Auditing governance Having a voice where it counts

Similar documents
Charity Audit Committee performance evaluation Self assessment checklist. October 2014

MiFID II/MiFIR. Implications for Fund Managers. May Deloitte LLP. All rights reserved.

January Senior Insurance Managers Regime Strengthening accountability in insurance

Keeping sight of your business Hot topics facing Financial Services organisations in IT Internal Audit

Banking and Financial Services Internal Audit Group

The Internal Audit fraud challenge Prevention, protection, detection

Transforming customer management in the water sector How to become a leader in customer service

Governance in brief BIS and the FRC consult on options for UK implementation of the EU Audit Directive & Regulation

Enhanced Portfolio Management in uncertain times

Global Mobility for Professional Practices Managing a mobile workforce

Developmental assignments Enablers not solutions

Extract of article published in International HR Adviser magazine The role of HR in global mobility

Addressing Cyber Risk Building robust cyber governance

Finance Transformed. Changing the focus Finance Business Partnering

Guidance for audit committees. The internal audit function

A Guide to Corporate Governance for QFC Authorised Firms

Sample risk committee charter

the role of the head of internal audit in public service organisations 2010

IFRS industry insights

Audit, Risk Management and Compliance Committee Charter

Corporate Governance Report

Effective Internal Audit in the Financial Services Sector

CIIA South West Analytics in Internal Audit - Tackling Fraud

Finance Business Partnering Less than the sum of the parts. Organisational perception of Finance, percentage of respondents agreeing with statements

Introduction from Chairman Chairman Role Profile Charter of Expectations Deputy Chairman Role Profile... 7

Cyber Security Evolved

corporategovernance twothousandfourteen

NamCode. The Corporate Governance Code for Namibia

Terms of Reference - Board Risk Committee

ISO27032 Guidelines for Cyber Security

Effective Internal Audit in the Financial. Services Sector. Non Executive Directors (NEDs) and the Management of Risk

The Compliance Universe

THE COMBINED CODE PRINCIPLES OF GOOD GOVERNANCE AND CODE OF BEST PRACTICE

Final Draft Guidance on Audit Committees

Risk appetite How hungry are you?

Robotic Process Automation Overview and RPA Case Study. November 2015

Consultation Paper CP18/15. Corporate governance: Board responsibilities

Operational continuity in recovery and resolution planning Exploring the Service Company structure

Corporate Governance Code for Banks

Framing the future of corporate governance Deloitte Governance Framework

Principles for An. Effective Risk Appetite Framework

CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS

IFRS industry insights

D-G4-L4-126 Police contact management and demand reduction review Deloitte LLP Service for G-Cloud IV

Application of King III Corporate Governance Principles

AUDIT COMMITTEE TERMS OF REFERENCE

Risk committee performance evaluation

MALAYSIAN CODE ON CORPORATE GOVERNANCE

BAHRAIN TELECOMMUNICATIONS COMPANY B.S.C. AUDIT COMMITTEE CHARTER

Deloitte Shared Services, GBS & BPO Conference Shared Services Design Through to Implementation

CRO Forum Paper on the Own Risk and Solvency Assessment (ORSA): Leveraging regulatory requirements to generate value. May 2012.

Corporate Governance and Enterprise Risk Management Derek Jackson, Senior Manager 5 September 2005

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

Application of King III Corporate Governance Principles

Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager

What Every Director. How to get the most from your internal audit. Endorsed by

Corporate Governance. The benefits of good practice for private companies in the GCC February 2013

Corporate Governance. Approach to Governance. Principle 1 Lay solid foundations for management and oversight. ASX Best Practice Recommendations

How To Be Accountable To The Health Department

IFRS industry insights

The role of modern board. Chartered Institute of Management Accountants

Managing Complex Transformations Achieving excellence

Internal Audit and supervisory expectations building on progress

Hunter Hall International Limited

Internal Audit at the University of Cambridge.

Board Risk & Compliance Committee Charter

A CFO s Guide to Corporate Governance

Basel Committee on Banking Supervision

MALAYSIAN CODE ON CORPORATE GOVERNANCE

Corporate Governance in New Zealand Principles and Guidelines

The Companies Act The Social and Ethics Committee and the management of the Ethics Performance of the Company

Corporate Governance Toolkit for small and medium enterprises: 2 nd Edition

EQT HOLDINGS LIMITED BOARD CHARTER (ACN )

D-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV

Corporate Governance Guide for Investment Companies

Corporate Governance Statement

Ealing, Hammersmith and West London College

Growth by acquisition.

Good practice for annual reports

Response of the Institute of Business Ethics to the Banking Standards Review consultation

FINANCIAL REPORTING COUNCIL THE UK APPROACH TO CORPORATE GOVERNANCE

APRIL Economic Impact of AIM

The robots are coming. A Deloitte Insight report

CORPORATE GOVERNANCE STATEMENT

Capital Requirements Directive Pillar 3 Disclosure. December 2015

D-G4-L4-025 Mobile Working Technology Feasibility Study for a Healthcare Body Deloitte LLP Service for G-Cloud IV

CORPORATE GOVERNANCE STATEMENT

Annual Shared Services and BPO Conference 2013 Shared services from feasibility through to implementation. Tibor Nagy & Jeppe Larsen

IBA Business and Human Rights Guidance for Bar Associations. Adopted by the IBA Council on 8 October 2015

Low Default Portfolio (LDP) modelling

Transcription:

Auditing governance Having a voice where it counts

Contents Foreword 1 Getting started 2 Challenging effectively 4 Areas of focus in governance 6 Conclusion 8

Foreword The financial services sector is coming to terms with revised expectations from the regulatory and investor communities around corporate governance. The inquests into the financial crisis have illustrated, vividly, the disparity between governance intentions and their effectiveness in practice at some organisations. The recent Chartered Institute of Internal Auditors guidance Effective Internal Audit in the Financial Services Sector recommended that Internal Audit functions should include governance within their remit. The guidance echoes the Prudential Regulation Authority s and the Financial Conduct Authority s ambitions for Internal Audit functions to raise the bar in this area. There is an expectation that Internal Audit will challenge risk appetites, risk management processes and governance effectiveness on a more holistic basis. Organisations should already be assessing whether their governance arrangements are fit for purpose. Good governance reflects an effective culture and provides visibility of management s commitment to embedding it in the organisational structure. Now is the time for Internal Audit functions to challenge the gains that have been made and can play a pivotal role in ensuring that: The design of governance arrangements are fit for purpose. Governance standards have been widely communicated and understood. Incentive structures support, rather than conflict, with governance objectives. Desired governance outcomes are being secured. Commitments are made by management. This paper is essential reading for Heads of Internal Audit, as well as other interested and impacted parties including Boards, Audit Committees and senior management within the business. It is informed by our Partners and practitioners experience of the approach adopted by leading organisations, as well as their understanding of regulatory and investor expectations. Internal Auditors must be front and centre of ensuring their firm acts with integrity and will be alert to potential risks. Sadly we have seen what happens in both the retail and wholesale markets when the right arrangements are not in place. Martin Wheatley, FCA Chief Executive Auditing Governance Having a voice where it counts 1

Getting started Defining objectives For some Internal Audit functions governance will be a new area within their audit universe. For others now is the time to take stock and challenge their existing approach. As with all audits, having clearly defined objectives is the foundation for delivering the desired results. Key questions to consider include: Will the main purpose be to assess minimum compliance with external governance standards and codes, or to assess against internal standards and expectations of good governance? What approach to coverage will be taken? Will every audit incorporate an assessment of the related governance arrangements or will specific governance audits be conducted via thematic or stand-alone audits? To what extent will audits go beyond assessing design effectiveness and consider operating effectiveness of governance arrangements? Will governance audits provide a current point-in-time assessment or include a forward looking perspective i.e. whether the current governance approach is fit-for-purpose in the context of longer-term strategic plans? Governance in action Larger organisations are embedding an assessment of governance into existing audits such as risk audits. How Internal Audit functions choose to slice and embed governance audits into the existing audit plan will be driven by three main factors: 1) complexity of the organisational structure; 2) existing audit types; and 3) size and structure of the Internal Audit function. Will the audit seek to assess the suitability and competence of individuals within the leadership team? Governance in action Internal Audit functions are not only establishing their own definitions but leading functions are developing a range of supporting tools, for example a library of good and bad practice to benchmark against their audit observations. Defining the scope We have observed a number of organisations that do not have a clear articulation of what is meant by governance and hence the initial challenge Internal Audit functions face is defining governance. There are a number of definitions in the market, one of which is from the Organisation for Economic Co-operation and Development (OECD): Corporate governance involves a set of relationships between a company s management, its Board, its shareholders and other stakeholders. [It] provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Underpinning this definition are a number of core components which should be subject to audit procedures. As a minimum, Internal Audit functions will want to ensure that the core components of the governance framework are clearly articulated. Figure 1 provides a list of areas that may inform the approach to auditing governance. 2

Figure 1. Examples of scoping areas for a governance audit Governance structure Roles and responsibilities Legal entity structure Size, composition and independence Accountability Reporting lines Delegated authorities Commitment to governance Leadership and Culture Policies Strategy and risk appetite Three lines of defence Governance in action Where Company Secretariat departments take on a second line role and carry out governance reviews, Internal Audit functions are looking to assess the methodologies used and completeness of coverage. Whistle blowing Attestations and other reviews Escalation Communication with regulators Remuneration Management information Control functions Data integrity In addition, with respect to Board/Board committee effectiveness, many Internal Audit functions are grappling with inherent conflicts of interest and to ensure the function s independence is not compromised if they seek to assess the governing body to which they report. To manage this conflict many financial institutions are leveraging external Board effectiveness experts, or, where effectiveness is primarily tackled in-house, ringfencing contentious areas and bringing in external expertise. Historically Board level committee effectiveness has been the main subject of focus for governance reviews, however management level activity is increasingly seen as a critical part of governance. Deloitte s 2012 global Leadership Premium survey 1 of companies across six geographies identified that analysts continue to focus on executive management in evaluating leadership effectiveness. Internal Audit functions will want to establish the extent to which executive management s behaviour is aligned to and reinforces the governance principles agreed at Board level. 1. 2012 global Leadership Premium survey www.corpgov.deloitte.com/binary/com.epicentric.contentmanagement.servlet. ContentDeliveryServlet/IreEng/Documents/Home/dttl_The_Leadership_Premium_29Mar12.pdf Auditing Governance Having a voice where it counts 3

Challenging effectively Given the sensitive and qualitative nature of governance audits, care needs to be taken in reporting audit observations. A key factor involves looking beyond inputs or processes and assessing impact and outcomes; i.e. evaluating the quality of change brought about by committees; whether a committee s oversight has teeth; and how other stakeholders perceive governance impact? Testing approaches need to get under the skin of effectiveness and should use a broad range of audit tools. Below we discuss six core audit approaches. Governance in action Internal audit functions may wish to consider second-order or historical trend benchmarking. Whilst benchmarking on areas such as board composition is readily available and provides a degree of insight, the overlay of historical trends can illustrate shifts in the composition balance providing a different perspective on organisation-specific points of interest. Audit Approach Document review Interviews Observation Case studies Survey Benchmarking Description Document review is a fundamental starting point. It should help the auditor to understand the design principles of their organisation s governance framework. Assessing the completeness of: structure charts; terms of reference; management information; meeting agendas and minutes; schedules of delegated authority; and governance manuals will enable the auditor to identify gaps that must be addressed. Interviewing stakeholders can provide tangible insights into existing strengths, development areas and barriers to achieving the desired outcomes of governance standards. Observing governance in action, particularly around the extent of challenge and debate at key forums, is extremely valuable in evaluating the dynamics and relationships between stakeholders and the extent to which governance processes have real teeth and lead to action in the business. Deep dives on: selected issues; transactions; corporate events; or significant decisions, where the auditor gains an understanding of the circumstances, escalation, approvals and decisions, and can benchmark these to desired governance outcomes provides demonstrable evidence of governance effectiveness. Surveys allow Internal Audit to get individual perspectives on key issues. Auditors should ensure that survey respondents are strategically targeted; our experience suggests junior personnel are more readily prepared to reveal their true perceptions in a survey process as compared to direct questioning from a superior. Benchmarking externally, for example using available data in annual reports or external analysis such as the Deloitte At the Helm survey 2, is valuable to gain insight on the design of governance arrangements outside of the organisation and understand best practice. Clearly auditors must tailor their approach using the suite of options available to assess both design and operating effectiveness whilst recognising the maturity of governance arrangements within the organisation. So, whilst a review of a Terms of Reference may evidence that a particular committee s role is designed appropriately, observing a meeting or carrying out a case study of a recent decision allows the auditor to assess operating effectiveness. See Figure 2 for a spectrum of audit practices to assess whether a committee is operating effectively. 2. 2013 At the Helm survey www.deloitte.com/assets/dcom-unitedkingdom/local%20assets/documents/services/tax/uk-tax- 2013-at-the-helm-report-deloitte.pdf 4

Figure 2. Spectrum of audit practices to assess whether a committee is effective Basic Moderate Leading Review terms of reference to evidence, e.g. the existence of a committee and whether areas of responsibility are appropriately set out. Review meeting minutes to evidence that the committee meets regularly. Review members biographies to understand and assess the skills and experiences they bring. Carry out a survey or conduct interviews with committee members to provide a qualitative dimension to the assessment e.g. asking for opinions and requesting examples of recent decisions and how those decisions were arrived at. Review meeting minutes and action logs to assess the extent to which actions have teeth and are followed up. Carry out a sample of stakeholder interviews outside of the committee to understand broader perceptions and experiences. Assess how decisions are made via a sample of case studies, e.g. evaluate the strategy setting process, and how risk appetite is set and monitored. Design Operating effectiveness Auditing Governance Having a voice where it counts 5

Areas of focus in governance Governance red flags were present, albeit unaddressed, in many of the financial institutions that failed during the crisis including: A dysfunctional Board. A domineering CEO. Insufficient active Board involvement. Insufficient personal accountability at Board-level. Key posts being held by people with insufficient technical competence. Inadequate four eyes oversight of risk. Inadequate understanding of the aggregation of risk. Figure 3. Focus areas in governance People and Culture Tone from the top continues to be scrutinised. Are those people conveying messages around governance of the right standing in the organisation? Is it the voice of the Board and is the volume at the right level? Are governance messages given the same prominence as commercial messages? The Changing Banking for Good report by the Parliamentary Commission on Banking Standards identified the need for more individual accountability. With this in mind, regulators increasingly expect robust attestations and delegated authority frameworks that reflect individual accountability to be part of best practice governance. Organisational data is being utilised more holistically to understand culture and behaviours. Management information around: employee attrition; training delinquency; exit interview responses; escalation and whistle blowing data provide valuable indicators of the tone at the middle and bottom. There is regulatory and investor appetite to improve Boardroom diversity and address inertia in the appointment process. CRD IV will require a policy on Board diversity and this is raising expectations of the Nominations Committee. Board and Committees There is increased focus on the skills and experience that Board committee members contribute and on the role of the Chair in encouraging healthy and robust debate. Recent and relevant risk experience within Board committee membership is becoming a criterion for leading organisations. This follows on from the Combined Code s introduction of the concept of recent and relevant financial experience in 2003. Board member stretch and non-executive time commitment has been a focus for a number of years. More recently an expectation has formed that Banking Board Chairs will be appointed on a full-time basis, as highlighted by the Parliamentary Commission on Banking Standards, and that the other directorships of non-executives will be capped in order to secure adequate time commitment, as formalised in CRD IV. Management information The quality of Board decision-making is dependent on the quality of management information. There is increasing challenge around how Boards ensure the robustness and completeness of the information presented to them. Whilst most companies have documented escalation policies and procedures in place, operating effectiveness of escalation is in need of review. For example, are there indicators of shooting the messenger and delayed or failed escalation being tolerated? 6

To be effective, Internal Auditors must understand industry practices and recognise what good governance looks like. This provides the basis for confident and credible challenge of the organisation. The areas in Figure 3 should be priorities with respect to ensuring audit coverage is up-todate and reflects market and regulatory expectations. Internal Audit functions should assess the commitment and engagement of senior leaders to governance matters and ensure that champions of good governance are embedded across the organisation, not just in support functions. Internal Audit functions will need to assess the robustness of attestations as the use of these are likely to increase in the future. Internal Audit functions will need to assess management information and data integrity, requiring a robust understanding of what good looks like. Examples are provided below: management information is of an appropriate volume, with balance between the level of detail and ease of use; key risk and performance indicators are highlighted to draw attention to risks and monitor management s progress against the strategy; there are regular reports from control and assurance functions such as internal audit, compliance and risk; management information includes a forward- looking and external perspective, not just a historical and internal perspective; management information encourages strategic debate through insightful analysis and commentary, not just data. For example, comparative figures are included, as appropriate, to allow the identification and analysis of trends; and A regular programme of review of the relevance and sufficiency of management information is in place, with specific personnel tasked with the responsibility. Auditing Governance Having a voice where it counts 7

Conclusion The absence of good governance has led to, in some cases, catastrophic outcomes for organisations and their Boards. Internal Audit is now explicitly expected to provide the Board with a view on governance practices, requiring a more holistic approach to that applied in giving assurance around an organisation s processes and controls. The main challenge we foresee for Internal Audit functions is to overcome the sensitivity of auditing areas such as Board/Board committee effectiveness. It will be critical to obtain the necessary support from the Audit Committee and Board to ensure senior management are open to challenge and that access is provided to Internal Auditors. Such support will be much easier to gain where Internal Auditors help to address common management frustrations around poor management information and slow decision making. With this in mind, over time we expect greater recognition and appreciation of the value generated by governance audits. UK FS Internal Audit leadership Mark FitzPatrick Vice Chairman and Partner +44 (0) 20 7303 5167 mfitzpatrick@deloitte.co.uk Paul Day Partner, Banking and Capital Markets +44 (0) 20 7007 5064 pauday@deloitte.co.uk Russell Davis Partner, Banking and Capital Markets +44 (0) 20 7007 6755 rdavis@deloitte.co.uk FS Governance leadership Kari Hale Partner +44(0) 20 7303 5799 kahale@deloitte.co.uk Natasha de Soysa Director +44 (0) 20 7303 7340 ndesoysa@deloitte.co.uk Jagruti Patel Senior Manager +44 (0) 20 7007 8234 jagrpatel@deloitte.co.uk Ralph Daals Director, Insurance +44 (0) 20 7303 8129 rdaals@deloitte.co.uk Terri Fielding Director, Investment Management and Private Equity +44 (0) 20 7303 8403 tfielding@deloitte.co.uk Mike Sobers Partner, Technology +44 (0) 20 7007 0483 msobers@deloitte.co.uk Kevin Doherty Partner, Scotland +44 (0) 141 304 5711 kedoherty@deloitte.co.uk Jamie Young Director, Regions +44 (0) 113 292 1256 jayoung@deloitte.co.uk 8

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. 2014 Deloitte LLP. All rights reserved. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198. Designed and produced by The Creative Studio at Deloitte, London. 31750A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information