Given the events and headlines of recent years – think Tyco, Enron, and WorldCom, and more recently, Parmalat, Refco, and Bayou Management – it would be easy to assume that corporate governance is a relatively modern concept. It’s just as easy to assume that the pressures, moral challenges, and ethical issues facing companies today are equally unique to our modern era.
Or are they?
A quick stroll through history reveals another possibility:
- “The success of any great moral enterprise does not depend upon numbers.” - William Lloyd Garrison
- “A long habit of not thinking a thing wrong gives it a superficial appearance of being right.” - Thomas Paine
- “When morality comes up against profit, it is seldom that profit loses.” - Shirley Chisholm
- “Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.” - Plato
If the term “corporate governance” is new, the underlying forces that have made it a modern reality are not.
History in the making
Likewise, it is possible to turn to the past to gain insight into the evolution of internal audit and its processes. Internal audit activity and the establishment of the profession began in the mid-20th century. Initially, it was a very substantive activity that focused on reinspection and rechecking; it also assisted external auditors with clerical tests and tasks. With the publication of Victor Brink’s book “Modern Internal Auditing” in 1942, the era of control-focused auditing was underway. This era saw a shift toward service to management, the start of operational auditing, and a new focus on adherence to controls and policies.
Another major transformation took place in the 1990s, with the advent of risk-based auditing. The COSO Internal Control – Integrated Framework was launched. And risk came to be redefined in broader terms, well beyond the previous limits of financial reporting. Internal audit was now focused on limiting risk through the effective design and operation of controls.
And the next step?
The opportunity at hand
Today, internal audit faces another fork in the road and must decide where the profession will head.

Corporate governance presents a remarkable opportunity. By becoming more involved in this arena, internal auditors will better fulfill the complete definition of internal auditing.
There are, of course, many reasons to refrain from seizing this opportunity. It’s easy for internal auditors to feel like a cork bobbing in the ocean, battered on all sides by forces beyond their control.
Consider the many tasks and challenges internal auditors must contend with:
- developing risk control specialists to assist with Sarbanes-Oxley
- creating processes for continuous monitoring of control issues
- increased contact with external auditors, audit committee members, and the like
- performing explicit fraud risk assessments
- monitoring “whistleblower” hotlines
- increasing the use of self-assessments
- focusing on IA roles in Enterprise Risk Management, or ERM
- consolidating risk assessment endeavors
- addressing the increased complexity of information technology
All are important, even urgent, items. But it’s possible that the need for internal audit involvement in corporate governance is just as critical to our profession and its future.
What’s hot?
Here’s the short list of key issues confronting internal auditors today:
- SOX
- rebalancing beyond SOX
- ERM
- continuous monitoring, automated testing
And here’s the short list of key issues pertaining to corporate governance:
- SOX
- rebalancing beyond SOX
- ERM
- continuous monitoring, automated testing
Notice the similarities? Indeed, internal audit is inextricably linked to the notion of corporate governance.
What do we mean by corporate governance?
Corporate governance is a process. Borrowing the COSO framework’s wording style, consider this self-developed definition of corporate governance: “Public company corporate governance is a process, effected by a company’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to provide reasonable assurance regarding the achievement of entity objectives in the following categories:
- Transparency and reliability of all public reporting
- Compliance with applicable laws and regulations
- Acknowledgement of and action taken on shareholder rights
- Protection and increase in shareholder value
- Proper functioning of the entity, including:
  - Compensation and evaluation of management
  - Positive impact on the community
  - Fair and honest dealing/competition
  - Ongoing successful existence
- Effectiveness and efficiency of operations
- An appropriate control structure and environment”
Corporate America is responding
Even the most cursory review of company annual reports, Web sites, and proxy statements reveals that corporations are already responding to the demand for corporate governance activity.
One way is through the formation or addition of a board-level committee, often referred to as the corporate governance committee. In some cases, it is combined with the nominating committee.
This committee typically has several charges, none of them simple. Among them are the evaluation of management, succession planning, and evaluation of the board. Furthermore, it is responsible for evaluating adherence to the corporate governance guidelines established by the board. This committee is clearly one where internal audit can add substantial value.
Perhaps not surprisingly, stock exchanges are responding as well, which further helps move the meter on corporate governance. The New York Stock Exchange, for example, has incorporated a number of additional listing standards, such as requiring companies to have a majority of independent directors and an internal audit function; adoption and disclosure of corporate governance guidelines and key committee charters; and annual certification by the chief executive officer stating that he or she is not aware of any violation by the company of the NYSE’s corporate governance standards. Here again, internal audit can play a meaningful role in helping to ensure compliance.
Recently, Harvey Pitt, the former SEC chairman, stated, “Boards should consider creating a legal and compliance committee as the preferred vehicle for achieving this objective, and stop putting so much burden on the audit committee. Audit committees have a very tough job to do.”
SOX - another piece of the puzzle
Sarbanes-Oxley also adds to and supports corporate governance, as a quick review of several key sections reveals.
- 301 Accounting and Auditing Complaints Hotline
- 302 Disclosure Procedures and Controls - quarterly CEO/CFO certification
- 404 Internal Control over Financial Reporting certification and attestation
- 409 Rapid Disclosure of material events
- Audit Committee independence and expertise and external auditor relationship
- Establishment of the Public Company Accounting Oversight Board (PCAOB)
SOX, in fact, was almost a point-by-point response to specific offenses and issues: poor disclosure, self-dealing, and deceit; abuse of employee loans and spending; cooking the books at the top; outright fraud and bid-rigging; and much, much more. Linking them all is corporate governance, or rather, extremely poor corporate governance.
Putting all the pieces together with enterprise risk management (ERM)
As discussions of corporate governance have evolved, so has the concept of risk - specifically, ERM. In many cases, it was the lack of holistic, consistent, enterprise-wide risk identification, assessment, prioritization, and monitoring that created a lackluster corporate governance environment and allowed corporate governance failure to occur.
The COSO ERM framework incorporates a handful of strongly linked concepts. Each entity exists to provide value for its stakeholders. At the same time, each entity also faces uncertainty. That leaves management with a tough task: to decide what level of uncertainty is acceptable, recognizing that uncertainty provides potential to add value as well as risk. Eliminating risk completely - if that were even possible - would wipe out opportunities for improving value. Embracing risk foolishly, of course, would do the same.
ERM’s benefits are legion. Management can use ERM to align an enterprise’s appetite for risk with its corporate strategy, linking growth, risk and return. ERM can enhance risk response decisions. It can also minimize operational surprises and losses by identifying potential risk events, analyzing risk, and establishing intelligent responses.
ERM takes a broad view, identifying and managing risks that criss-cross an enterprise. It offers integrated responses to multiple risks, effectively reacting to real-world issues with real solutions. It also enables companies to look ahead to seize opportunities and rationalize capital.
Given these benefits, it’s not unreasonable to ask whether ERM could have played an important role in deflecting the issues and offenses that bubbled up in the pre-SOX era.
How to get started
It’s also reasonable to ask: Where to begin?
The answer may be surprising, given the broad scope of corporate governance. But perhaps the best place to start is with a few simple steps.
Begin with the COSO ERM framework (available at www.coso.org). Study it, and use it to launch discussions within the organization. What are the risk concepts, as outlined in the framework - and which ones have the potential to torpedo the organization? Does the company have a list of key risks? How are they monitored? How are the audit committee and even the full board involved in this process?
It helps to think small, at least initially. ERM doesn’t have to be launched enterprise-wide, its name notwithstanding. Instead, pick one piece of the enterprise and use it to pilot the initiative, as if one small portion represents the whole.
Remember the journey
Bear in mind that ERM represents a starting point. Just as the concept of risk has evolved, so, too, will corporate governance. New challenges will arise, and with them will come new approaches to managing risk. In fact, that’s the very nature of risk - it’s focused on the future, which always involves uncertainty. That means organizations will need to keep adapting their ERM and corporate governance methods as new risks and uncertainties emerge.
Additional reforms are almost a given. Mandatory board rotations, with one-year terms, are one possibility, as is mandating a split of the board chairman and CEO positions. Companies may also face increased pressure to meet additional certification and reporting requirements.
Nor are shareholders standing idly by. Their proposals are an accepted part of the dialogue, and they are demanding improved shareholder-board communications. Moreover, governance ratings are driving shareholder voting.
While change can be paralyzing, it’s important to recognize that ERM is an important first step toward stronger corporate governance in any organization.
The stakes remain high for any organization that doesn’t embrace corporate governance. What can go wrong? For starters, fraud, restatement, loss of reputation and confidence, loss of competitive position, and loss of key personnel.
The time to begin is now. Do so by asking:
- What are your company’s top 10 risks?
- Is your organization a leader or a laggard when it comes to demonstrated corporate governance?
- How is the board made aware and engaged?
- And so, what do you need to change?