Keeping the Supervisory Board informed and involved: Audit Committee and Internal Audit Function

1
Keeping the Supervisory Boardinformed and
involvedAudit Committee and Internal Audit
Function
May 2006 Yerevan
2
ROAD MAP OF PRESENTATION

• Brief discussion of survey results relating to
  Audit Committee and Internal Audit
• Review of the key responsibilities of the Board
  and its Audit Committee
• The direct links to the IA function
• Defining the IA function
• Internal Audit vs. Internal Control
• The major tasks of the IA function and how they
  relate to the Boards responsibilities
• Controls, Compliance and Risk Management
• Structure and Standards of IA function
• In-house vs. Outsourced
• Professional and Industry Standards
• Summary of AC and IAs role in Corporate
  Governance

3
Key Functions of a Board OECD Corporate
Governance Principles Section VI

• Reviewing and guiding corporate strategy and risk
  policy.
• Monitoring effectiveness of the companys
  governance.
• Selecting and monitoring executives.
• Aligning executive and board remuneration.
• Ensuring transparent board election process.
• Monitoring and managing potential conflicts of
  interest.
• Ensuring the integrity of the firms accounting
  and financial reporting systems, including the
  independent audit and that appropriate controls
  are in place, in particular, systems for risk
  management, financial and operational control,
  and compliance with the law and relevant
  standards.
• Oversee disclosure and communications.

4
OECD 7. Ensuring the integrity of the
corporations reporting systems

• requires that the Board
• Set and enforce clear lines of responsibility and
  accountability
• Ensure appropriate oversight by senior management
• A key way to do this is by implementing an
  internal audit function which directly reports to
  the Board of Directors/Audit Committee
• Set up internal programs to monitor compliance
• Internal audit also assists in monitoring
  compliance

5
Defining the Internal Audit Function
an independent, objective assurance and
consulting activity designed to add value and
improve an organization's operations.  It helps
an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.
6
Internal Audit Objectives and Tasks

• To advise management if the organization has
  sound systems of internal controls to protect the
  organization against loss.
• Evaluate system of controls.
• Assess risks / Component of risk
  management.
• Test operations of systems (including IT).
• Communication, recommendations
  for improvement and follow up.

7
IA Task 1 Internal Audit vs. Internal Control

• Internal Controls system / processes
• Internal Audit a function to assess the IC
• IC processes encompass the means by which senior
  management seeks reasonable assurance that
• The entitys accounting and operating reporting
  is complete and reliable
• Operations are being conducted in accordance with
  the entitys prescribed policies and procedures
• The entity is in compliance with applicable laws
  and regulations
• The entitys assets and information are protected
  from improper use.

8
Internal Control Framework

• Under a number of jurisdictions (e.g. US, EU),
  top management has to make certain disclosures
  about the controls and procedures in place, and
  whether they are in compliance with a
  recognizable framework.
• COSO provides an internationally recognizable
  framework for internal control system.

9
COSO on internal controls

• COSO ERM provides the following
  definition of
  Internal Control
• A process effected by an entitys Board of
  Directors, management and other personnel,
  designed to provide reasonable assurance
  regarding the achievement of objectives in the
  following categories
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
• IC System a synonym for internal control
  applied in an entity.
• The effectiveness of an internal control system
  is measured by its capacity to provide reasonable
  assurance to the board of directors and
  management that these three objectives have been
  met.

10
COSO on internal controls - continued

• In addition to these goals, coso identified five
  interrelated components of internal control
• The control environment, which includes the
  integrity, ethical values, and competence of an
  organization's people.
• Risk assessment.
• Control activities.
• Information and communication, which encompasses
  the methods for identifying, capturing, and
  communicating pertinent information in a time
  frame that enables people to carry out their
  responsibilities.
• Monitoring.
• These components combine to form an integrated
  system of controls. To conclude that internal
  control is effective in any category of
  objectives-operations, financial reporting, or
  compliance-all five components must be present
  and functioning.

11
COSO on internal controls - continued

• Objectives Categories
• Strategic.
• Effectiveness and efficiency of operations
  (including performance and profitability goals
  safeguarding resources against loss).
• Reliability of reporting.
• Compliance with applicable laws and regulations.

12
Division of Responsibilities

• Management
• Establish and maintain an adequate and effective
  system of internal controls
• Develop a system to monitor and control risks

• Internal Audit
• Assist management in the efficient and effective
  discharge of their responsibilities
• Advise and make recommendations on internal
  control and corporate governance

13
Internal Audit helps to monitor the Internal
Controls

• BOARD,
• IN PARTICULAR,
• THE AUDIT
• COMMITTEE
• OVERSEES

BOARD, IN PARTICULAR, THE AUDIT COMMITTEE
OVERSEES
INTERNAL AUDIT FUNCTION EVALUATES
Monitoring the Internal Control Process
MANAGERS HAVE PRIMARY TASK TO DESIGN AND
MAINTAIN CONTROLS
EXTERNAL AUDITORS ASSESS AND OPINE ON
14
IA Task 2 Evaluate System of Internal Controls

• The Board has oversight responsibilities over the
  internal control system.
• The Internal Audit Functions
• Evaluates efficiency and effectiveness of
  controls.
• Recommends new controls where needed or
  discontinuing unnecessary controls.
• Use control frameworks COSO, Basle, etc. in its
  work.
• Lead control self-assessment.
• Provide education on risks and controls.

15
IA Task 3 Assess Risk / Risk Management

• The Board has overall responsibility that risks
  are managed.
• The internal audit function provides objective
  assurance to the board on the effectiveness of
  risk management processes.
• Core internal auditing roles in regard to
  enterprise risk management
• Giving assurance on risk management process
• Giving assurance that risks are correctly
  evaluated
• Evaluating risk management processes
• Evaluating and reporting on the key risks
• Reviewing the management of key risks

16
IA Task 4 Testing Operations / Reviewing
Compliance

• The Board also has oversight for compliance with
  laws and relevant standards
• The Internal Audit function is valuable support
  in its compliance and operations role
• Ensure the managements policies and procedures
  are followed
• Evaluate procedures to safeguard assets
• Analyze impact of changes in procedures
• Assure compliance with laws and regulations
• Review objectives for adherence to organizations
  mission, culture and climate
• Provide insight to the impact of noncompliance

17
An Effective IA Function may be established with
Various Organizational Structures
18
Regardless of Structure High StandardsMust Be Met

• Professional (e.g., IIA Standards) and industry
  standards (e.g., BASLE principles) apply
• The Internal Audit Standard Board (UK) has
  developed Standards for the Professional Practice
  of Internal Auditing.
• IIA Standards for reporting include
• 1000 Purpose, Authority and Responsibility
• 1110 Organizational Independence
• 2020 Communication and Approval
• 2060 Reporting to the Board and Senior Management

19
Standards Independence and Communication

• The chief audit executive should report to a
  level within the organization that allows the
  internal audit activity to fulfill its
  responsibilities. (1110)
• The internal audit activity should be free from
  interference in determining the scope of internal
  auditing, performing work, and communicating
  results. (1110)
• The chief audit executive should communicate the
  internal audit activitys plans and resource
  requirements, including significant interim
  changes, to senior management and to the board
  for review and approval. The chief audit
  executive should also communicate the impact of
  resource limitations (2020)

20
Other Relevant IA Guidance

• There may be other regional or industry specific
  standards

• BASEL Internal Audit Principles in Banks and the
  Supervisor's Relationship with Auditors (2001)
• Continuity
• Independence
• Audit charter
• Impartiality
• Professional competence
• Scope of activity

Basel Committee on Banking
Supervision INTERNAL AUDIT Principles

21
CG Relationship Diagram (1)
STAKEHOLDERS
22
CG Relationships (2)

• AGM

c o n t r o l e n v i r o n m e n t
Supervisory Board
Company
Management Board
External Auditor
23
The Audit Committee and the IA Function

• The responsibilities of the audit committee
  include
• Corporate Governance
• Internal Control and Risk Mgmt.
• Compliance and Ethics
• Financial Reporting and Disclosure
• The internal audit function should report to the
  BoD/Audit Committee. (No independence if it
  reports solely to management)
• More effective if reports to the Audit Committee
• Objectivity is a personal quality of the auditor

24
Audit Committee Composition

• Minimum 3 members
• Members should be independent directors
• Tighter standards on independence than for other
  independent directors
• No compensation from company other than director
  fees
• All members must be financially literate
• At least 1 member (typically the chair) must be
  an audit committee financial expert

25
Audit Committee Role in Governance

• The Institute of Internal Auditors provide the
  following logo describing AC role
• Noses In - Fingers Out.
• In a nutshell, the AC should provide oversight
  of
• Financial reporting
• Risk management
• Internal Control
• Compliance
• Internal Auditors
• External Auditors

26
Audit Committee Responsibilities

• Some detailed Audit Committee responsibilities
  include
• Ensuring that financial statements are
  understandable, transparent, and reliable
• Ensuring the risk management process is
  comprehensive and ongoing, rather than partial
  and periodic
• Helping achieve an organization-wide commitment
  to strong and effective internal controls,
  emanating from the tone at the top

27
Audit Committee Responsibilities (continued)

• Reviewing corporate policies relating to
  compliance with laws and regulations, ethics,
  conflicts of interest, and the investigation of
  miscondsuct and fraud
• Reviewing current and pending corporate-governance
  related litigation or regulatory proceedings to
  which the organization is a party
• Continually communicating with senior management
  regarding status, progress, and new developments,
  as well as problematic areas

28
Audit Committee Responsibilities (continued)

• Ensuring the internal auditors access to the
  audit committee, encouraging communication beyond
  scheduled committee meetings
• Reviewing internal audit plans, reports, and
  significant findings
• Establishing a direct reporting relationship with
  the external auditors

29
Internal Audit Reporting

• In various governance and organizational
  structures the IA reports to SB (Audit Committee
  in particular) and senior management
• internal audit activitys purpose
• authority
• responsibility
• performance relative to its plan
• Also report separately on
• significant risk exposures and control issues
• corporate governance issues
• other matters needed or requested by SB and MB

30
Breakout Sesson Audit Committee and Internal
Audit

• 3 groups will have approx 10-15 minutes for the
  following tasks
• Group 1 Develop annual plan for the AC.
• Group 2 IA has submitted its annual plan for the
  AC consideration. It includes annual audit of
  headoffice functions as well as of all branches.
  Plus semi-annual reporting to the AC (BoD).
  Provide comments and/or suggestions.
• Group 3 Develop criteria for self-assessment of
  AC effectiveness (after 1 year of its
  functioning).
• Group presentations (approx 5 minutes each)
• Discussion of group presentations (approx 5
  minutes each).
• The base material for discussion sample ToR for
  the AC (distributed in advance)

31
COSO on internal audit

• COSO ERM provides the following
  definition of Internal Audit
• Internal audit functions typically provide an
  assessment of risk and control activities of a
  business unit, process or department. In some
  cases particular attention is given to risk
  identification analysis of likelihood and impact,
  risk response, control activities, as well as
  information and communication.

32
Self-Assessment and Monitoring

• Self-assessment or monitoring can provide
  oversight of an enterprises control system
  performance. Self-assessment should be performed
  at all levels of IC system
• BoD
• AC
• IA
• Top Management
• Departments

33
Board Self-Assessment or Monitoring

• Yes or No Questions
• ?? ?? Does the board review the actions
  management takes to deal with material control
  weaknesses and verify that those actions are
  objective and adequate?
• ?? ?? Do audit reports contain sufficient detail?
• ?? ?? Are audit reports timely enough to allow
  for resolution and appropriate action?
• ?? ?? Does the board or audit committee approve
  the selection of key internal
• audit personnel?
• ?? ?? Does the board or audit committee approve
  the overall scope of review activities (such as
  audit or financing coverage)?
• ?? ?? Does the board or audit committee review
  results of audits?
• ?? ?? Does the board or audit committee approve
  the system of internal controls?
• ?? ?? Does the board or audit committee
  periodically review audit or other key control
  systems?
• ?? ?? Is line management held accountable if they
  do not follow up satisfactorily or effectively on
  control weaknesses?

34
Benefits of a Strong Internal Audit Function

• When the internal audit function is properly
  established with adequate authority, scope, and
  resources, it can professionally and proficiently
  aid in the following areas and contribute to good
  corporate governance
• Governance law and regulations
• Internal controls
• Disclosure and transparency
• Risk management
• Compliance
• Ethics and Communication

35
Applicable Literature/Guidance

• Institute of Internal Auditors ltwww.theiia.orggt
• Basle Committee on Banking Supervision
  ltwww.bis.orggt
• Committee of Sponsoring Organizations of the
  Treadway Commission (COSO) ltwww.coso.orggt
• International Federation of Accountants
  ltwww.ifac.orggt

36
Contact details
IFC Yerevan 9 V. Sargssyan str. Yerevan 375010,
Armenia Tel (37410) 545241, 545242 Fax (37410)
545245