A New OECD Report Points the Way: The Opportunity, If Not the Obligation, for Internal Auditors

In February, the Organisation For Economic Co-operation and Development (OECD) released a very interesting document, “Corporate Governance Lessons From the Financial Crisis.” It can be found at http://www.oecd.org/dataoecd/32/1/42229620.pdf.

The report concludes that:

“the financial crisis can be to an important extent attributed to failures and weaknesses in corporate governance arrangements. When they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies. A number of weaknesses have been apparent. The risk management systems have failed in many cases due to corporate governance procedures rather than the inadequacy of computer models alone: Information about exposures in a number of cases did not reach the board and even senior levels of management, while risk management was often activity rather than enterprise-based. These are board responsibilities. In other cases, boards had approved strategy but then did not establish suitable metrics to monitor its implementation. Company disclosures about foreseeable risk factors and about the systems in place for monitoring and managing risk have also left a lot to be desired even though this is a key element of the [Basel] Principles. Accounting standards and regulatory requirements have also proved insufficient in some areas leading the relevant standard setters to undertake a review. Last but not least, remuneration systems have in a number of cases not been closely related to the strategy and risk appetite of the company and its longer term interests.” (emphasis added)

I believe that now, more than ever before, it is critical for internal audit leaders to:

  1. Remember that the IIA definition of internal auditing and the International Standards for the Professional Practice of Internal Auditing require that we assess governance and risk management processes, not just perform audits of controls in specific higher-risk areas.
  2. Talk to our boards and top executives about the importance of providing governance, risk management, and control assurance.
  3. Be prepared to “tell it like it is” when these processes, no matter the level, are deficient.

This new publication is an excellent document to use in this effort.

Posted on Mar 5, 2009 by Norman Marks


  1. I also recommend reading and using the new, and still draft, King III report. It has strong language on the role of internal audit and the need for it to provide assurance on governance, risk management, and internal control.

  2. The report can be found at www.iodsa.co.za.

  3. Norman - delighted you like the document. One small point, I think the square brackets are yours? If so, I suspect that Grant was talking about the OECD Principles rather than the Basel Principles, although, interestingly, the approach for Basel Supervisors is set out in the following document, which does address risk management as well: http://www.bis.org/publ/bcbs129.pdf. It is a shame they have not paid more heed to their own advice!

  4. While the OECD document was interesting, I'm not sure it added anything to the general knowledge related to the financial crisis. Certainly most of the banks had effective risk management processes in place -- the Fed tends to require it of their member banks. Unfortunately, the actual risk from the derivative investments (now "toxic assets") was not really measurable due to the relative newness of the investment and the complexity of what it represented. Very few risk managers have advanced degrees in both finance and mathematics, so they were relying on second-hand information.

     The bottom line for me is, what could IA have added to the process? Even knowing what we know now, what will we change in our audit program or risk assessment to find these issues in the future? Anything?

  5. On Richard's question of "what could IA have added to the process", I think that IA can look at whether management appears to have a reasonable risk management process in place.

     IA will not generally be able to test management's decisions made using the process, just as it won't test management's decisions using the supply chain process. But, it can see if the decisions were made using reliable information - and, in this case, whether risks were actually being monitored and updated as events occurred.

     For example, Citi's directors were sued because risks were not being updated (or at least no changes were being reported to them) even as adverse events were hitting the newspapers.
