In my last two columns I’ve been delving into the challenge of auditing governance, risk, and compliance in a unified fashion. I still have a final column to write on that subject (auditing GRC from a governance perspective) but I want to interrupt things this month to talk about the skills and knowledge an auditor needs—because auditing GRC is not for the faint of heart.

The task isn’t something that should be delegated to the less seasoned, as it requires considerable knowledge and savvy to recognize governance vulnerabilities as well as fortitude and deftness to influence action when needed. In evaluating organizational governance (I use “organizational” to include non-corporate entities such as non-profits), internal auditors are examining a company’s decision-making and control processes. Governance involves a company’s relationship with a wide range of powerful participants in addition to board directors, such as shareholders, management, external auditors, legal counsel, regulators, standard setters, and others. To audit GRC is to probe the checks and balances that establish responsibilities, require accountability, and enforce consequences. That’s pretty heady stuff.

Fundamentally, internal audit exists to provide assurance to senior management and the board that key processes are working effectively as intended. And of utmost importance should be the organization’s GRC and related internal control systems. In fact, the internal auditors’ primary professional body, the Institute of Internal Auditors, expects its members to “evaluate and improve the effectiveness of risk-management, control, and governance processes.” You don’t get much clearer than that.

But the extent to which internal auditors scrutinize GRC is questionable. Several surveys and studies suggest that internal audit departments remain focused more on performing individual audits rather than providing a level of overall assurance on GRC processes. Why? I believe that a lack of a coherent understanding of governance has resulted in auditors unable to grasp their own role. That has contributed to the profession’s inability to conduct robust reviews of risk-management, control, and governance processes.

Auditors who understand GRC will know that their function is indeed to assess the adequacy of GRC processes and practices. Poor governance means, among other things, that a company’s internal audit or risk-management functions failed to identify a major risk as worth monitoring; or, if they did, that the information did not reach the board; or that the board didn’t understand it; or, if the board did understand it, that management ignored the board or its own risk or internal audit reports. But if internal audit found that the governance and risk-management processes were reasonably effective, and that the failures were due to mistakes in judgment by management, then that would not be an internal audit failure—because internal audit can only assess the governance processes themselves, and there is always a risk that effective processes will fail due to human error.

Start With Governance

I recommend internal auditors study corporate governance principles including classical corporate governance theory. It would be valuable to better understand the role of the board and how directors serve as objective and active monitors of management. Articles from leading governance experts like Charles Elson, Ira Millstein, and Martin Lipton are insightful.

Tensions and differing opinions remain over whether a board’s purpose is more about monitoring or about advising, but regardless, the internal auditor still must understand the liability exposure directors face. Be familiar with the business judgment rule and common governance practices for your company’s size and industry.

Unfortunately the United States does not yet have any uniform governance standards similar to those for financial and internal controls. Still, internal audit can assess whether the company has tailored its governance practices and structures to the company’s unique needs. The “Key Agreed Principles to Strengthen Corporate Governance of U.S. Public Companies” published in October 2008 by the National Association of Corporate Directors reflects an effort to distill and articulate fundamental principles-based aspects of governance that have broad consensus. The Key Agreed Principles capture the current baseline consensus among boards, managements, and shareholders on a range of effective governance practices. Auditors should gain familiarity with the principles and consider them when evaluating their own governance structures and practices. For global companies, a useful comparison of other countries (like the Combined Code in Britain) and of international standards such as the Organization for Economic Cooperation and Development Principles can be found in “Corporate Governance Guidelines and Codes of Best Practice” compiled by the law firm Weil, Gotshal and Manges.

I also recommend familiarity with the factors used by corporate governance rating organizations such as Risk Metrics, The Corporate Library, and Governance Metrics International. Although linking your governance rating to company performance is controversial, it is worthwhile to know the emerging metrics being used to determine governance effectiveness.

Risk Management

Once you understand the broad context of organizational governance, that should help you recognize why risk management is a critical subset of it. Internal audit can determine if risk oversight is on the board’s agenda as a matter of substance and process. Commentators have noted that while risk models can fail due to technical assumptions, the problem usually involves a governance failure of how the risk information was used.

Clearly, auditors should be familiar with the New York Stock Exchange rules that impose risk oversight obligations on the audit committee of an NYSE-listed company. In the highly regulated banking industry, the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corp. routinely publish circulars, manuals, and other guidance prescribing effective risk-management frameworks for banks. Further, various industry groups and specialized risk-management organizations have produced manuals or guidelines outlining best practices for managing risks specific to certain industries.

Compliance and Ethics

Similarly, a good understanding of governance will help the auditor understand the critical role of ethical leadership and the positive effect that formal ethics and compliance programs can have. Internal audit should evaluate whether the board promotes an appropriate tone of compliance, control, and integrity throughout the organization. The corporate culture should emphasize a measured approach to risk taking and a lack of tolerance for excessive business, financial, compliance, and other risks (note the GRC integration here). This tone should be reflected in management incentive programs that discourage excessive risk-taking, as well as in financial reporting and controls designed to provide accurate disclosure and mitigate risk.

It seems to me that a whole body of knowledge from the compliance discipline is consistently ignored in the internal auditing literature. Reams of academic and public research address the key features of a compliance and ethics program as defined by the U.S. Federal Sentencing Guidelines. For example, more organizations are conducting ethical climate surveys and trending their data internally over time as well as benchmarking to external data such as the National Business Ethics Survey periodically performed by the Ethics Resource Center. Academics such as Linda Klebe Trevino and Lynn Sharp Paine have done substantial research that describes the nuances and impact of ethics and compliance program activities. The Conference Board has a research working group studying ethics and compliance criteria in government enforcement decisions—that is, what ethics and compliance program elements are viewed favorably by enforcement agencies? Studies have shown that the perception of ethical leadership, including whether direct managers have the trust and respect of their employees, is a significant factor, so that should (and can) be measured as well. Studies also strongly indicate that employee concern about retaliation is, by far, the single leading indicator of potential misconduct.

Internal auditors can and should be providing the formal assurance on their organization’s governance, risk management, and related internal control processes. And they can do so more effectively when they stretch their sphere of knowledge beyond the internal audit profession. More and more, GRC internal auditors will need to understand human behavior to know when something is amiss and to be able to exert influence to confront difficult situations. Finally, in Part III of my series (coming in October), I will explain how governance (the “G” in GRC) provides the overarching foundation that brings these disciplines together in a coherent way.