As internal auditors, we know we need to be governance-savvy. Governance is specifically mentioned in 11 of our professional Standards and in the official Definition of Internal Auditing. But effective governance is not as simple as applying a one-size-fits-all formula. And it’s more than policies, processes, procedures and controls.
Governance encompasses all of the systems by which our organisations are directed and controlled. It’s about working relationships and how we motivate, reward and discipline behaviours. It’s about how we establish objectives and how we make decisions, accomplish objectives and monitor their achievements.
The scope and complexity of governance assurance can be daunting, and governance systems vary. Like our organisations, they are constantly changing. Rights and responsibilities are shared among directors, managers, regulators, shareholders, auditors, creditors and others – each of whom might interpret differently what makes governance effective. On one day we might focus on social responsibilities, while on the next we might evaluate the impact of changes to the UK Corporate Governance Code.
While governance codes can establish minimum expectations, they cannot create exact requirements that are an optimal fit regardless of industry, company maturity, size, complexity and extent of international operations. Regulations change, securities exchange listing requirements evolve and the marketplace can be a moving target. It’s not easy to be a governance guru.
Even with superb professional skills and constant vigilance, providing assurance about governance issues can be challenging. Does the board include enough independent directors and what exactly constitutes independence? Should the CEO’s position be separate from the chairman’s? Do compensation packages reward the right behaviours? The answers to such questions are often controversial.
It takes courage to address governance shortcomings. Few of us, for example, would want to tell the board that the organisation’s culture is unhealthy or question management’s integrity. It can be daunting to question the board’s independence or objectivity, or to query the adequacy of their education and training.
It’s easy to make excuses for ignoring sensitive issues. But internal auditors are specifically charged with assessing the adequacy and effectiveness of governance. Our Standards require that chief audit executives/heads of audit report periodically to senior management and the board on significant risk and control issues, including those involving governance. And there’s no doubt that governance issues can be significant. Reported governance failures at FTSE-100 firms demonstrate that the risks are neither remote nor inconsequential.
The stakes are high, and we are the final line of defence.
If management or the board do not want internal auditors to evaluate governance issues, it’s time to ask why. If the problem is that the internal audit function does not have the skills, the Standards state: “The internal audit activity collectively must possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities.” Do some additional training, call in a consultant or talk to a more experienced audit executive, but don’t just ignore governance risks.
Boards need our help. They must ensure that the organisation regularly evaluates the entire governance system to ensure that individual components are operating as intended. They must be informed on relevant issues, particularly those involving potential or existing crises. They must ensure that management exhibits integrity and competence. They must ensure that key stakeholders are identified and that policies and procedures fulfill stakeholder needs. They must be aware of potential social and environmental impacts. And they must ensure that the organisation maintains a sustainable strategy focused on long-term performance and value.
No group of professionals is better suited to this task than internal auditors. We have an in-depth understanding of our organisations’ processes, policies, procedures, risks and controls, and our objective viewpoint is invaluable. Comprehensive governance assurance may be the most important service we provide.
For further information
Richard F Chambers writes a blog at chambersontheprofession.org and tweets at https://twitter.com/rfchambers. His third book, The Speed of Risk: Lessons Learned on the Audit Trail, 2nd Edition, is available at theiia.org/bookstore.
This article was first published in September 2019.