In February, the Organisation for Economic Co-operation and Development (OECD) released a very interesting document, "Corporate Governance Lessons From the Financial Crisis." It can be found at http://www.oecd.org/dataoecd/32/1/42229620.pdf (PDF).
The report concludes that:
"The financial crisis can be to an important extent attributed to failures and weaknesses in corporate governance arrangements. When they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies. A number of weaknesses have been apparent. The risk management systems have failed in many cases due to corporate governance procedures rather than the inadequacy of computer models alone: Information about exposures in a number of cases did not reach the board and even senior levels of management, while risk management was often activity rather than enterprise-based. These are board responsibilities. In other cases, boards had approved strategy but then did not establish suitable metrics to monitor its implementation. Company disclosures about foreseeable risk factors and about the systems in place for monitoring and managing risk have also left a lot to be desired even though this is a key element of the [Basel] Principles. Accounting standards and regulatory requirements have also proved insufficient in some areas leading the relevant standard setters to undertake a review. Last but not least, remuneration systems have in a number of cases not been closely related to the strategy and risk appetite of the company and its longer term interests." (emphasis added)
I believe that now, more than ever before, it is critical for internal audit leaders to:
- Remember that the IIA definition of internal auditing and the International Standards for the Professional Practice of Internal Auditing require that we assess governance and risk management processes, not just perform audits of controls in specific higher-risk areas.
- Talk to our boards and top executives about the importance of providing governance, risk management, and control assurance.
- Be prepared to "tell it like it is" when these processes, no matter the level, are deficient.
This new publication is an excellent document to use in this effort.