Internal Audit & Corporate GovernancePRESENTATION BY:

CA ASHWANI JHAMB

IIA CORPORATE GOVERNANCE

MODEL

STRONG GOVERNANCE PROCESS

Board

Responsible

For

Operating

Controls

Controls

Working

Effectively

Management

Responsible

For

High

Ethical

Standards

Monitoring

Corporate

Performance

Internal Audit Department • Provides Objective Assurance, Insight on the effectiveness of Risk Management,

Internal Controls and Governance processes.

• Complements management's assurance that the systems are working effectively

Providing

Assurance

to the Board

Establish

Structures and

Processes/Controls

Guiding

Strategy and

Risk Policy

INTERNAL AUDIT EVOLUTION

Scandals occurred in the late nineties

Collapse of Enron and WorldCom

Investors raised questions on the board of directors and

senior management executives and the oversight bodies

and the internal and external auditors.

Time to move from mere audits of financial records and

traditional tick box approach.

CORPORARE GOVERNANCE SHORTCOMINGS

Lack Of Board Effectiveness

Board’s Risk Oversight

Poor Leadership And Ethics Culture

Defective Communication

Conflicts Of Interest

Accountability Issues

Lack Of Transparency

EXPECTATIONS FROM

STAKEHOLDERS

Focus on most significant risk areas

Timely communicating with the

Management and the Board about

assessment of risks.

Move beyond its comfort zone help

organizations bring internal audit

perspective on strategic initiatives and

changes – e.g digitalization,

cybersecurity.

Change the approach from “trust

based” to “internal controls

effectiveness”.

MEETING STAKEHOLDER EXPECTATIONS

Value preservation (control focus)

Value creation (performance focus)

Be more concerned with identifying opportunities, threats, and

requirements, while also understanding the performance, risk, and

compliance impact.

Align with stakeholder expectations:

•Providing assurance perspective that the Board and the

Management understands.

WHAT IS REQUIRED FROM IA?

Focus of Strategic Risks:

•Strategic risks, as well as operational, financial and compliance risks.

• Strategic risks are risks that affect or are created by an organization’s business

strategy and strategic objectives.

• Operational risks are major risks that affect an organization’s ability to execute its

strategic plan.

• Financial risks include areas such as financial reporting, valuation, market,

liquidity, and credit risks.

• Compliance risks relate to legal and regulatory compliance.

WHAT IS REQUIRED FROM IA?

Focus of Strategic Risks:

•Periodically evaluate and communicate risks to the Board and

Executive Management.

•Alert operational management to emerging issues and changing

regulatory and risk scenarios.

•Risk-based approach to develop the audit universe.

RISK AREAS – TO INCLUDE IN AUDIT PLAN

RISK AREAS

Culture And Ethics

Data Privacy

Data Governance

Third Party Risks

Cybersecurity

WHAT IS REQUIRED FROM IA?

Think Beyond the Scope:

•Connect the dots considering enterprise-wide implications.

•To illustrate an ability (or inability) to associate one idea with

another, to find the “big picture”.

•Broaden the focus on operations, compliance and nonfinancial

reporting issues.

•Watch for patterns and signs indicating a deteriorating risk culture.

WHAT IS REQUIRED FROM IA?

Add more value through Consulting which can result in:

•Strengthening the lines of defense;

•More effective collaboration with other independent functions focused

on managing risk and compliance

•Leveraging technology enabled auditing

• Improvements in control structure, including greater use of automated

controls; and

•Suggestions for improving and streamlining compliance

INTERNAL AUDIT LIMITATIONS

Positioning and reporting of the Internal Audit Department

Management’s influence

Lack of strong support from the Board.

Lack of Board evaluating the scope of Internal audit activities and discuss with CAE.

Lack of adequate resources and skills in terms of experience, training and staff shortage.

Lack of adequate budget to cover the significant risks and critical areas in the audit

plan.

Lack of adequate tools to automate and digitize the Internal Audit Activity.

Lack of adequate access and transparency to the information.

WHAT IA SHOULD DO TOSEEK SUPPORT

Escalating the limitations and concerns to the Audit Committee,

Board and Management on requirement of resources and tools which

may limit the effective functioning of Internal Audit department.

External and Internal quality assurance reviews may assist in

identifying the gaps on which improvement is required.

PERSEVERE AND IMPROVE

IA needs to expand and strengthen itself in following areas:

Adapting with changing technological landscape

Focus and strengthen itself in the areas of risk management and

governance

Use of quantitative skills and knowledge of risk.

Participate in value creation

Use knowledge of enterprise risks

Bring discipline to risk management activities,

Strengthen control design and effectiveness, continuous monitoring &

enhance compliance.

AUTOMATION

Digitize The Internal Audit;

Implementation Of Data Analytics Tool;

IA Needs To Utilize Mainstream Technology;

Data Mining And Analytics;

Graphical Audit Reporting;

Issue Tracking.

GROUP LEVEL ISSUES (PARENT AND SUBSIDIARY)

Uniform implementation of key policies, such as whistle-blower policy,

across the entire group irrespective of the size and location of

subsidiaries.

Internal Audit can implement technology-based solutions to monitor and

review the group activities as a whole.

Related Party transactions.

WHAT IS REQUIRED FROM BOARD?

Facilitate effective, high quality communication

Elevate stature and perspective

THREE LINES OF DEFENCE

FUTURE OF INTERNAL AUDITING

RBIA (Risk Based Internal Audit) focuses more on objectives and high-risk impact

areas instead of simply examining internal controls, it may just be the tool of the

future.

Focus Areas to be covered by IA:

Corporate governance reviews

Audits of enterprise risk management processes

Reviews addressing linkage of strategy and company performance

Ethics audits

International Financial Reporting Standards (IFRS)

Social and sustainability audits

Disaster recovery testing and support

Source: Author's research conducted to five reports by the Institute of Internal Auditors

REGULATIONS IN OMAN

Oman’s Corporate Governance framework and regulations by Capital Market Authority

Oman (CMA) are regarded as one of the best not only in the region but globally.

The CMA brought a new Code of Corporate Governance in the year 2016 that had taken

corporate governance to an entirely new level. Recently, CMA also issued another code

applicable to Government Companies that will bring in unprecedented transparency,

objectivity and discipline to these companies and help protect public money.

CMA Regulation no.10/2018 has clearly explained the role of Audit Committee and

Internal Audit which have provided mandate to Internal Audit and strengthens the most

important pillar of Corporate Governance and the Internal Auditors can now discharge

their statutory obligations without fear of reprisal.

Internal audit is the primary resource of the audit committee in carrying out its duties and responsibilities and one of the cornerstones of good governance. - IIA

THANK YOU

QUESTIONS AND ANSWERS

- NEIL ARMSTRONG