What the Audit Committee Needs to Know
State of Oregon Audit Committee Training
Salem, Oregon, November 3, 2010

Training Objectives
• Assess the impact of current economic conditions on board and audit committee performance
• Examine how governance is the enabler of any entity’s strategy
• Understand governance, risk management, and compliance (GRC) responsibilities of the Audit Committee

Training Objectives
• Examine a model that will provide reasonable assurance to the Audit Committee (AC) and governing body that the GRC processes are robust
• Understand roles and responsibilities of the AC in their oversight of internal audit and external audit
• Consider an AC calendar
• Review current developments for ACs

Agenda
1. Current Economic and Business Environment
2. High Performance Business Model
3. Corporate Governance Framework
4. Audit Committee Oversight and Monitoring
5. Best Practices for Oversight of Internal Audit

Unit 1: Current Economic and Business Environment

Crisis in Confidence
• Public is skeptical
• Financial system stressed
• Business failures continue
• Risks neither understood nor managed
• Governance mechanisms suspect
  • Ratings agencies
  • Credit analysts
  • Commercial banks
  • Investment banks
  • Regulators
  • Lawmakers
  • Boards of Directors

Board Effectiveness Questioned
• “Effective governance by a board…is a relatively rare and unnatural act…(and) are often little more than high-powered, well-intentioned people engaged in low level activities.” Chait, Holland, and Taylor, 1996
• “There is one thing all boards have in common…They do not function.” Drucker, 1974

Board Effectiveness Questioned
• “Ninety-five percent (of boards) are not fully doing what they are legally, morally, and ethically supposed to do.” Geneen, 1984
• “Boards have been largely irrelevant throughout most of the twentieth century.” Gilles, 1992
• “Boards tend to be…incompetent groups of competent individuals.” John and Miriam Carver, 2001

Conference Board Comments
• The audit committee plays a key role, standing at the intersection of management, independent auditors, internal auditors, and the board of directors.
• But the proliferation of corporate scandals, new legislation, and stock exchange rules are creating critical new roles and responsibilities.

Conference Board Comments
• Traditional role of Audit Committee
  • Oversee, monitor, and advise company management and outside auditors in conducting audits and preparing financial statements

Conference Board Comments
• New role of the AC
  • Discharge new duties and responsibilities and to shift to a more proactive oversight role
  • Ensure accountability of management and internal and external auditors
  • Ensure all groups involved in financial reporting and internal controls process understand their roles
  • Gain input from the internal auditors, external auditors, and outside experts when needed
  • Safeguard objectivity of the financial reporting and internal controls process

NACD Blue Ribbon Commission on the AC
• It is not a stretch to say that the financial and economic crisis and ensuing volatility and uncertainty in the US have put audit committees, and the financial systems they oversee, through a gauntlet.
• If it’s complicated and requires a lot of time and detailed focus, it usually lands on the audit committee’s plate.

Questions for Audit Committee
• What keeps you up at night?
• What risks are over the horizon?
• What risks are not assessed?
• What processes are not assured?
• What is your business model white space?
• Are your Governance, Risk Management, and Compliance (GRC) structures robust enough to support your strategy?

Unit 2: High Performance Business Model

High Performance Business Model
• Monitoring
• Risks/Controls
• Objectives/Metrics
• Governance/Organization/Processes
• Strategy/Risks
• Vision/Values/Culture

Questions for Audit Committee
• Do Oregon State Government entities have compelling visions?
• Are the entities’ values understood and internalized?
• Does the operating culture promote appropriate understanding of governance, risk, and compliance?
• How robust is your strategic planning process?
• Who owns the process?
• What are the metrics to measure performance against the strategy?

Unit 3: Corporate Governance Framework

What is Corporate Governance?
The combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Source: IIA’s International Standards for the Professional Practices of Internal Auditing, December 2003, effective January 1, 2004.

Governance Model
• Strategy
• Monitoring & Communication
• Enterprise Risk Management
• Transparency & Reporting
• Ethics & Business Conduct
• Legal, Regulatory, Standards
• Roles and Responsibilities

Roles and Responsibilities
• Stakeholders
• Governance board and audit committee*
• Executive management*
• Creditors
• Credit analysts
• Process owners, managers, and staff*
• Legislators
• Regulators
• Internal audit*
• External Audit

Roles and Responsibilities
• Governance Board
  • Review and ratify strategy and concur with risks
  • Establish governance structures to enable strategy execution
    • Audit and compliance
    • Compensation
    • Governance and nominating
    • Asset and liability
    • Loan review
    • Risk

Roles and Responsibilities
• Audit Committee
  • Assure effectiveness of governance, risk management, and compliance (GRC) processes
    • Over strategic, financial, operations, and compliance objectives

Roles and Responsibilities
• Executive management
  • Define vision and values
  • Develop strategy and assess risks to it
  • Assess current organizational performance
  • Perform gap analysis against the vision
  • Determine risk appetite
  • Establish strategic objectives
  • Identify critical processes to support strategic objectives
  • Hold process owners accountable

Roles and Responsibilities
• Process owners, operational management, and staff
  • Develop, own, and implement robust business processes to support strategic objectives
  • Align them with entity strategy
  • Establish operating objectives (operational, compliance, reporting)
  • Develop process rules
  • Identify risks to operating objectives
  • Design and implement efficient, effective, ethical, and economical controls
  • Assess periodically

Roles and Responsibilities
• Internal Audit
  • Assure (or coordinate assurance) of governance, risk management, and compliance processes
  • Act as catalyst to support audit committee and management to deploy risk management and governance processes if absent
  • Coordinate—with management—the development of strategic, operational, compliance, and reporting risk universe

Roles and Responsibilities
• Internal Audit
  • Conduct annual risk assessment (significance and likelihood of risk events)
  • Develop risk-based audit plan
  • Deploy competent and capable staff
  • Execute risk-based audit engagements
  • Report observations quickly and concisely to management and AC
  • Follow up for management resolution of residual risks outside risk appetite of the entity

Questions for Audit Committee
• How do you gain assurance that roles and responsibilities are appropriately articulated and understood throughout the organization?
• What charters, committees, and councils are in place?
• How is accountability assured?

Legal, Regulatory, Standards
• US Securities and Exchange Commission
• Sarbanes Oxley Act of 2002
• Dodd-Frank Act of 2010
• OMB Circular A-133
• Oregon Internal Control Guidance
• Public Company Accounting Oversight Board
• International Standards for the Professional Practice of Internal Audit (Red Book)
• Government Auditing Standards (Yellow Book)
• Multiple financial professional associations

Internal Audit Standards
Definition: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

Internal Audit Standards
Standard 2110: Nature of work – Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization
• Ensuring effective organizational performance management and accountability
• Communicating risk and control information to appropriate areas of the organization
• Coordinating the activities of and communicating information among the board, external and internal auditors and management

Questions for Audit Committee
• How does your audit committee gain assurance that all legal, regulatory, and Standards requirements are known and followed?
• Has your Internal Audit function had an external quality assurance review?
• Does your board have ready access to independent legal, accounting, and auditing resources?

Ethics and Business Conduct
• Tone at the Top
  • The message delivered by the senior management of any entity, the degree to which they live that message, and the degree to which the rank and file staff trust the message and the messenger ultimately determine the ethical climate of any institution.

Internal Audit Standards
Standard 2110.A1: Governance
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

What Investors (Stakeholders) Want To Know
• Organizational Culture
• Scope of ethics program and how it relates to strategy
• Structure and resources of ethics function
• Ethics policy and who is bound by it
• How communicated to stakeholders
• How issues raised and handled
• How evaluated and by whom
Source: Open Compliance and Ethics Group

Questions for Audit Committee
• How do you gain assurance that rank and file staff trust the message and the messenger regarding the ethical climate of the institution?
• What are the metrics for fraud and ethics incidents?
• How robust is the ethics training?
• How do whistle blowers contact the board?

Transparency and Reporting
• Understandability
  • Clean and concise using language appropriate to the stakeholders’ competence
• Relevance
  • To decision-making needs of stakeholders
• Reliability
  • Accurate, faithful representation
  • Substance over form
  • Neutrality, freedom from bias
  • Prudence, conservatism
  • Completeness
• Comparability
  • Between periods, between similar entities

Questions for Audit Committees
• How do you gain assurance that transparency and reporting are adequate and appropriate for all stakeholders?
• Who owns responsibility for stakeholder relations?

Enterprise Risk Management
Benefits:
• Identify and manage cross-enterprise risks
• Provide integrated responses to multiple risks
• Seize opportunities
• Rationalize capital

Enterprise Risk Management
Benefits:
• Align risk appetite and strategy
• Link growth, risk, and return
• Enhance risk response decisions
• Minimize operational surprises and losses

Enterprise Risk Management
Assumptions:
• All entities exist to add value to stakeholders
• All entities face uncertainty
• Value is created, preserved or eroded by management decisions
• ERM is an enabler of the management process
• Interrelated to governance
• Interrelated to performance management

Enterprise Risk Management
• Internal Environment
• Objective Setting
  • Strategic
  • Operations
  • Reporting
  • Compliance
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

Enterprise Risk Management
• Monitoring
• Information and Communication
• Control Activities
• Risk Response
• Risk Assessment
• Event Identification
• Objective Setting
• Internal Environment
STRATEGIC | OPERATIONS | REPORTING | COMPLIANCE
ENTITY-LEVEL | DIVISION | BUSINESS UNIT | SUBSIDIARY

Questions for Audit Committee
• How do you gain assurance that the risk management process identifies, considers, assesses, and manages all strategic, operational, reporting, and compliance risks?
• Who owns risk management in your entity?

Monitoring and Communication
• Assurance of Governance, Risk Management, and Compliance by Internal Audit and others
• Self-assessment by Board and Committees
• Tracking incidents of ethics violations, fraud activity, and investigations
• External Audits
• Regulatory Audits
• Hotlines
• Training activity on governance, ethics, fraud, risk, and controls

Questions for Audit Committee
• How do you gain assurance that monitoring and communication activities are sufficiently robust?
• How do you gain assurance that your internal audit function is compliant with Standards and has appropriate competencies and capacity?
• How do you gain assurance that all employees, contractors, consultants, suppliers, and vendors understand your vision, values, strategic direction, and the importance of GRC?

Unit 4: Audit Committee Oversight and Monitoring

Board Responsibilities
• Obedience
  • To the law, to constituted documents, to policies of the company
• Care
  • Attend meetings, prepare by reading materials before meetings
• Loyalty
  • Be an advocate, do no harm

Audit Committee Responsibilities
• “Own” GRC responsibilities on behalf of Board and stakeholders
  • Empower IA and others to assure the effectiveness of Corporate Governance
  • Hire legal, accounting, investigation professional services as deemed appropriate
  • Consider how to incent an Enterprise Risk process
  • Understand fully the regulatory environment and meet with regulators routinely, not just when there are issues

Audit Committee Responsibilities
• Identify financial experts and rely on them for financial guidance
  • Education and experience as a public accountant or auditor or as a principal financial officer, comptroller or principal accounting officer of an issuer or from a position involving the performance of similar functions
  • An understanding of generally accepted accounting principles and financial statements
  • Experience in:
    • The preparation or auditing of financial statements of generally comparable issuers
    • The application of such principles in connection with the accounting for estimates, accruals and reserves
  • Experience with internal accounting controls
  • An understanding of audit committee functions

Audit Committee Oversight of Internal Auditing
Fundamental and Leading Practices
NACD Blue-ribbon Report, October 2010

IA Charter and CAE Reporting Relationship
• Approve the internal audit charter and review it annually to ensure that it is aligned with the Audit Committee’s Charter and adequately articulates the Audit Committee’s needs and expectations from internal audit. (Fundamental)
• Ensure the administrative reporting relationship of the CAE is aligned at a level within the company that will permit internal auditing to fulfill its responsibilities free from interference in determining the scope of internal auditing, performing work, and communicating results. (Fundamental)
• Meet with the CAE to receive updates on internal audit at each regularly scheduled meeting and hold an executive session with the CAE as appropriate. (Fundamental)

IA Charter and CAE Reporting Relationship
• Approve the hiring and removal of the CAE. (Fundamental)
• Approve compensation decisions affecting the CAE. (Fundamental)
• Interview any departing CAE in an executive session to ascertain the reason they are leaving and obtain any parting perspectives on the company’s risk, controls, or governance processes. (Leading)
• Provide input into, and approve succession planning for, the CAE. (Leading)

Internal Audit Planning and Reporting
• Provide input to, and approve the results of, the annual internal audit risk assessment. (Fundamental)
• Approve the annual internal audit plan and any changes proposed during the course of the year. (Fundamental)
• Receive periodic status updates from the CAE on: (Fundamental)
  • The status of executing the internal audit plan
  • Internal Audit strategy, goals and performance metrics
  • Resources, including budget (annual)
  • Significant risk exposures, and control issues, including fraud risks, and governance issues as appropriate (at least annually is fundamental; more frequent is leading)
  • Results of internal audit engagements
  • Follow up on internal audit engagements

Internal Audit Planning and Reporting
• Audit Committee and CAE engage in dialogue on risk management/control environment. (Leading)
• The Audit Committee Chair, and the whole Committee, should periodically informally meet with Internal Audit personnel beyond the CAE. This is to: (Leading)
  • Provide the Audit Committee with transparency to the resources in Internal Audit, and
  • To show support to the internal auditors.

Internal Audit Quality Assurance and Improvement
• Ensure that Internal Auditing undergoes an assessment of its quality by an independent external evaluator at least once every five years. (Fundamental)
• Approve the appointment of the external quality assessment provider. (Fundamental)
• Review the results of the external quality assessment. (Fundamental)
• Review the results of periodic internal audit quality assurance self-assessments. (Leading)
• Hold a private session with the quality assessment provider to review the results of the review and obtain any additional perspectives not noted in the formal report. (Leading)

Other Potential CAE Assistance to the Audit Committee
• The CAE may organize Audit Committee Meetings, such as agendas, materials for meetings, and drafting of minutes. (Leading)
• The CAE may assist the Audit Committee with its self assessment of its effectiveness as a Committee and its compliance with the Audit Committee Charter. (Leading)
• The CAE may provide other assistance to the Audit Committee on issues and special requests of the audit committee that are Internal Audit related. (Leading)

Strengthening Audit Committee’s Role
• Governance environment - The culture, structure, and policies that provide the foundation
  • Assess overall governance structure and policies
  • Assess governance environment and ethics
  • Assess specific audit committee activities
  • Assess risk management structure and activities
  • Assess internal audit’s structure and organization

Strengthening Audit Committee’s Role
• Governance processes - Specific activities that support environment
  • Assess fraud control and communication processes
  • Assess compensation policies and related processes
  • Assess financial governance processes
  • Assess governance activities for strategic planning and decision making
  • Assess governance performance

Strengthening Audit Committee’s Role
• Governance procedures - Specific procedures critical to implement governance activities
  • Assess internal and external governance reporting procedures
  • Assess procedures to escalate and track governance issues
  • Assess governance change and learning procedures
  • Assess governance support software and technology
Source: PricewaterhouseCoopers, 2007

Unit 5: Best Practices for Oversight of Internal Audit

Audit Committee Oversight of IA
• Audit Committee calendar
  • Financial disclosures (quarterly)
  • Charter review (annually)
  • Internal assessment by IA (annually)
  • External assessment of IA (every five years)
  • Review risk universe (annually)
  • Approve audit plan (annually)
  • Review assurance activity (as occurs)

Audit Committee Oversight of IA
• Audit Committee calendar
  • Review competencies and capacity of staff (annually)
  • Benchmark to other IA (every three years)
  • Review open action plans (every meeting)
  • Meet in executive session with CAE (every meeting)
  • Participate in CAE performance and salary review (annually)

Audit Committee Best Practices
• Meet privately with CAE every meeting
• Meet privately with external auditor periodically
• Meet privately with key operational and financial executives periodically

Questions for your Chief Audit Executive
• What are the criteria for establishing the annual and long-range audit plan?
• What assurance do you have that you are in compliance with Standards?
• Does your risk assessment include all known risks to the organization?
• How do you prioritize IA efforts?
• Are there areas of high priority where IA work has been deferred?

Questions for your Chief Audit Executive
• What is the level of respect internally for IA?
• What are management’s practices for responding to IA reports?
• Who in management has reviewed the risk assessment?
• What risk factors do you consider in developing the audit plan?
• How will you provide assurance for governance processes?

Questions for your Chief Audit Executive
• Has IA identified areas of serious concern relative to the corporate internal control environment?
• Are there other matters that you believe should be of concern to the committee?
• Putting yourself in the audit committee’s position, are there questions you believe we should ask?

Questions for your Chief Audit Executive
• What processes are not being assured this year due to resource constraints?
• What processes have never been assured?
• What are your risk-assessment and risk-based auditing methodologies?
• What professional certifications do you and the staff hold, e.g. CPA, CIA, CISA?
• What are the metrics to ensure the audit processes meet objectives?

Questions for your Chief Audit Executive
• How much resource and time does it take to publish a final audit report?
• What is the process to follow with management to complete actions to resolve residual risk?
• How do you track and report aged open actions?
• Do you believe that management is taking risk beyond their delegation levels or in excess of the organization’s risk appetite?

Best Practices
• The Institute of Internal Auditors
• National Association of Corporate Directors
• Open Ethics and Compliance Group
• PricewaterhouseCoopers

Contact Information
Jim Key, Partner
Shenandoah Group, L.L.P.
PO Box 1323
Beaufort, SC U.S.A