October 2006

On the Road to Good Governance

Internal auditors need to make sure they're moving in the right direction when reviewing corporate practices and behaviors. 

Tim McCollum
Senior Editor
 

It's not easy asking the board of directors hard questions about governance, but honest answers to such questions can generate positive change. At Her Majesty's Prison Service in the United Kingdom, a focused assessment of the board and audit committee last year led to a complete restructuring of the board and a clearer understanding of its responsibilities.

Head of Audit and Corporate Assurance Joyce Drummond-Hill asked board members to complete a self-assessment, which rated their performance on a five-point scale in areas such as strategy and planning, risk management, tone at the top, management performance, and board dynamics. Not surprisingly, board members gave themselves good marks, but upon closer investigation, Drummond-Hill found a less-rosy picture. The Prison Service board lacked independent directors who could objectively assess board performance, as well as that of the organization overall. Moreover, a plethora of committees with overlapping responsibilities had developed over time, and members had given little thought to whether they were needed and how they supported the board. For example, the finance committee was highly effective, but it never reported what it was doing to the board. "It just didn't seem logical," Drummond-Hill says. "They weren't even thinking to themselves, 'Do I serve a useful purpose?' 'Do I make a difference?'" 

Drummond-Hill's assessment opened board members' eyes. Led by the Director General, members agreed to strengthen the board by adding three nonexecutive directors and raising the total number of directors to nine. They also revised governance processes to create greater scrutiny on board and committee performance and risk management. "It's quite a noticeable difference when you have nonexecutives looking at performance," Drummond-Hill notes. 

For Drummond-Hill and other chief audit executives (CAEs) worldwide, the roads to regulatory compliance, organizational performance improvement, and corporate sustainability intersect at corporate governance. The fallout from corporate scandals has led to governance reforms in nations throughout the world and greater disclosure about how organizations are run (see "Global Governance Trends" below). The global focus on governance has, in turn, spawned a need for organizations to assess the effectiveness of their governance structure, programs, and processes. In many cases, internal auditing is becoming the "go-to" group on governance issues.

 

Global Governance Trends

 

The global demand for improved corporate governance couldn't be greater. In a recent study of large investment organizations by Rockville, Md.-based research and consulting firm Institutional Shareholder Services, 70 percent said governance was an extremely or very important factor in their investment decisions, and 63 percent said governance would be more important to them in the next three years. Publicly listed companies throughout the world increasingly mention governance in their annual reports — but they don't include much detail, says Hanif Barma, a partner with Independent Audit Ltd. in London. A new study by the firm found that many publicly listed FTSE 100 companies in the United Kingdom still provide only "boilerplate" information about governance in annual reports, although they include considerably more detail about audit committee activities. "One of the problems with the annual reports is a lot of them don't provide information about what the board has actually done," Barma explains.

He notes that even fewer companies discuss specifics of internal auditing's role in governance. The extent to which internal auditors are involved in assessing governance differs from organization to organization and country to country. The United Kingdom's Combined Code places great emphasis on governance, taking a principles-based, "comply or explain" approach. Australia has followed a similar path, says Michael J.A. Parkinson, director, government, with KPMG in Canberra, Australia. The Australian Stock Exchange enacted its Corporate Governance Principles in 2003, while the Australian Prudential Regulation Authority tightened risk management requirements for financial and insurance companies effective Jan. 1, 2006. Australia's government has increased oversight of small government agencies by larger agencies and will require the heads of all agencies to certify their compliance with financial reporting legislation beginning with the 2006-2007 fiscal year.

As a result of these rules, corporate boards and government authorities in Australia have begun to review their own governance activities through self-assessments and external assessments, Parkinson says. However, he says internal auditors aren't usually part of this process. "It is common for boards and senior managers to seek internal audit input on the governance of large projects," Parkinson explains. "It is less common for this advice to be sought in relation to the organization as a whole."

Following the financial market collapse in the late 1990s, market regulators in many countries throughout Asia have adopted corporate governance reforms for publicly listed companies, says Wee Hock Kee, partner with CG Board Asia Pacific Sdn Bhd in Kuala Lumpur, Malaysia. Countries such as India and Japan have passed or are considering legislation similar to Sarbanes-Oxley that would hold boards and management more accountable for the effectiveness of internal controls, while others are leaning toward a less-stringent "Sarbanes-Oxley light" approach. Although new regulations have brought greater focus on governance, many countries in the region still don't require publicly listed firms to have an internal audit department, he says.

Just as internal auditing's role in governance depends on the maturity of governance processes within an organization, so does it depend on the maturity of governance within the business environment of countries, Wee explains. In Malaysia, for example, many publicly listed companies — particularly in the technology sector — are fast-growing entrepreneurial or family-run companies with immature business processes and no firm internal control environment. "The maturity model of governance in Asia is not as advanced as in the United States," he says. "That is where internal auditing needs to be more careful in how we take that governance role." 

Even so, Wee says many Asian companies are looking for internal auditors to help them with governance concerns. Internal auditors are providing assurance on internal controls at the business-unit level and, to a lesser extent, providing independent assurance to the audit committee on management's governance activities. But internal auditing hasn't become a full partner in governance by advising management and the board on sound governance processes, he notes.

 

FINDING THEIR ROLE

Standards Set Auditor's Governance Role

The IIA's International Standards for the Professional Practice of Internal Auditing weighs in on internal auditing's corporate governance role in Standard 2130: Governance:

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the organization.
  • Ensuring effective organizational performance management and accountability.
  • Effectively communicating risk and control information to appropriate areas of the organization.
  • Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.

Standard 2130.A1 further calls on the internal audit function to "evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities." Standard 2130.C1 clarifies the auditor's consulting role by saying that consulting objectives should be consistent with the organization's overall values and goals.

Although internal auditing is considered one of the four cornerstones of corporate governance — along with the board, management, and external auditors — many CAEs are deliberating over what role their departments should play in governance audits. The governance structure and practices are a key part of guidance such as The Committee of Sponsoring Organizations of The Treadway Commission's (COSO's) Internal Control–Integrated Framework and Enterprise Risk Management–Integrated Framework and the UK Combined Code on Corporate Governance, as well as regulations such as the U.S. Sarbanes-Oxley Act of 2002 and Australian Stock Exchange Corporate Governance Principles. Moreover, The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) clearly claim a role for internal auditing to assess the organization's governance framework and provide recommendations for improvements (see "Standards Set Auditor's Governance Role" above). "The drive toward a governance partnership with management and the board is beginning to take off in many countries," says Wee Hock Kee, partner with CG Board Asia Pacific Sdn Bhd in Kuala Lumpur, Malaysia, and president of the Asian Confederation of Institutes of Internal Auditors. "There's a great opportunity for internal auditors to take a lead role in governance."

Compliance activities have led many CAEs to take a closer look at the larger issue of governance. Like many of his peers, Dow Chemical Co. Corporate Auditor Douglas J. Anderson became involved in corporate governance issues through audits related to Sarbanes-Oxley Section 404 compliance. In recent years, he and his staff have been immersed in internal controls, but the closer they examined the effectiveness of Dow's controls, the more questions they raised about high-level corporate governance. "The biggest risk of something going wrong at Dow is not going to be with some accounts payable person not checking the delegation of authority on a disbursement," Anderson says. "It's going to be at a higher level. So, as I've looked at my audit plan, and where we give time and effort, it's clear we need to make sure we give sufficient attention to governance and not just become enamored with looking at detailed transaction controls."

At the same time, changes in the way Dow manages its business are raising new governance questions. Although Dow has operations located throughout the world, nearly all of its operations are managed by a small group of executives based at its headquarters in Midland, Mich. New Chief Executive Officer (CEO) and Chairman of the Board Andrew N. Liveris has championed a culture that would move some decision-making authority to local managers. "Andrew wants to hold people accountable for their decisions and results, which is a very good thing," Anderson says. "However, an accountability culture can lead some people to do the wrong thing." 

Anderson's governance concerns dovetailed nicely with an external review of Dow's ethics compliance program commissioned in 2004 by the audit committee. Although the consultant's final report lauded Dow's ethics program, it stressed that the program's future performance should be monitored. As many of the ethics issues fell into the larger area of governance, the audit committee charged internal auditing with the job.

Anderson's early experiences with governance audits led him to co-author a recent IIA position paper, Organizational Governance: Guidance for Internal Auditors, along with Clay Chilton, vice president of internal audit at ProLogis, a Denver-based commercial real estate investment company. The paper is intended to help CAEs understand the different ways they can be involved in governance, which overlaps key organizational initiatives such as compliance, internal control assessment, enterprise risk management (ERM), quality, and transparency and disclosure. According to the paper, internal auditing's specific governance duties should be driven by the maturity of the organization's governance framework and processes. Auditors may act more as advisers in organizations where governance is less structured, the authors explain. As the structure matures, auditors may be responsible for auditing the design and effectiveness of specific governance processes.

AUDIT RESPONSIBILITIES

Once the board, management, and CAE have decided on the role internal auditing will undertake in governance, the next step is determining the function's specific governance responsibilities. Here, the tone at the top is key, Chilton says. Internal auditors should work closely with the audit committee to establish the audit department's responsibilities, and the board and management should back those duties. At ProLogis, internal auditing's governance activities are described in both the audit committee and internal audit charters. "There needs to be an explicit document that spells out the responsibilities and boundaries for the internal audit organization," Chilton says. 

He says ProLogis' board and senior management have given internal auditing a clear mandate to perform governance reviews. Like Anderson's, Chilton's governance audits sprang from his Sarbanes-Oxley compliance activities. Even before Sarbanes-Oxley took effect in 2002, however, the ProLogis board decided to update the audit committee charter and prepare charters for the Compensation and Nominating committees to meet New York Stock Exchange requirements. Management and the audit committee asked the audit department to investigate what other companies were doing and what they expected of their committees; later, they asked internal auditing to review the company's governance guidelines and recommend improvements. Internal auditing also assists the administrator of the company's ethics program by investigating reports received through the whistleblower hotline and periodically evaluating the contents of the ethics policy and handbook to ensure they include the latest required information. "Internal auditing was in the best position and had the most experience in looking at regulatory obligations," Chilton says, "so management and the audit committee told us to take the first cut at understanding what the requirements are and then devise a recommendation on how the company should respond."

Using compliance as a stepping-stone to governance audits can be risky if the review isn't sanctioned by the board or if an audit with a different objective "drifts into" governance, according to Michael J.A. Parkinson, director, government, with KPMG in Canberra, Australia. "In dealing with high-level governance issues," he cautions, "the internal auditor needs to be particularly careful to present the situation as it is accurately and compare this situation with well-established guidance. This is not an area where the average internal auditor has enough authority or experience to provide his or her own view of what is appropriate."

Hanif Barma, partner with consulting firm Independent Audit Ltd. in London, says internal auditors must be careful to ensure that the board and management are comfortable with the scope of governance audits and that such reviews are considered valuable. CAEs are best suited to lead governance audits because they have working relationships with board members.

Another danger area for CAEs is maintaining auditing's independence and objectivity when performing governance-related activities. Just as many audit departments found themselves owning Sarbanes-Oxley and other compliance initiatives because of their skills and knowledge of business and internal controls, audit functions that advise the board and management on governance may be expected to take over those activities. It's a tempting prospect that should be avoided, Anderson says. It's not unusual for internal auditing to draft a policy for the board or management or act as a thought leader — but it can be a slippery slope. "The key is not having responsibility for the final decision," Anderson advises. "Be very explicit that management owns this, not internal auditing." 

WHAT TO AUDIT

With their scope of responsibilities in place, audit committees and CAEs must identify the governance activities that should be audited. The board should make the ultimate decision of what to audit, says Rick Julien, executive, corporate governance, with Crowe Chizek LLC in Chicago. "You need to start with the board members to understand what their expectations for the review are," he says. "Then, you need to define what governance means to the organization and confirm a framework you're going to use." 

Organizations such as COSO, the UK Cadbury Commission, and the Organisation for Economic Co-operation and Development, as well as stock exchanges in several countries, have all defined corporate governance for organizations and their stakeholders. Julien and Crowe Chizek advocate a corporate governance framework that looks at the interconnections among seven elements: the board and its committees, legal and regulatory concerns, business practices and ethics, disclosure and transparency, ERM, monitoring, and communication. He suggests that internal auditors review each of these elements and report their findings on a scorecard, rating their maturity along a scale as "compliant," "developed," or "advanced." At the outset, he recommends that CAEs review key organizational documents such as articles of incorporation, board and committee minutes, the annual report, investor relations policy, codes of conduct and ethics, shareholder rights, and board calendar of events. 

Guidance such as the COSO frameworks and Combined Code also can be used as frameworks for assessing governance. In addition, the IIA's Organizational Governance position paper lists 16 governance-related activities that internal auditors can review, including board structure and functions, policy, ethics, and best practices. Audit practitioners, consultants, and various guidance documents point to several areas where internal auditors can assess governance.

Risk Management
Governance concerns are increasingly becoming an issue in risk management, because such risks may point to larger governance issues, Parkinson explains. Julien notes that internal auditors' risk management skills provide a foundation for assessing governance and recommending ways to improve it. For example, auditors can evaluate how business and process owners are taking responsibility for ERM. Anderson says governance questions often arise at Dow during internal auditing's annual risk assessment, when auditors are encouraged to think about the larger issues in the company that should concern the audit department, board, and management.

Compliance Activities
As with risk management, internal auditors can examine governance issues during Sarbanes-Oxley and other compliance reviews. Julien says auditors can verify that the organization has identified and addressed key regulatory requirements and find opportunities for the organization to build on compliance activities to be more productive. When it became apparent that the U.S. Congress would pass Sarbanes-Oxley, ProLogis' management and audit committee asked the audit department to conduct a survey based on the draft bill to determine what the company would need to do to comply with the law and how it could implement those changes, as well as the potential impact of any noncompliance, Chilton explains.

External Auditors
Evaluating the work of external auditors can be an important governance function for internal auditing, Barma says. However, he points out that many organizations don't have a formal means of evaluating external auditor performance, and the costs of such services are rising. A recent Independent Audit survey of FTSE 100 companies in the United Kingdom found that two-thirds of companies that mention assessments of external audit performance in their annual report fail to indicate how they performed such reviews. Barma suggests that internal auditors could facilitate these reviews under the audit committee's supervision through questionnaires or interviews of people who have interacted with the external auditors.

The Board
Internal auditors can help the board and its committees by ensuring that they are fulfilling their key responsibilities. Chilton says the audit committee at ProLogis asked the audit department to review its audit calendar to make sure the committee was doing everything over the course of the year that was authorized in the audit charter. Internal auditing also can contribute by ensuring that the audit committee and internal audit charters are aligned, Julien adds.

Reviewing board performance is a riskier area for internal auditors. In Australia and the United Kingdom, it is common for organizations to evaluate board performance through self-assessment questionnaires that are coordinated by the corporate secretary. However, as Drummond-Hill found at the Prison Service, an internal audit-led review can reveal issues that might be overlooked in the board's self-assessment.

Independent Audit recently published a framework for assessing board performance that asks questions such as:

  • What is the board's role, and what did it do?
  • What gives the board confidence it has the right people?
  • How did the board work together?
  • How did management support the workings of the board?
  • How did the board make sure it was fully effective?
  • How did the dialogue with shareholders help the board meet its objectives?

Although intended for large investors, Barma says the framework could be useful in organizations where internal auditing plays a more advisory role to the board.

Interrelationship of Governance Activities
Internal auditing can fill an important governance need by taking a step back and looking at how the various governance-related activities work together. In many cases, assessment of individual governance activities will be performed by a variety of internal and external parties, as well as through self-assessments, Barma explains. He says what's needed is someone who can look at the big picture and show how the various activities fit together. That job falls on Chilton at ProLogis. "The individual activities of governance have to be driven by the total governance umbrella," he says. "You have to understand who's responsible for them and how management views those activities."

WHERE TO START

As with most projects, the hardest part of auditing governance may be deciding where to begin. While some governance audits evolve from other work or follow up on external assessments, Drummond-Hill took the full plunge with her first governance review at the Prison Service in 2002. The ambitious audit was spurred by the changing landscape in governance practices both in the United Kingdom and globally, as well as the need to get risk management more onto management's agenda.

Using the COSO internal control framework as a guide, supplemented by guidance from the UK Central Government Treasury, Drummond-Hill looked at the full spectrum of governance processes throughout the organization. Although many of the findings related to operations were positive, the audit highlighted strategic problems, including weaknesses in the audit committee and a lack of an information technology strategy. For the most part, board members were satisfied with the report, particularly its balance, Drummond-Hill says. The audit taught her a valuable lesson, though: Don't try too much at once. "I felt like I was just skimming the surface," she admits.

For her second governance audit, Drummond-Hill focused only on board performance. She plans to do a follow-up audit this year to see if the board changes have made a difference. After that, she expects to examine board member qualifications. "Every year on the audit plan, there's something to do with governance," she says. "I don't think you can do an audit of corporate governance in its entirety, but every year, you can tick off one area."

CAEs taking their first steps toward evaluating governance should be careful not to take on areas where their department lacks the necessary skill and expertise, caution consultants Julien and Parkinson. Anderson suggests conducting a pilot audit on a governance activity where the audit department can best leverage its expertise and score an early success. He says Dow's audit department started small by auditing the effectiveness of its whistleblower hotline. It was an easy first project, but it allowed internal auditing to gain valuable experience, explore some new governance issues, and prove its capabilities to the board and management. "To jump feet first right into a very complex project where your competency isn't strong, and then run into resistance," he says, "that's a hard thing to do all at once. It's more manageable if you start where the technical side of the auditing is easy and you can deal more with the management side, which might be more complex."

Anderson and Chilton note, though, that there is no one correct way to approach governance reviews. The decision on how internal auditing will be involved and how the auditors will conduct their work will depend on what fits their organization's needs and the appetite of the board and management to take a closer look at governance issues.

To comment on this article, e-mail the author at tim.mccollum@theiia.org.

 

