The collapse of Carillion has cast a long shadow. As two parliamentary select committees sifted through the wreckage last year to determine what went wrong, attention inevitably turned to internal audit. Deloitte had provided the company’s internal audit services on an outsourced basis and a representative told MPs that the firm was more likely to have assessed labour conditions on Qatari sites or the validity of drivers’ insurance policies than it was to dig into the weeds of the company’s finances.
From the outside, it would appear that Carillion’s primary risks were in fact financial, namely poor debt recovery management and an overdependence on a small number of high-value, low-margin contracts – and the likelihood of those contracts not completing, and therefore not paying out, on time. In an indictment of Deloitte’s role in one of the UK’s largest corporate failures in recent memory, the select committees summarised that the firm was “either unable to identify effectively to the board the risks associated with their business practices, unwilling to do so, or too readily ignored them”.
As internal audit increasingly shifts its attention away from financial assurances to myriad emerging risks, from cyber security to digitalisation and competitive disruption, Carillion offers a valuable case study in corporate governance and the importance of close alignment between boards and effective, insightful internal audit departments to prioritise correctly the risks that businesses face.
The significance of this audit-to-board relationship is central to two recent publications produced by the Chartered IIA in collaboration with the Institute of Directors (IoD). Harnessing the Power of Internal Audit: a Good Corporate Governance Guide for Audit Committees and Directors and its accompanying “thinkpiece”, Partners in Governance: Shaping a New Relationship Between the Board of Directors and Internal Audit, are aimed at informing board directors about how to make the most of audit.
“We all know that a strong internal audit function should be one of the best defences against corporate governance deficiencies. It would appear in the case of Carillion that the company’s board and directors weren’t working with their internal audit function as effectively as possible,” says Gavin Hayes, head of policy and external affairs at the Chartered IIA. “The purpose of the new publications is to promote best practice so that directors work closely with their internal audit functions to ensure that they are identifying and managing all the risks appropriately.”
One obvious question to emerge from Carillion’s demise is whether outsourcing audit services weakens this working relationship with the board. Would the company’s primary risks – financial risks pertaining to debt management and contract delivery – have been identified by an in-house audit team working in closer collaboration with the board?
“The parliamentary inquiry was critical of the company’s outsourced internal audit function and posited that red flags might have been raised if there was a more fluid and responsive relationship with the audit committee,” says Hayes. “That might have allowed internal audit to move more rapidly and proactively to investigate and assess new and emerging risks, rather than merely focusing on contractually defined workloads formulated a year in advance.”
In a webinar that accompanied the release of the two publications, Liz Sandwith, chief professional practice adviser at the Chartered IIA, cautioned against advising companies not to outsource audit services altogether, because it may be a valuable and necessary supplement, especially for smaller organisations.
“Internal audit adds value to all organisations, regardless of their size,” she says. “Therefore, if the institute says that you can only have in-house internal audit, smaller organisations will lose the benefit of having internal audit because they won’t be able to afford an in-house function.”
Roger Barker, head of corporate governance at the IoD, who wrote the Partners in Governance thinkpiece, echoes this point. “Outsourcing internal audit is not a problem per se. What is a problem is internal audit having poor communication and a weak relationship with the board, and lacking the courage and integrity to bring significant risks and problems to the board’s attention, instead insisting that risks are being addressed when in fact they’re not.”
While no definitive conclusions can be drawn from the Carillion debacle, at the very least it presents a compelling argument that a well-resourced in-house audit department can develop a clearer view of its company’s key risks, deliver deeper, more relevant insights and foster a closer relationship and stronger alignment with the board. All of this should, in principle, result in stronger corporate governance.
Internal auditors and non-executive directors (Neds) have similarities. Both must maintain independence and objectivity and take a holistic view of the organisation. They should also both be prepared to read between the lines to identify the key risks and opportunities inherent in the organisation’s business model and strategy, and have the fortitude and moral integrity to challenge management when necessary. And just as Neds “must find a way to narrow their information asymmetry relative to senior executives”, in Barker’s words, so too must internal audit independently close this information gap.
The audit committee and internal audit need to see each other as interdependent components of a larger whole in corporate governance, rather than as separate units that go off and for most of the year do their own thing, only reporting back from time to time, he says. “There needs to be a much more interactive relationship with two-way communication on a regular basis, not only so that internal audit can highlight issues and concerns to the board, but also so that the board can keep internal audit very much aware of its own priorities and where its concerns lie.”
“The danger is that these two groups drift apart, pursuing their own agendas, and live in their own bubbles, when really they should see themselves as part of the same team, which is all about delivering good governance for the organisation,” he adds.
This is especially pertinent in light of the revised UK Corporate Governance Code, which came into force on 1 January this year.
Among the changes to the code is the board’s “responsibility for workforce policies and practices which reinforce a healthy culture”. In practice, this is all but impossible for directors to fulfil unaided.
First, there is the question of time. Directors provide this kind of oversight on a part-time basis, often checking in with the business no more frequently than every quarter. Second, asking senior management for evidence proving how policies support good culture, or any other assurances for that matter, is, as Barker writes, akin to “allowing pupils to grade their own homework”. This is where a properly constituted internal audit function can provide independent evidence of such policies, acting as a barometer for corporate culture.
As a former senior executive and Ned in the investment banking sector, Barker has seen with his own eyes how internal audit adds value. He recounts sitting on the board of an international company when internal audit brought to his attention not only financial reporting and controls weaknesses at an overseas subsidiary, but major cultural deficiencies that were inconsistent with the espoused values of the organisation.
“That was something we otherwise would have known nothing about,” he recalls. “This was a relatively small subsidiary and as board members we hadn’t had any direct contact with the people in that country. That report from internal audit really enabled us to focus our attention on this subsidiary as a source of risk to the organisation.”
Internal audit was not the only target for criticism in the case of Carillion. External audit, performed by KPMG, was censured for approving the company’s accounts as a “true and fair” reflection of its financial position – including reported profits of £150m – when four months later these earnings failed to materialise.
In Harnessing the Power of Internal Audit, the Chartered IIA makes it clear that, while internal audit can include external audit’s work and assessments in delivering the organisation’s assurance map, these annual sign-offs, which in reality are little more than a sense check of the reported finances, are of limited value and that boards and audit committees should be careful not to view the work of external audit as solid assurance that financial controls are functioning soundly. “The audit committee needs to be satisfied that the relationship between the internal and external auditors does not become too interdependent or cosy,” the report reads.
While it’s impossible to say for certain what happened behind the closed doors of Carillion’s boardroom, it is clear that the attention of the company’s directors was not focused on the appropriate risks and that this is a prime example of what can happen when the power of internal audit is not harnessed to its full potential.
Both the Harnessing the Power of Internal Audit report and the Partners in Governance thinkpiece are available in full at iia.org.uk/HPIA
This article was published in July 2019.