Corporate Governance

Control Environment

Internal control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.

Reporting Elements for the Board of Directors

01 Internal Control System

Internal control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.

02 Risk Governance

Risk governance is the companywide system and structure for identifying and managing current and emerging risks, including the role of the board in setting the company’s risk appetite and overseeing the risk management process.

03 Compliance

Compliance is the process through which companies demonstrate that they have conformed to specific requirements in laws, regulations, contracts, strategies and policies.

04 Subsidiary Governance

Governance of subsidiaries is critical, as they can represent a large share of a company’s value and consolidated financial results. As separate legal entities, subsidiaries present inherent conflicts of interest, notably with minority shareholders and in intercompany transactions.

Leadership Practices

The COSO Internal Control Framework helps companies design and implement internal controls that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance.

Internal Control Systems And Internal Audit Function

Internal Control System

The report should describe the roles of the board, audit committee, and senior management in the internal controls of the company, including the following:

  • Financial accounting and reporting controls;
  • Nonfinancial accounting and reporting controls;
  • Operational controls, including sustainability and stakeholder risks (worker, consumer, community health and safety);
  • Compliance controls, including ethics and compliance: code of ethics, whistleblower systems and anticorruption measures.

Internal Audit Function

The report should describe how the board is carrying out its responsibility to ensure the financial integrity and the integrity of its operations, including:

  • Auditor’s reporting to the audit committee, and relationship with management;
  • Main activities, challenges, and findings of the internal audit;
  • How the internal audit function is carried out, including by an external firm;
  • Assessment of ESG policies and practices and IT and security systems;
  • Corrective action on control deficiencies, including those highlighted in the external auditor’s letter.

Leadership Practices:

The internal audit function should:

  • be independent, objective, risk-based, and empowered with an unlimited scope of activities;
  • be subject to periodic quality assessment by a third party;
  • report directly to the audit committee and administratively to management.

Audit Committee

The report should describe the role and deliberations of the audit committee, including oversight of the following:

  • accurate financial statements;
  • internal and external audit process;
  • related-party transactions;
  • quality of sustainability information;
  • if there is no risk committee, risk oversight and management.

Additional justification may be necessary in situations where independence appears compromised.

External Auditor

The report should describe:

  • Tenure, qualifications, and independence of the external auditor, and the effect of any long association on independence;
  • Non-audit work by the external auditor and its impact, if any, on the independence of the audit, plus a breakdown of audit and non-audit fees;
  • Periodic assessment of the quality of the external audit;
  • Corrective actions taken on issues raised in the external auditor’s management letter;
  • Any Audit Quality Indicators used in monitoring the effectiveness of the external auditor;
  • Role of the audit committee in overseeing the external auditor and in agreeing to the audit plan.

Examples Of Reporting

Internal Controls—Mondi, 2018 Annual Report

This example describes typical elements of a company’s internal controls, including financial, operational, and compliance controls and risk management.

Risk Governance

Risk Appetite

Risk appetite is the aggregate level and type of risk that the organization is prepared to accept in pursuit of its strategy. The report should address:

  • Overall risk appetite, risk capacity, and the risk profile of the organization;
  • Maximum risk tolerance for each material risk;
  • How risk appetite is determined;
  • Quantitative and qualitative measures used;
  • Whether the organization’s risk appetite was approved by the board.

Risk Assessment and Management

The report should describe the methodology for identifying, monitoring and controlling risk, including the determination of response to risk events. It should also address how the company evaluates the effectiveness of its risk controls to determine whether the risk level is within the organization’s risk appetite.

Integrating Sustainability

The report should address how sustainability risks have been integrated into the risk management framework.

Risk Oversight

The report should describe the responsibility of the board for oversight and control of risk management, either through a formal risk management committee, or through the audit committee.

The IIA’s Three Lines Model is an international standard for risk governance. It emphasizes the relationships between the people involved in risk management, to ensure the effectiveness of risk management and the control system, and accountability for their oversight.

Examples Of Reporting

Three Lines Of Accountability For Risk—Woolworths Australia 2020 Annual Report

Compliance

Management System

The report should describe the management system that ensures compliance with the law, the company’s charter and corporate governance policies, and the code of ethics. This includes employee training, auditing and monitoring systems, the company “hotline”, guidance on conflicts of interest, and sanctions and disciplinary action.

Integrating Sustainability

The report should describe the role of compliance in managing E&S issues:

  • respect of internal codes of conduct or ethics, including in the supply chain;
  • compliance with rules and regulations associated with E&S issues (pollution, corruption, workers’ treatment, etc.).

Subsidiary Governance

The report should provide organizational charts of the organization including its subsidiaries and the degree of control. It should also include information on subsidiaries’ jurisdiction, line of business, assets and revenue.

The annual report should also include a description of the subsidiary governance framework as part of the control environment, covering the following:

  • Creation and dissolution of legal entities;
  • Structure and composition of subsidiary boards;
  • Subsidiary categorization based on its strategic importance and complexity;
  • Subsidiary oversight at the board level;
  • Application of the parent’s audit and internal control processes to the subsidiary;
  • Escalation procedures for transactions that require approval by the parent company.

Leadership Practices:

A parent company should use its internal audit function to evaluate the robustness and compliance of governance practices of its subsidiaries.

Examples Of Reporting

Governance Of Company Groups—HSBC 2019 Annual Report