Risk management writing question; I need an explanation and answer to help me learn.
Read the article. Repeat the title, give a quick two to three sentence summary, give three or four main points in bullet form, and let me know what you thought about the article and why.
Requirements: Enough explanation
By the Book
When auditing governance, diplomacy and following established procedures are more effective than confrontation.
Russell A. Jackson
In pursuing governance audits, aggressive tactics akin to those of investigative reporters uncovering a scandal involving the powerful may appear necessary. Reticent C-suite executives may seem, at times, like the reluctant witnesses that intrepid reporters badger into telling their tales, and boards of directors may stonewall, refusing access to meeting minutes or other necessary documents. But internal auditors don’t operate in a gray area where specific tactics may or may not meet with their superiors’ approval.
Rather, auditors conducting governance audits must follow specific procedures. They shouldn’t resort to subterfuge or “back door” access to information, experts advise, nor should they convince a rival of a recalcitrant executive to provide the details the executive won’t. Instead, auditors should follow the guidance provided by professional organizations, such as The IIA’s International Professional Practices Framework — commonly known as the Red Book — and stick to the established processes for getting the information they need.
Governance audits — including assessments of tone at the top, board activities, and corporate charters — are not part of every internal audit department’s engagement calendar, but they are squarely within internal audit’s professional ambit (see “Audit’s Governance Mandate” at right). Not including governance elements in the audit universe and risk-based plan is a common gap found in external quality assessments, says Carmen Rossiter, managing director at Protiviti in Toronto. One lesson from the financial crisis was “there was a gap in governance at many organizations — the effectiveness and involvement of directors in providing oversight to the organization was lacking, especially in times of crisis,” she explains.
Internal auditors are tasked with providing assurance on the state of governance, risk management, and control in the organization, but many have “neglected their responsibility for governance at a time when their insight was most needed,” Rossiter adds. “Internal audit is the last line of defense in the organization, with responsibility for providing assurance on the state of governance, risk management, and control, acting as the eyes and ears of the audit committee and the board.”
CONTRIBUTING TO EXCELLENCE
Rossiter says adding governance and risk management to its audit universe and risk-based plan represents an improvement opportunity for internal audit. “For the typical organization, governance should be more than a one-line item in the audit universe,” she says. Instead, it should be broken out into elements such as:
A corporate policy framework that provides for policies approved by the board to govern all the organization’s major risks and activities.
Board and committee structure with defined charters and mandates for the chairs.
An oversight matrix that defines the board’s responsibilities and tasks and guides the agenda-setting flow of information to board members.
A framework for board approval and oversight of significant transactions, new initiatives, and change management.
Director selection and recruiting criteria and standards.
Director orientation and continuous education program.
A board, committee, and director assessment process.
An ethics program and activities.
A whistleblower hotline and a mechanism to handle complaints.
Internal audit contributes to excellence in governance in two ways, says Norman Marks, author of InternalAuditorOnline’s “Marks on Governance” blog and a former chief audit executive (CAE): by providing assurance that governance policies and practices are appropriate to the needs of the organization and by providing consulting services to assist management in implementing or improving on existing processes. A risk-based audit plan includes audits of governance processes based on the level of risk they represent, just like audits of accounts payable, for example, or inventory. However an audit department chooses to approach governance, it’s critical to be aware that it is “a politically charged area,” he says. “The activities are performed or managed by individuals at the top of the organization, including the board and its key committees. And to assess the effectiveness of governance activities may require access to highly confidential and sensitive information, including board and committee self-assessments, results of internal investigations into violations of the organization’s code of ethics, and board assessments of the chief executive’s performance.”
That’s why internal audit should ensure top management and the board support a governance audit, including a commitment to providing the auditor with access to necessary information, as well as respect for the results of the audit, Marks emphasizes. That could entail working with the organization’s general counsel to provide attorney-client privilege for the work, he says, especially if it’s possible that one or more board committees have not met their responsibilities adequately. Also, internal audit needs to communicate the plan for performing the assignment and ensure that everyone involved understands his or her role. “Individual meetings may be required to ensure availability of key personnel and information,” he points out.
Why bother with such efforts? Because even the best boards and the most experienced and competent directors can fail in executing their duties to the organization. Some common problems a governance audit may turn up include:
Organizational strategies approved by the board and management without reliable, current, and useful information.
Board oversight limited by directors who lack the required business, industry, technical, IT, or other experience.
Board dynamics that don’t include sufficient challenges and skeptical inquiry by independent directors.
Board-approved strategies that are not linked to the individual goals of operating department managers.
Material misstatements missed by external auditors because their team lacks necessary industry experience or understanding of relevant accounting standards.
EVIDENTIAL ROADBLOCKS
Of course, not every internal audit department runs into roadblocks in attempting to access information necessary to complete its work. As part of their risk-based audit plan, auditors at Ottawa’s Canadian Commercial Corp. (CCC) audit various components of the governance process such as the enterprise risk management framework. CCC is a “crown corporation” of the Canadian government that acts as its international contracting and procurement agency. The company’s internal audit director, Kaveh Rikhtegar, explains that because of its small size, its tone at the top and board activities are transparent. “We have no trouble getting access to any information that is held by the corporation, the executives, or the board members,” Rikhtegar says. “Management and the board are very open with the internal audit department, and we have a board-approved charter that allows us to have access to any information corporatewide.”
Other organizations aren’t as fortunate. “We’ve faced executives forbidding access to minutes or confidential information since the dawn of the internal audit profession,” Marks says. Human resources departments are trouble spots in some organizations, for example, because of the sensitivity of the records they house. “I had a chief financial officer once who denied access to minutes just on general principle,” he adds.
George Thomas, senior vice president and corporate audit executive at First Data Corp., a financial services technology company based in Greenwood Village, Colo., hasn’t had to face such situations; his company and its customers are regulated. “Internal audit at First Data is fortunate to have the required visibility,” he points out. “We have access to company minutes, board minutes, finance committee audits, and other committee minutes that might be relevant because we’re in a highly regulated industry.”
But Thomas has heard tales of governance audit tribulations at forums with other audit executives and in informal peer discussions. One executive wanted to maintain visibility in a governance audit and so insisted on having a senior member of his or her staff accompany auditors while they reviewed relevant documents. Another executive didn’t have experience with audits in a regulated environment and viewed such audits as intrusive. In such a case, the executive faced with a governance audit may take a position about information access that is “suboptimal” for both the organization and its shareholders. “If you’re talking about a health-care executive” — who is likely to be familiar with audits — “he or she will say, ‘Go ahead and do it,’” Thomas says. “But if you’re trying to talk to someone from an unregulated technology company who’s moved into a regulated environment, that can become a real challenge.”
He adds: “While in the financial services and health-care industries it’s a rare occurrence, we do hear horror stories from less-regulated industries about executives who direct auditors as to what to do and how to do it in an audit environment. They view internal audit as an extension of management.”
And there are cases where an executive will simply stonewall. When that happens, it’s often smaller, less-critical data that is held back. “It depends on what the executive perceives as a conflict,” Thomas says. “Financial reporting is so well-regulated that it’s usually not the issue.”
What can internal audit do to overcome obstacles to information access? First, make sure it isn’t creating challenges that don’t need to exist. “Internal auditors shouldn’t get involved in some assessment situations that compromise independence,” Thomas says. “Tone at the top, for example, is not something auditors can quantify. An auditor may see evidence of, ‘Do as I say, not as I do.’ In a sense, that’s a tone issue, but it’s not one internal audit can deal with.” Rather, internal audit’s role is to shine a light on anything that seems out of the norm in the context of the organization’s policies. “If the board provides direction to internal audit, it’s not up to internal audit to challenge the board’s direction,” he says.
It’s also critical to build interpersonal relationships in advance as a way to develop information inroads for governance audits. “You need to be in a position to ask people, ‘What do you think of this?’” Thomas advises. “Keep the communication channels alive and well, or people will try to use internal audit as a stick.” For example, sources may point out when someone isn’t following a process so that person will be blamed, rather than to address a systemic issue. But internal audit should not create rifts in management to accomplish its objective. “A back channel is not the way to go,” Thomas stresses. “Instead, use a systematic and neutral escalation of the communication process.” It’s seldom good practice to leverage the element of surprise to catch executives off guard; rather, it’s up to the internal audit executive to balance that risk with the need for information access.
The key is planning, Marks emphasizes. “It’s all in the creation and maintenance of a risk-based audit plan and review of that plan with the audit committee to get its buy-in,” he says. “If you’ve done that, all the rest is easier.” After all, how can the audit committee deny access to minutes after approving the audit plan? “The challenge is more in selling the fact that you’re going to do governance audits,” he adds. “If you don’t have the approval of the audit committee, then you likely won’t have access to the information you need.” One way Marks advises internal audit to win audit committee approval is by partnering with a third party, the governance committee, the general counsel, or the audit committee itself when performing governance audits.
THE CAREFUL PATH
Of course, some executives simply will not give auditors the information they need. In such cases, Marks advises sitting down with them for a straightforward, nonthreatening conversation to listen to their concerns. Too many internal auditors in such situations “fight their way through the wall instead of trying to listen,” he says. “Instead, get them to explain why they have that position. Try to reason with them. You don’t meet confrontation with confrontation. You meet confrontation with reason and understanding so you can cross the hurdle without creating an enemy.” If the executive still won’t be forthcoming, “escalate the process and go over his or her head,” Marks advises. “We’ve got to remember that we’re there for the long haul, not just to complete that audit.”
People don’t just block the way — sometimes they lie. If auditors believe that’s the case, the first step is to talk to the CAE immediately, Marks says. “As CAE, if I believe it, too, I would move it into more of an investigation, and I would take whatever steps are appropriate to make sure the people performing the work are the right people.” If a junior internal auditor is assigned to the case, and the person suspected of lying is a relatively senior executive, the CAE should consider supplementing the auditor with a more seasoned person who is better equipped to take on an investigative role. “If you have a reasonable belief that someone is being deceitful, there’s no point in getting into a shouting match,” Marks adds. “Rather, start talking to other people and look at other evidence. All the red flags should be waving in the wind, and all the internal auditor antennae should be up.” Of course, auditors also should wonder why that executive is lying, he notes. Auditors shouldn’t launch an investigation just because they think someone is lying about a governance activity, but because it could indicate inappropriate behavior in another area as well.
And don’t assume anything without all the facts, he cautions. “Like any investigation in its early stages, you can’t jump to conclusions and start interrogating everybody. The bottom line is this: Don’t do something unethical, which could jeopardize not only the reputation of the internal auditor and the entire internal audit department, but also possibly the results of any further investigative work the department might carry out.” In other words, don’t go rogue in search of the truth. Instead, auditors should hew closer than ever to established processes for getting the information they need.
Russell A. Jackson is a freelance writer based in West Hollywood, Calif.
247 Maitland Ave, Altamonte Springs Florida, 32701
Key Points (3):
Feedback/Thoughts on Article