IBGC Orienta

INTERNAL AUDIT: ESSENTIAL ASPECTS FOR THE BOARD OF DIRECTORS

“This document is the result of a partnership between the Brazilian Institute of Corporate Governance (IBGC) and the Institute of Internal Auditors of Brazil (IIA Brazil) and aims to deepen the view of members of boards of directors, audit committees, auditors and other executives on the internal audit function and its integration with corporate governance.”

Internal Audit: Essential aspects for the Board of Directors
São Paulo | 2019

Founded on November 27, 1995, the Brazilian Institute of Corporate Governance (IBGC), a civil organization, is the Brazilian reference entity and one among the main reference organizations for corporate governance worldwide. Its purpose is to generate and disseminate knowledge on the best corporate governance practices and influence the most diverse agents in its adoption, contributing to the sustainable development of organizations and, consequently, to a better society.

For more information on the Brazilian Institute of Corporate Governance, go to <www.ibgc.org.br>. To become a member of IBGC, call: (11) 3185-4200.

Board of Directors
Chairman: Henrique Luz
Vice-Chairmen: Leila Abraham Loria and Monika Hufenüssler Conrads
Board Members: Carlos Eduardo Lessa Brandão, Doris Beatriz França Wilhelm, Iêda Aparecida Patricio Novais, Israel Aron Zylberman, Leonardo Wengrover and Vicky Bloch

Founded on November 20, 1960, IIA-Brazil, the Brazilian chapter of The Institute of Internal Auditors, is an entity that represents the internal audit activity through publications, training opportunities, events and certifications for professionals and organizations.

Affiliated to The Institute of Internal Auditors (The IIA) in the United States, IIA-Brazil is one of the largest internal audit institutes in the world.
For more information about IIA-Brazil, visit our website <www.iiabrasil.org.br>. To join IIA-Brazil, please call: +55 11 5523 1919

Board of Directors 2019-20
Chairman of the Board: Rene Guimarães Andrich – CIA, CCSA, CRMA
Vice Chairman of the Board: Fabio de Figueiredo Pimpão – CIA, CCSA, CRMA
Board Counselors:
Hélio Takashi Ito – CCSA, CRMA
Isabel Cristina Bittencourt Santiago – CRMA
Monique Sausmikat Guedes – CCSA
Rossana Guerra de Sousa – CIA, CRMA
Tania Mara Cordeiro – CCSA
Washington Lopes da Silva – CCSA, CRMA

Executive Board
General Director: Paulo Roberto Gomes
Secretary Director: Carlos Renato Fontes Trisciuzzi – CIA, CCSA, CRMA, QIAL
Chief Financial Officer: Marcelo Fridori – CIA, CCSA, CRMA
Director of Standards and Certifications: Nancy Salvadori Bittar – CIA, CCSA, CRMA
Director of Training and Events: Antônio Edson Maciel dos Santos – CCSA
CSO: Cristiane Da Cunha Casagrande

CREDITS

This publication was developed by a working group formed by members of the Instituto Brasileiro de Governança Corporativa – IBGC [Brazilian Institute of Corporate Governance] and the Instituto dos Auditores Internos do Brasil – IIA Brasil [Institute of Internal Auditors - IIA Brazil]. The following were the members of the working group: Alberto Whitaker, Antônio Edson Maciel dos Santos, Lucas Legnare, Luiz Martha, Mercedes Stinco, Paulo Vanca, Renan Perondi and Rene Andrich.

Cover image: Shutterstock

WRITTEN BY

Luciana Del Caro

ACKNOWLEDGMENTS

To: Celso Giacometti and Paulo Baraldi for their contributions in several steps of the development of this work; Jorge R. Manoel and Renato Trisciuzzi for taking part in a workshop that discussed the structure of this publication; Gilberto Mifano, Fábio Coimbra, Fabiano Castello, Mauro Cunha and Marcelo Fridori, for their critical reading and comments provided to a restricted audience; PwC, particularly to Andre Pannunzio and Rosana Napoli, for their active participation and contributions for preparation of this work; Alberto Ragazzini, Alex Borges, Alexandre de Mello Silva, André Fischer, Antonio Carlos Siegner Laporta, Artur Damasceno, Bruno Bandeira Costa de Sousa, Carlos Berti Niemeyer, Carlos Donizeti Macedo Maia, Carlos Eduardo Lopes Neves, Clovis Antonio Pereira Pinto, Debora Santille, Douglas Monaco, Felipe Cabral, Guilherme Fernandes Rios, Hanya Pereira Rego, Henrique Luz, Irineu Monteiro de Carvalho, José Maria Rabelo, Lucas Agostinelli, Luciana Bacci Costa, Percival Gratti Junior, Rodrigo Rojo Marcondes, Valdir Lauro Nether, William Claudio Alves Julian, William Schulz, High Performance Consultoria, Nissan and Vitria for their valuable contributions throughout the public hearing process.

International Cataloging Data in Publication (CIP) according ISBD

I59i
Brazilian Institute of Corporate Governance
Internal Audit: Essential aspects for the Board of Directors / Brazilian Institute of Corporate Governance, The Institute of Internal Auditors. - São Paulo, SP : IBGC Orienta, 2019.
56 p. - (IBGC Orienta)
Translation of: Auditoria interna: aspectos essenciais para o conselho de administração
ISBN: 978-85-99645-78-9
1. Corporate Governance. 2. Board of Directors. 3. Internal Audit. I. The Institute of Internal Auditors. II. Title. III. Series.
2019-1857
CDD-658.4
CDU 658.114
Prepared by Vagner Rodolfo da Silva - CRB-8/9410

Index for systematic catalog
1. Corporate Governance 658.4
2. Corporate Governance 658.114

Table of Contents

FOREWORD
INTRODUCTION
Background
Acting professionally
1. RESPONSIBILITIES OF THE INTERNAL AUDIT
1.1. Assurance
1.2. Advisory
1.3. Assurance and Advisory Services
1.4. Main responsibilities of the internal audit
1.4.1. Risk assessment
1.4.2. Internal controls
1.4.3. Fraud prevention, detection and investigation
1.4.4. Compliance
2. INTERNAL AUDIT AND THE GOVERNANCE SYSTEM
2.1. The internal audit in the three lines of defense model
2.2. Outsourcing and co-sourcing
3. INTERNAL AUDIT RELATIONSHIPS
3.1. Board of directors
3.2. The audit committee and other committees
3.3. Fiscal Council
3.4. Executive management and other areas of the organization
3.5 External audit
3.6 Second line of defense bodies (risk management, internal controls, compliance)
3.7 Shareholders/Investors
3.8 Regulatory and supervisory bodies
4. ENSURING EFFECTIVENESS OF THE INTERNAL AUDIT
4.1. Promoting independence
4.2 Focusing on the culture of the organization
4.3 Acting timely and creating value
4.4. Improving qualifications
4.5. Assessing the assessor
FINAL CONSIDERATIONS
BIBLIOGRAPHY
APPENDIX I – THE AUDIT COMMITTEE’S ASSESSMENT OF THE INTERNAL AUDIT
APPENDIX II – INTERNAL REGULATIONS OF INTERNAL AUDIT

Foreword

Internal audit is a relevant activity for the strengthening of governance in organizations. It has been gaining momentum and increasing its scope of action since the second half of the twentieth century, as its ability to increase the organization’s perception of the management of its relevant goals, targets and respective risks, to improve controls, and to avoid losses and promote gains became more evident. Nevertheless, its main roles and responsibilities are seldom sufficiently well-known within organizations, especially regarding its inclusion in the context of corporate governance. Its benefits, therefore, are not always duly taken advantage of.
Internal audit can interact and collaborate with internal controls, risk and compliance areas and contribute towards increasing revenue and reducing costs. This ability to help improve corporate governance by adding value and not just avoiding losses should be taken better advantage of by members of boards of directors and audit committees, and by the audit leaders themselves, so that all of them may fully benefit from this activity in their pursuit of organizational goals and particularly fulfill their responsibilities.

This document is the result of a partnership between the Brazilian Institute of Corporate Governance (IBGC) and the Institute of Internal Auditors of Brazil (IIA Brazil) and aims to deepen the view of members of boards of directors, audit committees, auditors and other executives on the internal audit function and its integration with corporate governance.

The publication focuses on the roles and relationships of internal audit within the governance structure of organizations. It does not purport to indicate how audit processes should be conducted, a subject on which a wealth of technical material is already available. It is also important to stress that the content of this document is comprehensive and considers a wide variety of organization types and sizes and does aim to highlight internal audit activities in specific sectors. It is up to the reader, therefore, to seek knowledge applicable to the particular sector of their organization and required by specific regulations, thus adding to their own reality.

In the expectation that this new volume of the “IBGC Orienta” series will provide topics for reflection and recommendations, both broadening and deepening internal audit knowledge, IBGC and IIA Brazil wish you a pleasant reading.
Introduction

The activities and responsibilities of internal audit are not yet fully understood by many directors, although this activity is increasingly present in different types of organizations and, in certain cases, is a legal or normative requirement (as is the case, for example, of the financial sector - CMN Resolution 4,588/2017 - insurance - Susep Circular 249/2004 - and Law 13,303/2016). Oftentimes, internal audit activities are still seen as an inspection activity in charge of identifying errors and deviations in other areas of the organization, or as an activity lacking independence and being considered a mere top management support. Achieving greater independence, in fact, is one of the greatest challenges this activity currently faces.

The lack of information also leads many people to confuse its duties with those of the external audit (the external audit of the financial statements). The activity, therefore, needs to be better understood to be used for the benefit of organizations. Rather than being just an inspection activity, if the internal audit is well structured and composed of specialists with multidisciplinary and diversified profiles that are compatible with the needs, it should help add value to the organization.

The Institute of Internal Auditors (IIA) [1] defines internal audit as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization to accomplish its objectives through a systematic and disciplined approach to evaluate and improve effectiveness of risk management, control, and governance processes.”

[1] IIA, International Standards for the Professional Practice of Internal Audit (IPPF), 2016.

It is evident from this definition that the internal audit activity depends on the size and level of maturity of the organization and should not contemplate merely the financial aspects of the business. The construction of the internal audit working plan should consider a risk assessment and prioritization process aligned with the organization’s strategy and may suggest improvements that go further than a mere assurance of the processes.

Complementarity and integration

MAIN CHARACTERISTICS OF INTERNAL AND EXTERNAL AUDITS

Internal and external audits play important roles in the governance system. Their activities are essential to the organization, but their focuses are different. Both are complementary and non-exclusive, and a robust governance structure must rely on both. So that the internal and external audit activities can help the organization effectively build value, it is recommended that these areas consider each other’s work when developing their action plans.

An active internal audit team provides the organization’s governance agents with greater security and comfort.

IBGC’s Código das Melhores Práticas de Governança Corporativa [Code of Best Corporate Governance Practices] recommends that organizations have their own audit team, either internal or outsourced. The internal audit activity must be performed independently and objectively:

• Independently: “Is freedom from conditions that threaten the ability of the internal audit activity to carry out its internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and to the board of directors. This can be achieved through a dual reporting relationship. Threats to independence must be managed at the level of the individual auditor, the engagement, functional and organizational levels.”

• Objectively: “Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product with no quality compromise. Objectivity requires that the judgment of internal auditors on audit matters are not subordinate to others” [2].

[2] Ibidem.

The decision to internalize or outsource (in whole or in part) the internal audit activity is related to the organization size, the segment in which it operates and the maturity of its governance. Regulatory requirements, or market and investor pressure for greater governance, lead to implementation of the activity. It is also necessary to improve processes and controls, which helps reduce losses. In fact, internal audit has been expanding its scope and over time it has been playing a broader and more active role in organizations.

The evolution of internal audit was driven by the publication of Brazilian and international standards, which established reference principles for its operation and helped to guide and level the practice. Internal audit became based on the same principles, regardless of the size, purpose, complexity and structure of the organization and of the activity being conducted by either an internal or outsourced area.

Background [3]

[3] The regulations, laws and standards cited in this chapter are not exhaustive. It is up to the reader to be aware of all the regulations applying to their field of work.

There are two main guidelines directing the activities of audit professionals: The International Professional Practices Framework (IPPF) and, in the case of Brazil, the Brazilian Accounting Standards. The first standards were created in 2009 and have since been subject to several revisions, the most recent in 2017 [4]. They aim to outline the principles of the activity, provide a framework for the generation of added value, establish the bases on which to evaluate its performance and promote improvements in organizational processes.

[4] Before the IPPF, there were other standards, provided by the Professional Practices Framework (PPF) of 2002.

The Brazilian Accounting Standards deal with the internal accounting audit activity and procedures. Internal audit is governed by two specific rules in force since 2004 [5], one dealing with technical parameters and the other with ethical and professional matters. The technical standard provides a more specific definition of the activities of the internal audit but, like the IIA’s definition, emphasizes that the ultimate aim of the activity is helping the organization to achieve its goals: “The internal audit comprises the examinations, analyses, evaluations, surveys and evidence methodologically structured to assess the integrity, adequacy, effectiveness, efficiency and cost-effectiveness of the processes, information systems and internal controls integrated with the environment and risk management, in order to assist the entity’s management in reaching its goals.”

[5] The rules are the NBC TI 01 (technical parameters), approved by Resolution CFC 986/2003, and PI 01 (professional).

Another front that led to the expansion and deepening of the internal audit function within organizations and of the governance system was provided by laws and regulations in Brazil and worldwide. The regulatory framework has recognized the activity as a means of making the control environment of public and private organizations more effective. A major step in this direction, and one that inspired other countries, was the Sarbanes-Oxley Act (SOX), approved in 2002 and applicable to publicly traded companies whose shares are traded in the United States. Although the law did not foresee the obligation to have an internal audit function but rather the installation of an internal audit committee, this indirectly contributed to boosting the activity, to the extent that it attempted to strengthen the internal control structures of companies.

As the internal audit function is responsible, among other factors, for evaluating the effectiveness and efficiency of internal controls, it had to become more robust to meet the new requirements. In turn, the US Securities and Exchange Commission (SEC) – the regulatory body of the US capital market and equivalent to the CVM in Brazil – and the New York Stock Exchange (NYSE) made internal audit mandatory for companies listed on this stock exchange.

Because of its nature and the specific way in which it operates, the financial sector in Brazil was one of the first in which the internal audit activity became mandatory by regulation. Since 1998, financial institutions and other institutions authorized to operate by the Central Bank of Brazil have been obliged to have an internal audit activity [6]. This obligation has existed for insurance companies since 2004 [7].

[6] Resolution CMN 2,554/1998, Circular 3,856/2017 of the Brazilian Central Bank and Resolution 4,588/2017 of the Brazilian Monetary Council.

[7] Susep Circular 249, February 20, 2004.

Companies in other sectors, on the other hand, are subject to specific regulations, according to their listing segments on the Brazilian stock exchange or depending on the composition of their capital (whether a mixed-capital [government-controlled + private] or a state-owned company). Publicly traded companies listed on the Novo Mercado [New Market] segment must have internal audit, a requirement existing since this listing segment was reformulated in 2017. In addition to having an area dedicated to this activity, companies also need to have compliance functions and an audit committee.

The importance of internal audit in other publicly traded companies is increasing, even though the function is not mandatory by law. Instruction 586/2017 of the Brazilian Securities & Exchange Commission (Comissão de Valores Mobiliários – CVM) [8] brought greater transparency and imposed on publicly traded companies the need to disclose information as to their adherence (or otherwise) to the governance practices established by the Código Brasileiro de Governança Corporativa – Companhias Abertas [9] [Brazilian Code of Corporate Governance – Publicly held Corporations]. Companies have to explain to which practices they adhere and which they do not obey (and, in this case, they need to explain why they are not in line with the code provisions). With regard to internal audit, the code states that the area must be compatible with the size, complexity and risks of the business, and that it is incumbent upon the board of directors to ensure qualification of the team of auditors and their independence towards the executive management [10].

[8] The instruction applies to the issuers of securities registered in Category A, whose shares or share deposit certificates are traded on the stock exchange.

[9] The Brazilian Code of Corporate Governance – Publicly-held Companies, launched on November 16, 2016, was prepared by the eleven market entities part of the Inter-agent Working Group.

[10] In the absence of a board of directors and of the audit committee, this is incumbent upon the highest governing body in the organization, to which the internal audit must report.

CVM Instruction 586/2017 requires the issuer to report whether it adopts the following practices recommended by the code:
i. “The company must have an internal audit area directly connected to the board of directors”;
ii. “If this activity is outsourced, the internal audit services must not be exercised by the same company that audits the financial statements. The company shall not hire for internal audit anyone who has provided external audit services for the company in the previous three years.”

If the practices recommended by the code are not adopted, or are only partially adopted, the issuer must explain the motives. Even if they are adopted, the issuer must provide the basis for its statement and provide information as to why it understands that it is in compliance with the practice; in other words, the issuer must describe the structure of its internal audit and discuss its adequacy in contrast with the size and complexity of the company’s activities.

The internal audit function is also gaining strength and visibility in the public sector. In response to serious governance problems in Brazilian mixed capital and state-owned companies, in 2016 the Law of State-owned Companies was sanctioned [11]. It determined that these companies should have day-to-day internal controls and risk management structures and practices encompassing the actions of managers and employees. Such companies shall also have an area in charge of checking compliance with obligations and risk management. The internal audit and the audit committee have become mandatory in state-owned companies.

[11] Law 13,303, of June 30, 2016.

The duties of the internal audit function, according to the Law of State-owned Companies: “The internal audit should:
I – be linked to the board of directors, either directly or by way of an audit committee [12];
II – be responsible for assessing the adequacy of internal controls, the effectiveness of risk management and governance processes and the reliability of the process of collecting, measuring, classifying, accumulating, registering and disclosing events and transactions for preparation of the financial statements.”

[12] In the absence of a board of directors, the internal audit function must be directly linked to the organization’s highest governing body.

Also in relation to the public sector, at the end of 2017 the Ministry of Transparency and the Office of the Federal Controller General (CGU) issued a manual to provide guidance on the internal auditing of organs and units that are part of the federal executive branch’s Internal Control System (SCI) [13], and of other federal executive branch bodies and entities.

[13] The actions of the SCI were disciplined by Law 10,180, of February 6, 2001. SCI aims at assessing the actions of federal public administrators and the actions of the federal government, by way of accounting, financial, budgetary, operational and asset supervision.

Acting professionally

In addition to the rules and regulations attaching greater importance to internal auditing over time, this activity has also been the object of a search for constant strengthening by professional bodies, such as the IIA, which operates both globally and nationwide. IIA Global, headquartered in the United States, is an association of auditors founded in 1941 to develop professionalism in internal audit.

The Institute of Internal Auditors of Brazil (IIA Brazil), in turn, was founded in 1960 and trains, qualifies and certifies its associates. Another strand of its activities is the internal and external quality assurance service of the internal audit function using a global methodology, as well as training and defending the profession.

The internal audit function is assessed by a team of skilled, qualified or accredited professionals with vast experience. This assurance engagement is performed by external professionals who meet IPPF requirements and is requested by the audit committee. The so-called Quality Assessment (QA) analyzes compliance of the internal audit function with the standards defined in the IPPF and with other regulations governing the profession. Based on this analysis, the area audited receives a recommendations report with a view to remaining in line with global standards of internal audit activity.

There are also various certificates available to internal audit professionals, according to the area in which the auditor operates. All aim at attesting the capacity required for working in internal auditing and the qualifications needed to face the challenges posed by the profession. You can find out more about certification in Chapter 4.

1. Responsibilities of the internal audit

Market pressures and the regulatory framework have, over time, enlarged the scope of the internal audit function so that it focused also on topics related to risk, internal controls and governance. Another relevant change in the activity was its adoption of a preventive stance. Demand for the advisory work of the internal audit function – provided the independence and objectivity of the professionals are preserved – surged, as it has for assurance services.

In this chapter, the main responsibilities of the internal audit will be addressed, but without going into the technical details of the function.
It is currently expected that the internal audit area be capable of identifying risks and acting to minimize the probability of their occurrence and impact, i.e., the function has preventive and collaborative characteristics and acts on risks that could prevent achievement of the organization’s key objectives. It is likewise expected that it can, among other aspects, identify opportunities for improving controls, acting independently with the organization’s management in supporting the preparation of an action plan and following up on its execution, which lies upon the managers of the audited areas. It is important to emphasize that internal audit should monitor implementation of the action plans agreed with the managers in charge and disclose what has not yet been implemented, or those cases where management has decided to bear the risks involved.

Since the internal audit function provides assurance and advisory services, and because expectations regarding its preventive role are high, there is a risk that it could divert from its primary task, that of assurance, to focus overmuch on advice. These two duties need to be evenly distributed to avoid wasting the organization’s talents and resources. It is worth examining the two concepts more closely, to understand the actions of auditing in each of these tasks.

1.1. Assurance

The assurance service, as defined by the IIA, “comprises the objective assessment of the evidence by the internal auditor, in order to provide opinions or conclusions regarding an entity, operation, function, process, system or other important matters.” This task must be aligned with the organization’s strategic objectives.

1.2. Advisory

Advisory services are intended for the internal audit’s customer (a person, group or function in the organization) and are usually carried out at the request of someone.
Internal customers and auditors establish limitations on the nature and scope of the work. Advisory should not be generic, but rather focus on improving controls, processes and systems, or other areas according to the needs of the organization. To actually add value, the internal audit must have a good understanding of how the organization functions, thus guiding its actions towards achieving the strategic objectives determined.

The internal audit function can provide assurance services in areas for which it has previously performed advisory services, provided that the nature of the advice provided has not impaired its independence and objectivity [14]. Advice may be recommended when critical vulnerability aspects are identified in processes and the audited area is unable to mitigate the risks. In these cases, the advice of an internal auditor, who knows the processes, may be a good solution.

[14] The IIA recommends that the person in charge of the internal audit who has provided advisory services waits one year before undertaking assurance engagements.

Although advisory work carried out by the internal audit team may be a good practice depending on the organization’s needs and its current stage, in certain cases and fields of operation, the practice is vetoed.

1.3. Assurance and Advisory Services

On the one hand, the internal audit function has profound knowledge of processes and areas and can undoubtedly contribute towards improving the organization, making suggestions for improvements in processes, controls and risk management. This is yet another way in which internal audit can add value through providing internal advisory services.
On the other hand, there is a risk that acting as advisor may remove the auditor’s objectivity and independence, especially if the advisor has to issue opinions and audit the area or process that they have themselves helped develop or improve.

Ideally, organizations should seek an advantageous match between the activities to avoid wasting the knowledge held by the internal audit function, which can be very relevant. It must also avoid that its actions in consultancy jeopardize its duty as assessor. Both roles are possible and often necessary.

Although the day-to-day activity is assurance, advice often naturally follows in its wake: when an auditor identifies a problem, they are frequently already thinking of its solution. The manner to harmonize situations like this varies according to the size and maturity of the governance of each organization.

In small and medium-sized organizations, it is common for an auditor to provide advisory services also, as there is no sufficiently robust team to separately perform the two functions. An organization that does not have a structure dedicated to risks and internal controls, for example, may require the advisory services of the internal audit function. In large organizations, on the other hand, the involvement of the internal audit function in advice tasks is usually smaller and the roles are better defined and more clearly outlined.

If the two types of service can be clearly separated, the internal audit function is expected to focus primarily on assurance. The need to perform both approaches poses additional challenges for the auditor. When there are demands for both services, auditors need to maintain their independence and objectivity, but they must also develop interpersonal skills and seek to understand how managers act.
They must also coordinate efforts with the second line of defense (see Item 2.1), taking into consideration the results of this instance only if its objectivity and rigor have been tested.

The search for a coherent and profitable division between advisory and assurance work should also be a concern of the board of directors and the audit committee, if existent. One possibility worth the committee’s examining is investment in training auditors to use data analysis tools which, apart from providing the auditor with a more in-depth analysis of the audited area, may also free up the professionals for strategic and advisory activities.

The audit committee shall specify which assurance and advisory activities will be conducted by the internal auditors. The audit plan should include work expectations and priorities, be aligned with the stakeholders, and be frequently reviewed and updated. The internal audit function should not depart from its role as assessor, and any consultation work must be performed under certain conditions: when there is skill, competence, time, and, above all, the conditions needed to ensure the auditor’s independence and objectivity.

1.4. Main responsibilities of the internal audit

The internal audit shall develop an audit plan based on a risk-assessment process and aligned with the organization’s strategic plan. This plan must be approved by the audit committee or the highest governing body.

Internal audit work focuses on a variety of aspects, depending on the level of maturity of the organization, and shall, among other aspects, assess the financial impacts of the vulnerabilities found. Some of the main responsibilities of the internal audit team from a corporate governance perspective are risk assessment, internal controls, fraud prevention and detection, and compliance.

1.4.1. Risk assessment

The organization’s management and the risk management function, if existent, are responsible for identifying and mitigating risks. The internal audit should audit this function and assess whether it is adequately identifying and mitigating risks and shall report risks that have not been identified by the area. In preparing its work plan, it can also use the risks identified by the function responsible for risk management.

1.4.2. Internal controls

Internal controls are the responsibility of the first line of defense (see Item 2.1). When there is an internal controls area, it monitors their adequacy and effectiveness. It is incumbent upon the management of the organization to ensure that controls work properly, and it is incumbent upon the internal audit function to check that internal controls are being exercised as desired. Auditors must evaluate the internal controls and report the results so that the area or person in charge can coordinate the implementation of actions with the managers to ensure that the controls introduced to mitigate risks are effective. Auditors shall also analyze and recommend improvements to make processes more effective.

1.4.3. Fraud prevention, detection and investigation

Fraud prevention is the responsibility of the organization and must be carried out through the implementation of internal controls. Certain organizations have specific areas to detect operational fraud.

Regarding investigation, best practice recommends that organizations have a specific area for this activity and, in its absence, the investigation should be carried out by the internal audit function, with the support of external specialists as necessary.

The internal audit shall assess the adequacy of the policies, rules and instruments introduced to prevent fraud.

1.4.4. Compliance

Management of compliance in an organization is preferably assigned to a specific function, which is responsible for checking and ensuring adherence to laws, norms, internal policies and the code of conduct of the organization. The internal audit team shall assess whether compliance processes are adequate and report any non-compliance and outcomes so that the compliance management unit may coordinate the necessary actions with the managers.

2. Internal audit and the governance system

Corporate governance is the system by which organizations are managed, monitored, and motivated, and internal audit is one among an organization’s control and monitoring bodies or functions, operating alongside the fiscal council, the audit committee, the independent auditors and the risk management, internal controls and compliance functions.

Assessments and recommendations by the internal auditors shall be aligned with the strategic direction of the organization and are designed to improve internal controls, standards and procedures, as well as to identify risks and suggest the controls needed for their mitigation. These assessments will be used by management and by the board of directors (and its advisory committees, such as the audit committee); one of the duties of the board of directors is to oversee the business decisions taken by managers and guarantee their alignment with the principles, mission, vision and values of the organization.

The internal audit activity plays a key role in governance also by assessing risks to the reputation of the organization, seeking to understand the ethical culture of collaborators (including outsourced or partner companies and particularly suppliers that are part of the organization’s production chain) and emphasizing the effectiveness of organizational processes for compliance with legal and regulatory obligations.
The various areas of an organization must understand the fundamental role of internal audit in the governance structure. Internal audit does not concentrate on people, but rather on auditing issues that pose risks potentially preventing the organization from achieving its objectives.

When providing assurance and advisory services, the internal auditor should always be guided by independence and objectivity. While the former needs to be guaranteed by the organization’s management, the latter is an attitude of the auditor personally. Both attributes shall be accompanied by timeliness: the faster the internal audit can identify risks and opportunities for improvement and point to solutions, the greater the value it will add.

The priority focus of the internal auditor is to help mitigate risks and vulnerabilities in processes and controls before they materialize. It is necessary, however, to establish priorities, given the impossibility of assessing all of the organization’s processes and controls. These priorities are guided by the organization’s risk matrix, which classifies risks according to their probability and impact, and by changes in the business environment.

During their work, the internal auditor should be constantly aware of the opportunities for adding value and preventing losses. For this purpose, the actions of the compliance area need to be actively monitored, and the auditor may provide recommendations for improving controls, rules and procedures, in line with best market practices.

2.1 The internal audit in the three lines of defense model

Use of the three lines of defense model allows for an understanding of how internal audit connects with the various areas in the organization and how it relates to corporate governance.
This model suggests adopting a coordinated approach, which specifies those responsible for the different instances of control and risk management. Since it establishes the roles and responsibilities of each one, risk management communication is improved, avoiding overlapping of activities or ignorance of certain risks. (See The IIA, The Three Lines of Defense in Effective Risk Management and Control, 2013.)

The first line of defense is operational management, responsible for maintaining effective internal controls. The second line consists of the managers of the risk management, compliance, internal controls and other control areas. This line monitors control practices put in place by the first line, suggests improvements and assists those responsible for processes in the front line in identifying risks in their areas. The second line also encompasses the compliance function, which monitors the risks of non-adherence to laws, rules, procedures, etc.

The second line has the knowledge and breadth needed to act throughout the organization, but does not have full impartiality for assessing, since it is involved with management.

Impartiality and independence are made possible by the third line of defense, the internal audit function. Being external, it may evaluate both the functions and processes related to internal controls, compliance and risk management of the two previous lines, and evaluate the organization as a whole.

In organizations with the three lines clearly established, the internal audit team can audit the functions of the second line of defense and operational functions of the first line. Based on the risk matrix, the scope of the audit of the second line should be proportional to the size of the compliance problems the organization may face, so that response by the second line is fast and effective.
If the organization does not have an area dedicated to the second line (risk management, compliance and internal controls areas), the audit area can support these activities, always with due regard for independence and objectivity issues. Likewise, the internal audit function may interact with the area responsible for the complaints channel and support their investigations.

It is advisable that the internal audit area reports to the board of directors in order to guarantee its independence within the organization. When this body is advised by an audit committee, the area shall report to this committee.

The internal audit area shall present its audit plans to the audit committee, together with the work already performed and the level of compliance with its recommendations. The audit committee is responsible for recommending approval of the internal audit budget, compensation of its professionals and appointment and replacement of the internal audit leader. The internal audit area reports to the organization’s chief executive.

[Figure: The three lines of defense model. Adapted from Guidance on the 8th EU Company Law Directive of the ECII/FERMA, Article 41. Labels: Governing Body / Board / Audit Committee; Senior Management; 1st Line of Defense; 2nd Line of Defense; 3rd Line of Defense; Management Controls; Internal Control Measures; Financial Control; Security; Risk Management; Quality; Inspection; Compliance; Internal Audit; External Audit; Regulator.]

The compensation paid to internal auditors shall not depend on the results of the business, but shall instead be oriented toward protecting the value of the organization. If the board of directors deems that variable compensation for the internal audit area is appropriate, bonuses can be tied to aspects such as independence, qualifications, training programs and accomplishment of the audit plan, focusing on the quality of the work performed.
Certain rules, such as those of the Central Bank (see CMN Resolution 4588/2017), prohibit the practice of connecting the area’s compensation with performance, since it compromises impartiality and may lead to illegitimate incentives. The nature of the audit activity is one of assurance and supervision.

Although not ideal, initial approval of the internal audit plan is often followed by budgetary cuts. In such cases, the leader of the internal audit team shall establish priorities and clearly explain to the management the tasks that will remain unperformed due to such budget cuts. As with budget approval, the definition of budget cuts is the prerogative of the board of directors, supported by the audit committee.

[Figure: Context and structure of the corporate governance system. Labels: Shareholders; Fiscal Council; Independent Auditor; Internal Auditor; Committees; Governance Secretariat; Board of Directors; Audit Committee; Chief Executive Officer; Officers; Administrators; Stakeholders; Regulation (compulsory and optional); Environment.]

In an ideal structure, the three lines of defense are clearly established and limited. However, this is not always the case: due to the need to reduce costs, the audit leader is often also involved with risk management and compliance functions. In practice, the size of the organization and its maturity stage vis-à-vis governance may lead to many variations.

It is advisable that the structure proposed by the three lines of defense model be adopted, and that any overlapping of functions between the second and third lines, if in place, be temporary and always dealt with with due regard for the concept of objectivity.

Absent the internal audit, independence and objectivity are compromised.
If the limits of the second line of defense are not clearly defined, the knowledge it adds, its presence throughout the organization and its preventive nature are defeated. In both cases, the organization may be weakened.

2.2 Outsourcing and co-sourcing

The internal audit activity can be outsourced, and it is up to the organization’s highest governing body to ensure its qualifications, objectivity and independence. The hiring process for external suppliers of internal audit services shall always be free of conflict of interest. The existence of a leader within the organization, who is responsible for planning and coordinating the work and is in charge of it, is essential. In view of issues such as expertise, geographical location or other practical reasons, the work can be outsourced either fully or partially. Liability for the work, however, remains with the persons designated by the board of directors of the organization.

Oftentimes, it is necessary to bring in professionals with expertise in different areas to complement internal audit activities. External technical support (or co-sourcing) can be a solution for filling gaps or providing the knowledge necessary for adequate assurance, when such knowledge does not exist within the organization. Furthermore, when an auditor is not trained to assess a given subject, that person must diligently declare technical inability for the task at hand and request assistance.

If the internal audit activity is outsourced, the work should not be performed by the same company providing external auditing services, in view of possible risks to the independence of both tasks. Internal auditors, however, may collaborate with external auditors to the extent necessary, especially for identifying and proposing improvements in the internal controls of the organization. (See, among other documents: IBGC, Código das Melhores Práticas de Governança Corporativa, 2015, p. 90; GT Interagentes, Código Brasileiro de Governança Corporativa, 2016, p. 53; The IIA, “Position Paper: Staffing/Resourcing Considerations for Internal Audit Activity”, 2018, p. 3; Bacen, Resolution 4588/2017, Art. 3, para. 1.)

Another common practice is to invite specialist professionals who work in another area or sector of the same organization to support the internal audit work. In this event, once again the need to guarantee independence of the work shall be observed.

IPPF Standards 1210.A1 and 1210.C1 require the audit leader to seek assistance and advice if the team does not have the necessary skills to carry out all or part of the work. In case of advisory services, the leader shall decline work if the team is unable to do it or seek help in performing it.

3. Internal audit relationships

The internal audit work is usually extensive enough to permeate the whole organization. There are many decision-making bodies and sectors with which the internal audit function relates: from the executive board to the operational areas, second line of defense areas, to monitoring and supervisory bodies, such as the board of directors, the audit committee, partners/shareholders and the independent auditors.

Given this extensive characteristic, and also because the internal audit area may use information from other areas or provide it to them, it is crucial to establish productive relationships with all audited sectors and functions, as well as with those bodies to which the internal audit area reports, at the same time preserving the independence, objectivity, proficiency, due professional care and standards relevant for the performance of its activities. It is always important to bear in mind that the information available to the internal audit is confidential.

3.1. Board of directors

As we have seen in the three lines of defense model, the board of directors is a stakeholder served by the areas and the functions performed in all three lines. The board is, therefore, one of the main customers of the internal audit service.

The internal audit team shall truly understand the board’s priorities. As opposed to being confined in its function and working in those areas deemed of interest, the audit team should take a step back and discover the actual priorities of the collegiate body.

When auditors do not concentrate their work in the board of directors’ interest areas, the internal audit team fails to serve the board satisfactorily, making it harder to win the latter’s attention and trust. The advantage of focusing audit work on those areas that are a priority for the board is that it leads to a mutually beneficial relationship being established.

To avoid a disconnection between the audit and the board, the internal audit leader shall provide time in the audit plan to build a relationship with the board and to become acquainted with the minutes of meetings of the board concerning internal audit activities. In these interactions, the internal audit leader may better understand the needs of the board, demonstrate how the internal audit can add value and clarify issues on the audit’s assurance role and potential advice.

Efforts to build a good relationship with the board involve managing its expectations regarding the role of the audit function and explaining the services it is or is not able to perform.

When the internal audit team is not subordinated to the organization’s main governing body, it is subject to interference by managers, who may ultimately attempt to exert pressure and influence internal audit reports. By consequence, the internal audit shall report to the audit committee or to the board of directors.

The board of directors, with the support of the audit committee, if existent, is the body providing the appropriate environment for the internal audit team’s independent work. Direct access to the board of directors is a necessary condition for such independent work.

The board, supported by the audit committee, shall actively participate in planning the internal audit work, approve its annual plan, analyze the results and monitor implementation of the internal audit team’s recommendations. In multinational companies, which generally do not have boards of directors in Brazil, the internal audit usually reports to the audit committee or to the global director of internal audit committee.

3.2. The audit committee and other committees

The internal audit area ideally reports to the board of directors through the audit committee and, as such, shall be seen as an important ally of this latter body. It prepares reports and generates information used by the audit committee to oversee internal controls, compliance, ethics, risk management and preparation of financial statements.

The relationship between the internal audit team and the audit committee shall, therefore, be one of trust, so that the main issues or deficiencies identified by the former are promptly reported to the latter.

In order to safeguard the independence of the work, meetings between the internal audit team and the audit committee should generally take place with no other executives present, except when participation of another area of the organization is recommended.
Since the audit committee, as an advisory body to the board of directors, is responsible for guaranteeing the conditions and structure necessary for the independent work of the internal audit team, the internal audit area shall state to the audit committee the conditions needed for an adequate operation. In turn, the audit committee should request reports on the work done by the internal auditors and analyze whether the working plan is achieving its objectives. The audit committee may use key performance indicators (KPIs) to evaluate data such as: percentage of the audit plan completed, satisfaction with the results, rate of adoption of the recommendations made, and the lapse of time between conclusion of the audit and presentation of the outcomes.

Some topics that are a permanent focus of the internal audit area, such as internal controls, compliance and risks, are also the exclusive focus of other committees advising the board, such as the risk and internal controls committees. These committees shall have direct access to the internal audit team, which should, however, continue to report to the audit committee, whose scope is broader than that of other committees.

Maintaining performance

THE STATUTORY AUDIT COMMITTEE SHALL MONITOR AND SUPERVISE THE INTERNAL AUDIT

Audit committee duties have increased over time. They have moved from merely supervising the process of preparation of financial statements and the work of internal and independent auditors to overseeing risk, ombudsman, complaints channel, compliance and internal controls issues. These enlarged duties shall not, however, compromise the audit committee’s adequate monitoring of the internal audit, which is one of its functions by virtue of either law or regulations.

3.3. Fiscal Council

Some of the duties of the fiscal council relate to activities carried out by the internal audit team, since the former shall supervise the acts of the administrators, check whether they fulfill their legal and statutory duties, report errors, fraud or crimes and suggest the adoption of measures useful to the organization.

The fiscal council shall therefore have easy access, facilitated by management, to the work of the internal audit team, which may help it fulfill its own duties. In addition to examining the audit reports and issues presented, the fiscal council may gather from the audit team a clear view of the internal controls and of the activities carried out to ensure their effectiveness.

It is recommended, therefore, that the board of directors, when so requested, establishes and maintains open channels of communication between the fiscal council and the internal audit team, aiming to ensure independent monitoring of the organization’s activities. To this end, the board of directors may have the assistance of the fiscal council, in addition to meeting with the fiscal council, leading to important inputs to strengthen the work of the internal audit team.

3.4. Executive management and other areas of the organization

The internal audit area should report to the audit committee or to the board of directors. Therefore, its relationship with the executive management, which is in charge of management, materializes as administrative reporting. In day-to-day operations, the internal audit area interacts with the executive management in order to resolve doubts and make operational demands, since the board of directors and audit committee are not present at all times, and communication with such instances usually depends on scheduling meetings.
But this administrative reporting relationship between the internal audit team and the executive management shall not compromise the independence of the former. Meetings between auditors and managers shall be informative. In other words, the internal audit team clears doubts and requests information, in addition to notifying managers of the results of its assurance work. The internal audit team shall not allow management to interfere with its conclusions, which is why the support of the board of directors and of the audit committee is essential.

There shall be an interaction between the organization’s top executives and the internal audit team, so that auditing actions go through all the processes necessary for the best possible preparation of its action plan. This process starts with the recommendations made by the internal auditors after their work in a particular area and continues when these recommendations are sent to the managers for their comments. After receiving these comments, the auditor analyzes them and considers whether there is any need to adjust the recommendations or keep them as they are. It must be emphasized that, in this process, the auditors need to preserve their independence and objectivity when analyzing management’s comments. Subsequently, managers prepare an action plan to address the gaps found during the audit, and the internal audit team then opines on the effectiveness of the plan and its ability to mitigate risks. The audit report is thereafter sent to the board of directors via the audit committee. This is, therefore, a four-handed process, conducted by directors and auditors, that encourages meetings between auditors and the managers of the processes for clarity, discussion and alignment.
All stages in this entire process, which begins when the recommendations are submitted to managers and ends with presentation of the audit report to the board of directors, shall be formalized and documented. There may be cases in which the audited area does not agree with the issue reported by the internal auditors. In such situations, it is important that the board of directors or the audit committee is notified and that the disagreement is documented.

Although the audit evaluates management processes, the board of directors shall understand its role in the governance structure. It must, therefore, regard audit as a function capable of making its activities safer and more comfortable to the extent that audit works hard to improve internal controls and value generation processes, and not as an activity posing obstacles and uncovering potentially negative evidence.

3.5 External audit

Although the focus of external audit is different from that of the internal audit - the former focuses more on financial statements and the supporting internal controls, while the latter concerns processes, risks, compliance and internal controls - the two activities are complementary, and the work of one can provide the other with information and specific examinations, thus avoiding duplication. There is still little interaction between the two audit functions, even though it may be rich and productive, so the board of directors should encourage this connection.

The Federal Accounting Board (CFC) regulates the use of internal audit work by the independent auditors. Standard NBC TA 610 considers that the independent auditor can use the work of internal auditors.
“This includes: (a) using the work of the internal audit function to obtain evidence of auditing; and (b) using internal auditors to provide direct assistance to the independent auditor, forming part of the team and working under the direction, supervision and review of the independent auditor.”

Similarly, the work of the independent auditors can also be analyzed and used by the internal audit team to monitor or deepen tests and assessments. The results of the work of the independent auditors shall be part of the process by which internal auditors identify risks.

Independent auditors generally assess internal services and identify which can be used in their work. A good interaction between the two audits is beneficial, to the extent that their approaches are complementary.

3.6 Second line of defense bodies (risk management, internal controls, compliance)

In addition to auditing risks, internal controls and compliance functions, the internal audit area may benefit from the work performed by the second line of defense. To define the processes that should be subject to priority assessment, the audit relies on the risk matrix and the assistance of the second line of defense itself. The information produced by these functions (internal controls, risk management and compliance) serves as a source for preparing audit plans and programs. In turn, these plans and programs test the controls and identify critical points and factors exposing the company to risks that may prevent it from achieving its objectives.

In this close contact, it is important that the internal auditors preserve the objectivity of their work. By sharing the vulnerabilities encountered with the second line, auditors help increase the effectiveness of the management of new risks and adjust the most important internal controls in a timely manner.
3.7 Shareholders/Investors

The internal audit team shall report to the board of directors or the audit committee, if existent. However, when the organization does not have a board of directors, the audit team shall have direct access to the organization’s highest governing body (for example, the annual general meeting of partners/shareholders), so the latter can guarantee the former’s independence. In this case, the partners/shareholders shall perform the role that the board of directors and the audit committee usually perform. In addition to supporting the work, they should receive a technical and functional report from the auditors.

Likewise, the internal audit team needs to build rapport with the partners/shareholders, explaining how it can assist the organization to improve processes, and must, in turn, listen to such partners/shareholders to understand their concerns and priorities. If there is no board of directors, the internal audit function shall ensure that the critical points - audit plan, budget, monitoring of action plans - are dealt with and approved directly by the shareholders to guarantee independence vis-à-vis management.

When the internal audit is truly independent and objective, it may provide special reinforcement and clarify issues of compliance, risk management and best governance practices.

3.8 Regulatory and supervisory bodies

Because of their important role in organizations’ internal control systems, it is natural that regulatory and supervisory bodies be interested in establishing relationships with the internal audit team, which should always occur in a transparent manner (see, for example, BIS, The Internal Audit Function in Banks, 2012).
Direct access to internal auditing allows regulators and supervisors to better understand the functioning, not only of the internal audit function itself, but of the entire organization, which shall not compromise the independence of any of the parties. The regulatory body may, for example, request inclusion of certain work within the scope of the internal audit and performance of specific tasks, with the aim of improving internal audit processes. What is important is that regulators and supervisors are able to discuss with internal auditors the risks they have identified and the mitigating measures, as well as how the organization implements the recommendations proposed by regulators and by the internal audit team.

4. Ensuring effectiveness of the internal audit

An effective internal audit implies that the area or professional will adequately play their role in the third line of defense: be capable of evaluating and detecting problems and suggesting corrections in internal controls, risk management, fraud prevention and compliance. But that is not all: in a world of rapid and profound changes in the business environment, the area is increasingly being required to act in a more preventive and advisory manner.

To properly perform its role as guardian in the third line of defense and at the same time be able to meet the growing need to anticipate problems and contribute to generating value, it is recommended that the internal audit prepare a set of regulations (sometimes called bylaws, which should not be confused with the organization’s bylaws). These bylaws are approved by the board of directors and detail the activities of the function, as well as its operating procedures.
The internal audit team shall also be well-prepared from a technical standpoint (qualifications and assurance) and capable of dealing with aspects related to governance, such as meeting the requirements of independence, acknowledging the organization’s culture and connecting with other stakeholders to actually create value. (Some of the main topics of the rules and regulations of internal auditing can be found in Appendix 2 of this document.)

4.1. Promoting independence

The work of internal audit can only lead to an improvement in processes if carried out without interference and pressure. Only if they are independent and objective can auditors gain the trust of the organization. When professionals from the various areas in the organization know that the audit findings meet impartiality criteria, they seek to implement the auditors’ recommendations and the improvement process naturally ensues.

The organization’s daily routine shows that the matter of independence is far from trivial: the existence of pressures on the work of the audit team is more frequent than one might imagine.

A study titled The Politics of Internal Auditing, published by the Institute of Internal Auditors Research Foundation (IIARF) in 2016, showed that 55% of internal audit leaders have been pressured to omit or modify audit findings at least once in their careers, while 17% indicated that these pressures happened on three or more occasions. Other reported forms of pressure were to avoid auditing areas considered to be high risk, or to investigate low-risk areas as a form of personal retaliation against another executive. More than five hundred chief audit executives (CAE) from the United States were interviewed for the study.
To foster an environment conducive to independence, the board itself, as the highest collegiate body in the organization (or the audit committee advising it), shall ensure that the internal audit is truly immune from retaliation when reaching results and conclusions deemed unwanted by the areas and activities it audited. Management, the audit committee and the board can operate efficiently if they can trust the internal audit function.

Actions required to foster internal audit independence:
• Maintain direct reporting to the board of directors or to the audit committee. When neither exists, reporting should be to the organization’s highest governing body.
• Encourage both formal and informal communication between the audit leader and the audit committee coordinator, with periodic meetings between the area and the advisory body.
• Appoint to the position of audit leader only those professionals who have the credibility and ability required to judge objectively and impartially and who are capable of enduring pressure situations.
• Conduct performance evaluations of the audit function headed up by the audit committee and complemented by consultations with managers.
• Clearly define the conditions under which the board of directors might consider replacing the leader of the internal audit team.

Although the focus of internal audit discussions centers on independence, it is worth remembering that objectivity is also a fundamental characteristic of an auditor’s work, as the auditor must come to a personal conclusion based on individual judgment capacity, with no reliance on the opinions of third parties.

4.2 Focusing on the culture of the organization

Much of the internal audit work focuses on objective issues, such as operational process efficiency, internal controls, risk management and compliance.
However, for the work to be effective, it is not only objective aspects that need to be taken into account, but also intangible aspects, such as the culture of the organization.

Culture comprises, or is formed by, the principles, values and essential beliefs of the organization that outline how its internal practices are carried out. It indicates how people should respond to the issues and problems they encounter, particularly when they are faced with dilemmas or contradictory situations. In other words, culture is related to ethics and the means for achieving the desired ends.

The corporate governance scandals undermining organizations are connected to the organizational culture, and when transparency, accountability, equitable treatment and corporate liability are ignored, organizations lose credibility and their value is destroyed. It is important to remark that the commitment and support of the administrators (boards of directors and officers) are essential to establish an ethical culture and a value-abiding conduct. Positive examples of leadership (tone at the top) shall be accompanied by formal and effective processes in the quest for incorruptible organizations &.

An organizational culture that is strongly aligned with compliance will encourage both acceptance and implementation of the internal audit’s recommendations.

As those responsible for the third line of defense, internal auditors are independent and have the capacity to understand and monitor the organizational culture, as they identify the alignment of situations and behaviors with expectations. They check whether the discourse of the leaders effectively materializes into appropriate actions, and if the different management levels mirror the behavior sought by the top of the organization, or whether it departs from what is desired.

& See IBGC, Compliance in the Light of Corporate Governance, 2017.
Audit work should presumably carry an understanding of the culture, and this should not be just an annual exercise; it should rather serve as an alert before problems escalate.

To know the culture of an organization, the internal audit team shall understand the work environment to identify the implicit rules governing the relationships and practices established, as well as communication barriers. The team shall report unacceptable risk-related behaviors, attitudes and decisions and make recommendations for solving the problems.

When monitoring the culture, internal auditors should use the same good practices they use in any other type of audit. The most important and quantifiable items can be defined in conjunction with the board of directors, the audit committee and the executives, but it is important to have deep knowledge of the values and behaviors expected in the organization. Despite the effort needed to achieve objective metrics, the subjectivity of the topic audited has to be considered. The internal audit team must be notified of any cultural peculiarities of the organization and rely on supervision to ensure that subjective aspects lacking an apparent explanation do not lead to hasty conclusions.

When it comes to culture, another item should be evaluated by the internal audit team: the risk culture; in other words, the aggregate of acceptable and encouraged behaviors, discussions, decisions and attitudes toward risk management. While the definition of organizational culture is broader, the definition of risk culture specifically relates to how the risks are managed.

Methods and practices for gathering evidence about the organizational culture:
• Customer satisfaction surveys;
• Internal employee surveys, used to measure job satisfaction;
• Existence of training courses;
• Frequency of legal proceedings;
• Employee turnover;
• Dismissal interviews;
• Negative media coverage;
• Implementation of an operative complaints channel;
• Results of internal audit assurance;
• Existence of an ombudsman.

Assessment of the risk culture Ü is already a practice in many internal audits, which evaluate it along with other routine activities. Internal auditing should monitor risk culture as part of its work routine. In the financial sector, for example, where a weak risk culture can lead to a global financial crisis, risk culture assessment is a particularly relevant activity µ.

Ü There are three basic topics indicating an organization’s risk treatment and risk culture and they should be addressed during a risk culture audit:
• Tone at the top: the goal is to check whether the board considers risk management a priority, what its risk appetite is, how it communicates with employees on this issue and relevant factors for raising everybody’s awareness of the ethical conduct demonstrated and encouraged in the organization.
• Risk management: the idea is to evaluate how risk is managed on a day-to-day basis at management level. Topics that may be considered include: existence of regular meetings on the subject; involvement of the risk management and compliance departments in major changes; managers’ perceptions of the importance of risk management; and the flow of information to senior levels, and whether, in fact, they acknowledge the issues reported and act to solve them in an effective and ethical manner.
• People management: the goal is to assess whether the organization encourages its employees to adopt an appropriate risk culture. This can be evaluated through the existence or non-existence of incentive programs that reinforce the culture of risk management and the adoption of attributes related to such culture in the hiring and the employee development program.

µ The Financial Stability Board, a body created in the United States to monitor the health of systemically important financial institutions, provides guidance on monitoring risk culture.

4.3 Acting timely and creating value

For the internal audit to add value to organizations and act effectively, it shall be agile and flexible in suggesting adjustments to the audit plan, so that changes can be made in a timely manner. The internal audit team must be able to adjust whenever there is a change in the organization’s strategic direction. The audit plan shall not, therefore, be a factor that curtails the internal auditors’ actions. Rather, they must be attentive to the relevant issues arising, even if not originally included in the plan.

The internal audit team shall take the lead on issues pertinent to it and play an active and relevant role in the organization, heading the suggestions for improvement or correction. Ideally, it should become a reference for matters within its competence.

It must also be aware of the expectations the board of directors and the audit committee have with regard to its work. Internal audits are increasingly expected to add value by providing advisory services.
Examples of this are advice on: simplifying and improving compliance functions, which helps improve the information used for decision-making; checking the reliability of the performance measures, monitoring systems and analytical tools used by the organization; and efforts for improving cooperation and the efficiency of the three lines of defense in order to minimize work overlaps or the neglect of certain risks.

The fact is that internal audit is being urged to keep expanding its activities and go beyond a role that focuses on operations, compliance, problem reporting, fraud and error prevention and financial statements. Assessing “just” these items is no longer sufficient. The broader focus of audit has shifted to strategic risks and non-financial matters; the area or the professional shall favor more strategic thinking when managing risks and defining audit plans. One of the important tasks of audit is, for example, to identify signs of deterioration in the risk management culture.

Internal auditors should account for their work by communicating in a timely and clear manner with the board, the executives and other stakeholders. Along with other manners of demonstrating accountability, this communication includes preparing reports (such as the audit report and executive summary), sending emails and making presentations. The manner of communication shall always be aligned with the recipients of the information.

It is important that the results of the internal audit work are presented in two reports: a short, executive-summary-like report covering the critical issues that need to be dealt with, and a longer one, containing the audit scope, its assurance of the risks and the quality of the controls and the process in general. With these two reports, it is possible to ensure adequate communication on critical issues and also provide details of the audit that was carried out.

Another way of making the audit more effective is by using technology.
By automating operational processes and focusing on data analysis, the auditor can spend more time on strategic and relationship issues, thus strengthening the area. Technology should also be used to improve and simplify the internal controls structure. The audit must be capable of understanding technological innovations directly impacting the business world.

Audit committees must encourage the internal audit team to keep up with the pace of technological evolution and be prepared to deal with an increasing amount of data and future innovations, achieving agility and gaining depth when