​​​​Can We and Should We Rely on Third-party Ratings of Governance and Risk Management?​

Comments Views

​A colleague shared this link (subscription users only) with me today. It's an article from the Financial Times (FT) about a study into corporate governance standards: the Resources Global governance index. According to the FT article, corporate governance standards are higher among the 100 largest companies on the UK stock exchange (FTSE) than in other European companies. Individual company performance is rated and publicized.

​My question is whether we can actually rely on this study to assess and compare corporate governance.

Standard & Poor's Rating Services (one of the major credit risk rating agencies) has started to assess corporate risk management programs. 

​Again, my question is whether we can rely on S&P for an accurate assessment of companies' risk management practices.

Whether these studies are of governance or risk management, they are being performed by outsiders. Outsiders assessed the governance practices at Enron as being world-class, and they had similar praise for risk management at a number of now-failed financial services corporations.

Outsiders can only see the veneer of governance or risk management. They can only assess the cut of the clothes being worn, not the strength and integrity of the body within.

This what internal auditors provide: they examine the body within. They can provide the board and management with assurance not only that the structure is sound (which is what outsiders can see) but that the heart (the control environment, the tone at the top), blood (the flow of information), and muscles (the controls and processes) are operating as intended.

In my ideal world, management includes in the financial statements a set of assertions around the adequacy of governance processes, risk management, and the related internal controls. The assertions are not limited to financial reporting, but address all risks of significance to the enterprise. Management relies on the work of the internal audit group to provide assurance that these processes are operating as intended. The board also relies on internal audit for its oversight of these assertions.



Comment on this article

comments powered by Disqus
  • CRMA-Launch-October-2021-Blog-1
  • All-Star-Conference-October-2021-Blog-2
  • IT-General-Controls-October-2021-Blog-3