Organizational governance is a broad concept that ensures superior strategy formulation, development, and execution in ways that balance performance, conformance, and accountability. It includes systems, controls, and associated processes that promote ethics and values, performance and accountability, and risk communication and coordination among the board, external and internal auditors, and management in meeting and exceeding stakeholder expectations. Internal audit’s role in organizational governance has always been recognized and valued, but it has become increasingly important in the wake of governance failures in financial and public sectors throughout the world. As a result, more and more boards as well as executive management are turning to internal audit for assurance on governance effectiveness, culture, and strategy implementation.
The IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Survey assesses the current role of internal audit in the governance process and how it can better position itself to contribute to effective organizational governance. Through their work, internal auditors can help achieve a balance between value creation (i.e., profitability and growth) and value preservation (i.e., sustainable, long-term performance). Governance reviews give internal audit the opportunity to help prevent governance failures and improve strategic performance. However, to take advantage of these opportunities, internal audit must continue to embrace these assurance and advisory roles related to governance and adapt and evolve globally.
The survey’s key findings include:
- Four out of 10 internal audit functions say a governance code is in place at their organization.
- About 27 percent say internal audit conducts extensive reviews of organizational governance.
- More than six out of 10 say their organization has a long-term strategic plan in place.
- Only 16 percent say internal audit conducts reviews of their organization’s strategy.
The fact that less than one in five internal audit functions conduct extensive reviews of their organization’s strategy is problematic, because it is impossible to provide assurance without fully understanding the organization’s strategy. Specifically, in such a scenario, it becomes difficult to identify when executive management is pursuing riskier strategies at the expense of stockholders, or inappropriately placing a premium on short-term risk taking rather than long-term, sustainable value creation.
Corporate governance failures can be viewed through the prism of “information integrity,” as executives and boards use information to make decisions. Information integrity failures can be traced back to information errors, ethical lapses, integrity failures, or a combination of these factors. Accordingly, governance audits and reviews primarily focus on validating the information used for strategic decision-making, or provide the context in which relevant information can be meaningfully interpreted.
The Governance Audit Approach
Assurance activities are intended to protect against governance failures, while advisory activities permit superior execution of strategy for growth, performance, and overall success. Both activities rely on a deep understanding of how organizational culture can be a driver and enabler of effective governance and superior performance.
Owing to political and cultural barriers within organizations, it may be difficult to have an audit plan approved with a separate comprehensive audit of governance. The chief audit executive (CAE) may be more successful using a strategy that incorporates governance reviews and recommendations as part of routine audits.
Using this approach, internal auditors address governance as a part of assurance or advisory services, rather than launching an enterprisewide governance audit or a comprehensive governance review. Conducting smaller, more digestible governance reviews during routine audits can serve to change attitudes from within the business organization and help lay the foundation for a subsequent comprehensive governance audit when the time is right.
Internal auditors in highly regulated organizations often find it easier to incorporate governance reviews into their audit universe, especially if the regulatory agencies express specific expectations for governance activities to be performed and monitored.
Governance audits must be based on two pillars:
- Auditing governance structures and processes by providing assurance about information used for strategic decision-making (mostly based on hard controls where an analytical approach can be helpful).
- Auditing organizational culture where qualitative factors may need to be assessed and interpreted contextually to assess risk (mostly based on soft controls where intuition, common sense, and understanding of human behavior are indispensable).
Governance Structures and Processes
Ensuring that an organization has a sound governance structure with effective and ethical policies and practices — along with decision-relevant information that is accurate, reliable, and timely — is critical to the organization’s success. These combined factors, including a credible attitude of transparency and accountability, impact the company’s reputation, stakeholder satisfaction, and overall growth and profitability. A wide swath of stakeholders, including the board of directors and executive management, seeks assurance about the information they use for strategic decision-making. They also need assurance that the organization’s governance structures and processes, founded upon a well-established system of internal controls, operate effectively to achieve objectives, increase company profit, and ensure sustainability.
Organizational Culture
Organizational culture and tone at the top play a significant role in how involved the internal audit function is in reviewing and adding value to organizational governance. Culture embeds many intangibles, including soft controls. As referenced in the CBOK report, Promoting and Supporting Effective Organizational Governance, some of the soft controls that can be audited to help improve organizational governance include:
- Management and board competence, philosophy, and style.
- Mutual trust and openness.
- Strong leadership and a powerful vision.
- High performance and quality expectations.
- Shared values/understanding.
- High ethical standards.
These are areas in which most internal auditors lack audit experience and for which there are less formal training and tools, making such culture audits much more challenging.
Periodic culture and ethics audits are one way to assess the ethical climate and control environment. Audits of incentives and compensation, as well as their alignment with the strategic plan and capital structure among key stakeholders, may also be helpful. For example, if the company is financed primarily through debt, the strategic plan should be more conservative and the executives’ compensation should be more salary or bonus and less stock. Otherwise, there is an inherent conflict between what is desired and what is incentivized.
Clearly, the audit of soft controls embedded within organizational cultures consists of many intangibles that do not lend themselves to quantitative measurement and analysis. Accordingly, to be successful, internal auditors must possess soft skills, such as relationship-building acumen, political and cultural savvy, interpersonal communication abilities, diplomacy and tact, and an ability to read people and situations quickly and correctly.
Assurance and Advisor Roles
Internal audit can undertake specific activities as part of their assurance and advisory work in supporting organizational governance (see “Internal Audit Activities for Organizational Governance Assurance and Consulting” below). Many organizations enlist the assistance of internal audit to provide fraud risk awareness training, or help divisional units carry out control self-assessments by systematically conducting risk and control mapping in their specific context.
Assurance Services
When providing assurance with respect to organizational governance, internal audit assesses the processes used to obtain relevant, reliable, and timely information for strategic decision-making. By providing assurance regarding the accuracy, consistency, and reliability of information, internal audit can help mitigate information for decision-making risk. Internal audit’s work in assuring the quality of information used for decision-making allows the board and executive management to use information with confidence.
Advisory Services
Internal audit provides consulting and advisory services to improve governance without assuming management responsibility. The types of consulting and advisory services that internal audit can offer include advising the board and executive management on decision-making processes, providing information on best practices, and offering interpretation/insight. Advisory services also encompass internal audit facilitating board and executive management awareness and education, instilling best practices in governance, and providing briefings on trending topics.
All over the world, internal audit seems to take action more on risk indicators from perceived or actual weaknesses in internal controls over financial reporting, rather than those pertaining to strategic performance and operational risk factors, as indicated by the CBOK survey. This happens even though internal audit acknowledges the importance of strategic risk and believes that management and the board place a high priority on strategic risk. In other words, internal audit may not be meeting stakeholder expectations when it comes to strategy audits (i.e., how well is the planned and approved strategy being executed?).
A huge gap exists in terms of internal audit undertaking comprehensive strategic reviews, even where a long-term strategic plan is in place. According to the CBOK survey, while approximately 50 percent or more of respondents’ organizations around the world have a long-term strategic plan in place, internal audit only conducts strategic reviews 11 percent (South Asia) to 28 percent (Sub-Saharan Africa) of the time. Just as they do for general governance reviews, Sub-Saharan Africa and Middle East/North Africa have the highest levels of activity for reviews of strategy linked to performance.
Most surprising is that in North America, an average of 71 percent of respondents report having a long-term strategic plan in place, but only 8 percent of internal auditors report that they actually review the organization’s strategic plan. The reasons for this gap between “strategic plan existence” and “extensive strategic reviews” could be that internal auditors perform such reviews as part of other routine audits and make governance recommendations along the way rather than comprehensively, that internal audit functions are immature or inexperienced and are not adequately supported or confident to carry out such strategic reviews, or that strategic risks are given a low priority because they are not perceived to be a matter for concern. It could also be that management does not support internal audit being in this space, that internal audit lacks the support of the audit committee, or that it doesn’t have sufficient resources.
In the future, more reliance will be placed on strategic and operational risk and performance data (forward looking) and on internal audit functions for more effective monitoring and governance oversight. Operational data provide a closer look at what is really happening with the business, but they also provide early warning signs of emerging risks that, if heeded, can prompt a critical and timely assessment of the business model and potentially preempt or avert business and governance failures. With internal audit’s help, organizations can adapt to changing conditions in the marketplace, such as shifting consumer tastes and preferences, and make needed course corrections to strategy, which can ensure continued growth and success.