Internal Audit & Corporate Governance
PRESENTATION BY:
CA ASHWANI JHAMB
IIA CORPORATE GOVERNANCE MODEL
STRONG GOVERNANCE PROCESS
[Diagram labels: Board; Management; Responsible For; Operating Controls; Controls Working Effectively; High Ethical Standards; Monitoring Corporate Performance; Providing Assurance to the Board; Establish Structures and Processes/Controls; Guiding Strategy and Risk Policy]
Internal Audit Department
• Provides Objective Assurance and Insight on the effectiveness of Risk Management, Internal Controls and Governance processes.
• Complements management's assurance that the systems are working effectively.
INTERNAL AUDIT EVOLUTION
Scandals occurred in the late nineties.
Collapse of Enron and WorldCom.
Investors raised questions about the board of directors, senior management executives, the oversight bodies, and the internal and external auditors.
Time to move beyond mere audits of financial records and the traditional tick-box approach.
CORPORATE GOVERNANCE SHORTCOMINGS
Lack Of Board Effectiveness
Board’s Risk Oversight
Poor Leadership And Ethics Culture
Defective Communication
Conflicts Of Interest
Accountability Issues
Lack Of Transparency
EXPECTATIONS FROM STAKEHOLDERS
Focus on the most significant risk areas.
Timely communication with Management and the Board about the assessment of risks.
Move beyond its comfort zone and help organizations bring an internal audit perspective on strategic initiatives and changes – e.g. digitalization, cybersecurity.
Change the approach from “trust based” to “internal controls effectiveness”.
MEETING STAKEHOLDER EXPECTATIONS
Value preservation (control focus)
Value creation (performance focus)
Be more concerned with identifying opportunities, threats, and requirements, while also understanding the performance, risk, and compliance impact.
Align with stakeholder expectations:
• Providing an assurance perspective that the Board and Management understand.
WHAT IS REQUIRED FROM IA?
Focus on Strategic Risks:
• Strategic risks, as well as operational, financial and compliance risks.
• Strategic risks are risks that affect or are created by an organization’s business strategy and strategic objectives.
• Operational risks are major risks that affect an organization’s ability to execute its strategic plan.
• Financial risks include areas such as financial reporting, valuation, market, liquidity, and credit risks.
• Compliance risks relate to legal and regulatory compliance.
WHAT IS REQUIRED FROM IA?
Focus on Strategic Risks:
• Periodically evaluate and communicate risks to the Board and Executive Management.
• Alert operational management to emerging issues and changing regulatory and risk scenarios.
• Use a risk-based approach to develop the audit universe.
RISK AREAS – TO INCLUDE IN AUDIT PLAN
Culture And Ethics
Data Privacy
Data Governance
Third Party Risks
Cybersecurity
WHAT IS REQUIRED FROM IA?
Think Beyond the Scope:
• Connect the dots considering enterprise-wide implications.
• To illustrate an ability (or inability) to associate one idea with another, to find the “big picture”.
• Broaden the focus on operations, compliance and nonfinancial reporting issues.
• Watch for patterns and signs indicating a deteriorating risk culture.
WHAT IS REQUIRED FROM IA?
Add more value through Consulting which can result in:
• Strengthening the lines of defense;
• More effective collaboration with other independent functions focused on managing risk and compliance;
• Leveraging technology-enabled auditing;
• Improvements in control structure, including greater use of automated controls; and
• Suggestions for improving and streamlining compliance.
INTERNAL AUDIT LIMITATIONS
Positioning and reporting of the Internal Audit Department
Management’s influence
Lack of strong support from the Board.
Lack of Board evaluation of the scope of Internal Audit activities and discussion with the CAE.
Lack of adequate resources and skills in terms of experience, training and staff shortage.
Lack of adequate budget to cover the significant risks and critical areas in the audit plan.
Lack of adequate tools to automate and digitize the Internal Audit Activity.
Lack of adequate access to, and transparency of, information.
WHAT IA SHOULD DO TO SEEK SUPPORT
Escalating to the Audit Committee, Board and Management the limitations and concerns about resource and tool requirements which may limit the effective functioning of the Internal Audit department.
External and Internal quality assurance reviews may assist in identifying the gaps on which improvement is required.
PERSEVERE AND IMPROVE
IA needs to expand and strengthen itself in the following areas:
Adapting to the changing technological landscape.
Focus and strengthen itself in the areas of risk management and governance.
Use of quantitative skills and knowledge of risk.
Participate in value creation.
Use knowledge of enterprise risks.
Bring discipline to risk management activities.
Strengthen control design and effectiveness, continuous monitoring & enhance compliance.
AUTOMATION
Digitize The Internal Audit;
Implementation Of Data Analytics Tool;
IA Needs To Utilize Mainstream Technology;
Data Mining And Analytics;
Graphical Audit Reporting;
Issue Tracking.
GROUP LEVEL ISSUES (PARENT AND SUBSIDIARY)
Uniform implementation of key policies, such as whistle-blower policy, across the entire group irrespective of the size and location of subsidiaries.
Internal Audit can implement technology-based solutions to monitor and review the group activities as a whole.
Related Party transactions.
WHAT IS REQUIRED FROM BOARD?
Facilitate effective, high quality communication
Elevate stature and perspective
THREE LINES OF DEFENCE
FUTURE OF INTERNAL AUDITING
RBIA (Risk Based Internal Audit) focuses more on objectives and high-risk impact areas instead of simply examining internal controls; it may just be the tool of the future.
Focus Areas to be covered by IA:
Corporate governance reviews
Audits of enterprise risk management processes
Reviews addressing linkage of strategy and company performance
Ethics audits
International Financial Reporting Standards (IFRS)
Social and sustainability audits
Disaster recovery testing and support
Source: Author's research conducted to five reports by the Institute of Internal Auditors
REGULATIONS IN OMAN
Oman’s Corporate Governance framework and regulations by the Capital Market Authority Oman (CMA) are regarded as one of the best not only in the region but globally.
The CMA brought in a new Code of Corporate Governance in the year 2016 that took corporate governance to an entirely new level. Recently, CMA also issued another code applicable to Government Companies that will bring in unprecedented transparency, objectivity and discipline to these companies and help protect public money.
CMA Regulation no.10/2018 has clearly explained the role of the Audit Committee and Internal Audit, which has provided a mandate to Internal Audit and strengthens the most important pillar of Corporate Governance; the Internal Auditors can now discharge their statutory obligations without fear of reprisal.
Internal audit is the primary resource of the audit committee in carrying out its duties and responsibilities and one of the cornerstones of good governance. - IIA
THANK YOU
QUESTIONS AND ANSWERS
- NEIL ARMSTRONG