A risk-based approach to auditing governance processes
One of the significant changes in the draft Global Internal Audit Standards (GIAS) is the removal of these “must” statements.
2110 – Governance
The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes.
2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.
2120 – Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
I have for a very long time criticized these standards. It is not because governance and risk management are not very serious potential sources of huge risk to the organization. It is because audits of them should only be included in the audit plan when the related risks merit it.
While organizations usually die from the head down, is it necessary to audit governance processes every year? Is it necessary to audit every aspect of governance? In fact, very few internal audit functions ever audit the composition, operations, and effectiveness of the board of directors and their committees!
Similarly, I have said that if internal audit doesn’t assess the effectiveness of risk management activities (how risks and opportunities are addressed, rather than any risk function), they deserve a seat at the children’s table.
If there is no assurance (at a reasonable level) that the right risks are taken to achieve enterprise objectives, serious harm and sub-optimal performance are almost inevitable.
But is it necessary to audit risk management every year? Is it necessary to audit every aspect of risk management every year?
No to both annual audits of all governance and risk management processes.
Include audits in the audit plan where there is a heightened likelihood of a failure in one or more aspects of governance or risk management that would seriously affect the achievement of enterprise objectives.
This is what I wrote for the IIA’s magazine in 2011. Amazing to think it’s a dozen years old.
====================================================================
A risk-based approach to auditing governance processes
Should internal audit departments audit governance processes? Can they effectively assess board operations? Isn’t that the responsibility of the board itself, generally through a governance committee? Are we sufficiently independent, because we report to the audit committee of the board, and do we have the necessary skills?
These are questions I hear when leaders of our profession suggest we need to include audits of governance processes in the audit plan. For example, Richard Chambers (IIA CEO) referenced CBOK at the IIA’s 2011 GRC Conference (he was speaking on the topic of The New Corporate World Order: How Does Internal Audit Fit In?) and pointed out that the #1 Imperative for Change was “Sharpen your focus on risk management and governance.” He also noted that CBOK ranked “corporate governance reviews” as the #1 internal audit activity in the near future (next five years).
IIA Standards (Section 2100) require: “The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.” This is extended in revised Standard 2110 (formerly Standard 2130), which states:
“The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Communicating risk and control information to appropriate areas of the organization.
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management.”
So the Standards mandate audits of governance processes and our leaders encourage us to take on the challenge. Is that enough, when we espouse a risk-based approach to internal auditing? A risk-based approach means building our audit plan so it assesses how management addresses the more significant risks to the organization: the controls it has to manage those risks within desired levels. Where do audits of governance fit?
In his presentation, Richard referenced the work of the Organization for Economic Cooperation and Development (OECD). In their 2009 report, The Corporate Governance Lessons from the Financial Crisis, the OECD concluded that “the financial crisis can be to an important extent attributed to failures and weaknesses in corporate governance arrangements. When they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies.” While they focused on financial services companies, they also said that the “weaknesses extended to companies more generally.”
Failures in governance are perhaps the greatest single cause of corporate failures. This was reinforced by Lord Smith of Kelvin (author of the UK’s Smith Report on corporate governance) when he keynoted the 2011 International Conference in Kuala Lumpur. He said:
“Corporate failure is not caused by fraud or inadequate controls. They may contribute the killer blow or make a bad situation worse, but they do not put companies out of business. The real cause of major corporate scandals and failures – Enron, Worldcom, Swissair – is a series of unwelcome behaviours in the leadership culture – greed, hubris, bullying and obfuscation leading to fantasy growth plans and decisions taken for all the wrong reasons. As the saying goes, the fish rots from the head down.”
The consulting firm of McKinsey & Company reported in Governance since the economic crisis that “Just one-quarter characterize their boards’ overall performance as excellent or very good”. They reported that “only 21 percent of directors surveyed claim a complete understanding of their companies’ current strategy”. Apparently, 32% said they have limited or no understanding of the risks faced by the company, and 26% were ignorant of how their company created value.
What this tells us is that we should consider risks related to failures in organizational governance when we build and update the audit plan. In fact, because of their potential impact, these risks may well warrant being rated at the high end.
When identifying the governance-related risks to consider, it is useful to keep an open and skeptical mind. Even the best boards, with the most experienced and competent directors, can fail. Here are a few examples of risks that might be considered:
- Organizational strategies are approved and performance monitored by executives and the board without reliable, current, timely and useful information
- There is too great a focus on short-term results without sufficient attention on long-term strategies
- Oversight by the board is limited by a lack of directors with the required business, industry, technical, IT, or other experience
- The board’s dynamics do not include sufficient challenge and skeptical inquiry by independent directors
- Oversight by the audit committee is limited by a lack of experience in financial reporting and auditing
- The external auditors fail to detect a material misstatement because part of their global team lacks the necessary industry experience and understanding of relevant accounting standards
- Board oversight of risk management is constrained by a lack of risk management experience
- Strategies approved by the board are not linked to individual goals and objectives of managers in operating departments
- IT priorities are not consistent with business and organizational priorities due to a lack of communication and alignment of goals and incentive programs
- Employees do not understand the corporate code of business conduct because it is not in their native language and/or clearly explained to them
While internal audit is responsible for its plan (including its assessment of risk), it is important to work with management and the board. Their insights and their assessment of risk levels should be taken into consideration. However, an independent internal audit function should make the final decision.
Having said which, it is not so easy to be unilateral when it comes to determining how to audit the governance-related risks. The questions at the beginning of the article are important: will management and the board accept internal audit meddling in these areas? Is internal audit sufficiently independent and do we have the skills and experience to be effective assessors of board processes? Is it not the responsibility of the governance committee of the board to assess board performance?
I suggest that it is necessary to find a way around these potential obstacles. If we are to provide assurance on the more significant risks to the organization, how can we do otherwise?
My suggestion is that once the governance-related risks have been identified and the more significant ones assessed, internal audit management should take each in turn and determine how they can be addressed. Options include:
- Performing a traditional assurance or consulting engagement. Many of the risk areas (such as awareness of the corporate code of conduct, alignment of management incentive plans and organizational strategies, or the quality of information used by the executive leadership team and the board) can be addressed without significant problems with traditional audit approaches.
The auditor is likely to find useful a 2006 IIA Position Paper: Organizational Governance: Guidance for Internal Auditors. It draws an important distinction between the relative values of assurance and consulting engagements when it comes to governance processes. In a relatively mature organization, the more valuable role for the internal auditor is likely to be providing assurance that governance policies and practices are appropriate to the needs of the organization (including compliance with applicable laws and regulations) and operating effectively. However, if the organization is still in the process of refining its governance processes, the auditor may more effectively contribute in a consulting capacity. As the IIA Position Paper says, the internal auditing function is in an excellent position to serve as “catalysts for change, advising or advocating improvements to enhance the organization’s governance structure and practices.”
- Outsourcing the engagement. To overcome the perception that the internal audit team lacks either the necessary independence or the necessary skills, it may be appropriate to engage an expert third party to perform the work. As distinct from option 4(b) below (relying on the work of other assurance providers or consultants), internal audit selects the consultant, approves the scope of work and the selection of individuals to perform the work, and dictates the form of the report.
- Using surveys and self-assessment questionnaires to obtain the information necessary for the engagement. This can be especially valuable for audits of areas such as employee understanding of the corporate code of conduct, whether managers understand organizational strategies and their incentive programs are aligned, or whether managers believe the external auditors have a sufficient understanding of the business.
One variation of this option is to collaborate with the organization’s human resources (HR) department to include desired questions in an HR employee survey. Many organizations’ HR functions perform periodic employee surveys to gauge employee satisfaction, confirm understanding of corporate policies, and for other purposes. It can be very effective to include questions in the survey that relate to the risk area being assessed.
- Relying on work performed by others. There are a couple of variations on this theme:
- Relying on board self-assessments. Several of the risks are likely to be covered by board self-assessments. However, there is a risk that the board’s assessment of its own performance (including that of its committees and members) may not be objective. It may also not have sufficient insight into best practices and the ability to understand its own failings. Before relying on board self-assessments, the internal auditor should endeavor to assess the self-assessment process to reduce the risk of a poor result to a minimum. The auditor should consider partnering with the board.
The board might direct internal audit to rely on the board’s self-assessment. In that case, the internal auditor should ensure the audit committee understands that related risks are not being addressed in the audit plan.
- Relying on the work of other assurance providers or consultants. The board may decide to engage a third party (such as a consulting or law firm) to assess certain governance processes and practices. The IIA has provided guidance on relying on the work of others in Practice Advisory 2050-3. The auditor should ensure the scope of work will be sufficient to cover the risk, that the other assurance provider’s process will be adequate, and that the individuals involved can provide a quality assessment. If the internal auditor has concerns about any aspect of the engagement, these should be reviewed with the appropriate committee of the board (generally, either the audit committee or the governance committee).
- Partnering with others. Again, there are a couple of variations:
a. Partnering with the board or committee of the board. This can be a highly effective approach, and I have used it to great effect in the past. The involvement of internal audit can provide a reasonable level of assurance that the board’s self-assessment process will be reasonable. For example:
• When the practice of self-assessments first became popular and recognized as best practice, I worked with the board at my company (together with general counsel) to develop the self-assessment questionnaires and process. I then facilitated the program for the first year.
• I worked, as the head of internal audit (CAE), with the audit committee of the board to facilitate their annual self-assessment process. I interviewed each of the members individually and summarized the results for discussion by the committee. One of the actions was to implement a program of ongoing education and information for the committee on business issues and company operations. (The story was captured in an article in Internal Auditor in December 2003.)
• One of the responsibilities of the audit committee is to oversee the work of the external auditor. At three different companies, as CAE I supported this activity by surveying management in all significant locations, summarizing the results, obtaining responses to issues from the external audit partners, and then facilitating a discussion by the audit committee.
b. Partnering with another, internal or external, assessor. There are times where the board or general counsel wants the assessment of a particular governance risk area to be performed by the legal department or by a third-party expert. Full reliance on another assurance provider or consultant was discussed earlier, but there can be significant advantages to partnering with that other expert and doing what amounts to a joint audit of the area. These may include:
• Ensuring that the engagement team has excellent subject matter expertise (through the consultant) as well as knowledge of the company (from internal audit).
• Exercising more control over the scope of work, the way the engagement is performed, the conclusions drawn, and the report itself. For example, some consultants might be reluctant to actually express an opinion on whether the risk is effectively managed.
• Learning from the expert so that future audits can be performed in-house.
c. Excluding the risk area from the scope of internal audit’s work. To my mind, this is the least preferred option. But internal auditors may find that their board does not believe internal audit would add value, or that it should be part of their remit. The board might even ask that the internal audit charter exclude certain areas of the business, such as the adequacy of board processes.
The audit engagement will have to be ‘sold’ to executive management and the board, who are probably not used to internal audit taking on these areas. Governance is a politically-charged area and many of the activities are performed or managed by individuals at the top of the organization, including the Board and its key committees. As the Position Paper says: “The CEO, CFO, general counsel, and other top executives may not react with enthusiasm to the prospect of being the subject of an audit.”
Planning for an audit of a governance risk area should take this into account, with early engagement of those on the board or in key executive positions (such as the general counsel) who might sponsor and support the engagement. The planning should also address the issues of:
- How the results will be communicated. The results may be sensitive not only because of the people who own the governance processes, but also because they might have an impact on other matters. For example, an audit that finds defects in the audit committee process could affect the assessment of internal control over financial reporting for Sarbanes-Oxley compliance purposes. Strong consideration should be given to consulting with the general counsel and agreeing on the most appropriate manner for reporting the results, which might be under attorney-client privilege.
- Whether access to sensitive and confidential information may be needed. Discuss up-front whether the audit team will need to review documents such as board minutes or assessments of individual director performance.
- Who should be on the audit team. In addition to ensuring that the team includes individuals with sufficient experience and expertise in the subject risk area, it may be prudent for the CAE or other senior audit executive to participate. Some of the documents and discussions may be at a level of sensitivity that it makes sense for the CAE to perform that part of the audit herself.
Summary
A risk-based audit plan is probably not complete unless it includes consideration of the risks inherent in governance processes. Selecting which areas of governance to audit should be based on the assessed level of risk, determined with the assistance of input from management and (in all likelihood) the board. Different governance risk areas may merit different audit strategies, but whatever approach is taken, careful planning is required.
Audits of governance, whether assurance or consulting in nature, may not be easy and they often carry political risk. However, they are clearly important and should be given strong consideration in the audit plan – not just because they are required by our Standards, but because governance process failures can be high risk and, as Lord Smith of Kelvin said, “the fish rots from the head down”.
====================================================================
The draft of GIAS doesn’t mandate audits anymore.
But does it provide sufficient guidance on when to audit what?
Have they gone too far by removing these standards?
What do you think?
Do you agree with the approach I espoused in 2011 and repeat now?