An Eminent Governance Authority Speaks Out on the Role of Internal Audit

Those of us who attended the IIA International Conference in Kuala Lumpur were treated to an energizing – and very challenging – opening keynote from Lord Smith of Kelvin. Who is he and why did he merit the opening keynote? Why should we listen to what he has to say?

  • He led the team that developed the Smith Report on corporate governance, focusing on audit committees, which has now been included in the UK Combined Code.
  • He is a past president of the Institute of Chartered Accountants of Scotland.
  • He has held various positions as CEO and board member.
  • He is an Honorary Fellow of the Chartered Institute of Internal Auditors (UK).

The main point that Lord Smith made was that the greatest risk to any organization is the behavior of the executives. He believes internal audit should be alert to this risk; monitor it; and be ready, willing, and able to let the audit committee know as soon as it becomes of concern.

With the help of the wonderful people at IIA–Malaysia, I was able to obtain a copy of Lord Smith’s speech. Key sections (with my highlights):

  • Corporate failure is not caused by fraud or inadequate controls. They may contribute the killer blow or make a bad situation worse, but they do not put companies out of business.
  • The real cause of major corporate scandals and failures — Enron, Worldcom, Swissair — is a series of unwelcome behaviours in the leadership culture – greed, hubris, bullying and obfuscation leading to fantasy growth plans and decisions taken for all the wrong reasons.
  • As the saying goes, the fish rots from the head down. That’s why it is crucial for the role of internal audit to have corporate culture at the heart of its considerations and processes.
  • Audit committee members, as well as checking that the annual report and accounts are fit for publication and the external auditor is doing their job properly, must understand the culture of the business that they are involved with.
  • Supporting this understanding, to my mind, is the most crucial role of an effective internal audit function.
  • Internal auditors need the ability to put their organisation on the couch. You have to understand what motivates the place, as well as the processes that keep the wheels on the tracks. You can’t just be a workhorse to process and reporting.
  • You must understand the strategy of the business and how your leadership is going about getting you there…. a close reading of the culture of the organisation — does it ‘smell’ right, are people working under too much pressure, is the CEO hiding something?
  • Internal audit requires real bravery. In turn, this should mean strong support from the audit committee.
  • Have to understand internal politics, how the tone at the top develops. They must possess the ability to grasp why certain things, which may not always appear logical, are happening. They must manage skillfully how they bring this to the attention of the stakeholders who need to know.
  • The role to play as a ‘canary in the mineshaft’ for corporate culture appears to me to be the area in which internal audit can increasingly develop and, from a non-executive standpoint, is arguably of the greatest value.
  • The IA role is ultimately there to safeguard the sustainability of the business.
  • If internal audit is seen as a good conscience and not a pushover, if it is seen as an effective check on management as well as contributing to strong controls and processes, the entire business will have a better culture.
  • A truly effective set of executives should be grown-up enough to encourage and accept challenge from internal audit and not present barriers to the function’s strong relationship with the audit committee chair.
  • Auditors should keep up with a dynamic strategy and be alive to the changes in the risk profile that this may present.
  • My view is that internal audit has come an awful long way from the beginning of the new millennium. It is very much part of the fabric of any substantial organisation and the quality of the people in the function rises with every passing year. Management attitudes to internal audit are changing and audit committees’ communication and relationships with internal audit teams continue to mature.
  • There is still some work to do by auditors in getting under the skin of a business to truly understand the leadership behaviours, cultural issues and incentives that drive operations and strategy. When it comes down to it, it’s my personal view that these are the things that really matter.
  • Internal audit should deliberately seek out the unmanaged risks; it should ask the ‘what if’ questions and it should be able to describe the economic reality of the products and services of the business it is a part of. This is where the big post-crisis opportunity lies for the future of internal audit.
  • The audit committee must be a champion, ensuring that the appropriate standard of person and intellect exists. Management must include internal audit in strategy discussions and product development to enable a ‘big picture’ understanding of where the business wishes to head and the means by which it intends to get there. Auditors must understand the risk appetite, the overall quality of corporate governance, the financial leverage in the business and have a nose for overstretch.
  • If the financial crisis does not provide a platform for the profession of internal audit to broaden its focus, I don’t know what will.
  • You need to understand what you’re auditing. To achieve that, you need to have quality people with access to the right information, involvement in the right discussions and the licence to operate in a way that supports objectivity.
  • Risk management should never be about being defensive — it’s about how you continuously improve the understanding of your strategic and operating environment to enable you to invest in the future.
  • Internal audit, when it’s done properly, valued properly and truly risk based — should be all about looking forward.
  • Audit assurance should focus on what matters to Boards and audit committees.
  • Internal auditors need also to develop their status to become trusted advisers. To fully exploit the unique position in the organisation, put that objectivity to even better use by communicating more regularly with the audit committee chair on the culture as well as the controls. Explain how a change in operational approach fits in with strategy. Give your own views, based on your internal reporting, on how management is progressing with key issues.
  • The internal audit team must communicate without fear, no matter how unpalatable the information being passed on.
  • Above all, have candid discussions on key risks and, consider yourself the eyes and ears of the committee on any issues within the company, on a daily basis. That is the beauty of internal audit – it should be, in essence, a completely objective scrutineer of how and why the business is progressing. If that means telling me the CEO has bought a brand new Ferrari, I’ll only think you’re doing your job properly!
  • Undoubtedly, internal audit is a key pillar in effective corporate governance and risk management. My personal view is that it may be the most important. It occupies a unique position in any business.
  • There is sufficient flexibility in the function to cover much broader risk areas than any external audit could. The eyes and ears of the internal audit team are inside the business throughout the year, providing a closer and clearer view than any other risk management and assurance process into developments in the business.
  • How can it move to the next level? More attention on behaviours and culture — not necessarily at the expense of process, but I think we all understand that ticking boxes in the run-up to 2008 didn’t help the banks. What I feel is needed is an incremental move towards gaining a clear understanding of the underlying motivations that drive projects and transactions, an objective view on why leaderships make the decisions that they do.

What is your opinion of this?

  1. Do you agree that the greatest risk is inappropriate executive behavior?
  2. More to the point, should it be internal audit’s role to monitor this and report on it to the audit committee?
  3. Do we have the courage to do this?

Posted on Aug 22, 2011 by Norman Marks

  1. As Roberts, McNulty & Stiles (2005: Beyond Agency Conceptions of the Work of the NED: Creating accountability in the Boardroom, British Journal of Management) already noted: The key to board effectiveness lies in the degree to which NEDs are able to create a culture of accountability within the boardroom. That can be achieved through the appropriate behaviour of the NEDs. If that is the case there should be no need to have a standing order for the internal audit to monitor the executives. That is not conducive to a culture of accountability. It requires courage from the NEDs to conduct themselves in such a manner that it is clear that their questioning, challenging and probing of the top management team is not out of mistrust, but from a need to convince themselves that the executive team demonstrates the appropriate behaviour and is in control.

  1. John, thank you for sharing this. I appreciate your point of view, but how can NEDs understand what is happening beneath the surface of the corporation - which is all they can see? Their involvement is limited to a few hours each month/quarter and they need somebody to provide them with reliable information on the true state of affairs.

    I have seen many executives speak with confidence, exuding integrity and knowledge, about the state of risks and controls - while being quite ignorant of what is actually happening.

    In addition, we have seen many highly-regarded boards fooled by unethical executives.

    I welcome your comments.

  1. My dear little old men, don’t you know that a new generation of auditors came in? Those who report (talk about all these silly corporate processes) instead of discussing the weather during lunch time in the millionaire shareholders’ clubs where a lot of auditors’ brand new Ferraris and Hummers are parked.

  1. I agree that the CEO's unethical behaviour is the key risk, but when the CEO plays a great political game, the CEO is rock solid, hence the chain reaction. A telltale sign is when Internal Auditors resign one after another because the CEO finds fault (IA doing a good job) and informs the Regional IA; now comes the political connection: let the IA resign and get a new one.

    I know of a CFO who resigned from his job because of unethical practice being forced to be carried out; the CFO has to sign for it, rendering the CEO clean!

    A strong political connection provides the bullets for an executive with unethical behaviour to shoot whoever disrupts his objectives.

  1. Where can I see the presentation of Lord Smith's speech?

  1.  If you click where the post says "copy of Lord Smith's speech" you will be able to see the transcript. I don't have a copy of his slides. 

  1. I agree that unethical & inappropriate behaviour of senior management executives is a great risk as we can also see from the past trends of corporate frauds wherein Executives have been involved.

    As regards the duty of Internal Audit - yes, it is their duty to report any such instance to the Audit Committee (AC) if it has come to their notice. Now the point is about "monitoring" - how does IA do that - if the indications are very apparent, viz. buying a Ferrari or attrition at high level or management hiding facts from the AC etc., then IA can suspect foul play & raise a flag with the AC. Otherwise, as rightly said by Norman, it would be difficult to understand what's happening beneath the surface - e.g. can IA monitor the living standards of executives, can IA check their bank balances, can IA keep a tab on their e-mails etc.

    Here, the courage factor comes in, that to what extent IA can monitor & question the executives and go beneath the surface. Even if IA has been able to monitor, does s/he have the courage to report it. Here I agree with Gary that if political games are played, then even the courageous Internal Auditor can do very little.

    Then what's the solution - IA cannot just sit lame by accepting political games or saying that it does not have the courage to speak against a CEO or CFO as it may cost his/her job - here even IA has to be tactical, at least for the cases where it is sure that some foul play is taking place.

    In my opinion, in cases reported by Gary, IA should resort to the Ombudsman route by wearing the shield of an anonymous whistleblower rather than an IA. S/he should report to the Ombudsman/Whistleblower Committee along with facts, figures & reasons of suspicion. This way at least the matter will be reported to an independent committee which reports finally to the AC & will ensure that the unethical behaviour & malicious motives of the executive do not remain hidden & get reported.

  1. Interesting discussions, esp. the issues raised by Gary and Deepti. Over in my country there are many public listed companies that are run by a dominant shareholder or founder; this will give an additional challenge for IA to overcome the hurdle and uphold objectivity.

  1. I agree with Deepthi. IA independence should enable IAA to effectively carry out its responsibilities. If there are political games IAA can wear the shield of a whistleblower. This can serve as a short term tactic. But in the long run Audit Committee effectiveness is the best option.

  1. It is expected to have a financial expert in the AC, but why not an audit expert in the audit committee? The auditor most of the time gets very little share of time in the entire meeting, where the financials are also being discussed. The auditor most of the time uses words that are carefully selected and misses the target. Should an auditor of some past experience be a mandatory requirement in an audit committee?

  1. This article hammers the nail just on the top. Understanding the behaviours of the executives / senior management is very vital; it's behaviours that drive policies, unethical behaviours drive policies that encourage unethical practices, this allows gaps which create space for scandals, and sometimes it pays to get down and understand the biographies of the executives. I had hands-on experience with this, for I worked for an executive with questionable past practices, and the more you emphasized strong controls, the more they deviated from best practices; I had to tighten my audit belts.

  1. Interesting article! Many of the comments raised some insightful points. Boards govern corporations with shareholders' best interests at heart, yet, to be even more value-added to its constituents, including shareholders, management, employees and fellow Directors, Boards should be comprised of Non Execs whose combined collection of backgrounds, experience and skills are relevant to and therefore align well with what the company does, its strategy, opportunities and challenges.
