A Closer Look at Governance

In my last blog, I promised a look at the elements of governance - a logical next step. Back in December 2007, in the "Governance Perspectives" column of Internal Auditor magazine, I wrote about auditing governance. The article included a sidebar that showed where I see the primary governance activities occurring. Today, I want to review that and go a little deeper. I will use a definition of governance as including the activities of the board and its committees, plus those of the internal audit function and an ethics/compliance officer.

First, here is a functional view of responsibilities:
Full Board
        Board structure, objectives, and dynamics
        Hiring of top executives
        Assessment of CEO performance
        Oversight of organizational strategy, budgets, risk management, operational performance, acquisition success
        Delegation of authority
        Tone at the top
Governance Committee
        Board committee structure, charters, memberships
        Board and committee self-assessment
        Board education and training
        Awareness of governance best practices
Nominating Committee
        Hiring process for new directors
Compensation Committee
        Executive assessment and compensation
        Incentive programs
Audit Committee
        Ethics Policies
        Whistleblower process and investigations
        Awareness and understanding of ethics policies and whistleblower process
        Oversight of external and internal auditors
        Oversight of financial reporting
        Oversight of financial forecasting
Internal Auditing
        Assurance over the adequacy of governance and risk management processes, and related controls
        Consulting services to add value and improve governance and risk management processes, and related internal controls
Ethics/Compliance Officer
        Ethics policies
        Whistleblower process and investigations
        Awareness and understanding of ethics policies and whistleblower process
        Compliance audits
        Reporting to the board and executive management
        Shareholder meetings
        Shareholder communications
A second view is by COSO layer:
Control Environment
Board of Directors
        Corporate organization, strategy, tone, delegation of authority
Audit Committee
        Oversight of external auditing and internal auditing, reviews of financial reporting, etc.; ethics program oversight
Compensation Committee
        Executive compensation
Governance Committee
        Board structure, etc.
Risk Assessment
Board of Directors
        Oversight of risk management
Audit Committee
        Reviews of financial reporting and financial management risks
Control Activities
        Annual ethics certifications
        Budget approvals
        Preparation of materials for board or committee review (by extension)
        Recruiting of C-level executives and directors
Information and Communications
        Shareholder meetings
        Board of Directors
          Reviews of operating performance and executive performance
        Audit Committee
          Oversight of external reporting, external auditors, internal auditors, etc.
        Governance Committee
        External auditors
        Internal auditors
Is this consistent with your view of the elements of governance?

Posted on Jan 18, 2010 by Norman Marks


  1. Hello Norman:  This is a very good list.   I like how you sliced it by topic/process and by COSO component.  A couple of clarifications or additions:

    1) "Hiring of top executives" - I would just add the words "and succession planning" or use "Selection and replacement" of top executives.

    2) "Acquisition success" - I think boards should review significant acquisitions and divestitures (before and after).

    3) Under the Ethics & Compliance officer, I think there should be a bullet around review of significant litigation & responses to that.  I've seen such litigation go to the A/C, but in some companies maybe there is a different group.

    4) Risk assessment, board of directors: "Oversight of risk management" - I would suggest adding "strategic planning" or "objective setting" to that.

    I'll keep your list handy should I ever attempt a direct governance audit!


  1. Norman:

    This is an important topic that deserves lots of exposure and discussion.  Has the IIA published any official guidance in the area that members can use that details how to tackle a governance audit?

    I would be interested to learn how many internal auditors have the mandate and/or have done a comprehensive review of their company's governance processes. Not many internal audit charters I have seen explicitly cover the areas above, and many organizations I know would see this as outside of IA's mandate. Has the IIA done a survey to try and get a baseline on current work being done in this area?

    I think the list should also explicitly include oversight of risk in the company's compensation structures. This should logically be done by the compensation committee, although it overlaps with risk management oversight. This is a new and direct responsibility in the new SEC proxy requirements effective for years after Dec 15, 2009.

  1. Tim, thanks for asking an important question. The IIA issued a paper on Internal Audit's role in Organizational Governance (see the IIA web site), and the Professional Issues Committee is working on two areas of guidance: audits of governance (expect a Practice Advisory in Q1 and a Practice Guide later this year), and auditing the control environment (later this year).

  1. Hello Norman: 

    For your audience, there is also some IIA-sponsored research with PWC called "Corporate Governance and the Board - What Works Best" that has some good information in it.  There is a similar book for Audit Committees.  I'll look forward to the practice advisory.

  1. Norman, this topic is very timely for our organization.  Every CPA firm, both large and small, as well as co-source organizations have a take on this.  I think yours is the most useful and practical.  It is important to note that your list can be adjusted to fit each organization's needs.  Thus it serves as a very good tickler list.


  1. Norman

    I have a horrible sensation that this is a very activity/process-centric view of governance. Governance needs to be cultural as well as process-centric, and it needs to relate to how the board, as the main fulcrum in this, deals with other stakeholders.

    Incidentally, I think that much of this also needs to be seen to permeate into the fabric of the organisation, otherwise it is all meaningless - as indeed it was in many cases in the run-up to the financial crisis. I also think that you are missing the vital compliance aspect which drives boards and directors to want to comply with CG requirements.

    But my main concern is: please, please, please, can we avoid driving this down to a tick-list?



  1. Richard, I 100000% agree that we cannot devolve down to a checklist or tick-list approach when assessing governance processes. The audit has to assess whether the governance processes provide reasonable assurance that the desired results and level of performance will be achieved.

  1. What is the source of information by which Governance is able to fulfill their role for Risk Oversight?

    I think IA should play a significant role in creating the framework for Risk Oversight expectations, as well as the source of information needed to meet those expectations. I also believe that the Audit Committee must be a conduit for this information.
