Where angels fear ... internal audit and board effectiveness
How should internal audit review board effectiveness?
My firm is a rare beast in that we are one of the UK’s leading board effectiveness review firms, but also look at internal audit functions for those that want something different from the usual suspects’ offering. So we sometimes get asked by internal audit for advice on the 'interesting' question of how internal audit should review board effectiveness.
Yes, that’s 'interesting' in the Chinese curse sense … and at its simplest, the best advice to any head of internal audit is to stay well away from it. There are three exceptions to this general rule.
The first is when the head of internal audit is only a year or two from retirement, with a secure pension, and combines great sensitivity with a thick skin. With these qualifications, you are admirably placed to undertake a rigorous review of the board’s effectiveness.
You need freedom from career anxiety because a good review of your board’s effectiveness might require you to tell directors that they aren’t pulling their weight, or that they need to talk less and listen more, or give more attention to the discussion than to their iPad, or that their mannerisms are really annoying everyone else. Now imagine yourself having that conversation with the CEO, or the CFO, or the Chairman, or the Audit Committee Chairman…
The second pair of qualifications to this first exception is more subtle. You need great sensitivity because a board is, more than anything else, a social system. Structures and processes can help or hinder its effectiveness, but, more than anything else, what will make it work well or badly is its people and their relationships.
Consequently, board effectiveness doesn’t lend itself to anything resembling a conventional audit approach. When so much of the evaluation is qualitative, standard approaches to evidence aren’t much use. You can audit compliance with the corporate governance code but that is at best remotely connected to effectiveness. Effectiveness means achieving good outcomes – but how do you define those for a board? Good decision-making, perhaps. Risk oversight that contributes to the success of the business. Challenge that stimulates management to do better than they would otherwise do… and so on. All very situation-specific and difficult to measure, and what good looks like will vary from day to day and person to person.
So looking at a board’s effectiveness means looking at what it’s doing – and how its people are behaving – in its own circumstances, and thinking about how they might do better. That takes a high degree of sensitivity, and even more sensitivity to frame any suggestions for improvement in a way that will land well. Hence the need for a thick skin, to enable you to take it in your stride when your bright ideas are dismissed on the grounds that you haven’t had the experience of boards to know how they really work.
You should by now have got the point, that looking at boards is tricky and that being a good auditor isn’t necessarily the most appropriate qualification for it. But we said there were three exceptions to the general rule of staying well away from it, and so far we’ve only looked at the first. The others have a bit more mileage in them for internal audit. These are audits of the processes that support board effectiveness – most importantly, the board information – and the special case of subsidiary boards.
Good information is an absolutely vital enabler of board effectiveness. Heads of internal audit have a special role as informal providers of insight into the organisation, quite apart from the formal reporting. A good audit committee will value the private sessions just for this, so don’t be coy about it. Just make sure the audit committee understands when you move from evidence-based to intuition, and knows to respect your confidences.
And make sure the audit plan includes board information. No, not just once every five years. If the board is dependent on it, how can you define it as low risk? Are you really saying that a misinformed board would be low impact? If that were the case, then you’d be better off moving your job and your pension to a company whose board actually helps it to succeed, rather than joining an ineffective lot in going through the motions.
But it’s more likely that internal audit’s – very common – assessment of board information as low risk reflects an assumption that, because of its sensitivity, there will be a high level of management control, so the probability of error is low.
Wrong. If you think that, you’re using the wrong definition of error. Don’t ask 'can this information be reconciled to the source data?' or other such audity questions. Instead, ask 'does this information equip the non-executive directors to contribute well?' Does it help them understand the risks and opportunities, judge the performance of management and provide good challenge? Is it balanced, particularly in its assessment of pros/cons and risks?
And when answering this question, remember who you’re asking it on behalf of. One of the most common failings of board information is that it’s actually management information. (If everyone calls it MI, that’s a clue.) But management information is for management, who live in the business every day and need a high level of detailed knowledge to enable them to make a never-ending stream of large and small decisions.
Non-executive directors, by contrast, dip in and out, typically between four and eight times a year. In the long intervals between board meetings they will be off attending board meetings at other companies, usually several other companies. So they have neither the time nor the mental bandwidth to handle information at the level of detail that is useful for the management of a single company.
Even if NEDs did have the capacity to absorb and understand management information at that level of detail, it’s not what they should be doing. Only the most hopeless CEO benefits from having an array of ex-CEOs second-guessing him or her (and if things were really that bad then there is a better solution than relying on the NEDs to prop up management). NEDs need to operate at a strategic level, ensuring that everything – including quality management – is in place to give the company the best chance of success. So they need information to be distilled and presented in a way that makes it easy for them to see what the really important things are. And they need it to be set in context – the story so far – to remind them of the board’s previous work on the topic and of what management has done since then.
The most common failing we see in board information is not that the data is suspect but that it simply hasn’t been put together with any thought to the particular needs of non-executives. If internal audit can help address this it will make a real and lasting difference to board effectiveness.
And finally – the special case of subsidiary boards. This situation arises most often in financial services firms, and increasingly in other regulated industries too, where the regulator requires locally incorporated businesses to have 'real' boards (as opposed to the rubber-stamping variety found in most unregulated corporate subsidiaries).
Just because they are subsidiaries doesn’t mean they’re straightforward. On the contrary, these reviews can be particularly tricky. There is always a tension between the regulator’s desire for an independent board that is solely responsible for the business and the parent’s desire to control its subsidiary and ensure its strategy and risk-taking conform to group policy and meet the group’s goals. That’s another topic in its own right – for now, the point is that it’s not uncommon for group audit to be asked to look at the effectiveness of subsidiary governance, including the subsidiary boards and committees.
Group audit is probably responsible – often directly, sometimes indirectly – for the quality and extent of audit that local boards rely on, so there’s a bit of a conflict. But that can be managed by having a subsidiary board review done by auditors from another part of the business. And the fact that their reporting lines are independent of the subsidiary means they are protected from the career-limiting risks of criticising the board.
More important, and more difficult, is to ensure that the audit team has the necessary capability. As described above, understanding the effectiveness of a board is more of an art than a science. While there are aspects, such as board information, that lend themselves to audit experience and approach, there are others that don’t. So the old advice of 'Know thyself' applies in spades here. Know your strengths and limitations, and plan to make the most of the former while bringing in outside expertise to make up for the latter. If you get that right, you can add real value.