The last year has provided directors with considerable food for thought in terms of how they should fulfil their governance responsibilities. Boards continue to grapple with significant uncertainties, such as the management of risks relating to cybersecurity, digitalisation, data security, the supply chain and the uniquely uncertain political environment.
Furthermore, a range of new governance requirements and best practices for directors have been published and must now be digested and applied, including a new edition of the UK Corporate Governance Code, the brand new Wates Corporate Governance Principles for Large Private Companies and an updated edition of the Chartered Institute of Internal Auditors/IoD’s own guide to how boards and audit committees should optimise their relationship with internal audit: ‘Harnessing the power of internal audit: A guide for audit committees, non-executive directors and senior management’.
This think piece offers some reflections for directors, particularly in terms of how they can take forward their relationship with internal audit in the current business environment, learning both from the past and looking to the future.
At the start of 2018 we witnessed one of the largest corporate collapses of recent years – the descent of Carillion into liquidation. In their report on the collapse, published in May 2018, the Work and Pensions and BEIS Parliamentary Committees reserved particular criticism for the board’s relationship with its outsourced internal audit function, which had been operated by Deloitte during the preceding eight years.
Although the internal auditor was supposed to be responsible for advising on financial controls such as debt recovery, they appeared not to be aware of major debts owed to the business by large Middle Eastern clients. They also did not appear to have expressed concern in their reports to the board regarding an existential risk to the business – the significant risk of a small number of contracts not being delivered. This would suggest poor communication between the outsourced internal audit function, the board, Audit Committee and senior management.
The report concluded that internal audit was “either unable to identify effectively to the board the risks associated with their business practices, unwilling to do so, or too readily ignored them” [1].
Both boards and internal audit functions are now seeking to learn lessons from the Carillion collapse. One important reflection for audit committees may be that a contracted internal auditor may find it more difficult to provide agile “free range” risk advice to boards in comparison with an in-house function with strong and ongoing links to board members [2].
In the case of Carillion, the parliamentary discussions suggest that internal audit might have performed better if it had enjoyed a more fluid and responsive relationship with the audit committee. This might have allowed it to move more rapidly to investigate and assess new and emerging risks rather than focusing on a contractually-defined workload formulated a year or more in advance (and, in Carillion’s case, as part of a three year audit plan).
However, more fundamentally, the Carillion case has emphasised, once again, the importance to good governance of a close and engaged relationship between board members, particularly the audit committee, and the internal audit function, which was apparently so lacking at Carillion.
In principle, board members and internal audit are obvious partners in governance, given the inherent challenges which are faced by part-time non-executive directors in fulfilling their duties. NEDs must continually confront the profound difficulties involved in understanding what is happening in large and complex business entities. Somehow, they must find a way to narrow their information asymmetry relative to senior executives.
The UK Corporate Governance Code assigns to all directors a wide range of substantial responsibilities, including annually reviewing the company’s internal controls and risk management system, and ensuring that the annual report, accounts and other material disclosures are fair, balanced and understandable to shareholders.
But in most organisations, these are not responsibilities that most board members can fulfil themselves. Non-executives cannot directly check or second-guess the functioning of accounting systems or compliance mechanisms aimed at controlling operational or financial risk.
Of course, in most cases, they will look to management in the first and second lines of defence to provide them with reports or data concerning the performance of various systems and procedures. However, regardless of whether this information is provided in good faith or otherwise, it can never be regarded as providing entirely independent assurance. Just as it is inadvisable to allow pupils to grade their own homework, a board that is committed to fulfilling its duties in a competent manner should not rely entirely on management for confirmation that management itself is doing a good job.
A properly constituted internal audit function, with joint reporting lines to the board as well as senior management, is therefore the obvious partner for the board in helping them to ensure that the organisation’s risk management, governance and internal control processes are operating as intended.
Unlike board members, internal auditors are “inside” the business – ideally with unrestricted access to people and information – and therefore well placed to support the board in its oversight role. At the same time, internal audit will share the mindset and incentives of board members in wanting to truly understand what is going on within the organisation in its wider interest.
In many respects, a good internal auditor will share many of the characteristics and attitudes of a good non-executive director. They will understand, and be committed to, the company’s overall purpose and objectives. They will be able to cut through the noise to identify the key risks and opportunities that are implied by the company’s business model and strategy. They will be equipped to constructively challenge management and be ready to ask tough questions if something doesn’t seem right.
Furthermore, like a good director, they will have a strong sense of moral integrity and be ready to deliver difficult news and perspectives to the board and management, even in situations where the reception may be less than welcoming.
The board should therefore view internal audit as a unique ally in its mission to deliver first class governance. However, as Carillion demonstrates, the right type of relationship does not necessarily emerge of its own accord. As with any relationship, the prerequisites are engagement and communication between the two parties.
The audit committee should regularly meet with the head of internal audit, and provide ongoing feedback as to whether the focus is on the right risks and the right activities. There should be a back and forth dialogue, not merely a once a year sign-off on an annual audit plan.
In practice, this will require the audit committee to move beyond a distanced one-way reporting relationship with internal audit. It should start to view itself as the function’s direct boss with regular meetings and dialogue. The two sides should be invested in the success of each other, and develop a strong sense of mutual partnership.
From the internal audit perspective, the audit committee relationship is likely to be richer and more involved if internal audit can move beyond a checklist approach to its work, and broaden the scope of its advice and assurance beyond backward-looking financial auditing.
Internal audit should also be ready to rapidly adjust its workflow if new concerns about emerging risks are raised at board level. And it should provide the board with no doubts or flickering uncertainties as to its independence, integrity and commitment to fulfilling the board’s interests. Mutual trust and respect are the foundation of the relationship.
According to the UK Corporate Governance Code, one of the main tasks of the audit committee is to review and monitor the effectiveness of the internal audit department, and – if one does not exist – to consider annually whether there is a need for one. However, this kind of evaluation process should also work in the opposite direction. There is a need for the board and the audit committee to assess if it is doing enough to foster a rich and meaningful dialogue with internal audit.
This issue could be considered as part of the board’s own periodic evaluation, and ideally the head of internal audit will be one of the key board stakeholders invited to contribute (typically on a confidential basis) into the board evaluation process.
An aspect of the board-internal audit relationship which is often neglected is the achievement of a shared understanding of the company’s purpose, values and strategy. Defining these in the first place is obviously a board responsibility. But then they have to be clearly communicated to internal audit as well as the rest of the organisation.
Quite often, a misunderstanding concerning the nature of the organisation’s objectives – and what is truly important to the board – can cause internal audit to misallocate its resources, focus on the wrong things, and over time lose its relevance to the board. The only way to counter this risk is for the board to spend sufficient time with key internal audit executives – this will enable internal audit to maximise its support of the board’s agenda.
Of course, if internal audit feels that the company’s purpose, values and strategy have not been clearly communicated to them or the rest of the organisation, or that they have yet to be explicitly defined by the board in the first place (which is a responsibility for the board defined in Section 1 of the UK Corporate Governance Code), it should have the courage to bring these concerns to the board’s attention.
Although it is the board that has ultimate responsibility for such basic features of an organisation’s governance, the internal audit function can legitimately act as its conscience and adviser on this and other aspects of the board’s own role.
An area of current debate in the internal audit profession relates to the balance that should be struck between providing the board (and the CEO or CFO) with assurance about the state of the business on the one hand, and advisory services and internal consultancy on the other.
There is no doubt that assurance lies at the heart of what internal audit is there to do. However, many would argue that failing to make use of internal audit’s knowledge, experience and unique vantage point as a resource to advise the business, particularly in the field of risk management, would be a wasted opportunity.
Internal auditors themselves often see advisory work as an area where they can add significant value to the organisation and increase their relevance and reputation, particularly with executive management.
The counter argument to this approach is that, by involving itself in business advisory activities, internal audit may compromise its independence and impartiality – and thereby diminish its credibility as a provider of independent assurance to the board. Furthermore, such activities could ultimately overstep the boundaries between the second and third lines of defence, with internal audit effectively taking over risk management responsibilities.
Just as a key task of the audit committee is to make a judgement concerning the balance between audit and non-audit activities for the external auditor, it needs to make a similar explicit assessment for internal audit.
Furthermore, it is important for the board to ensure that, when internal audit is involved in offering advice or opinions, it is clear that they are not the ultimate decision-makers. Managers should be held accountable for the controls that are chosen and implemented, not internal auditors. Maintaining clear boundaries between internal audit and risk management is essential for the integrity of both functions.
Many commentators see internal audit as a function that is ripe for disruption through the greater use of digital technology, artificial intelligence and data analytics. This will undoubtedly create challenges for the profession, but it will also give rise to opportunities.
Technological automation has the potential to remove much of the routine audit work from the day-to-day activities of the internal auditor, with the result that they can pursue a more directly supportive role of the board in assessing principal risks.
However, these changes will also require the board to think carefully about the kind of persons and skills that they need in the internal auditor role. In particular, it is likely that future boards will see more value in bringing people into internal audit who are less focused on financial assurance, but who can act as the eyes and ears of the board in areas such as behaviours, corporate culture and technology.
The board may also want to locate talent in internal audit that is more forward than backward looking in terms of its assessment of the business – once again, to assist the board in fulfilling its key task of ensuring that the principal risks are being identified and managed.
Increasingly, the key risks for many organisations are not seen to be the traditional financial risks, such as fraud, weak financial reporting or inadequate financial controls. Rather they are technologically driven risks relating to cyber or data protection. Or they relate to managing corruption or health and safety risks across a global organisation, or the governance of the supply chain.
Internal audit is well-placed to offer the board assurance and advice in these areas if it has access to the necessary resources and skills, and can demonstrate its broad-ranging mindset.
With the publication of the latest version of the UK Corporate Governance Code, the board has now assumed an explicit responsibility to assess and monitor the culture of the organisation. However, it is less clear how board members will be able to fulfil this requirement in practice, given their distance from day-to-day activities.
Assessing the attitudes in the middle and lower levels of the organisational hierarchy is especially challenging for part-time non-executive directors, who often struggle to engage with the wider organisation beyond the bubble of the boardroom.
The FRC published some useful guidance in 2016 concerning ways in which boards can oversee corporate culture. A practical implication of this report would be for the board to develop an intelligent partnership with internal audit. A more broadly defined internal audit function is well-placed to take the temperature of the organisation in terms of prevailing attitudes and norms of behaviour, and communicate its findings to the board.
In many cases, a formal audit-style approach to monitoring culture may not be necessary. Internal audit can act as a more informal source of informed opinion and insight for the board in respect of attitudes, motivation and behaviour, and the extent to which management is encouraging the right behaviours or remedying any deficiencies. A key emphasis of recent professional guidance and research published by the Chartered IIA has been on how to audit corporate culture, and this offers a useful starting point for boards as they approach this tricky issue.
Ultimately, however, it all depends on whether internal audit has the right kind of relationship with the board. And for this kind of emerging role, internal audit may find it more useful than at present to prioritise the acquisition of psychological rather than financial skillsets in team recruitment and professional training processes. The internal auditors of tomorrow are just as likely to be specialists in organisational behaviour or digital technology as financial management.
To conclude, the role of board member is rapidly evolving in terms of scope and complexity. This reflects the disruptive impact of new technology, regulation and ways of doing business.
An internal audit function that has evolved to address these new risks and challenges will be particularly well-placed to offer support to the board in this environment, both in terms of assurance and advice. But it seems likely that the activities – and the human and technological profile – of such an internal audit function will be different to that of the past.
Based on a unique governance partnership with the board, internal audit is poised to further expand its position as a key corporate influencer.