This article was first published in the November/December 2019 UK edition of
Accounting and Business magazine.

Following the collapse of the FTSE 100 multinational facilities management and construction company Carillion, the Institute of Internal Auditors (IIA) has published a draft code of practice for internal audit to strengthen corporate governance and reduce the risk of major corporate collapses. IIA’s principles-based approach covers what are major challenges for many chief audit executives (CAEs).

Brendan Nelson, chair of the IIA steering committee developing the new code, explains: ‘One of the best ways to help organisations better protect their assets and manage risk is to boost the status, standards, scope and skills of internal audit. The draft code contains 30 recommendations to strengthen corporate governance, key among them being unrestricted access for internal audit, full access for internal audit to senior meetings, and full access for internal audit to key management information.

‘The draft code offers invaluable guidance about raising internal audit performance to help businesses and other organisations protect their assets, reputation and sustainability.’

But will the code meet those commendable aims? As someone who has been both an executive and a CAE, I think that the real heart of the matter is being missed once again: it’s not about more or different guidance or regulation; it’s fundamentally about people, and that’s because it’s bad behaviour that brings about poor corporate practice and collapse. If there’s one thing that repeatedly happens, it’s that money usurps morality.

The reaction to corporate failure is nearly always to pile on more regulation and guidance. But regulation and guidance take a logical approach, and people are not always logical, which is a real problem. What’s more, while audit has improved since the financial crisis, it remains subjective rather than systemic, dependent on good behaviour, and retrospective – yet the past is an unreliable guide to the future, and cannot provide assurance.

As far as people’s behaviour is concerned, the IIA draft code looks to bolster independence. It declares that ‘the primary reporting line for the chief internal auditor should be to the chair of the audit committee’ and ‘must avoid any impairment to internal audit’s independence and objectivity’. But over the question of whether the secondary reporting line should be to the CEO, it appears to dilute the critical issue by adding that while that is now common practice in the financial services sector, other organisations will often have a secondary reporting line to another member of the executive management team such as the CFO.

Concerns have been voiced in recent years about the independence of chief audit executives. In a 2012 article, Time to Face Facts About CAE Independence, Norman Marks calls into question independence in general, and in particular ‘the dismal record of CAEs being pushed out the door after reporting significant issues’.

In a 2015 article, Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit, IIA president and CEO Richard Chambers said that creating a new internal audit department that reports to an independent director outside the company and with the resources and independence to carry out its work will improve matters.

Macro risks

Tim Leech, another critic of regulation and guidance, wrote in 2011: ‘A sample of macro-level risks at the root of some of the most significant accounting mis-statements in history… include:

  • CEO and CFO have significant financial incentives to falsify or inappropriately manage financial results.
  • Senior management has major financial incentives to direct backdating of stock options.
  • Senior management directs improper/fraudulent post-close journal entries to manage profits and/or hit earnings targets disclosed to the market.
  • Management overrides controls to hit bonus targets or prevent loss of positions.
  • Audit committees have financial incentives not to ask management tough questions.’

A 2017 survey of ACCA members that explored the pressure on CAEs found ‘serious issues’: concerns over audit committees’ understanding of internal audit’s role; occasions where ethical pressures affected internal auditors; internal auditors who had quit their jobs or witnessed unethical behaviour due to pressures placed on them and colleagues; and careers being negatively impacted.

The investigations into Carillion produced what can be seen as damning verdicts on the limitations of audit and its role in corporate governance. The MP Frank Field called Carillion’s auditors ‘mere spectators’ as the company collapsed, while MP Rachel Reeves scathingly remarked: ‘Audits appear to be a colossal waste of time and money, fit only to provide false assurance.’

A self-regulating body can publish a code of practice, with members undertaking to comply as a condition of membership. But organisational codes of practice have no legal authority, while internal (and, indeed, external) auditors are paid by the organisations they’re auditing and risk losing their jobs if they’re completely honest.

Becoming activists

Internal audit will be useful and meaningful in corporate governance only when it is a mandated requirement, reporting to shareholders and investors. In particular, internal auditors must be more activist and have a whistleblowing role, liberated from company management to provide a framework that helps managers demonstrate they’re doing the right things.

As both a GRC (governance, risk and compliance) professional and an investor (as we all are, through our pensions, ISAs, etc), I want internal audit to be agile, transparent, integrated and predictive. I want the organisation to have a specific and measurable picture of future outcomes, and the activities and resources required to deliver them, its grounds for success identified, the risks against achieving the outcomes clearly shown, and an assurance of the quality of the business model and the delivery of the outcomes. This needs to be continual, not just for a point in time. It needs to cover all connectivity and interdependencies, not just the small percentage of business activity covered in an annual audit plan. And it needs to be direct, not encumbered through a chain of command and reporting.

Unless this is mandated by the regulators, the concerns will remain. It’s the people thing, not the logic.

Neville de Spretter FCCA is chair of ACCA’s internal audit network panel and director of consultancy AdLibero2. The views expressed here are his own.