Assessing the Effectiveness of Governance - How Effective Is the Board?

The IIA Standards require internal auditors to assess the effectiveness of their organization’s governance processes. It’s an understatement to say this is a challenge.

One place to start is with the board of directors (or equivalent). How effective are they in performing their duties?

A leading practice is for boards to perform self-assessments — of the operation of the board, each of its committees, and of individual directors. Perhaps a good place for the auditor to start is by evaluating and providing feedback to the board on the adequacy of board self-assessment processes.

An excellent source for many governance-related topics is the Canadian Institute of Chartered Accountants. In 2005, they released “20 Questions Directors Should Ask About Governance Assessments”.

I suggest reading this and considering whether this represents a valid standard against which you can assess the effectiveness of the board self-assessment process.

Here are some other resources for your consideration:

If you have good guides for board self-assessment, please share — for mutual benefit.

Posted on Jan 24, 2011 by Norman Marks

Share This Article:    

  1. Norman:

    Thanks for this important post. It raises the question of how practical is the IIA standard re governance.  Based on my experience Internal Auditors should be very cautious doing anything in this area in the absence of it being specifically contemplated in their audit charter and endorsed as something the board wants.

    SOX has required companies and external auditors assess the effectiveness of the audit committee as part of SOX 404 effectiveness assessments since inception.  Based on the research I did a few years ago it appears that, amazing as it may seem,  virtually all public companies have effective audit committees.  This is to be expected since it is politically infeasible for internal audit or a company's SOX team to suggest the audit committee is "ineffective" and constitutes a "material weakness" even when history suggests strongly that this is true.  

    External auditors, not surprisingly,  have also not shown much willingness to report that the audit committee that hired them is ineffective.

    Internal auditors that want to tackle an audit of their board should proceed very cautiously, if at all unless they personally have a high risk appetite.

  1. Tim, you raise an excellent point. Thank you!

    It is hard, if not impossible, to ignore the potential impact of a failure in governance processes and practices on the organization. I know you are not an admirer of the COSO Internal Control Framework, but its discussion of the Control Environment layer is rich - and not limited to "tone at the top". I recommend everybody re-read that section of the Framework.

    I agree that too few audit functions have addressed this major source of risk. Fortunately, the IIA is in the process of finalizing a Practice Guide that will provide some practical guidance for practitioners and boards.

    We, as auditors, cannot afford to ignore governance any longer. How can we hold our heads up and say we are assessing how risk is managed when we don't address the effectiveness of the board and other governance processes?

    On the point of the external auditors and their assessment of the audit committee: I leave that to them to explain.

  1. By the way, I want to congratulate Tim Leech on being made a Fellow of the Open Compliance and Ethics Group. Tim has been a passionate advocate for internal audit and risk management for a long time, and its good to see this recognized.

  1. Norman;

    Thanks for the congratulation note. 

    The internal audit profession needs considerably more and better advocacy to avoid being considered irrelevant as evidenced by the new CICA exposure draft on board risk oversight and other US Commissions that have studied major governance failures.  The authors of the CICA exposure draft and, presumably, their advisory board, see no signficant role for internal audit. This needs to change.


Leave a Reply