Ideas and opinions about corporate governance are in constant flux, making the concept difficult to describe and explain. And at the moment, economic disruption is accelerating the pace of change. Here, we summarise the key concepts and look at internal audit's role.
Corporate governance primarily refers to organisations with commercial and business operations, in particular limited companies. We use the term in its widest sense, applying it to all types of private and public sector organisations.
The Financial Reporting Council (FRC) issued an updated version of the UK Corporate Governance Code in September 2014. This significantly enhances the quality of information investors receive about the long-term health and strategy of listed companies.
The FRC has also published new guidance on risk management, internal control and related financial and business reporting, which reflects the changes made to the UK Corporate Governance Code. This guidance revises, integrates and replaces two of its earlier publications:
- Internal Control: Revised Guidance for Directors on the Combined Code
- Going Concern and Liquidity Risk: Guidance for Directors of UK Companies
We understand that the FRC will now be working on updating the guidance for audit committees to reflect the new Code, and that this will cover the role of internal audit in some detail.
The IIA definition of corporate governance, included within the International Standards is:
Governance is the combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organisation toward the achievement of its objectives.
Although there is no universally accepted definition, the first version of the UK Corporate Governance Code was produced in 1992 by the Cadbury Committee. Its paragraph 2.5 is still a classic definition:
Corporate governance is the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders’ role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place.
The responsibilities of the board include setting the company’s strategic aims, providing the leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship. The board’s actions are subject to laws, regulations and the shareholders in general meeting.
Corporate governance is therefore about what the board of a company does and how it sets the values of the company, and is to be distinguished from the day to day operational management of the company by full-time executives.
Recent events have highlighted the critical role of directors in promoting good corporate governance. In particular, boards are charged with ultimate responsibility for the effectiveness of their organisations’ internal control systems. These events have highlighted the key role that internal audit can play in supporting the board in ensuring adequate oversight of internal controls and the effectiveness of corporate governance.
How an organisation designs and practices the principles of effective governance vary depending on the size, complexity, and life cycle maturity of the organisation, its stakeholder structure or legal and cultural requirements.
The head of internal audit should work with the board and the executive management team, as appropriate, to determine how governance should be defined for internal audit purposes and the extent and expectations of internal audit assurance and consultancy needed to satisfy the internal audit charter.
The definition of internal auditing and International Standards identifies that internal audit has a role to play in evaluating and helping to improve governance processes.
The International Standards make specific reference to assessing and making recommendations for:
- promoting appropriate ethics and values within the organisation
- ensuring effective performance management and accountability
- communicating risk and control information
- coordinating the activities of the board, external and internal auditors and management, and communicating what they do
The internal audit charter should make reference to the scope of the work of internal audit and this should include corporate governance activities and processes.