine to form an integrated system of controls. To conclude that internal control is effective in any category of objectives (operations, financial reporting, or compliance), all five components must be present and functioning.
11 COSO on internal controls - continued
- Objectives Categories:
  - Strategic.
  - Effectiveness and efficiency of operations (including performance and profitability goals and safeguarding resources against loss).
  - Reliability of reporting.
  - Compliance with applicable laws and regulations.
12 Division of Responsibilities
- Management
  - Establish and maintain an adequate and effective system of internal controls
  - Develop a system to monitor and control risks
- Internal Audit
  - Assist management in the efficient and effective discharge of their responsibilities
  - Advise and make recommendations on internal control and corporate governance
13 Internal Audit helps to monitor the Internal Controls
[Diagram: Monitoring the Internal Control Process]
- BOARD, IN PARTICULAR, THE AUDIT COMMITTEE OVERSEES
- INTERNAL AUDIT FUNCTION EVALUATES
- MANAGERS HAVE PRIMARY TASK TO DESIGN AND MAINTAIN CONTROLS
- EXTERNAL AUDITORS ASSESS AND OPINE ON
14 IA Task 2: Evaluate System of Internal Controls
- The Board has oversight responsibilities over the internal control system.
- The Internal Audit Function:
  - Evaluates efficiency and effectiveness of controls.
  - Recommends new controls where needed or discontinuing unnecessary controls.
  - Uses control frameworks (COSO, Basle, etc.) in its work.
  - Leads control self-assessment.
  - Provides education on risks and controls.
15 IA Task 3: Assess Risk / Risk Management
- The Board has overall responsibility that risks are managed.
- The internal audit function provides objective assurance to the board on the effectiveness of risk management processes.
- Core internal auditing roles in regard to enterprise risk management:
  - Giving assurance on risk management process
  - Giving assurance that risks are correctly evaluated
  - Evaluating risk management processes
  - Evaluating and reporting on the key risks
  - Reviewing the management of key risks
16 IA Task 4: Testing Operations / Reviewing Compliance
- The Board also has oversight for compliance with laws and relevant standards
- The Internal Audit function is valuable support in its compliance and operations role:
  - Ensure the management's policies and procedures are followed
  - Evaluate procedures to safeguard assets
  - Analyze impact of changes in procedures
  - Assure compliance with laws and regulations
  - Review objectives for adherence to organization's mission, culture and climate
  - Provide insight into the impact of noncompliance
17 An Effective IA Function may be established with Various Organizational Structures
18 Regardless of Structure, High Standards Must Be Met
- Professional (e.g., IIA Standards) and industry standards (e.g., BASLE principles) apply
- The Internal Audit Standard Board (UK) has developed Standards for the Professional Practice of Internal Auditing.
- IIA Standards for reporting include:
  - 1000 Purpose, Authority and Responsibility
  - 1110 Organizational Independence
  - 2020 Communication and Approval
  - 2060 Reporting to the Board and Senior Management
19 Standards: Independence and Communication
- The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. (1110)
- The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results. (1110)
- The chief audit executive should communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations. (2020)
20 Other Relevant IA Guidance
- There may be other regional or industry-specific standards
- BASEL Internal Audit Principles in Banks and the Supervisor's Relationship with Auditors (2001):
  - Continuity
  - Independence
  - Audit charter
  - Impartiality
  - Professional competence
  - Scope of activity
Basel Committee on Banking Supervision INTERNAL AUDIT Principles
21 CG Relationship Diagram (1)
[Diagram; surviving label: STAKEHOLDERS]
22 CG Relationships (2)
[Diagram; surviving labels: control environment, Supervisory Board, Company, Management Board, External Auditor]
23 The Audit Committee and the IA Function
- The responsibilities of the audit committee include:
  - Corporate Governance
  - Internal Control and Risk Mgmt.
  - Compliance and Ethics
  - Financial Reporting and Disclosure
- The internal audit function should report to the BoD/Audit Committee. (No independence if it reports solely to management)
- More effective if it reports to the Audit Committee
- Objectivity is a personal quality of the auditor
24 Audit Committee Composition
- Minimum 3 members
- Members should be independent directors
  - Tighter standards on independence than for other independent directors
  - No compensation from company other than director fees
- All members must be financially literate
- At least 1 member (typically the chair) must be an audit committee financial expert
25 Audit Committee Role in Governance
- The Institute of Internal Auditors provides the following logo describing the AC role: Noses In - Fingers Out.
- In a nutshell, the AC should provide oversight of:
  - Financial reporting
  - Risk management
  - Internal Control
  - Compliance
  - Internal Auditors
  - External Auditors
26 Audit Committee Responsibilities
- Some detailed Audit Committee responsibilities include:
  - Ensuring that financial statements are understandable, transparent, and reliable
  - Ensuring the risk management process is comprehensive and ongoing, rather than partial and periodic
  - Helping achieve an organization-wide commitment to strong and effective internal controls, emanating from the tone at the top
27 Audit Committee Responsibilities (continued)
- Reviewing corporate policies relating to compliance with laws and regulations, ethics, conflicts of interest, and the investigation of misconduct and fraud
- Reviewing current and pending corporate-governance related litigation or regulatory proceedings to which the organization is a party
- Continually communicating with senior management regarding status, progress, and new developments, as well as problematic areas
28 Audit Committee Responsibilities (continued)
- Ensuring the internal auditors' access to the audit committee, encouraging communication beyond scheduled committee meetings
- Reviewing internal audit plans, reports, and significant findings
- Establishing a direct reporting relationship with the external auditors
29 Internal Audit Reporting
- In various governance and organizational structures the IA reports to SB (Audit Committee in particular) and senior management on:
  - internal audit activity's purpose
  - authority
  - responsibility
  - performance relative to its plan
- Also report separately on:
  - significant risk exposures and control issues
  - corporate governance issues
  - other matters needed or requested by SB and MB
30 Breakout Session: Audit Committee and Internal Audit
- 3 groups will have approx 10-15 minutes for the following tasks:
  - Group 1: Develop annual plan for the AC.
  - Group 2: IA has submitted its annual plan for the AC's consideration. It includes annual audit of head office functions as well as of all branches. Plus semi-annual reporting to the AC (BoD). Provide comments and/or suggestions.
  - Group 3: Develop criteria for self-assessment of AC effectiveness (after 1 year of its functioning).
- Group presentations (approx 5 minutes each)
- Discussion of group presentations (approx 5 minutes each).
- The base material for discussion: sample ToR for the AC (distributed in advance)
31 COSO on internal audit
- COSO ERM provides the following definition of Internal Audit:
  - Internal audit functions typically provide an assessment of risk and control activities of a business unit, process or department. In some cases particular attention is given to risk identification, analysis of likelihood and impact, risk response, control activities, as well as information and communication.
32 Self-Assessment and Monitoring
- Self-assessment or monitoring can provide oversight of an enterprise's control system performance. Self-assessment should be performed at all levels of IC system:
  - BoD
  - AC
  - IA
  - Top Management
  - Departments
33 Board Self-Assessment or Monitoring
- Yes or No Questions:
  - Does the board review the actions management takes to deal with material control weaknesses and verify that those actions are objective and adequate?
  - Do audit reports contain sufficient detail?
  - Are audit reports timely enough to allow for resolution and appropriate action?
  - Does the board or audit committee approve the selection of key internal audit personnel?
  - Does the board or audit committee approve the overall scope of review activities (such as audit or financing coverage)?
  - Does the board or audit committee review results of audits?
  - Does the board or audit committee approve the system of internal controls?
  - Does the board or audit committee periodically review audit or other key control systems?
  - Is line management held accountable if they do not follow up satisfactorily or effectively on control weaknesses?
34 Benefits of a Strong Internal Audit Function
- When the internal audit function is properly established with adequate authority, scope, and resources, it can professionally and proficiently aid in the following areas and contribute to good corporate governance:
  - Governance law and regulations
  - Internal controls
  - Disclosure and transparency
  - Risk management
  - Compliance
  - Ethics and Communication
35 Applicable Literature/Guidance
- Institute of Internal Auditors <www.theiia.org>
- Basle Committee on Banking Supervision <www.bis.org>
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) <www.coso.org>
- International Federation of Accountants <www.ifac.org>
36 Contact details
IFC Yerevan, 9 V. Sargssyan str., Yerevan 375010, Armenia
Tel: (37410) 545241, 545242
Fax: (37410) 545245