Introduction

This is the second of a series of articles on how internal auditors (IAs) can better communicate with non-executive directors (NEDs) – NEDucation, if you will! The first article addressed conversations with NEDs, and how better understanding their backgrounds and expectations can improve the relationship.

We also touched on the fact that NEDs face increasing responsibilities, which IAs can help them meet. We can best do this through encouraging and persuading NEDs to ask the first (and second) line searching questions that require credible answers.

However, this raises further questions about accountability. In any organisation, good governance is based upon clear roles, responsibilities and accountability. NEDs play a key role in establishing the governance framework, and IAs see first hand how well the organisation puts it into practice.

In this piece, we will cover:

  • What role does internal audit play in assessing (and improving) accountability?
  • Do internal audit’s reports and other communications make individual managers or other audit clients accountable? 
  • How clearly do IAs make the link between controls and the people establishing or operating them?
  • How can IAs work with NEDs to enhance governance?

Internal audit and accountability

Internal audit functions play an important, sometimes complex, role in an organisation’s governance structure. Any IA charter should describe and reflect this clearly, setting out the function’s purpose, authority and responsibility.

The main purpose of IA is to provide independent, objective assurance about the organisation’s risk and control framework. This means – following the three lines of defence model – that IAs assess and provide opinions, but do not directly create, put in place, manage or otherwise take responsibility for an area’s risk assessment or controls. Those are tasks for the first line’s managers.

Describing roles and responsibilities within an area is standard when conducting an assurance engagement, leading to IA’s assessment of it as an adequate and hopefully effective control. If IA finds to the contrary, then recommendations are common – but it must be clear that IA is simply stating what the first line should aim for in resolving the matter. It is not down to IA to create an action plan.

Sometimes things become more complicated. It could be complicated for a good reason – IA is working with an area in an advisory or consultancy capacity, for instance. In this case, it would be normal for IA to collaborate with first-line managers on an action plan, while making clear IA is not responsible for owning and implementing it.

Then there’s complicated – for a bad reason. This can take the form of senior managers disputing roles and responsibilities. Perhaps there’s been a recent restructure, with resulting gaps and duplication. Perhaps the senior managers know a particular control or project is dysfunctional or thankless, and don’t want to be associated with it. It’s even possible that those responsible and accountable aren’t actually competent. 

In these circumstances, IAs must use all their insight and personal skills to get to the root cause. If indeed certain managers are unable or unwilling to carry out their assigned controls, IA needs to report this. But how to do so without creating unnecessary conflict?

Who is accountable?

This is a difficult point for many people – especially in the second and third lines. It is necessary to be clear about who is responsible for what, but also important to maintain relationships. This section will give you practical tips on how to discover and articulate accountability.

First, using the active voice more will make your writing easier to understand. Even more importantly, it will help avoid any confusion or ambiguity about accountability. To put it simply, in an active sentence, you must say who is doing what.

Again, IAs often feel uncomfortable about reporting in the active voice – they fear it is finger-pointing, especially to individuals. However, we rarely mention individuals in reports, especially when communicating with NEDs; we talk about divisions, business areas or teams.

So why does it matter so much? Here’s an example, taken from a real IA report.

Version 1: The IT Services Team does not adhere to Control A. Controls B and C are not adhered to, either.

In this version, most reasonable people will assume that the IT Services Team is not adhering to any of the three controls mentioned. The reason the second sentence is passive is to avoid too direct a message.

However, that’s a big assumption. When asked, the IAs who had written this version stated that another team – unnamed – was responsible for Control B. This second team was also responsible – with support from yet another team, also unnamed – for Control C. So it should have read:

Version 2: The IT Services Team does not adhere to Control A. Mystery Team 1 does not adhere to Control B or C (which requires support from Mystery Team 2).

Here’s a writing tip that will help your fieldwork and analysis. Using the active voice not only makes your sentences clearer; it also helps you, throughout your audit engagement, spot gaps or inconsistencies. If material you receive from the first line – whether policy and process documents, reports, or information in interviews – is mostly in the passive voice, be alert. It could be corporate habit – most organisations, after all, usually use the passive, wrongly thinking it sounds more professional or stately.

However, it could be a sign that whoever has written the document, or answered your question in person, doesn’t actually know how a process works, or what happened at a certain point. When you hear someone use the passive voice, unless it’s 100% clear who’s doing what, ask them to tell you more. If they can, then you may want to suggest they revise process documents using the active, so everyone can understand. If they can’t, then it may be they don’t know!

Why does this matter? Because unless you know exactly where controls (and any problems related to them) sit, you cannot begin to understand root cause. One team’s failure to adhere to multiple controls implies a problem with the team. Several teams’ failures to adhere to controls imply a wider organisational problem – exactly the kind of thing IAs should be reporting. It’s this kind of information – about accountability – that helps organisations target problems, fix them, and improve.

Governance: communicating it to its creators

Who do you want to inform and influence with your high-level reports? Board members, including NEDs – which means the very people who establish the organisation’s governance framework, including accountability. Remember, according to ACCA,

NEDs are now looked to to provide special input to the process of governance. The fact that NEDs are not involved with their company on an executive, day-to-day basis means that they can offer, and are today expected to offer, a more detached, objective and comprehensive view of how the company’s affairs ought to be directed than might be possible if the company’s board consisted solely of executive directors.  [1]

This ‘detached, objective and comprehensive view’ should equip them to see clearly where conflicts of interest and gaps in accountability lie. Their legal obligations should further prompt them to be aware of the pitfalls of absent or flawed accountability. However, what if this isn’t the case?

As mentioned in the first article, you may work with a NED who comes from a different country, culture, sector or organisation. His or her view of accountability could be out of date, misaligned to regulatory and legal requirements, or otherwise inappropriate. 

Even within the same country, region, sector and business, a NED may come from an organisation where accountability sits in one of two extremes. When accountability is concentrated in the hands of a very few at the top, there will be bottlenecks and groupthink – neither is good for a healthy organisation. On the other hand, when accountability is always assigned to the most junior staff, they can become scapegoats for managers’ poor decisions. Poor morale, high turnover and even fraud are all risks in this situation.

Reporting clearly and factually about accountability will help NEDs and therefore the organisation as a whole. 

Conclusion

Just as IAs must provide assurance regarding the organisation’s risk and control framework, NEDs must take business-critical decisions. How we communicate directly affects their ability to discharge their regulatory duties.

It can be difficult to agree on accountability with the first line, who may wish others – even IA – to be responsible. Persuading a NED to change his or her view of accountability within the organisation may be even more sensitive – but it’s necessary.

This is the second in a series of three articles about IAs and NEDs. The third will address reports and the reporting process. 

Sara I. James, PhD, CIA, is the owner of Getting Words to Work (www.saraijames.com) and a member of the Chartered Institute of Internal Auditors.

[1] ACCA, A guide to directors' responsibilities under the Companies Act 2006, p.11