An uncertain economic environment punctuated by financial scandals has pushed the concept of corporate governance to the forefront. Internal audit, with a clear mandate from The Institute of Internal Auditors (IIA), has a role to play; and internal audit departments are taking a fresh look at governance as they make it an integral part of their internal audit universe and risk-based plans.
As defined by The IIA, governance is the combination of processes and structures implemented by the board of directors in order to inform, direct, manage and monitor the activities of the organisation toward achieving its objectives. The Definition of Internal Auditing tells us that internal audit “helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Furthermore, IIA Standard 2100 (Nature of Work) also makes it clear that “the internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach.” Internal audit has an obligation to look at governance – it is not optional.
To succeed, an organisation’s governance process needs to rest on four interrelated pillars represented by the board of directors, management, internal audit and external auditors. Each pillar must be effective and, most importantly, all pillars need to work well together to support the achievement of organisational strategy and objectives – with ethics and integrity. For a classic example of how things can go wrong when this model is out of kilter, look no further than the meltdown that occurred at Enron, where none of the pillars was particularly effective and where the external auditors and internal auditors were the same firm. In this example, the table supporting the company had only three somewhat shaky legs – hence, it is no surprise that governance was compromised. All the pieces need to be effective for governance to work.
Governance is the domain of internal audit. Standard 2110 tells us:
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organisation;
- Ensuring effective organisational performance management and accountability;
- Communicating risk and control information to appropriate areas of the organisation; and
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management (i.e. the four pillars of the organisation’s governance framework).
Findings from quality assurance reviews show that internal auditors typically earn a passing grade when it comes to including control elements in the audit universe and in their risk-based plan. The problem, however, is that governance and risk management are often inadequately addressed. There are many opportunities for improvement and internal audit can play a key role in being an agent of positive change in the organisation.
A Suggested Approach to Auditing Governance
Governance continues to evolve. There are many good governance materials available – yet there is no generally accepted authoritative governance framework. We offer the following 15 governance principles for public companies to help focus internal audit efforts in the area:
- 1) Create a framework for oversight and accountability – A company should establish the respective roles and responsibilities of the board and executive officers.
- 2) Structure the board to add value – The board should be comprised of directors who will contribute to its effectiveness with attention to competencies; independent, objective and sound judgment; commitment; board interaction; board size; and board committees.
- 3) Attract and retain effective directors – A board should have processes to examine its membership to ensure that directors, individually and collectively, have the necessary competencies and other attributes.
- 4) Continuously strive to improve the board’s performance – A board should have processes to improve its performance and that of its committees, if any, and individual directors. Related to this are training and awareness; access to information and advice; board processes and workflows; and assessing performance.
- 5) Promote integrity – The board should actively promote ethical and responsible behavior and decision-making. This includes compliance with laws, regulations and ethical standards and adoption of a whistleblower program.
- 6) Recognise and manage conflicts of interest – A company should establish a sound system of oversight and management of actual and potential conflicts of interest.
- 7) Recognise and manage risk – A company should establish a sound framework of risk oversight and management. Note: The Committee of Sponsoring Organisations of the Treadway Commission (COSO) underscored its support for improved board risk oversight in a 2009 publication.
- 8) Oversee strategy and its implementation – The board should oversee the strategy development process, resulting strategy, plans for its implementation, and related annual plan and budget.
- 9) Oversee the organisation’s performance – The board should monitor the organisation’s performance in the best interests of the company and for the benefit of shareholders.
- 10) Compensate appropriately – The board should ensure the policies for determining compensation are based on performance and aligned with the best interest of the company.
- 11) Engage effectively with shareholders, government and the community – The board should keep shareholders informed of relevant information and endeavor to stay informed of the views of shareholders, government and the community.
- 12) Approve significant transactions and events – The board should approve significant transactions and events, ensuring that they are supportive of the organisation’s strategic direction.
- 13) Oversee and evaluate the external auditor – The board (audit committee) should appoint, monitor and evaluate the external auditor.
- 14) Oversee and evaluate the IA function – The board (audit committee) should oversee and evaluate the organisation’s internal audit activity.
- 15) Oversee and evaluate internal and external legal counsel – The board needs to oversee and evaluate the relationship between the organisation’s internal and external legal counsel.
Internal auditors seeking to comply with The IIA Standards and provide value to their organisation must include governance in their audit universe and risk-based internal audit plan. Governance is a category under which auditable elements must be defined. Typically, the board and its committees have a charter with a mandate as to what they do and what is important. In this instance, governance involves assuring that the mandates make sense and are approved and reaffirmed on a regular basis. Another key element is the succession plan for an organisation’s CEO and executive officers. Making sure a succession plan is in place, reviewed and refreshed is important to the continuity and future of the organisation.
Another high-value governance element is the authority matrix. Internal audit needs to be asking: What powers have been delegated from the board to management in order to manage the affairs of the corporation? For example, who are the authorities for cheque-signing, purchases, acquisitions, contracting, etc? Have they been defined, approved and communicated?
Having a corporate policy framework approved by one’s board of directors to govern major risks and activities of the organisation is also important. Internal audit should ensure that a policy or policy statement exists for each major risk and activity. If one exists, then internal audit needs to be asking whether it is complete and whether it has been approved, reviewed and reaffirmed lately.
Still other high-value governance components include: director selection and recruiting standards; director orientation and a continuous education program; oversight matrix to guide agenda setting; a board/committee/director assessment process; compliance oversight; ethics program; whistleblower program; IT governance; risk oversight; strategic direction and planning; flow of information to the board; framework for approval and oversight of significant transactions; new initiatives and change management; and GRC integration opportunities for the organisation.
GRC integration is an interesting component and represents a great opportunity for internal audit to be an agent of positive change in facilitating the co-ordination, convergence and integration of the organisation’s various governance, risk, compliance and control functions. GRC’s value proposition offers three key benefits. First, convergence and integration lead to efficiency, economies of scale and cost savings. Second, effectiveness improves, and more timely information results in better, timelier decision-making. Third, the business focus sharpens as front-line revenue-generating personnel are left with more time to concentrate on their jobs.
A Failure to Act
What are some of the possible negative consequences that could result if internal audit does not put enough emphasis on the governance process? As noted, if nothing is done, the internal audit activity is out of compliance: the IIA Standards focusing on governance have a “must do” attached to them. Beyond mere compliance (and most importantly), auditing governance provides value to the organisation, which in turn gives it assurance that things are happening as they should.
In making sure that the governance process is operating as it should, organisations ought to have three lines of defense. The first has to be on the front line: the people who originate transactions; that’s where the action is and where control is most necessary. The second line of defense is a monitoring role in the business; checking processes after the fact. The third line, the icing on the cake in a sense, is internal audit examining everything in the audit universe over a reasonable period of time – the riskier items more often – which means governance must be included.
A capability maturity model can function as a helpful tool in measuring the governance process. Picture, as a model, a grid that compares the existing level of competence (from ad hoc to sophisticated) against six key elements: business policies, business processes, people and organisation, management reports, methodologies, and systems and data. For each element, ask, “Where am I now and what’s the desired state?” Being at the lowest, ad hoc rung is not a desirable position, but attaining the top spot, while it might be ideal, is sometimes a prohibitively expensive proposition. You also need to have a goal aligned to what makes sense for the organisation. If you have a strategy and policy that targets the highest level but your processes are at a basic ad hoc level, achieving such a goal becomes an unlikely prospect. All the pieces need to be aligned – not necessarily at exactly the same level, but so that the whole picture makes sense.
Spotlight on Governance
The spotlight has definitely turned to governance and the role internal audit is expected to play in this context. The more an organisation is regulated, the more focus is expected on governance. Internal audit must consider how it has incorporated governance into its audit plans, the priority it assigns to various governance elements, and the appropriate framework, approach and measures for auditing governance elements. It must coordinate with other assurance activities, considering the need for an assurance map, for improved integration of performance and risk, for streamlined compliance and, as always, for a focus on continuous improvement.
It is general practice to have all elements of the audit universe covered every three years, with higher-risk items being covered more frequently, perhaps even annually.