Sir Adrian Cadbury defines corporate governance as “the system by which companies are directed and controlled”. The proper corporate governance structure specifies the distribution of rights and responsibilities among the different parties in the organization; this includes the board, managers, shareholders and other stakeholders. It will also lay down the rules and procedures for decision-making within the organization.
Putting the right controls in place and making sure they work has always been at the heart of corporate governance. Companies therefore usually have multi-layer systems of controls. The first layer usually lies within each department, where work procedures ensure the presence of controls aiming to minimize the space for errors and misconduct. The CEO gets the assurance that internal controls are sufficient and are working well through the internal audit function. But since the board is ultimately responsible for the governance of the organization, establishing an effective audit committee is the key tool that the board has in order to oversee that the organization is well governed and that the numbers and information coming to the board and going out to other stakeholders are accurate and trustworthy. Share-owners, on the other hand, would like to make sure that their money and interests are well protected, and that various systems within their companies are sufficient and are functioning the way they should be. They therefore appoint the external auditor, who evaluates such systems and gives recommendations or assurances to the owners.
Given that the role of the internal audit function in governance is ever evolving, the Financial Reporting Council, UK, has recently revised its corporate governance code for UK companies, which came into effect on 1 October 2014 and in which it states that “The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting, risk management and internal control principles and for maintaining an appropriate relationship with the company’s auditors.”
As defined by the Institute of Internal Auditors, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”. This clearly indicates that the role of the internal audit function must be set and looked at positively rather than negatively. That positive role must go beyond the traditional concept of controlling and safeguarding corporate assets, regulatory compliance and enforcing corporate policies. The role of internal audit is rather to focus on value creation for an organization, and on evaluating and suggesting improvements to the organization's corporate governance systems. The value creation concept of internal audit will therefore be an integral part of making sure that the company achieves long-term success and that it is creating value for society at large.
An effective Internal Audit function plays a fundamental role in assisting the Board to discharge its governance and control responsibilities. The Board must, however, set the right ‘tone at the top’ and ensure that support is extended to internal audit at all levels within the organization. It should be communicated and understood that internal audit helps the Board and the executive management in protecting the assets, reputation and sustainability of the organization. The internal audit’s role therefore extends beyond financial controls to include audits of non-financial information and the controls surrounding the production of this information as well.
Internal audit plays a crucial role in ensuring the success and sustainability of any organization
Recognizing the important role that the internal audit function plays in the corporate governance system of an organization, the Institute of Internal Auditors has issued Standard No. 2110 on ‘Governance’, which states that “An effective internal audit function provides assurance that there are appropriate corporate governance processes and internal control procedures in place. The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization
Ensuring effective organizational performance management and accountability
Effectively communicating risk and control information to appropriate areas of the organization
Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.”
Various Codes of Corporate Governance have also echoed the fact that the internal audit function is an integral part of the corporate governance system of any organization. The South African King III report of Corporate Governance (King III Code) recommends that internal audit should be strategically positioned in order to achieve its objectives. The code further suggests that the internal audit should report functionally to the chairman of the audit committee. Given that the functional reporting line for the internal audit function is the ultimate source of its independence and authority, the Institute of Internal Auditors also recommends that the chief audit executive report functionally to the audit committee, board of directors, or other appropriate governing authority. Subsidiary, branch and divisional heads of internal audit should also be sufficiently senior as compared to the senior management whose activities they are responsible for auditing. This point of view is becoming more popular among central banks and financial regulators. One of the lessons learnt from the banking sector/financial crisis that started in 2007 was that certain “risk takers” can’t be left to the control of the CEO or senior management; they must report directly to the board or one of its committees. This includes chief risk officers, chief financial officers, and chief auditors. Recent bank collapses clearly indicated that it is far too risky for the CEO or top management to be in control of these functions.
The internal auditor, with the help and guidance of the audit committee, must be able to set the right priorities. It is therefore recommended that internal audit follow a risk-based approach, focusing on the high-risk areas and going down the ladder as far as possible. The audit committee also assists the internal auditor by discussing with him/her the adequacy of the resources and skills available to address the risks identified with the audit committee. It is the role of the board/audit committee to make sure that internal audit has sufficient resources and calibre to do its job right, keeping in mind that the failure of internal audit is a failure of the board itself and may represent a high risk to the organization.
The internal auditor should, at least annually, carry out an assessment of the overall effectiveness of the governance, risk and control frameworks of the organization, together with an analysis of themes and trends emerging from internal audit work and their impact on the organization’s risk profile. A comprehensive report is then presented to the audit committee and the board with the results and recommendations, as well as the challenges that may need board intervention to handle.
The Institute of Internal Auditors has issued Standard No. 2060 on internal audit reporting to senior management and to the board, which specifies that “the chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.”
Due to their important role, it is recommended that the Chief Audit Executive, and other senior managers within Internal Audit, have an open, constructive and co-operative relationship with regulators which supports sharing of information relevant to carrying out their respective responsibilities. In such cases, however, it is important that this be done within the framework of corporate governance of the organization, the one that is approved by the board of directors and endorsed by the owners if necessary.
Since the quality with which the internal audit function is carried out may have serious implications for the company and its stakeholders, internal audit should establish and maintain a quality assurance and improvement program. Where the internal audit function is outsourced to an external provider, Internal Audit’s work should be subject to the same quality assurance work as the in-house functions, and the results of this quality assurance work should be presented to the Audit Committee at least annually for review.
Internal Audit must also maintain an up-to-date set of policies and procedures, and performance and effectiveness measures for the Internal Audit function. Internal Audit should continuously improve these in light of industry developments. Due to its complexity and importance, it is recommended that the role of internal audit be articulated in an Internal Audit Charter that is reviewed annually, possibly by a third party, in order to make sure that it is in line with evolving best practices.
Finally, it is worth noting that internal audit acts as an important line of defense for any company and its failure may lead to the failure of the organization itself. The recent corporate governance scandals under investigation, such as Tesco and Mobily, have one issue in common: misstatement of the financial figures. The internal auditors thus may have a responsibility in educating audit committees on what is important and the questions audit committees are supposed to raise at their meetings. Historically, when internal audit focused on monitoring business operations, processes and internal control functions, it examined whether a control was being performed or procedures were followed and reported either in the affirmative or in the negative. Now, by contrast, internal audit’s focus is not on whether a control is being performed but on whether it is the right control and whether it is being performed correctly and cost-effectively. The internal audit activity, and certainly audit committees, should be more forward-looking than backward-looking.
DR. ASHRAF GAMAL is the Chief Executive Officer of Hawkamah, The Institute for Corporate Governance.