SU 5 - Governance Flashcards
A strategy to promote the long-term viability of an organization’s operations and actions by ensuring that the current and future needs of the organization and society can be met.
Sustainable Development
A concept that corporate success should be measured in three dimensions (economic, social, and environmental), not just by traditional economic profitability measures.
Triple bottom line
The tangible manifestation of culture through the actions, behaviors, and decisions of the individuals who form an organization.
Conduct
The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
Governance
The leadership, structure, and oversight processes that ensure the organization’s IT supports the objectives and strategies of the organization.
IT Governance
The conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
Compliance
Beliefs about right versus wrong that guide people’s and organizations’ decisions and actions, especially in situations that require making tradeoffs between conflicting objectives.
Values
Refers to how management plans to achieve the organization’s objectives.
Strategy
The way firms integrate social, environmental, and economic concerns into their values, culture, decision making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society.
Corporate Social Responsibility (CSR)
The values and norms that exist in an organization.
Culture
The established parameters and boundaries of the audit engagement. It identifies what will be reviewed (processes, activities, and time period) and what will be excluded from the engagement.
Audit scope
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.
Risk Management
Any action taken by management, the board, or other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Control
The board of directors functions like an overarching “umbrella” by providing which two broad types of governance to the organization?
- Strategic direction
- Governance oversight
4 Responsibilities of risk owners
- Evaluating risk management design against risk tolerance.
- Assessing risk management capabilities, maturity, and operations.
- Monitoring risks on a daily basis.
- Providing accurate and timely information and recommendations to senior management and the board.
The IIA’s Three Lines Model helps clarify the internal audit activity’s role in what?
GRC
The Three Lines Model is a principles-based model intended to be adapted to the needs of any organization. Its six principles are:
- Governance
- Governing body roles
- Management 1st and 2nd line roles
- 3rd line roles
- 3rd line independence
- Creating and protecting value
Who determines risk appetite and oversees GRC?
The board
Who remains primarily accountable to the board and reports to it on GRC, achievement of objectives, continuous improvement, and disclosures of impairments?
Internal Audit Activity
The report is principles- and outcomes-based, focusing on transparency and disclosures that require entities to explain how the principles are applied.
King IV (2016)
A Code of Corporate Practices and Conduct is included in the King report (7 elements)
The Duke Is Fair And Socially Responsible
- Discipline. Organizations commit to disciplined behavior that is universally accepted as proper and correct.
- Transparency. Organizations commit to make it easy for outsiders to analyze the organization’s activities.
- Independence. Organizations are self-reliant and can manage or avoid conflict.
- Accountability. Organizations develop ways to accept and acknowledge the positive and negative consequences of their actions.
- Responsibility. Organizations design corrective action into all processes and consider the needs of all stakeholders in decision making.
- Fairness. Organizations balance competing interests.
- Social responsibility. Organizations embed corporate social responsibility programs into their core business model.
3 key tools to achieve sustainability as per King IV
Chris Finds Innovation
- Innovation
- Fairness
- Collaboration
What approach allows internal audit to determine whether controls are effective in managing the risks which arise from the strategic direction that a company, through its board, has decided to adopt?
Risk-based Approach
What approach merely assesses compliance with existing procedures and processes without an evaluation of whether or not the procedure or process is an adequate control?
Compliance-based approach
STANDARD: The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.
Implementation Standard 2110.A2 (Assurance Engagements)
The leadership, structure, and oversight processes that ensure the organization’s IT supports the objectives and strategies of the organization are called?
IT governance (Anderson et al. in Internal Auditing)
An IT governance framework addresses 3 components
- IT process areas. Change management, information security management, software development, IT project management, etc.
- IT mechanisms. Standards, policies, and frameworks for directing, monitoring, and measuring IT performance and managing IT risks.
- IT governance organizational structures. IT roles and reporting lines to meet organizational objectives and formally evaluate and prioritize requirements.
5 areas of a general IT governance framework as per IIA’s Global Technology Audit Guide (GTAG) 17, “Auditing IT Governance”
- Strategic alignment
- Risk Management
- Value delivery
- Performance measurement
- Resource management
Role of Internal Audit in IT Governance
The internal audit activity must assess IT governance per Standard 2110.A2.
Refers to how management plans to achieve the organization’s objectives.
Strategy (Anderson et al. in Internal Auditing)
The attitude and actions of the board and management regarding the importance of control within the organization. It provides the discipline and structure for the achievement of the primary objectives of the system of internal control. It is the foundation for the system of internal controls.
Control Environment
6 elements of the control environment
Management Is Assuring Humans Of Competence
- Integrity and ethical values.
- Management’s philosophy and operating style.
- Organizational structure.
- Assignment of authority and responsibility.
- Human resource policies and practices.
- Competence of personnel.
The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) — Integrated Framework
Internal Control Frameworks
3 categories of objectives that an organization works to achieve using the system of internal controls as per COSO framework
COR
- Operations
- Reporting
- Compliance objectives
COSO’s Internal Control—Integrated Framework has five principles related to the control environment
- The organization demonstrates a commitment to integrity and ethical values.
- Sets the tone at the top.
- Establishes standards of conduct.
- Evaluates adherence to standards of conduct.
- Addresses deviations in a timely manner.
What provides behavioral guidance and rules for staff (and outsourced service providers who have been delegated responsibility for organizational processes) when taking actions or making decisions? The code clarifies the expectations of the board and senior management as to what is considered right versus wrong. It provides guidance on common gray areas or difficult decisions and highlights associated risk.
A written code of conduct
These are how managers in various organizational or other structures execute their assigned authorities and responsibilities, including reporting information to higher levels. These lines should be documented and understood by the relevant parties.
Reporting Lines
The basis for assessing adherence to organizational ethics and values. There are stated values as well as operating values.
Organizational standards of conduct
Beliefs about right versus wrong that guide people’s and organizations’ decisions and actions, especially in situations that require making tradeoffs between conflicting objectives.
Values
Two types of values
- Stated values. These are ideal or written values, such as written codes of ethics and/or conduct.
- Operating values. These are cultural values that guide actual organizational behavior.
4 steps when auditing the control environment
- Start with a risk assessment to help set audit scope, frequency, and rotation.
- Take into account planning considerations as individual engagements are planned.
- Require assessment criteria.
- Require selection of tools and techniques to use.
6 elements from the IPPF definition of control environment used as potential audit scope areas for a control environment risk assessment
- Integrity and ethical values
- Management philosophy and operating style
- Organisational structure
- Assignment of authority and responsibility
- HR policies and practices
- Competence of personnel
Who determines the frequency and rotation of control environment audits and how to integrate the results of multiple audits while avoiding duplication of effort?
CAE
Best practice for CAE to determine the criteria against which the control environment will be assessed
Use an internal control framework the first time the control environment is audited at an organization. This can help ensure that the criteria are well rounded and complete.
Represents the invisible belief systems, values, norms, and preferences of the individuals that form an organization.
Culture (St-Onge et al)
Represents the tangible manifestation of culture through the actions, behaviors, and decisions of these individuals.
Conduct (St-Onge et al)
Root cause of many control environment issues.
Poor organizational culture. A toxic culture can erode the effectiveness of other control layers.
5 characteristics of healthy organizational cultures
- Positive tone at the top. The board and senior management define, proactively model, and enforce accountability for desired organizational values, including in their strategies.
- Clear communication. Management sets explicit expectations in all communications, daily interactions, and meetings with employees, customers, and third parties.
- Open dialogue. Management listens to feedback or constructive criticism and has tools like ethics hotlines or open-door policies to encourage dialogue.
- Employee engagement. Objective-setting and strategy discussions are inclusive, such as by listening to personal objectives and evaluating how they align to strategy.
- Incentives aligned with core values. Compensation and incentives align with the organization’s core values and risk appetite.
4 Key areas for an ethical climate assessment to address
- Whether ethical values are consistent among policy statements.
- Whether any policies lack ethics statements and, if so, whether they should be added.
- Whether ethics statements are consistently expressed to enable staff to have a cohesive, easily understood picture of expected behavior.
- Whether statements are specific and concrete enough to be meaningful.
A common tool for ethical climate assessments.
An entity-wide employee survey
The internal audit activity may be involved in ethics- and compliance-related issues, alleged violations, and dispositions in two ways.
First, the internal audit activity may assess whether the escalation and resolution process is effective.
Second, as a result of entity-wide, or specific audit engagement area effectiveness assessments, the activity may need to evaluate deficiencies and communicate results, including making recommendations.
“adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.”
Compliance
When evaluating ethical deficiencies, the internal audit activity should focus on identifying the root causes of exceptions. 5 examples of potential root causes:
- Emphasis on results, especially those that are short-term
- Excessive focus on the bottom line (such as sales revenues and profit goals)
- High-pressure sales tactics
- Ruthless negotiations
- Aggressive incentives that are tied to reported financial and nonfinancial information
Responsible for investigating alleged violations of ethics, compliance, or business conduct practices and making recommendations for resolution of misconduct, including disciplinary action.
Management
A voluntary initiative to practice and transparently report on the organization’s efforts toward good corporate citizenship with its employees and within the community. It is a pledge to develop the organization in sustainable ways by including not only economic but also social and environmental objectives in its values, culture, strategies, decisions, and operations.
Corporate social responsibility (CSR)
A strategy to promote the long-term viability of an organization’s operations and actions by ensuring that the current and future needs of the organization and society can be met. This is done in part by safeguarding, sustaining, and enhancing the human and natural resources the organization uses.
Sustainable development
A triple-bottom-line strategy creates three balanced measures of success.
- Economic. This is the traditional bottom line for a business (i.e., profit or loss), but some CSR programs also enhance profitability.
- Environmental. This is the responsible and compliant use of natural resources and protection of the natural environment.
- Social responsibility. This is fair treatment of and reinvestment in employees, indigenous peoples, and communities.
Key goal of a triple-bottom-line strategy
To fully integrate all three areas into the organization’s business model and strategy rather than making them afterthoughts.
8 risks associated with CSR activities.
- Reputation
- Compliance
- Liability
- Operational
- Stock market
- Employment market
- Sales market
- External business relationships
Who has overall responsibility for the effectiveness of the governance, risk management, and control (GRC) components of CSR programs, including determining which CSR controls will be needed?
The board
Who is responsible for performing a risk assessment related to CSR and for determining what components and priorities are important to their organization?
Board and management (The organization may create an executive position responsible for CSR programs.)
These include developing CSR strategies, objectives, policies, procedures, controls, and key performance indicators/performance targets (e.g., emissions, safety incidents, employee satisfaction).
CSR business activities
Voluntary CSR standards to determine what to report, provide assurance on the validity of the report, and help ensure that the information is comparable for benchmarking
- The CSR reporting standards of the Global Reporting Initiative (GRI).
- The SA8000 Standard of Social Accountability International.
- The AA1000 standards for assurance of CSR reports of AccountAbility.
Developed to help with assessments and to help set CSR goals for the organization. The following maturity levels might be used:
- No CSR objectives or strategies.
- CSR strategy is to be in compliance with laws and contracts.
- Some divisions acknowledge specific CSR risks with stand-alone strategies. The goal is to exceed compliance requirements; reporting is selective.
- CSR governance, strategies, and performance measures are integrated, and public reporting occurs.
- CSR is a primary feature of the organization’s mission, vision, principles, decision-making processes, and performance measures. Public formal reports are produced, and stakeholders are kept engaged.
A CSR maturity model
5 Assurance Methods of Auditing CSR
- Audit by element: Perform separate audit engagements for each CSR element: governance; environment; ethics; community involvement; health, safety, and security; transparency; and working conditions and human rights.
- Audit by stakeholder: Perform separate audit engagements to assess effectiveness of delivering value to each stakeholder group, such as employees and their families, customers, the environment, and so on. The basis for determining effectiveness is fulfillment of each group’s needs.
- Audit by common subject: Perform audits by common subject area: workplace, marketplace, community, and environment. Auditing by workplace could bundle together issues such as employer of choice, health and safety, diversity and equality, environmental management practices, training and development, ethics, governance, and human rights.
- Audit by internal control: Perform audits using internal controls over risk management, data gathering, measuring, and CSR reporting activities. Performing the same audit tests for each area audited ensures that results are comparable. At year end, an overall report on CSR could be made based on all areas audited.
- Audit by risk-management-based priority: Perform audits using a risk-management-based approach, selecting the areas of a CSR program identified as being most significant in terms of risk impact and likelihood, with direction provided by the board and senior management. This method can be combined with any of the prior methods.
Recommendations on CSR programs should be reported to whom?
The organization may consider recommendations on CSR programs to be sensitive information, and so the CAE should consult with management regarding report distribution.
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Risk
A key element of risk
The notion that it always involves uncertainty
An action or potential action that creates or alters goals or approaches for creating, preserving, or realizing value.
Opportunity
4 fundamental concepts of risk
- Achieving strategic and operational objectives and succeeding in business requires putting the organization’s assets and resources at some degree of risk.
- Risks taken should be commensurate with the potential reward.
- Risks are not single-point estimates. Rather, there will be a range of possible outcomes associated with a risk, such as from worst case to most likely to best case.
- Risk management should reduce the likelihood of negative events and increase the likelihood of positive events.
The occurrence or realization of a risk (threat or opportunity). Also called an issue.
An event
The level of risk that the organization is willing to accept.
Risk appetite
The boundaries of acceptable outcomes related to achieving business objectives.
Risk tolerance
The combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists assuming there are no internal controls in place.
Inherent risk
The portion of inherent risk that management can reduce through day-to-day operations and management activities.
Controllable risk
The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk). Note that responses include application of internal controls or other risk management measures.
Residual risk
6 considerations related to risk appetite
- The purpose of setting a risk appetite is to limit risks to organizational objectives to an acceptable level. This is done by comparing the cost to the benefits of control.
- Because the future is uncertain, there is no way to completely eliminate risk. (Some amount of residual risk will remain.)
- Risk appetite helps the board and management prioritize potential strategies and resource allocations.
- Risk appetite can be defined at a high level and at increasing levels of detail.
- Risk appetite can differ between business units or products (with higher risk being acceptable for areas with higher potential for reward).
- Risk appetite can change based on changes in the external environment.