Following on the heels of the collapse of the FTSE100 multinational facilities management and construction company Carillion plc, the IIA has published a draft Internal Audit Code of Practice. Neville de Spretter, FCCA, CPFA, chair of ACCA UK’s Internal Audit Network Panel, comments.
The draft Code contains commendable objectives. It seeks to “strengthen corporate governance and help reduce the risk of major corporate collapses by boosting the status, standards, scope and skills of internal audit”. IIA’s focus on a principles-based approach, covering what for many Chief Audit Executives (CAEs) are major challenges, should be encouraging.
The Internal Audit Code of Practice Steering Committee Chair, Brendan Nelson, explains it like so: “One of the best ways to help organisations better protect their assets and manage risk is to boost the status, standards, scope and skills of internal audit. The draft…Code…contains 30 recommendations to strengthen corporate governance, key among them being unrestricted access for internal audit, full access for internal audit to senior meetings and full access for internal audit to key management information. The draft Code offers invaluable guidance about raising internal audit performance to help businesses and other organisations protect their assets, reputation and sustainability.”
But, will it meet those objectives? From the standpoint of someone who’s been both a CAE and an executive, it appears that the real heart of the matter is being missed once again – it’s not about more or different guidance or regulation, it’s fundamentally about people, and that’s because it’s bad behaviour that results in poor corporate practice and collapse, and if there’s one thing I’ve seen repeated it’s that “money usurps morality”. Looking back over decades of corporate failures, there’s nearly always been the reaction of adding more regulation and more guidance. Regulation and guidance are conjectural, but with the authors’ confidence that they’re also logical. But people are not logical, and therein lies the real problem. Furthermore, while audit has improved since the financial crisis, it remains retrospective, dependent on people behaving properly, subjective, and un-systemic. It examines what has happened, and the past is an unreliable guide to the future. It can’t provide assurance.
Regarding people’s behaviour, the draft Code looks to tackle the challenge of independence. Section 17 outlines that “The primary reporting line for the chief internal auditor should be to the chair of the audit committee” and “The reporting line must avoid any impairment to internal audit’s independence and objectivity”. But question 5 (Should the secondary executive reporting line be to the CEO, or should we adopt a more flexible approach in the new Code?) appears to dilute the critical issue adding that, “However, whilst a secondary reporting line to the CEO is now common practice in the financial services sector, for other organisations it is often the case that they will have a secondary reporting line to another member of the executive management team such as the CFO.”
Several commentators and thought leaders in the internal audit arena have voiced concerns in recent years about CAE independence. Among them, Norman Marks, commenting in his 2012 article in the IIA, Time to Face Facts About CAE Independence, calls into question the mythology around independence in general, and how, in particular, there’s “the dismal record of CAEs being pushed out the door after reporting significant issues.”
Another commentator, president and CEO of The IIA Richard Chambers, in his 2015 article, Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit, explains “creating a new internal audit department…that reports to an independent director outside the company” and with “the appropriate…independence to carry out its work”, “will be the better for it and possibly serve as that shining example that other…corporations should emulate. In the meantime, there are lessons in the Toshiba scandal for all of us who seek to modernize internal audit functions.”
Tim Leech, another vocal critic of regulation and guidance, wrote in 2011, “A sample of macro-level risks at the root of some of the most significant accounting mis-statements in history…include:
CEO and CFO have significant financial incentives to falsify or inappropriately manage financial results.
Senior management has major financial incentives to direct backdating of stock options.
Senior management directs fraudulent post-close journal entries to manage profits and hit earning targets disclosed to the market.
Management overrides controls to hit bonus targets or prevent loss of positions.
Audit committees have financial incentives not to ask management tough questions ...”
ACCA has also examined the matter. A survey of members before the 2017 annual Internal Audit conference, examined the pressure on the CAE and reported in its Internal Audit e-bulletin that “serious issues” were raised: the survey highlighted that there was pessimism, including concerns over audit committees' understanding of internal audit’s role; and, a small but significant number of occasions where ethical pressures impacted on internal auditors. A small but significant number quit jobs or witnessed unethical behaviour due to pressures placed upon them and colleagues. Careers have been negatively impacted - long-serving internal auditors were unsure about whether they would remain in role; five long-servers wanted to change career; and two respondents raised doubts about their future.
It’s also hugely telling when the Chief Executive of ICAEW observed about both external and internal audit that “The latest joint hearing into Carillion by the Work and Pensions and the Business Select Committees produced some damning verdicts on the limitations of audit and the role it plays in corporate governance. Frank Field MP called the auditors ‘mere spectators’ to the company’s collapse; if anything, Rachel Reeves MP was even more scathing, commenting that ‘audits appear to be a colossal waste of time and money, fit only to provide false assurance’.”
Of course, a self-regulating body can publish a Code of Practice for its members to follow. Members generally undertake to comply with the code as a condition of membership. But, organisational codes of practice don’t have legal authority. And, critically, audit can’t be effective because internal (and external) auditors are paid by the organisations they’re auditing and risk losing their jobs if they’re completely honest about the state of the organisation.
Are there any answers? In short, Internal Audit will be useful and meaningful in corporate governance when it is a mandated requirement, reporting to shareholders and investors. In particular, internal auditors should be more activist and have a beneficial whistleblowing role, liberated from company management, to provide a framework that facilitates company managers to demonstrate that they’re doing the right things.
As both a GRC professional and an investor (aren’t we all through our pensions, ISAs etc?) I want Internal Audit that is agile, transparent, integrated and predictive – I want to see that the organisation has a specific and measurable picture of its future outcomes, and the activities and resources required to deliver them, its causes of success are identified, the risks against achieving the outcomes are clearly shown, and internal audit is using a platform to assure the quality of the model and that the outcomes are being delivered. This needs to be continual, not point-in-time, covering all connectivity and inter-dependencies, not the small percentage of business activity covered in an annual audit plan, and be direct, not encumbered through a chain of command and reporting.
Unless this is mandated by the regulators the concerns will remain. It’s the people thing, not the logic.
Neville de Spretter, FCCA, CPFA, chair of ACCA UK’s Internal Audit Network Panel
If you enjoyed this article but were unable to rate it, please subscribe to receive the next ebulletin directly and then you’ll be able to rate articles.