CGF Articles & Editorials
INTERNAL AUDIT REQUIRES GREATER REPRESENTATION ON THE BOARD (2019-08-05)
By Terrance M. Booysen and peer reviewed by Jene’ Palmer CA(SA) (CGF Lead Independent Consultant)
A plethora of corporate governance codes has been written across the world, and in spite of their recommendations which inter alia seek to protect stakeholder interests and shareholder value, many governance failures and organisational collapses continue seemingly unabated.
To use the Eskom debacle in South Africa as a recent example: notwithstanding their public claims of being compliant with numerous pieces of legislation -- including the provisions of the King Code for Corporate Governance for South Africa, 2016 (‘King IV™’) -- it is alarming that this organisation ostensibly stands at the polar opposite of good governance. Despite scooping a number of awards for their annual integrated reporting in 2015, the on-going revelations of poor governance at the organisation appear to indicate that the information disclosed in their annual report was either misleading, inaccurate or incomplete. It has become clear that the integrity of the organisation’s external reporting cannot be relied on by stakeholders. In the absence of accountability, this situation is unlikely to improve.
Poor management controls and incomplete information
It is disturbing to note that many directors (in both the public and private sector) complain that they are not adequately inducted into the affairs of the company, nor are they being provided with sufficient, timely, relevant and/or reliable information to make proper and informed decisions on behalf of the organisation. This implies that the board may in fact simply be relying and acting upon the boardroom discussions being led by the executive directors, supported by the board pack information. Expectedly, with differing or competing agendas, conducting the business of the organisation in this fashion will inevitably lead to disaster.
This dire situation is compounded if there is an overly dominant and controlling Chief Executive Officer (‘CEO’) who only offers certain or guarded information to the board in order to protect themselves from the likely consequences of their actions and poor leadership. Added to this reckless behavior, the CEO in these cases is likely to also have instructed key employees on the extent to which they may divulge and/or share sensitive information as a mechanism to safeguard the CEO’s own misdemeanours.
Expectedly, in the event that these employees were to be invited to the board meeting, the threat of over-sharing sensitive operational information will have been limited by the CEO’s veiled threats, however these may have been cast.
The overall result of this sort of behavior is that the board will have only limited, or worse, incorrect information. Ultimately, through this sort of modus operandi, any decisions taken by the board on behalf of the organisation will be fatally flawed.
One must not blindly assume that all directors fundamentally know what information must be called for to make proper risk judgements and informed decisions, and what aspects of such information may be relevant or not. Indeed, many non-executive directors may not actually know what they don’t know, and therefore they will not necessarily call for more information if it was missing in the first place. Clearly, this situation is exacerbated where the non-executive director occupies multiple board positions across different organisations.
Proper oversight is key to good governance
One of the primary reasons for introducing a Chief Audit Executive (‘CAE’) to the organisation’s key leadership structures was to ensure a better way of balancing the power and command at board level, including a more objective manner of reporting various risks to the board. The CAE has an administrative reporting line to the CEO, but reports functionally to the Audit Committee. The CAE together with their internal and external audit providers acts as “the eyes and ears” of the board. In order to do justice to their function, it is imperative that they have a complete and independent overview of the entire organisation such that they are able to provide assurance over the organisation’s risk management, governance and internal control processes. To achieve this objective it is therefore critical to ensure that the scope of the organisation’s audit arrangements is not limited to merely ‘tick-boxing’ certain mundane items that have been ring-fenced by the CEO or which continue to appear on the audit plan year after year. Comprehensive governance, risk and compliance assessments should be performed annually and should be used to inform the internal and external audit plans.
Understanding the GRC issues is key to risk mitigation
With the introduction of the Corporate Governance Framework®, organisations and their boards -- including key stakeholders -- are assured that the governance, risk and compliance (‘GRC’) position of all the areas of the business is being subjected to regular assessments. The credibility of these assessments is strengthened when the evidence underpinning the framework is corroborated by internal audit or independent assurance providers. The framework contributes to the organisation’s combined assurance principles and allows the board to draw comfort by knowing that there is agreement on which areas of the business are being well governed and which need to be prioritized for further intervention and oversight. The levels of combined assurance must be reported upon within the organisation’s annual reporting. In other words, stakeholders need to know that there are sufficient, effective and efficient controls that defend the organisation against numerous known risks, and these assurances must be provided by, inter alia, the executive and non-executive directors, the board and management, the internal and external auditors, as well as the organisation and its regulators. Anything short of a combined assurance approach is no longer acceptable, and professional bodies such as IRBA (the Independent Regulatory Board for Auditors) and IIA SA (the Institute of Internal Auditors South Africa) play a critical role in ensuring that their members adhere to and report on the implementation of combined assurance principles within their clients.
With a Corporate Governance Framework® in place, all the vested parties will have access to the necessary and relevant GRC information, and the board in particular, will have the benefit of knowing that the auditors have fulfilled a broader and greater value-added purpose which will go a long way to providing greater levels of assurance to the organisation’s stakeholders.