GOVERNANCE
1.1 GOVERNANCE PRINCIPLES
1. Definition of Corporate Governance
a. Governance: the combination of people, policies, procedures, and processes
(including internal control) that help ensure that an entity effectively and efficiently directs
its activities toward meeting the objectives of its stakeholders.
b. Corporate governance can be either internal or external:
   Internal: Corporate charter, bylaws, boards of directors, and internal audit functions
   External: Laws, regulations, and government regulators
2. Governance Principles
3. Governance Process
a. Governance has two major components:
   Strategic direction:
      a) The business model,
      b) Overall objectives,
      c) The approach to risk taking (including the risk appetite), and
      d) The limits of organizational conduct.
   Oversight:
      a) Risk management activities performed by senior management and risk owners, and
      b) Internal and external assurance activities.
   * Oversight is the governance component with which internal auditing is most concerned.
b. The board is the source of overall direction to, and the authority of, management.
   It also has the ultimate responsibility for oversight.
   Board:
      1. Has the ultimate responsibility for oversight
      2. Is the source of overall direction to, and the authority of, management
   Management:
      1. Performs day-to-day governance functions
      2. Implements board directives (within specified tolerances for unacceptable outcomes)
         to achieve objectives
4. Governance Practices
a. Governance practices reflect the organization’s unique culture and largely depend on it for
effectiveness.
1) The organizational culture
a) Sets values, objectives, and strategies;
b) Defines roles and behaviors;
c) Measures performance; and
d) Specifies accountability.
2) Thus, the culture determines the degree of sensitivity to social responsibility.
b. Governance practices may use various legal forms, structures, strategies, and
procedures. They ensure that the organization
1) Complies with society’s legal and regulatory rules;
2) Satisfies the generally accepted business norms, ethical principles, and social
expectations of society;
3) Provides overall benefit to society and enhances the interests of the specific
stakeholders in both the long and short term; and
4) Reports fully and truthfully to its stakeholders, including the public, to ensure
accountability for its decisions, actions, and performances.
5. Ethical Culture
a. Because decision making is complex and dispersed in most organizations, each person
   should be an ethics advocate, whether officially or informally.
b. Codes of conduct and vision statements address
   a) The organization's values and objectives;
   b) The behavior expected; and
   c) The strategies for maintaining a culture consistent with legal, ethical, and societal
      responsibilities.
c. Internal auditors' roles: an active role in support of the organization's ethical culture
   (chief ethics officer, member of an ethics council, or assessor of the ethical climate).
   1) The role of chief ethics officer may conflict with the independence attribute of the
      internal audit activity.
   2) External assurance may be provided by external auditors, consultants, industry groups,
      or regulators.
   3) In a less mature governance system, the focus is on compliance with policies,
      procedures, laws, etc. It also addresses the basic risks to the organization.
   4) In a more mature governance system, the focus is on optimizing structure and practices.
d. The responsibility of the internal audit activity:
   1) The internal audit activity must evaluate the design, implementation, and
      effectiveness of the organization's ethics-related objectives, programs, and activities.
   2) The internal audit activity must assess and make appropriate recommendations for
      improving the governance process in its accomplishment of the following objectives:
      1. Promoting appropriate ethics and values within the organization
      and accountability
      3. Communicating risk and control information to appropriate
4. Privacy Concerns
a. The following summarizes the provisions of Practice Advisory 2130.A1-1,
   Information Reliability and Integrity:
   1) Information reliability and integrity: accuracy, completeness, and security.
   2) The internal audit activity determines whether management and the board clearly
      understand that information reliability and integrity is a management responsibility
      for all critical information regardless of its form.
   3) The CAE determines
      a) Whether the internal audit activity has competent audit resources for evaluating
         internal and external risks to information reliability and integrity, and
      b) Whether senior management, the board, and the internal audit activity will be
         promptly notified about breaches and conditions that might represent a threat.
   4) Internal auditors
      a) Assess the effectiveness of preventive, detective, and mitigative measures against
         past and future attacks;
      b) Also determine whether the board has been appropriately informed;
      c) Periodically assess reliability and integrity practices and recommend new or
         improved controls;
      d) Evaluate compliance with laws and regulations concerning privacy; and
      e) Assess the adequacy of the identification of risks and the controls that reduce
         those risks.
4. CSR Auditing
a. A CSR audit can facilitate a better understanding of an organization’s
1) Goals;
2) Practices, policies, and culture; and
3) Internal decision-making process in regard to CSR
b. A CSR audit program begins with identifying relevant risks. They include
1) The effectiveness of implementation of large CSR projects,
2) The reliability of performance measurements, and
3) Risks associated with external factors (e.g., regulatory bodies).
c. Once these risks are identified, the audit function should review how management
addresses these risks.
5. CSR Reporting
a. Showing employees how their actions contributed to society can help empower them
   through acknowledgment of their achievements.
b. Showing shareholders how the actions of the organization contributed to a better image
   can demonstrate the value of CSR.
c. Informing the public of the accomplishments of the organization can improve its brand
   and serve as a form of advertising.