By Richard F. Chambers – President and CEO, The Institute of Internal Auditors
When a major retailer’s point-of-sale (POS) system was hacked during the holiday season, exposing tens of millions of payment card credentials and customer records, people were shocked to eventually learn how the cyber hackers had entered the system: via the stolen credentials of a supplier that had been accessing the retailer’s network through an external vendor portal.
That data breach raised a host of governance-related issues, including the need for extensive supply chain vetting and proper security controls around remote access to digital networks. A more basic concern was related to company culture: the cost of silos within an organisation.
When the head of operations had a new facilities system installed in a couple of the retailer’s stores, according to media reports, nobody would have expected that he also should have been an expert in cybersecurity. Nor would most people have expected the head of information security to be aware that operations had purchased the new system, especially one that could be programmed from outside the network.
I asked Larry Harrington, former chief audit executive at Raytheon Corp. and Aetna, his thoughts on the issue: “The operations guy wasn’t thinking of it from a cyber standpoint, and the cyber folks had no idea what the operations folks were doing. So, these silos ended up getting them into trouble. Internal audit cuts across all of those organizations, and one of our roles is the ability to bring people together.”
It’s a key reason why a board’s audit committee should want a strong, well-resourced internal audit function in place. “We see it all,” Harrington said. “When you do that, you create greater relationships, greater partnerships, and greater transparency.”
In preparing audit plans, internal auditors will typically talk to people in every department of a company, getting a thorough understanding of significant projects each department is working on and the risks and opportunities they may pose.
The data breach at the retailer, as well as at a host of other companies over the past several years, also underscores the need for ongoing evaluation of directors’ skillsets to ensure the board is equipped to address evolving risks that can easily disrupt a company’s business strategy or harm its reputation. A new survey of more than 360 directors by the EY Center for Board Matters and Corporate Board Member finds that less than half those polled (48 per cent) are confident their boards have the appropriate resources, including board education and internal and external tools, to move their companies forward in the current era of digital disruption.
During his last 10 years at Raytheon, Harrington’s team would spend a little time of each audit, no matter the business unit, trying to understand the culture in that organisation, he said. Over a period of time, his team was able to tell how well the vision at the top of the company was being communicated all the way down and how well feedback was making its way back up to senior management.
“We could start to see, business by business or function by function, do we have the kind of leaders who stood for what the company really believed in and wanted to have happen,” he said.
Internal audit has valuable insights to offer the board when it comes to how aspects of company culture apply when considering risks and opportunities. Conferring with internal audit during the due diligence period on a pending acquisition, for example, can end up saving a company a lot of time, money and effort by preventing a cultural mismatch, says another former chief audit executive, Doug Anderson.
Anderson recalled that, early in the due diligence period for an acquisition that one company was considering, he and other business leaders visited the target company’s headquarters to meet with the executive leadership team.
“My job was to sniff around and look at governance,” he said. “Basically, I realised there was something here that’s going to be an issue as we go down the road. Nobody else was thinking that way. They were all thinking about liabilities and product growth.”
Anderson said his focus as an internal auditor was on the history of the board. He looked at board minutes and footnotes on other documents ‘to get a picture and a feeling for how the upper echelon ran the company. How do they look at things? How do they structure things?’.
The deal the company was contemplating was less a simple acquisition than an intricate blending of two companies’ businesses. “I said we’re going to have to insert ourselves. We’re going to have to change a few things because they don’t run their business the way we’re used to running it and it’s just going to cause frustration and difficulty down the road,” Anderson recalled.
“That’s the kind of thing you can do as an internal auditor. You can look at the [business] structures. You can look at the culture of what’s going on,” he said.
Fighting fraud and corruption
A central aspect of corporate governance is having a programme in place to prevent or combat corruption and fraud. This is often a greater challenge when a company has operations in remote geographic regions where local cultural customs can cloud employees’ commitment to a code of ethical conduct. Some companies have come under investigation after their employees in far-off parts of the world resorted to less-than-legal means to secure government permits for business operations, after being told it’s a normal way of doing business in that country.
Lauren Cunningham, director of research at the Neel Corporate Governance Center at the University of Tennessee at Knoxville, explains: “In some situations, boards are asking the internal audit group to either do cultural surveys to better understand how culture does differ across geographic locations, or boards are asking internal audit to go in and do field testing. This isn’t the type of testing you can do in two days. You really have to stop and get to know the people and really understand the culture that’s going on around you.”
Cunningham and Terry Neal, director of the Neel Corporate Governance Center, have been interviewing chief audit executives about how companies evaluate their corporate governance programmes, as part of a partnership with The Institute of Internal Auditors (IIA) to gauge the health of corporate governance among publicly held companies in the United States.
Insight gained from chief audit executives (CAEs) is crucial, because internal audit is usually in a better position to ensure good governance when the chief audit executive is invited to participate in a company’s strategic planning process, Harrington said.
“By listening to strategies being put together, you learn what the company’s strengths and weaknesses are, what its opportunities and threats are,” he told me. “You start to think as you listen: ‘Where might I add value as an auditor?’ You’re also able to add insight and foresight to the strategy.”
One thing that can help internal audit earn a seat at the table is a sense of responsibility to report not only the negative things with the board’s audit committee, but also the areas within the company that are demonstrating leadership and innovation. The chief audit executive is able to create added value by recommending to the board how to leverage the strengths of thriving business units in other areas of the company that are not doing as well, Harrington said.
Adding such value demands adequate resources. But there is no simple rule for allocating resources to internal audit. Instead, resources should be based on the kind and level of risk the business is facing and on a determination of the capabilities of internal audit to address those risks.
Boards typically don’t have enough information to do their jobs properly, and they generally get most, if not all, of their information from the executive team. That means the information will be only from senior management’s perspective.
“You need someone who can look at the information in an objective way and determine if the right information is going to the board,” Anderson said. “And is it the full information? Does it deal with all aspects of that topic? And are there things you’re not looking at?”
Yet, in IIA’s 2019 Pulse of Internal Audit survey, 57 per cent of chief audit executives reported they rarely or never discuss with the board or management the accuracy, completeness, timeliness, truthfulness and transparency of information going to the board.
One of the things the CAE should be telling the chair of the audit committee is what internal audit isn’t doing, or what’s being postponed until a later time because it lacks the resources. Anderson said that opens a ‘rich discussion’ with the audit committee about what internal audit should be focussing on, given the resources it has available.
Anderson told me that, when he used to present his annual plan and give quarterly updates to the audit committee, he would ‘talk about how the risks are changing and how my audit plan was changing’. In the more robust discussions at the start of the year, he would present for five to seven minutes and leave the rest of the time allotted for discussion. He’d start the conversation by asking the committee members if they believed he had identified the proper risks, or whether there were some he wasn’t giving enough attention to.
Key to strong governance is access by the chief audit executive to the chair of the audit committee. “One CAE said that, if they didn’t have that level of access, they probably wouldn’t want that job,” Neal said.
Internal auditors also see board independence and the way in which board members are selected as essential aspects of governance in a company. Academic research finds that nominating committees still rely on the CEO or other board members to identify an initial pool of candidates for an open board seat, while fewer than 20 per cent use a search firm, Cunningham said. “That’s telling,” she said. “I don’t think there’s much outreach that goes into continually creating those initial pools. I think it’s more built on senior management’s and the board’s personal and professional networks.”
One research study that examined selection of board members found that interviewees prioritise ‘chemistry and comfort’ with other board members and the CEO as the key goals when recruiting directors, Cunningham said.
“As I was reading that, I thought to myself, ‘then how does anyone ever stand up to challenge the CEO and senior management?’ If they’re all worried about being nice to each other and having chemistry, I don’t know how you’re ever going to have a tough conversation.”
Anderson agrees that senior management has too much influence in the selection of directors, but he thinks they should be able to offer suggestions. A more effective way to recruit new members is to hire a reputable professional search firm that will study and report on the dynamics among current board members and suggest candidates based on who they know and who is available in the marketplace.
One of Cunningham’s and Neal’s findings from their research as part of the partnership with The IIA is that, despite CAEs’ access to diverse parts of the company and knowledge of both business and governance, “they’re not often being tapped to actually go in and do rigorous evaluations around full aspects of governance”, Cunningham said.
Their interviews with CAEs suggest that the reason may be that it’s not a priority for the allocation of resources to the internal audit function. That appears to be confirmed by IIA’s 2019 Pulse survey, which found a very low allocation of time in the audit plan to governance and culture (3.8 per cent on average), compared with higher time priorities, such as financial reporting (14.5 per cent), compliance/regulatory (15.5 per cent) and operational (16.4 per cent).
CAEs believe they have more to offer in evaluating the quality of company-wide governance programmes. Cunningham said she thinks they could help the board decide whether the board itself, senior management, and the company’s culture are effective. But that would require buy-in from senior management and the board, which would mean both would have to be open to criticism. Where a board and senior management team genuinely wants to know how they can do better, she said: “I think CAEs can help.”
About the Author:
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is president and CEO of The Institute of Internal Auditors (IIA), the global professional association and standard-setting body for internal auditors. Chambers has more than four decades of internal audit and association management experience, mostly in leadership positions. Prior to taking the helm of The IIA in 2009, he was national practice leader in Internal Audit Advisory Services at PricewaterhouseCoopers; inspector general of the Tennessee Valley Authority; deputy inspector general of the U.S. Postal Service; and director of the U.S. Army Worldwide Internal Review Organization at the Pentagon.
He currently serves on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Board of Directors; the International Integrated Reporting Council (IIRC); and The IIA Board of Directors, as well as the Georgia State University School of Accountancy Advisory Council and the University of Alabama Culverhouse School of Accountancy’s Professional Advisory Board. Chambers also has served on the U.S. President’s Council on Integrity and Efficiency. Accounting Today ranks Chambers as one of the Top 100 Most Influential People shaping the accounting profession, and he is recognized by the National Association of Corporate Directors (NACD) as one of the most influential leaders in corporate governance. Chambers is an award-winning author, writing The Speed of Risk: Lessons Learned on the Audit Trail, 2nd Edition (2019); Trusted Advisors: Key Attributes of Outstanding Internal Auditors (2017); and Lessons Learned on the Audit Trail (2014), which is currently available in five languages.
The Head of Operations had taken an independent decision to install a new facilities system without consulting the other stakeholder – the Head of Information Security.
The fault lines get exposed only after it is hacked.