​An Eminent Governance Authority Speaks Out on the Role of Internal Audit​

Comments Views

​Those of us who attended the IIA International Conference in Kuala Lumpur were treated to an energizing — and very challenging — opening keynote from Lord Smith of Kelvin. Who is he and why did he merit the opening keynote? Why should we listen to what he has to say?

  • He led the team that developed the Smith Rep​ort on corporate govern​ance, focusing on audit committees, which has now been included in the UK Combined Code.
  • He is a past president of the Institute of Chartered Accountants of Scotland.
  • He has held various positions as CEO and board member.​
  • He is an Honorary Fellow of the Chartered Institute of Internal Auditors (U.K.).

The main point that Lord Smith made was that the greatest risk to any organization is the behavior of the executives. He believes internal audit should be alert to this risk; monitor it; and be ready, willing, and able to let the audit committee know as soon as it becomes of concern.

With the help of the wonderful people at IIA–Malaysia, I was able to obtain a copy of Lord Smith's speech. Key sections (with my highlights): 

  • Corporate failure is not caused by frau​d or inadequate controls. They may contribute the killer blow or make a bad situation worse, but they do not put companies out of business.​​​​
    ​​
  • The real cause of major corporate scandals and failures — Enron, Worldcom, Swissair — is a series of unwelcome behaviours in the leadership culture — greed, hubris, bullying and obfuscation leading to fantasy growth plans and decisions taken for all the wrong reasons.​
  • As the saying goes, the fish rots from the head down. That's why it is crucial for the role of internal audit to have corporate culture at the heart of its considerations and processes.
  • Audit committee members, as well as checking that the annual report and accounts are fit for publication and the external auditor is doing their job properly, must understand the culture of the business that they are involved with.
  • Supporting this understanding, to my mind, is the most crucial role of an effective internal audit function.
  • Internal auditors need the ability to put their organisation on the couch. You have to understand what motivates the place, as well as the processes that keep the wheels on the tracks. You can't just be a workhorse to process and reporting.
  • You must understand the strategy of the business and how your leadership is going about getting you there … a close reading of the culture of the organisation — does it "smell" right, are people working under too much pressure, is the CEO hiding something?
  • Internal audit requires real bravery. In turn, this should mean strong support from the audit committee.
  • Have to understand internal politics, how the tone at the top develops. They must possess the ability to grasp why certain things, which may not always appear logical, are happening. They must manage skillfully how they bring this to the attention of the stakeholders who need to know.
  • The role to play as a "canary in the mineshaft" for corporate culture appears to me to be the area in which internal audit can increasingly develop and, from a non-executive standpoint, is arguably of the greatest value.
  • The IA role is ultimately there to safeguard the sustainability of the business.
  • If internal audit is seen as a good conscience and not a pushover, if it is seen as an effective check on management as well as contributing to strong controls and processes, the entire business will have a better culture.
  • A truly effective set of executives should be grown-up enough to encourage and accept challenge from internal audit and not present barriers to the function's strong relationship with the audit committee chair.
  • Auditors should keep up with a dynamic strategy and be alive to the changes in the risk profile that this may present.
  • My view is that internal audit has come an awful long way from the beginning of the new millennium. It is very much part of the fabric of any substantial organisation and the quality of the people in the function rises with every passing year. Management attitudes to internal audit are changing and audit committees' communication and relationships with internal audit teams continue to mature.
  • There is still some work to do by auditors in getting under the skin of a business to truly understand the leadership behaviours, cultural issues, and incentives that drive operations and strategy. When it comes down to it, it's my personal view that these are the things that really matter.
  • Internal audit should deliberately seek out the unmanaged risks; it should ask the 'what if' questions and it should be able to describe the economic reality of the products and services of the business it is a part of. This is where the big post-crisis opportunity lies for the future of internal audit.
  • The audit committee must be a champion, ensuring that the appropriate standard of person and intellect exists. Management must include internal audit in strategy discussions and product development to enable a "big picture" understanding of where the business wishes to head and the means by which it intends to get there. Auditors must understand the risk appetite, the overall quality of corporate governance, the financial leverage in the business and have a nose for overstretch.
  • If the financial crisis does not provide a platform for the profession of internal audit to broaden its focus, I don't know what will.
  • You need to understand what you're auditing. To achieve that, you need to have quality people with access to the right information, involvement in the right discussions and the licence to operate in a way that supports objectivity.
  • Risk management should never be about being defensive — it's about how you continuously improve the understanding of your strategic and operating environment to enable you to invest in the future.
  • Internal audit, when it's done properly, valued properly, and truly risk based — should be all about looking forward.
  • Audit assurance should focus on what matters to boards and audit committees.
  • Internal auditors need also to develop their status to become trusted advisers. To fully exploit the unique position in the organisation, put that objectivity to even better use by communicating more regularly with the audit committee chair on the culture as well as the controls. Explain how a change in operational approach fits in with strategy. Give your own views, based on your internal reporting, on how management is progressing with key issues.
  • The internal audit team must communicate without fear, no matter how unpalatable the information being passed on.
  • Above all, have candid discussions on key risks and, consider yourself the eyes and ears of the committee on any issues within the company, on a daily basis. That is the beauty of internal audit — it should be, in essence, a completely objective scrutineer of how and why the business is progressing. If that means telling me the CEO has bought a brand new Ferrari, I'll only think you're doing your job properly!
  • Undoubtedly, internal audit is a key pillar in effective corporate governance and risk management. My personal view is that it may be the most important. It occupies a unique position in any business.
  • There is sufficient flexibility in the function to cover much broader risk areas than any external audit could. The eyes and ears of the internal audit team are inside the business throughout the year, providing a closer and clearer view than any other risk management and assurance process into developments in the business.
  • How can it move to the next level? More attention on behaviours and culture — not necessarily at the expense of process, but I think we all understand that ticking boxes in the run-up to 2008 didn't help the banks. What I feel is needed is an incremental move towards gaining a clear understanding of the underlying motivations that drive projects and transactions, an objective view on why leaderships make the decisions that they do.

What is your opinion of this?

  1. Do you agree that the greatest risk in inappropriate executive behavior?

  2. More to the point, should it be internal audit's role to monitor this and report on it to the audit committee?

  3. Do we have the courage to do this?

 

 

Comment on this article

comments powered by Disqus
  • SCCE_Sept IAO_Blog 1
  • IIA AEC Center_Sept IAO_Blog 2
  • IIA CAE-Audit-Intelligence_August2018_Blog 3