
STUDY UNIT ONE

GOVERNANCE
1.1 GOVERNANCE PRINCIPLES
1. Definition of Corporate Governance
a. Governance: the combination of people, policies, procedures, and processes
(including internal control) that help ensure that an entity effectively and efficiently directs
its activities toward meeting the objectives of its stakeholders.
b. Corporate governance can be either internal or external:
Internal: Corporate charter, bylaws, boards of directors, and internal audit functions
External: Laws, regulations, and the government regulators
2. Governance Principles

BOD: Independent, objective
BOD & MGMT: Understand the operating structure, including structures that impede transparency
An organizational strategy: Used to measure organizational and individual performance
An organizational structure: Supports accomplishing strategic objectives
A governing policy for the operation of key activities
Clear responsibility and accountability
Effective interaction among the board, management, and assurance providers
Appropriate oversight by management, including strong controls
Compensation policies, especially for senior management, that encourage appropriate behavior consistent with the organization’s values, objectives, strategy, and internal control
Reinforcement of an ethical culture: Employee feedback without fear of retaliation
Effective use of internal and external auditors: Ensuring their independence, the adequacy of their resources and scope of activities, and the effectiveness of operations
Clear definition and implementation of risk management policies and processes (MGMT)
Transparent disclosure of key information to stakeholders
Comparison of governance processes with national codes or best practices
Oversight of related party transactions and conflicts of interest

3. Governance Process
a. Governance has two major components:
Strategic direction:
a) The business model,
b) Overall objectives,
c) The approach to risk taking (including the risk appetite), and
d) The limits of organizational conduct.
Oversight:
a) Risk management activities performed by senior management and risk owners, and
b) Internal and external assurance activities.
* Oversight is the governance component with which internal auditing is most concerned.
b. The board is the source of overall direction to, and the authority of, management.
It also has the ultimate responsibility for oversight.
Board:
1. The ultimate responsibility for oversight
2. The source of overall direction to, and the authority of, management
Management:
1. Performs day-to-day governance functions.
2. Implements board directives (within specified tolerances for unacceptable outcomes) to achieve objectives

4. Governance Practices

a. Governance practices reflect the organization’s unique culture and largely depend on it for
effectiveness.
1) The organizational culture
a) Sets values, objectives, and strategies;
b) Defines roles and behaviors;
c) Measures performance; and
d) Specifies accountability.
2) Thus, the culture determines the degree of sensitivity to social responsibility.

b. Governance practices may use various legal forms, structures, strategies, and
procedures. They ensure that the organization
1) Complies with society’s legal and regulatory rules;
2) Satisfies the generally accepted business norms, ethical principles, and social
expectations of society;
3) Provides overall benefit to society and enhances the interests of the specific
stakeholders in both the long and short term; and
4) Reports fully and truthfully to its stakeholders, including the public, to ensure
accountability for its decisions, actions, and performances.

5. Ethical Culture

a. Because decision making is complex and dispersed in most organizations, each person
should be an ethics advocate, whether officially or informally.
Codes of conduct & vision statements:
a) The organization’s values and objectives
b) The behavior expected
c) The strategies for maintaining a culture consistent with legal, ethical, and societal responsibilities
Internal auditors’ roles: An active role in support of the organization’s ethical culture (chief ethics officer, member of an ethics council, or assessor of the ethical climate)
• The role of chief ethics officer may conflict with the independence attribute of the internal audit activity (External assurance may be provided by external auditors, consultants, industry groups, or regulators.)
• In a less mature system: Focus on compliance with policies, procedures, laws, etc. It also addresses the basic risks to the organization
• In a more mature governance system: Focus on optimizing structure and practices
The responsibility of the internal audit activity: The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
1. Promoting appropriate ethics and values within the organization
2. Ensuring effective organizational performance management and accountability
3. Communicating risk and control information to appropriate areas of the organization
4. Coordinating the activities of and communicating information among the board, external & internal auditors, and management.
The responsibility of the BOD & Mgmt: The design and implementation of governance processes

1.2 ROLES OF INTERNAL AUDITORS IN GOVERNANCE


1. Governance is one of the three basic processes identified in the Definition of Internal
Auditing.
a. Understanding the role of the internal audit activity begins with understanding the nature
of governance in a specific organization.
b. Governance requirements vary by entity type and regulatory jurisdiction.
c. The unique position of internal auditors in the organization enables them to observe and
formally assess the governance structure while remaining independent.
d. The internal audit activity’s ultimate responsibility is to evaluate and improve
governance.
e. The definition of governance should be agreed upon with the board and senior
management.

2. Other Aspects of Corporate Governance


Trusteeship: BOD & Mgmt act as custodians of assets for stakeholders
Empowerment and control: Decision making should occur at appropriate levels of the organization
Good corporate citizenship: Integrity & ethical values should be reflected by the tone at the top
Transparency of disclosures: Transparency may involve accepting a higher cost of capital

1.3 ENVIRONMENTAL AND SOCIAL SAFEGUARDS


1. Corporate Governance and Society
a. A set of principles should be established so that decisions affecting all stakeholders
are not made by and for one interest group.
(1) This considers the needs not only of the internal stakeholders (e.g., shareholders,
directors, managers, and employees) but also of external stakeholders and the
public.
(2) Risk management can identify environmental and social risks and responses to
each risk.
(3) Compliance audits should be performed to assess whether the organization is
complying with laws addressing environmental and social issues.
2. Compliance with Environmental Laws and Regulations
Environmental Protection Agency (EPA): To protect the environment by writing and enforcing regulations
1. Voluntary disclosure and correction of environmental violations may reduce or eliminate penalties related to noncompliance
2. The internal audit activity can assist the organization in identifying potential environmental risks and responses (including voluntary disclosure).
• The internal audit activity can assess an organization’s compliance with environmental laws and regulations
ISO 14000 Environmental Management: Its commitment to the efficient use of resources and the reduction of waste

3. Employment Regulation in the United States


a. The Occupational Safety and Health Act of 1970 (OSHA)
b. Under the act, employers are required to
a) Provide employees with a workplace free from unrecognized hazards that are
likely to cause death or serious physical harm,
b) Keep detailed records of job-related injuries,
c) Post annual summaries of the records, and
d) Report serious accidents to OSHA.

4. Privacy Concerns
a. The following summarizes the provisions of Practice Advisory 2130.A1-1,
Information Reliability and Integrity:
Information reliability and integrity: Accuracy, completeness, and security
The internal audit activity determines whether mgmt and the BOD clearly understand that it is a management responsibility for all critical information regardless of its form
The CAE determines:
1. Whether the internal audit activity has competent audit resources for evaluating internal and external risks to information reliability and integrity
2. Whether senior management, the board, and the internal audit activity will be promptly notified about breaches and conditions that might represent a threat
Internal auditors assess:
1. The effectiveness of preventive, detective, and mitigative measures against past and future attacks
2. Also determine whether the board has been appropriately informed
3. Periodically assess reliability and integrity practices and recommend new or improved controls
4. Evaluate compliance with laws and regulations concerning privacy
5. Assess the adequacy of the identification of risks and the controls that reduce those risks

1.4 CORPORATE SOCIAL RESPONSIBILITY (CSR)


1. Nature of CSR
a. According to CSR concepts, a corporation’s purpose is not only to benefit
shareholders but also to serve other groups in society beyond what the law requires.
b. Actions must be voluntary.
c. CSR can be profitable.
d. However, an organization should avoid the perception that it is committed to CSR
solely for profit. Questionable motives could negatively affect the organization’s image.

2. Developing a Framework for CSR


Identifying stakeholders: Balance its needs and desires in a mutually beneficial way
1) Internal stakeholders include the following:
a) Shareholders
b) Employees
c) Management
2) External stakeholders include the following:
a) Suppliers
b) Customers
c) Society
Identifying goals: Identifying goals communicates the organization’s motives to its stakeholders

3. ISO Framework – ISO 26000


ISO 26000 standards provide guidance on how businesses and other organizations
can be socially responsible, i.e., act in an ethical and transparent
way that contributes to the health and welfare of society.
• Although compliance with ISO 26000 is not required, compliance could improve
relationships with suppliers, regulators, customers, and other stakeholders.

4. CSR Auditing
a. A CSR audit can facilitate a better understanding of an organization’s
1) Goals;
2) Practices, policies, and culture; and
3) Internal decision-making process in regard to CSR
b. A CSR audit program begins with identifying relevant risks. They include
1) The effectiveness of implementation of large CSR projects,
2) The reliability of performance measurements, and
3) Risks associated with external factors (i.e., regulatory bodies).
c. Once these risks are identified, the audit function should review how management
addresses these risks.

5. CSR Reporting
a. Showing employees how their actions contributed to society can help empower
them through acknowledgment of their achievements.
b. Showing shareholders how the actions of the organization contributed to a better
image can demonstrate the value of CSR.
c. Informing the public of the accomplishments of the organization can improve its
brand and serve as a form of advertising.
