Internal Audit’s Seat At The Governance Table

In June 1999, the Institute of Internal Auditors approved a new definition for internal auditing. Internal auditing was described as “an independent, objective assurance and consulting activity,” which isn’t exactly news.

Instead, the telling phrase came at the end of the revised IIA definition—which said internal auditing should be brought to bear on a company’s risk management, internal control, and governance processes.

For many years, the IIA has advocated that internal audit should be one of the cornerstones of good governance. The IIA has recently issued a global position statement regarding organizational governance that discusses the many roles that internal auditing can play in an organization’s governance effort; a few are discussed in this month’s column.

You Can Audit Governance?

Governance activities exist to help a company meet its objectives in being well run and accountable to its stakeholders. Just like in any other activity, management and the board will want to articulate their objectives in each area and put programs in place to achieve those objectives.

An often-used definition of organizational governance comes from the Paris-based forum of democratic markets, the Organization for Economic Co-operation and Development (OECD): “Corporate governance involves a set of relationships between a company’s management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”

Components of governance that internal audit can provide assurance or consulting services include:

Board structure, objectives, and dynamics

Board committee functions

The board policy manual

Processes for maintaining awareness of governance requirements

Board education and training

Proper assignment of accountabilities and performance management

Completeness of ethics policies and codes of conduct

Communication and acceptance of ethics policies and codes of conduct

Management evaluation and compensation

Recruitment processes for senior management and board members

Employee training

Governance self-assessments

Comparison with governance codes or best practices

External communications

What Internal Audit Brings To The Table

Typically, internal auditors operate in two capacities regarding governance. First, auditors provide independent, objective assessments on the appropriateness of the company’s governance structure and the operating effectiveness of specific governance activities. Second, they act as catalysts for change, advising or advocating improvements to enhance the organization’s governance structure and practices. By providing assurance on the risk management, control, and governance processes within an organization, internal auditing is one of the cornerstones of effective organizational governance.

In auditing the risk management processes used by the organization, internal audit might recommend that a more formal enterprise-wide, risk-management program be considered by the board and management. In consulting with the CEO or CFO, internal audit could recommend that the terms of reference for key organizational oversight committees (management’s and the board’s) be updated—and most likely expanded—to tackle the many emerging governance requirements facing most organizations today.

How To Earn That Seat At The Table

Auditing the financial transactions that have been processed within accounting is straightforward: Review for proper authorization, assess supporting evidence for appropriateness of transactions, test for accuracy and completeness of financial reporting, and then communicate your findings to management. By comparison, auditing governance can be complex and somewhat subjective. For example, try evaluating whether a proper “tone at the top” exists in the organization, or that the board and management reinforce the code of conduct properly—and follow it themselves!

Defining the scope of governance processes is a first step. What are we looking at, and who is responsible for what? Obtaining a consensus on what the performance measures are can be another challenging planning activity. Remember, in auditing governance you want to ensure the areas selected for review are ones that have the largest potential for improvement, or are in highest need of confirmation that they are operating effectively.

Obtaining the support of your audit committee chairman and your CEO is absolutely critical. Having the skills and experience required to perform the audit task is also a must.

What role internal audit plays in governance is highly influenced by the maturity level of the organization’s governance processes and structure and the role and qualification of internal auditors. When there is much to do in formalizing and strengthening governance efforts, internal audit will likely focus more on providing advice regarding best structure and good practices to consider. Where governance is very structured and operating relatively effectively, the audit would likely focus on identifying further improvement opportunities and assessing the performance of key controls and practices.

Benchmarking the company’s governance practices to similar organizations could be very beneficial. Assessing compliance with published and respected governance codes could offer another quick win for internal audit and the organization.

Bringing Transparency To Governance

Ask for a report card from internal audit; identifying improvement opportunities is the first step in continuous improvement. Consider inviting your chief audit executive to provide an opinion on the organization’s governance practices; it certainly will provide a learning opportunity for all the stakeholders involved in your organization, and obtaining an independent and objective assessment of this key activity (governing the organization) might just be what’s needed to take your governance practices to the next level of transparency.