GOVERNANCE, BUSINESS ETHICS, RISK MANAGEMENT, AND INTERNAL CONTROL
GOVERNANCE AND INTERNAL CONTROL
Objectives:
1. To describe the different characteristics and principles of corporate governance.
2. To define internal audit.
3. To discuss the scope, importance and elements of internal audit.
Introduction
Conceptual Framework (diagram; text recovered from the figure)
Layers: VMOS (Vision, Mission, Objectives, and Strategies); Governance; Risks; Controls; Process
Process stages: Initiation; Authorization; Recording (entries); Processing (trial balance); Reporting (management report, financial report)
Overview of the Course
In 1966, the American Accounting Association (AAA) defined accounting as 'the process of
identifying, measuring and communicating economic information to permit informed judgments and
decisions by users of information'.
Accounting is known as the "language of business". Accounting is a means through which
information about a business entity is communicated. Through the financial statements, the end-
product reports in accounting, it delivers information to different users.
Thus, these elements (governance, ethics, risk management, and internal control) are the factors
that ultimately shape the information reported to stakeholders, whether internal or external users.
Abstraction
According to SEC Code of Corporate Governance:
… the system of stewardship and control to guide organizations in fulfilling their
long-term economic, moral, legal and social obligations towards their stakeholders.
Corporate governance is a system of direction, feedback and control using regulations,
performance standards and ethical guidelines to hold the Board and senior management accountable for
ensuring ethical behavior – reconciling long-term customer satisfaction with shareholder value – to the
benefit of all stakeholders and society. Its purpose is to maximize the organization’s long-term success,
creating sustainable value for its shareholders, stakeholders and the nation.
The OECD Principles of Corporate Governance say corporate governance:
…involves a set of relationships between a company’s management, its board, its shareholders
and other stakeholders.
…also provides the structure through which the objectives of the company are set, and the means
of attaining those objectives and monitoring performance are determined.
The IIA says governance is:
…the system by which a company is controlled and directed.
Governance includes the rules and procedures for making decisions on corporate affairs to
ensure success while maintaining the right balance with stakeholders’ interest.
Governance is the leadership and direction given to a company so that it can achieve the
objectives of its existence.
COMPONENTS OF GOVERNANCE
Strategic Direction- refers to the actions you are taking to achieve the goals of your
organizational strategy. Some companies use a “vision statement” or “mission statement” to define where
the company wants to be. In short, this statement is a way for the company to set the direction that the
company wants to go, and define what it wants to be in the future.
“What is the big picture for wanting to be in business?”
VISION – “WHY?”
MISSION- “WHAT?” (tangible way of making your vision into reality)
Oversight - refers to the actions taken to review and monitor an organization and its policies,
plans, programs, and projects, to ensure that they:
are achieving expected results;
represent good value for money; and
are in compliance with applicable policies, laws, regulations, and ethical standards.
Oversight is composed of “over,” meaning above, and “sight,” meaning looking, but not
touching. Indeed, those in charge of oversight functions are asked to look at a process,
program, or project from above, but not to get involved in its day-to-day management.
In other words, oversight (or watchful care) is a safety net to ensure the following:
Due diligence takes place before key decisions are made.
Policies and strategies are being implemented as intended.
Key risks are identified, monitored, and mitigated.
Business processes and systems are working well.
Expected results are being achieved.
Value for money is obtained.
Activities comply with policies, laws, regulations, and ethical standards.
Developing areas of concern are being dealt with.
Assets are being safeguarded.
Continuous improvement is taking place.
In practice, oversight can be conducted through various functions, including:
Planning
Defining information needs
Challenging
Advising
Approving
Deciding
Monitoring
Reviewing
Taking corrective actions
Who are the STAKEHOLDERS?
Any individual, organization or society at large who can either affect and/or be affected by
the company’s strategies, policies, business decisions and operations, in general. This includes, among
others, customers, creditors, employees, suppliers, investors, as well as the government and community
in which it operates.
Simply put, stakeholders are parties (both internal and external) who have an interest in
well-being of the company.
Who are the BOARD OF DIRECTORS? (TCWG or THOSE CHARGED WITH GOVERNANCE)
The governing body elected by the stockholders that exercises the corporate powers of a
corporation, conducts all its business and controls its properties.
The Board of Directors is the primary direct stakeholder influencing corporate governance.
Why is it important?
Corporate governance became a pressing issue in the United States at the turn of the 21st century,
after fraudulent practices bankrupted high-profile companies such as Enron and WorldCom. It resulted
in the 2002 passage of the Sarbanes-Oxley Act, which imposed more stringent recordkeeping
requirements on companies, along with stiff criminal penalties for violating them and other securities laws.
The aim was to restore public confidence in public companies and how they operate.
Separation of Ownership and Control over the Business Activity.
The shareholders own the company but generally do not run it. There is a separation of
ownership and control. In order to retain control over the company, shareholders elect a board of
directors with oversight authority. The board then hires the CEO, who is responsible for assembling the
management team that runs the company. Because managers typically hold little or no ownership stake,
their interests may diverge from those of the shareholders, and without suitable controls they may not
pursue the company’s objectives as diligently as the owners would.
Agency Theory
Agency theory is a theory of the relationship between the principal and an agent.
In limited companies, the directors and senior managers act as agents of the shareholders, who
own the company.
Agency theory is based on the view that when an agent represents a principal, the self-interest of
the agent is different from the interests of the principal. Without suitable controls and incentives, the agent
will make decisions and actions that are in his or her own interest rather than those of the principal.
Why is agency theory relevant to corporate governance?
Agency theory is relevant to corporate governance because many of the measures recommended
for good governance are concerned with controls and incentives that will persuade agents to act in the
shareholders’ best interest.
For example, controls are applied through accountability and incentives are given in remuneration
packages.
MERALCO’s Corporate Governance Structure
Guided by the principles of Fairness, Accountability, Integrity, Transparency and Honesty
(FAITH), Meralco’s governance structure plays a critical role in championing ethical and sustainable
practices across the enterprise.
Audit Committee
Members of the audit committee shall be members of the board of directors of the issuer but
otherwise shall be independent.
An audit committee (AC) should liaise with the external auditor, supervise internal audit, and review
the annual accounts and internal controls.
The external auditor reports directly to the audit committee.
There are several reasons why an audit committee is beneficial to an organization.
1) Independence of the external auditors. The committee selects the external auditor and thus can
eliminate some pressure that the executive management might try to apply.
2) Competence of the external auditor. The committee also assesses the competence of the external
auditor.
3) Providing an assessment of the financial statements and audit process. The committee reports
to the board on matters that they consider relevant, with regard to financial statements and audit process.
Its responsibility is to ensure that the statements are reliable.
4) Independence of the internal auditor. The committee helps to ensure the independence of the
internal audit function (IAF) by having the IAF report functionally to the committee rather than to
anyone in management.
5) Increase public confidence.
Compliance Officer- monitors, reviews, evaluates and ensures the compliance by the corporation, its
officers and directors with the relevant laws, rules and regulations and all governance issuances of
regulatory agencies; reports violations of the aforementioned rules to the Board and recommends the
imposition of appropriate disciplinary action.
Management – a group of executives given the authority by the Board of Directors to implement the
policies it has laid down in the conduct of the business of the corporation.
Independent director – a person who is independent of management and the controlling shareholder,
and is free from any business or other relationship which could, or could reasonably be perceived to,
materially interfere with his exercise of independent judgment in carrying out his responsibilities as a
director.
Executive director – a director who has executive responsibility of day-to-day operations of a part or the
whole of the organization.
Non-executive director – a director who has no executive responsibility and does not perform any work
related to the operations of the corporation.
Internal control – a process designed and effected by the board of directors, senior management, and
all levels of personnel to provide reasonable assurance on the achievement of objectives through efficient
and effective operations; reliable, complete and timely financial and management information; and
compliance with applicable laws, regulations, and the organization’s policies and procedures.
Enterprise Risk Management – a process, effected by an entity’s Board of Directors, management and
other personnel, applied in strategy setting and across the enterprise that is designed to identify potential
events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable
assurance regarding the achievement of entity objectives.
Related Party – shall cover the company’s subsidiaries, as well as affiliates and any party (including their
subsidiaries, affiliates and special purpose entities), that the company exerts direct or indirect control
over or that exerts direct or indirect control over the company; the company’s directors; officers;
shareholders and related interests (DOSRI), and their close family members, as well as corresponding
persons in affiliated companies. This shall also include such other person or juridical entity whose interest
may pose a potential conflict with the interest of the company.
Related Party Transactions – a transfer of resources, services or obligations between a reporting entity
and a related party, regardless of whether a price is charged. It should be interpreted broadly to include
not only transactions that are entered into with related parties, but also outstanding transactions that are
entered into with an unrelated party that subsequently becomes a related party.
Professional accountants carry out a range of roles in relation to governance – for example, in external
or internal audit, in managing risk and developing internal controls – while also abiding by professional
and corporate ethical frameworks.
Professional accountants in the governance field face many challenges as organizations and
workforces become increasingly global and mobile. Individuals sometimes encounter a gap between
ethical theory and reality. Professional accountants face particular challenges when working in
countries where bribery and corruption are widespread or where local cultural traditions in relation to
religion, ethnicity and politics can conflict with otherwise widely accepted governance practices.
Emerging frameworks for corporate social responsibility and integrated reporting might help close the
theory-reality gap and help to improve corporate governance and risk management. The management
of non-financial risk in areas such as strategy, operations, technology and reputation is also becoming
more important for professional accountants.
Developments in technology are also having an impact, changing the way that professional
accountants can work by creating new opportunities for virtual collaboration and data analysis. At the
same time, the spread of social media is supporting increased stakeholder engagement and activism,
which needs to be monitored and managed. Virtual and crypto-currencies are also creating new
challenges. For example, how should companies that accept bitcoin payments conduct compliance
checks on the sources of the funds?
Internal Audit
It is an independent and objective assurance activity designed to add value to and improve the
corporation’s operations, and help it accomplish its objectives by providing a systematic and disciplined
approach in the evaluation and improvement of the effectiveness of risk management, control and
governance processes.
Governance of Risk: Three Lines of Defense
Internal audit has a key role in the corporate governance structure to assure on the effective management
of risk:
The board provides direction to senior management by setting the organization’s risk appetite. It also
seeks to identify the principal risks facing the organization. Thereafter, the board assures itself on an
ongoing basis that senior management is responding appropriately to these risks.
The board delegates to the CEO and senior management primary ownership and responsibility for
operating risk management and control. It is management’s job to provide leadership and direction to the
employees in respect of risk management, and to control the organization’s overall risk-taking activities
in relation to the agreed level of risk appetite.
To ensure the effectiveness of an organization’s risk management framework, the board and senior
management need to be able to rely on adequate line functions – including monitoring and assurance
functions – within the organization.
The IIA and the IoD endorse the 'Three Lines of Defense' model as a way of explaining the relationship
between these functions and as a guide to how responsibilities should be divided:
The first line of defense – functions that own and manage risk
The second line of defense – functions that oversee or specialize in risk management, compliance
The third line of defense – functions that provide independent assurance, above all internal audit.
1. First line of defense
Under the first line of defense, operational management has ownership, responsibility and accountability
for directly assessing, controlling and mitigating risks.
2. Second line of defense
The second line of defense consists of activities covered by several components of internal governance
(compliance, risk management, quality, IT and other control departments). This line of defense monitors
and facilitates the implementation of effective risk management practices by operational management
and assists the risk owners in reporting adequate risk related information up and down the organization.
3. Third line of defense
Internal audit forms the organization’s third line of defense. An independent internal audit function will,
through a risk-based approach to its work, provide assurance to the organization’s board of directors and
senior management. This assurance will cover how effectively the organization assesses and manages
its risks and will include assurance on the effectiveness of the first and second lines of defense. It
encompasses all elements of an institution’s risk management framework (from risk identification, risk
assessment and response, to communication of risk related information) and all categories of
organizational objectives: strategic, ethical, operational, reporting and compliance.
The Role of the Three Lines of Defense
Internal audit is uniquely positioned within the organization to provide global assurance to the
audit committee and senior management on the effectiveness of internal governance and risk processes.
It is also well-placed to fulfil an advisory role on the coordination of assurance, effective ways of improving
existing processes, and assisting management in implementing recommended improvements. In such a
framework, internal audit is a cornerstone of an organization’s corporate governance.
The use of the three lines of defense to understand the system of internal control and risk
management should not be regarded as an automatic guarantee of success. All three lines need to work
effectively with each other and with the audit committee in order to create the right conditions. The IIA
itself revised the model in 2020 as the “Three Lines Model”, dropping the word “defense” to stress that
the lines exist to support value creation as well as protection, and that their roles must be coordinated
rather than treated as rigid silos.
In some organizations the role of internal audit is combined with elements from the first two lines
of defense. For example some internal audit functions are asked to play a part in facilitating risk
management or managing the internal whistleblowing arrangements. Where that happens, boards need
to be aware of potential conflicts of interest and ensure they take measures to safeguard the objectivity
of internal audit.
Four key issues for directors monitoring internal audit's effectiveness
Before considering the detailed recommendations of this guidance, it is important to stress the
four fundamental issues that should be considered by directors in order to ensure that internal audit
maximizes its contribution to good governance:
Internal audit should have a functional reporting line to the board or one of its committees, making
it independent of the executive, able to make objective judgements, and giving it the authority to conduct
its work across the whole organization without constraint. To work effectively it also needs a close
relationship with the Chief Executive and should have access to management information going to the
executive committee and board.
Internal audit must be properly resourced, including ensuring a consistently high level of
professionalism and quality based on the International Standards, plus appropriate knowledge, skills and
experience.
Internal audit should use a risk-based approach in developing and executing the internal audit
plan in order to focus on the greatest threats to the organization.
Internal audit’s scope should be unrestricted, including all areas of risk – such as key corporate
events, culture and ethics, reputation, new products and the outcomes of processes. The following
recommendations for directors are consistent with the globally recognized International Standards.
Corporate social responsibility (CSR)
It refers to the responsibilities that a company has towards society. CSR can be described as
decision-making by a business that is linked to ethical values and respect for individuals, society and the
environment, as well as compliance with legal requirements.
CSR is related to the idea that as well as their responsibilities to shareholders, boards of companies are
also responsible to the general public and other stakeholder groups. Carroll’s model of social
responsibility suggests there are four ascending levels of social responsibility. Lower levels should be
generally addressed first, although true responsibility can only be demonstrated with reference to all four.
1) Economic responsibilities: Companies have economic responsibilities to shareholders who
require a good return on their investment, to employees who want fair employment conditions
and reasonable wages, to customers who want value for money, the suppliers who want to get
paid on time and others.
2) Legal responsibilities: Companies have an obligation to respect society’s moral views as
expressed in legislative codes. Obeying these laws must be the foundation of an organization’s
compliance with social responsibilities.
3) Ethical responsibilities: Apart from compliance with legal requirements, companies should
act in a fair and just way even if the law does not compel them to do so.
4) Philanthropic responsibilities: According to Carroll, these are desirable requirements as
opposed to mandatory. They include charitable donations and contributions to local community
projects.
The principles of CSR. There are five main aspects.
1) A company should operate in an ethical way, and with integrity.
2) A company should treat its employees fairly and with respect.
3) A company should demonstrate respect for human rights. For example, a company should
not tolerate child labor.
4) A company should be a responsible citizen in its community.
5) A company should do what it can to sustain the environment for future generations. This
could take the form of:
Reducing pollution of the air, land or rivers and seas.
Developing a sustainable business, whereby all the resources used by the company
are replaced.
Cutting down the use of non-renewable (and polluting) energy resources such as oil
and coal and increasing the use of renewable energy sources (water, wind).
Re-cycling of waste materials
Discuss and critically assess the concept of stakeholders and stakeholding in organizations
and how this can affect strategy and corporate governance.
The concept of corporate citizenship and corporate social responsibility is consistent with a stakeholder
view of how a company should be governed. A company has responsibilities not only to its
shareholders, but also to its employees, all its customers and suppliers, and to society as a whole.
In developing strategies for the future, a company should recognize these responsibilities. The
objective of profit maximization without regard for social and environment responsibilities should not be
acceptable.
Problems of dealing with stakeholders: When dealing with stakeholders, certain problems
could arise, such as:
Dealing with stakeholders may be time consuming and expensive.
Could be a culture clash between company and certain groups of stakeholders.
There may be a conflict between company and stakeholders on certain issues when they are
trying to collaborate.
Full consensus is difficult or impossible to achieve and the solution may not be strategically
desirable.
Social Responsibilities can impact what companies do in a number of ways, such as:
Objectives and mission statements. A company that publicizes a mission statement mentioning its
social objectives signals that the board believes those objectives have a significant impact on
strategy.
Ethical code of conduct. Having a code of conduct is a way for the company to signify its
pursuit of good corporate behavior.
Corporate social reporting and social accounts. As part of social responsibility, a company
may decide to report on its ethical and social conduct, or possibly produce social accounts
showing quantified impacts on each of the organization’s stakeholder constituencies.
Corporate governance. Impacts on CG could include representatives from key stakeholder
groups on the board, or perhaps even a stakeholder board of directors.
Explain and analyze ‘best practice’ corporate governance disclosure requirements.
Annual reports must convey a fair and balanced view of the organization. They should state whether
the organization has complied with governance regulations and codes. It is considered best practice to
give specific disclosures about the board, internal control reviews, going concern status and relations
with stakeholders. CG codes recommend that the annual reports of listed companies should state the
extent to which the company has complied with relevant laws, regulations and CG codes, the areas of
non-compliance and reasons for such non-compliance.
Recommended disclosures include:
o Information about the board of directors.
o Reports from the Audit Committee, Nomination Committee, and Remuneration Committee.
o An explanation of directors’ and auditors’ responsibilities in relation to the accounts.
o Details of the external auditors, noting any changes and steps taken to ensure auditor objectivity
and independence when non-audit services have been provided.
o A statement from the directors as to the effectiveness of internal controls, including risk
management.
o A statement on relations with, and dialogue with shareholders.
o A statement that the company is a going concern.
o A sustainability report, including the nature and extent of social, ethical, health and safety and
environmental management policies and procedures.
Good disclosure helps reduce the gap between the information available to directors and the information
available to shareholders, and addresses one of the key difficulties of the agency relationship between
directors and shareholders.