IACC-Logo, back to IACC-Home

Programme Papers from the 9th IACC
past IACCs



Privacy Policy


The 9th International Anti-Corruption Conference

The Papers

The Need for Strong Corporate Governance

RM Newsome - KPMG

The recent pronouncements on corporate governance (including the draft CACG Guidelines -principle 10) have provided a new focus on internal audit and a window of opportunity for internal audit to properly establish itself throughout the World. The purpose of this article is to set out my views of how internal audit can maximise the opportunity presented and provide demonstrable value to the users of internal audit services.

1. What is corporate governance?

In order to understand the internal audit role we need to work from a common definition of corporate governance. I believe the definition set out in the Dey report (issued by the Toronto Stock Exchange) provides a practical definition that will set the scene.

"… the structure and the process used to direct and manage the business affairs of the corporation with the objective of enhancing shareholder value…"

For the purpose of this paper I will focus on the processes management adopts to manage an entity, as this is where internal audit provides the most value. The structures such as Board composition, Board committees and Director remuneration are largely out of the hands of the internal audit.

2. Governance fundamentals

An analysis of the fundamentals of corporate governance, as set out in King, the Combined Code and other such pronouncements can be summarised as follows:

  • Setting corporate culture
    • Values
    • Ethics
  • Strategic direction
  • Risk management
    • Risk identification
    • Risk management/control
    • Audit
  • Senior management effectiveness and succession
  • Communication
    • Internal
    • External

3. Internal audit role in Corporate Governance

I believe the role of internal audit as set out in the South African Institute of Chartered Accountants (SAICA) Guide to Directors on Internal Audit clearly establishes what internal audit should be doing in terms of corporate governance namely:

"To support the Board of Directors, Audit Committee and management in identifying and managing risks and thereby enabling them to achieve corporate objectives. This is achieved by:

  • Enhancing the understanding of risk management and the underlying concepts and assisting to implement an effective risk process; and
  • Providing objective feedback on the quality of organisational controls and performance "

How internal audit can fulfil this role given the governance model established above is explained below.

4. Setting corporate culture

The Board is responsible for setting the 'tone at the top.' This is most often achieved through the Vision, Mission and Values statements as supported by the Code of Ethics.

Internal audit can add value to management in this area by being actively involved in the implementation of values and ethics programme plus their ongoing maintenance. In addition they can provide

  • Ethics feedback on issues such as expense claims and conflict of interests.
  • As the eyes and ears of management, feedback to management on the grapevine. This feedback is useful to management in assessing the extent desired values are being experienced.

5. Strategic direction

A fundamental function of the Board and management is the setting of strategic direction. Internal audit can assist by ensuring the process followed is sufficiently robust in considering all factors affecting the business that they are aware of. In addition they can introduce strategic management concepts/methodologies for executive consideration and benchmark the strategic plans against accepted models (if not part of the strategic process) such as the Balanced Scorecard.

6. Risk management

Management and the directors are acutely aware of their responsibilities towards risk management, as this is effectively the day-to-day business of the operations. The King report, and more recently the UK's Combined Code, requires management to formally attest to this responsibility thereby enforcing accountability through disclosure. As set out above, risk management is the area where internal audit are expected to make the most contribution through helping identify risks and providing feedback on the effectiveness of risk management activities.

Practically what does this mean?

  • Ensuring management has a formal process by which risks are identified and assessed and this process has a framework that ensures completeness of the risk assessment. This is an area where control self assessment is often used.
  • Evaluating the risk management activities against recognised control models (e.g. COSO, CoCo) to enable best practices to be adopted and to provide a basis for directors to report on the effectiveness of controls as is increasingly required by corporate governance disclosure.
  • Assessing the results of the risk analysis to ensure the strategic objectives are appropriately covered by the risks evaluated.
  • Establishing an audit plan that links to the risk assessment where internal audit have the necessary skills to provide the relevant assurance.
  • Performing and reporting the planned work in a manner that addresses the identified risk and enhances the understanding of the risk itself.
  • Ensuring continued relevance of the risk management framework and audit plan.

7. Senior management effectiveness and succession

The Board of Directors is responsible for ensuring the entity is effectively managed and will continue to be so in the future.

Internal audit can add considerable value to the direction in this area by;

  • The verification of performance criteria per performance contracts.
  • Providing input for self assessment criteria of various committees etc.
  • Identifying management/succession issues e.g. key dependencies.

An area where internal audit is becoming increasingly active is in providing criteria to enable the effectiveness of corporate governance structures to be assessed - usually on a self assessment basis. Such structures include the

  • Board of Directors
  • Audit Committees
  • Senior management forums
  • Remuneration Committees

8. Communication

The directors and management have a major role to play in effectively communicating to the stakeholders. Typically such communication includes:

  • External communication
    • Public image
    • Annual Financial Statements
    • Press releases
    • Prospectuses
  • Internal communication
    • Strategic direction translated into business plans
    • Culture, ethics and values
    • Management forums/briefings
    • Giving effect to participation/consultation in management decisions
    • IR processes
    • Management accounts

There is increased pressure on management and directors to be more transparent and report more extensively than set out above. Such pressure has resulted in the following reports becoming more common.

  • Reporting against objectives
  • ISO 9000/TQM reporting
  • Social reporting
  • Environmental reporting
  • Stakeholder reporting

The Combined Code, Turnbull, King, Stock exchange listing requirements, and shareholder activism have increased the extent of corporate governance disclosures to force acknowledgement of director accountabilities.

The internal audit can clearly establish a name for themselves by:

  • Verifying the matters reported (often an area of overlap with external audit)
  • Benchmarking matters reported against performance criteria - for example CCAF (Canadian Comprehensive Audit Foundation - criteria for effectiveness)
  • Reviewing the appropriateness of accounting policies and impact on reported results etc.
  • Participation in Corporate Governance awards etc.

9. Summary

At a recent workshop hosted by the South African Reserve Bank the Registrar of Banks, Mr Cristo Wiese, stated that the challenge for internal audit was to be actively involved in assessing the effectiveness of the stewardship function. His concern was whether or not internal audit would accept the challenge!!

The approach set out above provides a basis to meet the challenge. However, the credibility of internal audit is at stake if the involvement in governance activities is tackled by those without the necessary skills or competencies.

return to table of contents