It often takes a crisis to make people aware that the status quo is inadequate and to resolve to improve things. The collapse of Carillion, among other high-profile recent corporate failures, is such a crisis. Not only did it undermine trust in the reports and accounts that are supposed to assure creditors, investors, employees and customers that a huge business is solvent and able to carry out its obligations, but it also raised questions about strategic decisions made by senior executives and the quality of the contracts they took on. This time, as before in similar situations, people asked what is the point of all the official checks and balances required of large organisations – from external audit to the annual report – if they miss the most important issues or prove to be works of optimistic fiction. What, they could also ask, were the internal auditors doing – and, if they were raising concerns, was anyone listening? If they’re not asking this, they should be.
We’ve been here before, after all. In the wake of the 2007 financial crisis, the Chartered IIA developed a new code of best practice designed to boost the performance, resourcing and status of internal audit in financial services organisations. Officially titled “Effective Internal Audit in the Financial Services Sector”, the code was launched in 2013 and set out a series of best-practice guidelines against which organisations could benchmark their own performance, and which heads of internal audit could use to educate less well-informed boards about the uses and value of a strong internal audit function, and how it should be positioned in the business.
Brendan Nelson was on the committee that helped to draw up the code and he admits he was surprised and delighted at the effect that it has had on the sector. This is why he agreed to chair a committee to develop a similar code focused this time on large private-sector organisations. He explains what this involves, why we need a new code and what the committee needs from members to support it and ensure that it has a similar impact to its predecessor.
It’s interesting to look back on where we were when we created the financial services code. That came about because after the financial crisis the regulator judged that some of the internal audit functions in these organisations were not fit for purpose. This was damning. It found that some functions were focusing too much on low-risk issues, their leaders had no seat at the top table and they were not sufficiently aware of some of the critical risks their companies faced.
We saw that things needed to improve, but when we put the financial services code together we were worried that we would come up against problems. Many internal audit teams did not have the scope, coverage and resources they would need to do what we were recommending and were not operating at a senior enough level. However, we pressed ahead anyway.
And it has been a huge success. The code has helped to reposition internal audit in these organisations and has made it a desirable career that people really want to do. It’s transformed perceptions of the role of internal audit and has put the function clearly at the governance level, reviewing the information that goes to the key governance bodies, such as the risk committee, audit committee and the board. This puts internal audit at the heart of the governance structure and makes it a serious role that is listened to.
There have also been a host of ancillary benefits – management believe they get better service from internal audit, the board thinks they get more reliable assurance about the right things and internal auditors are enjoying a far higher profile as well as the knowledge that they are making a real impact on decision-making. Further benefits have included the way in which the code has encouraged firms to boost the skills of their internal audit functions and to invest in them to ensure they are well resourced and qualified. Everyone won.
I saw all of this in progress at RBS and I’m now working with a great internal audit team at BP, so I was delighted when Ian Peters, CEO of the Chartered IIA, asked me to chair a group that would develop a similar code for private-sector businesses. If ever there was a right time to reposition internal audit in large organisations and set clear parameters showing what we think a fully developed internal audit function should look like and what it should be doing, it’s now.
Recent crises, such as the collapse of Carillion, have shown there is a clear need, and our experience with the financial services code shows how defining the role of internal audit and where it sits in an organisation, and giving it a clear remit to work in business-critical areas and a place at the table when the biggest decisions are discussed, is crucial. The benefits will be similarly wide ranging. Large companies that already have well-resourced internal audit functions will be able to assess where they are against the framework of best practice. Smaller companies, where the internal audit function isn’t yet so mature, will be able to see where they have gaps – and can plan to fill these.
More generally, we can point to the financial services code to show how boards and investors will benefit. Of course, many large organisations will have highly professional internal audit functions that will fit comfortably within all the recommendations of the code, but we expect that others will find some areas where they fall short and this will show them how they can improve these areas dramatically.
For example, the new code will say that the chief internal auditor should report to the audit committee chair with a secondary reporting line to the CEO. There are lots of large companies I know where this is not yet the case.
We will also say that the chief internal auditor should attend the highest management committees and that is similarly nothing like as common at the moment as we think it should be. It is all about putting internal audit leaders on a par with top management in organisations and this is not yet the situation in too many organisations.
Like the financial services code, this code will be voluntary, but we believe that companies will have to take it seriously. It sets out our goals and the standards companies should be reaching – so if they choose not to do these things they should be prepared to explain why not.
We are at an interesting time in corporate governance because there are also many questions being asked about the quality of external audit. Sir Donald Brydon is currently heading a review of this and I believe that this review should consider how internal audit can contribute to the work of external audit. In this way, the code may end up forming part of a wider review and general guidance for good governance internally and externally.
We should be asking why internal audit didn’t see problems emerging at Carillion and other failed companies. Shareholders need to have confidence in our businesses – and they therefore need a framework by which they can assess the competency of the internal audit function and the governance of organisations. They should know what to ask and should be able to trust the answers.
This is also why it’s important to have regular external quality assessments of internal audit performance. In the long run, everyone benefits and these changes are well overdue.
Of course we won’t expect everyone to comply overnight, but we want them to know what good practice looks like and what they should aim for. I also believe that companies should be talking far more openly about the quality of their internal audit functions and what their auditors are doing. This is frequently barely mentioned except in a short statement in the annual report. It should be something that companies talk about proudly and that stakeholders question intelligently and seriously.
Stakeholders also need to be educated. Too often, when they think about it at all, they still believe that internal audit is there to stop fraud. Yet fraud isn’t even one of the biggest risks for most organisations. For example, at BP one of our main concerns is safety and our internal audit team has to ensure that we are providing the right assurances of safety for all our staff. The external auditors don’t look at this; it’s down to internal audit, as are other key issues, such as whether the organisation’s risk appetite is defined and understood, whether the organisation is focusing on the most important risks, and whether management is mitigating and managing these risks adequately.
In a few years, I would like to see all our major organisations progressing towards full compliance with the new code and their heads of internal audit all sitting at the top table. I would like to see smaller organisations that have not had internal audit functions start to see a need for them, and I want experience in internal audit to be seen as an essential part of a career path to senior management roles. I’d like to see a period in internal audit as a key part of management development programmes, because we need to emphasise that first-class managers have a good awareness of the role of governance and control issues.
I also want to see more people wanting to go into internal audit – and more jobs created in internal audit in our largest businesses. And, if the UK decides to introduce a Sarbanes-Oxley-style regime in future, then this will be a fantastic opportunity for internal audit to expand.
If large companies do not have a correspondingly large, well-resourced and high-functioning internal audit team then I think this should be disclosed. Why not?
This code is important because it will define what good looks like not just for internal auditors, but for stakeholders and management. After all, if managers have never experienced excellent internal audit they won’t have high enough expectations. In the end, everyone stands to benefit – there are no downsides. This is the perfect time to take internal audit in business to a new level – for everyone’s sake.
Brendan Nelson is chair of the audit committee at BP and former chair of the audit committee at RBS. He will be speaking at Internal Audit 2019, which takes place on 29-30 October at London’s QEII Centre. Visit iia.org.uk/internalaudit19 to book your place.
The consultation on the new internal audit code of practice will be available at iia.org.uk/codeofpractice
The closing date for comments is 9 September.
This article was first published in July 2019.