Murdoch and News Corporation Case Shows Need to Revisit Role of Internal Audit

Whether you believe the Murdochs, Rupert and James, knew about the alleged bribes and hacking or not, it seems clear that News Corporation would have benefited from a strong, independent internal audit function that assessed and reported on the corporate culture to the board.

But can internal audit effectively assess the culture of the organization, including the tone at the top of the executive tree, in its current state?

At the IIA International Conference in Kuala Lumpur, Lord Smith (of the UK Smith report on corporate governance) suggested that internal audit should be able to stand up and tell the board that there was a risk to the company because the CEO was a "bully". I agree that an ineffective CEO can be a tremendous threat to effective performance. But how many CAEs have the ability to say something without dire consequences, even if given credibility by the board? In the words of a former audit committee chairman I worked with, the CEO has a "bigger business card". It takes a lot to criticize either the CEO or CFO in your report to the audit committee and the board is always reluctant to go against its top executives.

Professor Andrew Chambers strongly believes that internal audit should not only report to an independent chairman of the board, or lead independent director if the CEO chairs the board, but be funded as part of board operations. The compensation of the CAE should be set by the board, not by management.

While a handful of companies (apparently including Novartis) have internal auditing reporting to the board, most CAEs report administratively to the CFO and functionally to the audit committee.

Is it time to make a change and have the CAE report both functionally and administratively to the independent members of the board, with funding set by the board? In other words, should the board hire the CAE and his team as their 'independent experts'?

I think this can be done and it is time to give it strong consideration. What do you think?

Posted on Jul 19, 2011 by Norman Marks

Share This Article:    

  1. A very interesting article that highlights the importance of having independent board members. Thank you.

  1. The role of the independent director should also be questioned. See this great post by Lucy Marcus: http://blogs.hbr.org/cs/2011/07/independent_directors_need_to.html

  1.  Check this out on the company's audit committee: http://goingconcern.com/2011/07/lets-meet-the-news-corp-audit-committee/

  1. Hi Norman Not sure if you're aware but I was CAE of Fairfax Media - Newscorp's arch rival in Australia. As such I've got a lot of inside track on this one. As you'll know better than most, I'm normally a tough critic, so it's rare that I'll come out in support of a company in a situation like this. My immediate reaction however is to defend their audit team and their audit committee. I know a lot of these people. I like them, trust them and respect them. Many of their practices are upper quartile. There are bigger issues around governance at News which wouldn't have dealt with this issue, but investors know this when buying into a family business, and is part of the comply or explain principles on corporate governance here in Australia. When people buy Newscorp, they are going long on the Murdochs and most would understand the risks of closely held companies. If people want to dig into the governance issues at News, I'd recommend my colleague's blog - http://www.maynereport.com/. Stephen Mayne has had more stand-up public arguments with Rupert about governance than anyone on the planet, including all the proxy advisors and the like. There are also some bigger issues coming out from the News story which affect every audit shop, and there is a really big elephant in the room for everyone. I'll aim to find the right soapbox for these in the next few days and share the link here.
  1. Todd, thanks for sharing this and I am looking forward to more insights. Frankly, I doubt that any respectable audit committee would accept what seems to have been the culture - if they knew about it. Assuming they did not, is it reasonable to expect an internal audit department to know? If they suspected something, did they have the access and resources to address this risk? The public may never know, but I am sure that it would be a lot easier to address culture issues if internal audit was free from any undue influence from management, including having proper resources and access.

  1. Since 2008 I have been asking similar questions. On a panel discussion at the IIA International Conference in Kuala Lumpur, I argued for the incorporation of the internal audit function as a subsidiary professional corporation answerable only to the audit committee of the parent corporation (to be mandatory for all major organizations in the banking and insurance industries, optional for others). The purpose would be to formalize the independence of the function, provide necessary legal mandates to evaluate key business areas including senior management, promote audit committee evaluation of internal audit by internal and external parties as required by SOX, and enhance transparency with investors, governmental agencies, and the general public. As the COSO fraud studies indicate, most major frauds have involved executives in senior management. If events of the past few years are to serve as a lesson, my view is that it is time to create sufficient formal separation between the internal audit function and senior management.

  1. The more independent Internal Audit is, the better, no doubt about that. Otherwise its objectivity is impaired, it becomes irrelevant and its purpose is defeated.  

    Great article, as usual 

  1.  Norman/Todd/Luke:

    What a mess this situation is that continues to unfold day by day. I do not believe that changing the reporting relationship of internal audit may necessarily be the answer. it could but then again, there is so much that we do not know. We do not know what internal audit knew and what they were tasked to do. We do not know their reporting relationships. We do not know extent of a comprehensive risk management system including the external auditors and what they should have ostensibly been able to pick up( eg. were the bribes properly recorded and if so to what account?)

    Norman- those two reports you reference above are excellent and Todd- the Mayne Report contains some really brutal questions for Mr. Murdoch ( shocking questions). I think that if you step back from this, there are  important questions and these are:

    What did you need to have in place within the company so that it would be readily apparent if bribes were being made and as well to communicate that making bribes was against company policy and laws/regulations?

    Were such things in place? If not, why not?

    If yes, then explain whether bribes were identified and if so  were these handled in such a way so as to comply with all laws and regulations?

    If not, why not?

    I am certain that we will get answers to these questions and much more in the ensuing days.

     

    Arnold

     

     

     

     

     

  1.  

    What a mess indeed. Yes Internal Audit needs to be as independent as possible, but there are so many exigent circumstances that are at interplay here.  News Corp. is a publicly traded, yet tightly held family enterprise, run by a very aggressive, demanding and somewhat bullying CEO. Add to that the fact that it is a media conglomerate that prides itself in getting “the story” and influencing government leaders as well as a voting public and it is not surprising that the Internal Audit may have been intimidated, or even numb to all that was going on. If an auditor is expecting to use their position as a step up the corporate ladder they are less likely to point out risks associated with the CEO’s (and family) bullying behavior. To think the board and the audit committee didn’t already know what the culture was is unlikely. It is more likely that this particular culture is what attracted them as investors in the first place.
  1. It’s interesting that the discussion centres on reporting lines. I personally wonder if the internal audit function considered an evaluation of the strategic plan/intent. If a core component of strategic planning is for leaders to drive strategy throughout the organisation, align organisational structure, culture, functions, processes and systems with strategy; and manage the politics of strategy implementation. Then should an internal audit function consider evaluating these areas to determine deficiencies and future risk impacts? If so, wouldn’t the cultural and leadership aspect within News Corporations arisen. As we now know, in order to deliver performance and strategic outputs management were overriding controls which should have had a risk implication in the Internal Audit reports over this period.  

     

  1. I have strong doubts about the definition of independence used above. Internal audit gives assurance to the board so the board can fullfill its formal responsibilities in the governance structure of the organisation. In other words: internal audit should be dependent of the needs, wants and choices of the board: nothing more, nothing less. External audit, on the other hand, has a different, more public responsibility. For them, unlimited indepence is much more a necessity. Therefore it's impossible to judge internal audit in this case without considering the role and choices of the board.  

  1. Norman,

    You are absolutely right and linked to this must be an accreditation for the function (like ISO Standards)  so that the Audit Committee can be assured that the CAE is doing his job properly.  I am on a 3yr contract and currently having to undergo a second set of interviews for my position.  In the meantime, I have recently brought some significant issues to the Audit Committee's attention and now could well find myself out of a job because of my principles.  Only having the mandatory reporting line to the Board can safeguard a CAE in such circumstances.

     

  1. Following on from my comment above, I've written an article on the topic, which made the cover of this month's edition of Risk Magazine (Australia). In essence I'm saying that there's not much IA could have done there on this specific situation. From what I've seen they're a pretty good audit shop - they tick most of the boxes and have a number of innovative practices. In other words, if they're having challenges, we probably all are. RM are having some challenges with their online version, so I've put the article up on my blog for those who are interested. http://www.todddavies.com.au/2011/08/21/internal-audit-news-corp/ Norman - as usual, your blog has prompted some healthy discussion about some important issues and pushed some of us to stop and think about these, and put them to a wider audience. This does great things for us all, as well as for the shareholders who we ultimately represent.

Leave a Reply