
Governance to the power of four

KPMG’s 4D governance solutions: Pioneering support, new standards

November 2016

All set for the governance of tomorrow

The managers of companies in the middle of the last century would be astonished by the obligations imposed upon today’s supervisory boards, management boards and management teams. With ongoing globalisation, digitisation and ever increasing complexity as a result of new business models, a company’s management is faced with concrete demands in terms of the effectiveness of its corporate governance systems. And the pressure placed on them continues to grow: in addition to ever-greater statutory and regulatory requirements, the expectations of the public, suppliers and customers are steadily increasing, too.

Effective governance is already about more than merely complying with regulations. It is increasingly becoming an explicit ‘health factor’ for companies, which they need to take into account in order to be successful. If a governance system is implemented effectively and with perceptiveness and is incorporated into the business processes in a targeted manner, the costs involved can be contained.

But how can a company’s management prove it has met its due diligence obligations and has effective systems in place? The Institute of Public Auditors in Germany (IDW) has already delivered on this front with its Assurance Standard 980:

IDW AssS 980 is a standardised approach to assessing compliance management systems (CMS), which has been very well received by companies.

The IDW has now expanded this approach: with the draft standards DAssS 981, 982 and 983, which complement AssS 980, a company’s board and management are given the opportunity to prove that they fully meet the requirements in all four areas of corporate governance, namely risk management, internal control systems, compliance management and internal audit.

Based on this, we have developed a comprehensive audit approach which takes on a pioneering role in terms of corporate governance development. We call it ‘security across all dimensions’ and we look forward to taking you through this development, which points the way ahead.

Jens C. Laue, Head of Governance & Assurance Services


© 2016 KPMG AG Wirtschaftsprüfungsgesellschaft, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks of KPMG International.

You should never relieve someone of their responsibilities. But you can help them bear them.


Even the calmest of waters can contain eddies.


The four pillars of a governance system

From legislation to changing social norms and volatility on the business side, external factors and occurrences such as corporate scandals and the lessons learned from the financial crisis are making preventative systems increasingly necessary within a company.

Supervisory board:

» Germany’s Accounting Law Modernisation Act (BilMoG) prescribes the obligation of a company’s supervisory board to monitor the effectiveness of the corporate governance systems (Section 107 [3] sentence 2 German Stock Corporation Act [AktG]).

» The non-fulfilment of this obligation can lead to serious reputational damage and liability losses (Section 93 [2] in conjunction with Section 116 AktG). Supervisory board members are personally liable.

Management board:

» The management board is obliged to provide the supervisory board with proof that the effectiveness of all the corporate governance systems is safeguarded (Section 90 [1] AktG, Section 43 [1] German Limited Liability Companies Act [GmbHG]).

» The non-fulfilment of due diligence obligations can lead to reputational damage and liability losses and significant fines (Sections 30, 130 German Administrative Offences Act [OWiG], Section 93 [2] AktG, Sections 831, 823 ff., 31 German Civil Code [BGB], Section 43 [2] GmbHG). The management board is also liable towards the company.

Problem:

There are significant overlaps in the activities, remits and goals of the individual governance functions. A lack of coordination of the responsibilities and measures results in duplicated activities in the four areas of risk management, internal control systems, compliance management and internal audit. The consequences: greater costs coupled with either excessive or insufficient control of the risks, and reduced transparency for the target audience. The results in these four areas are often not synchronised.


Solution:

Establishment of a standardised, optimised governance structure and ongoing monitoring of its effectiveness. To achieve this, the IDW has developed three new standards to complement AssS 980, which governs assurance engagements relating to compliance management systems, with the new standards focusing on the remaining governance systems:

» IDW DAssS 981 (Risk management)

» IDW DAssS 982 (Internal control systems)

» IDW DAssS 983 (Internal audit)

Objectives:

Preventing and controlling risks while complying with the increasingly stringent statutory and regulatory rules and safeguarding quality and transparency.

Advantages:

» Early prevention of penalties, corporate scandals and damage to the company image.

» Elimination of uncertainty regarding the design of the systems and their effectiveness.

» Greater cost efficiency.

» Greater transparency regarding the processes and controls within a company.

» Increasing confidence in the company by internal and external stakeholders and by the public.

» Achieving security within the business processes and reporting reliability.

Source: KPMG, 2016

[Figure: Corporate governance functions. Supervisory board // management board; internal audit; compliance management, risk management, internal control systems; cycle of setting targets, assessing risks, implementing measures, monitoring systems.]


IDW AssS 980 as a framework for auditing compliance management systems

Assurance Standard 980 (AssS 980) published by the IDW in April 2011 serves as the basis upon which auditors can audit compliance management systems (CMS). It defines the fundamental components of a CMS and the framework in accordance with which it is audited.

The standard is suitable for the auditing of the compliance management systems of any company, irrespective of size or the sector they are in.

In practice, the CMS subsections, which a company determines based on its risks, frequently include legal issues such as corruption, competition law, export controls, data protection, money laundering, taxation, etc.


Basic elements of a compliance management system pursuant to IDW AssS 980

Source: KPMG, 2016

What are the specific advantages for you in having your CMS audited by KPMG in accordance with IDW AssS 980?

» Evidence of the fulfilment of due diligence and organisational obligations regarding the limitation of risks relating to possible violations of legal provisions and internal guidelines (compliance)

» Greater transparency regarding internal processes and the organisation’s risk awareness

» Identification of potential weak points of the existing CMS and recommendations for action based on this

» Avoidance of liability losses and reputational damage

The seven basic elements of a CMS pursuant to IDW AssS 980, each with the guiding question the figure attaches to it:

» Culture: Is compliance integrated in the corporate culture?

» Goals: Are clear goals defined for the compliance management system?

» Risks: Have the compliance risks been sufficiently determined?

» Programme: What measures and controls have been implemented within the company for observance of the compliance rules?

» Organisation: Does the organisation offer sufficient scope for the compliance regulations to be observed? Have clear roles and responsibilities been defined for the entire company? (This relates to, for example, the centralised and decentralised structure of the compliance department, lines of reporting, and infrastructure such as databases and hotlines.)

» Communication: Are the communication and reporting channels for (and within) the compliance organisation clearly defined, including specifications regarding regular and ad hoc compliance reporting?

» Monitoring: Are the compliance management system and its implementation monitored?


IDW DAssS 981 as a framework for auditing risk management systems

The IDW’s draft Assurance Standard DAssS 981 creates a binding basis and a standard framework concept for the elaboration and auditing of risk management systems (RMS). An RMS comprises all the rules that guarantee the structured management of opportunities and also the strategic and operating risks inherent to a company. The purpose of the audit is to assess the extent to which significant risks (that stand in the way of the goals of the RMS being achieved) are identified, appraised, managed and monitored. The analysis also includes general and key risks, and therefore goes above and beyond the requirements made of a risk early warning system for ongoing corporate risks. IDW DAssS 981 serves as a concrete guideline for companies of all sizes and in a vast number of sectors.


Integrated RMS set-up based on eight basic elements

What are the specific advantages for you in having your RMS audited by KPMG in accordance with IDW DAssS 981?

» Structured and clearly defined approach to setting up and running an RMS

» Added certainty regarding your due diligence and organisational obligations concerning the management of strategic and operating risks to protect the company from unforeseen events and incidences of damage

» Recommendations for action regarding shortcomings and gaps in the system identified in all eight basic elements of the RMS

» Risk plausibility check in the management report

Source: KPMG, 2016

The eight basic elements of an RMS and what each covers:

» Risk culture: Attitude and conduct of all the employees within the company regarding the handling of risks

» Goals: Risk strategy including risk appetite and tolerance

» Organisation: Transparent and clear areas of responsibility and roles

» Risk identification: Systematic analysis of the causes of risks and of early warning indicators

» Risk assessment: Quantitative and qualitative evaluation of risks and aggregation of individual risks

» Risk management: Measures and controls for the avoidance, reduction, division and acceptance of risks

» Risk communication: Reporting obligations and channels for the communication of risks to the relevant bodies within a company

» Monitoring: Regular monitoring of the controls intrinsic to the processes (for example by the internal audit function)


IDW DAssS 982 as a framework for auditing internal control systems

The IDW’s draft Assurance Standard DAssS 982 covers the auditing of internal control systems (ICS) regarding company reporting, i.e. information about the core business processes and supporting processes, which is relevant to decisions concerning the goals set. The audit can comprise all the (distinct) processes within a company.

As such, it goes above and beyond the legally prescribed auditing of the accounting-related ICS during the auditing of the annual financial statements. It is effected in line with the basic elements of the 2013 Internal Control Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and therefore consists of more than merely control activities.

For example, a stringent ICS management process and the regular monitoring of its functionality are relevant to the effectiveness of a control system. IDW DAssS 982 is aimed at companies of all sizes and in all sectors.


What are the specific advantages for you in having your ICS audited by KPMG in accordance with IDW DAssS 982?

» Broad scope and flexible demarcation of the subject of the ICS audit

» Auditing of your ICS which is based on needs and the target audience, in particular taking into account your specific requirements regarding the subject of the audit

» Examples of good company practice for the optimisation of your ICS, taken from broad auditing and consulting experience

» Process transparency and security as well as approaches to improve the internal control system

» Security regarding your due diligence and organisational obligations in relation to the ICS for your company reporting, so as to avoid erroneous representations, fraud or economic losses

Basic elements of ICS pursuant to IDW DAssS 982

» Control environment: Employees’ basic attitude, awareness of the problems and conduct relating to the ICS

» ICS goals: Company reporting requirements derived from needs pertaining to information relevant to decision making

» Risk assessment: Identification and evaluation of risks that jeopardise the process of producing company reports and achievement of the ICS goals

» Control activities: Management and control measures in order to tackle the identified and assessed risks adequately, for example by means of the separation of duties, the four-eye principle or IT authorisation concepts

» Information and communication: Adequate flow of information within the ICS so that the necessary information is shared in just the right format and tailored to the target audience (for example by means of training sessions or guidelines)

» Monitoring: Objective assessment of the effectiveness of an ICS, performed for example by process-independent company employees or by the internal audit function

Source: KPMG, 2016


IDW DAssS 983 as a framework for auditing internal audit systems

The internal audit function is an independent entity that serves as the third line of defence within a corporate governance system alongside the control activities of the internal control system and the monitoring activities of the compliance management system (‘Three Lines of Defence’ model). The IDW’s draft Assurance Standard DAssS 983 demonstrates a systematic approach to assessing the activities of a company’s internal audit function. Based on more than 80 criteria in line with the relevant quality management auditing standards of the German Institute of Internal Auditors (DIIR), the minimum criteria for an effective internal auditing system (IAS) were defined in a criteria catalogue (based on the International Professional Practices Framework, IPPF).

The catalogue is kept general and is therefore suited to companies in various sectors and of various sizes and organisational forms.


What are the specific advantages for you in having your IAS audited by KPMG in accordance with IDW DAssS 983?

» Targeted, comprehensive and standardised auditing of your internal auditing system by an auditor regarding the criteria defined in the basic IAS elements (the International Professional Practices Framework [IPPF])

» Certainty regarding the suitability and effectiveness of the internal audit function – and thus of its process-independent monitoring function in line with the ‘Three Lines of Defence’ model

» Quantitative and qualitative assessment of the criteria based on the basic IAS elements; this also allows for a meaningful overall evaluation of your IAS compared with others in your field and in terms of better practices

Basic IAS elements shown in the figure: Audit culture, IAS organisation, IAS goals, Audit planning and programme, Audit implementation, Audit communication, and Audit monitoring and optimisation approaches. The criteria the figure lists against these elements:

– Basic attitude of the management and the supervisory board/audit committee regarding the necessity of internal auditing

– Approval of rules by the management

– Definition and stipulation of the audit universe (audit areas and topics)

– This includes assessment of the effectiveness of the measures to identify fraudulent activities

– Risk-oriented general planning based on the audit universe and the identified and assessed risks

– Systematic annual audit planning

– Audit preparation and follow-up work with the determining of milestones and the audit duration and definition of the audit procedures and follow-up

– Communication within the audit team and with the relevant stakeholders

– Including the internal audit function in the distribution list for key company information

– Continuous improvement process combined with internal and external quality audits

– Feedback talks

– Definition of roles and responsibilities, and provision of the necessary resources by the management

– Binding auditing guidelines in writing

Source: KPMG, 2016


It takes solutions that hold water to demonstrate depth.

Common features of the IDW’s assurance standards

The IDW’s four assurance standards share a common conceptional composition and are based on the relevant basic elements.

The key similarities at a glance (Source: KPMG, 2016)

Commonalities across AssS 980 – CMS, DAssS 981 – RMS, DAssS 982 – ICS and DAssS 983 – IAS:

Support for management from the auditor (all four standards): An auditor can be contracted to audit individual or all four corporate governance elements. Efficient and comprehensive evidence of effectiveness is ideally achieved for the entire company by combining the four corporate governance audits.

Audit scope (all four standards): The audits can be designed as an appropriateness test (for a specific date) or as an effectiveness test (for a specified period).

Possibility of limiting the audit to specific subsections:

» AssS 980 – CMS: Legal matters (e.g. anti-corruption), companies, business units, countries

» DAssS 981 – RMS: Selected operating risks (e.g. purchasing risks), strategic risks

» DAssS 982 – ICS: Processes (e.g. the purchasing process)

» DAssS 983 – IAS: Processes

First-time application:

» AssS 980 – CMS: Audits since 30 September 2011

» DAssS 981 – RMS, DAssS 982 – ICS, DAssS 983 – IAS: Audits contracted after 31 December 2016. Early application on a voluntary basis is possible at any time.


4D governance – security across all dimensions

What are the characteristics of the 4D governance model developed by KPMG? The model’s key characteristic is the coordination of four dimensions to achieve the best possible alignment of the audit with a company’s security needs.

Why are regular follow-up audits important?

» There is significantly less work involved in follow-up audits in comparison to the initial audit, as they can be based on the audit procedures and findings of the initial audit.

» Follow-up audits maintain security regarding the effectiveness of a corporate governance system and provide companies with evidence of this.

The 4D governance model harmonises the four pillars of a governance system.

If the four assurance standards are applied and coordinated intelligently, demonstrably effective governance divisions without overlaps can be created within a company in the long term. The model further allows the integration and streamlining of process structures, all the way up to the pooled management of all the governance areas in a single function. We see this as the path to the governance of the future, and we want to accompany you on this path with pioneering solutions. We look forward to doing so!


First immerse yourself in the subject matter, then increase the pace.

1. Selection of the system areas and corporate governance system elements to be audited.

2. In accordance with a company’s requirements, focusing on the relevant subsections of the selected system area, such as the purchasing process (ICS reporting) or competition law (CMS).

3. Stipulation that selected companies/business divisions be audited or auditing of entire company.

4. Definition of the effectiveness period and corresponding follow-up audits.

Source: KPMG, 2016

[Figure: 4D governance model, with the four steps above numbered 1 to 4.]


Contact

KPMG AG Wirtschaftsprüfungsgesellschaft

Tersteegenstraße 19 – 23, 40474 Düsseldorf, Germany

www.kpmg.de

www.kpmg.de/socialmedia

The information contained in this brochure is general in nature and does not relate to the specific situation of an individual or a legal person. While we endeavour to provide reliable and up-to-date information, we are unable to offer a guarantee that said information is still as applicable as it was when incorporated or that it will continue to be just as applicable in the future. Nobody should act on the basis of this information without first seeking appropriate expert advice and without thoroughly assessing the situation.

© 2016 KPMG AG Wirtschaftsprüfungsgesellschaft, a member of the KPMG network of independent member companies affiliated to the KPMG International Cooperative (‘KPMG International’), which is a legal person in accordance with Swiss law. All rights reserved. Printed in Germany. The name KPMG and the logo are registered trademarks of KPMG International.