Corporate governance: Show and tell – why the internal audit function should be enhanced

There is an assumption within the corporate governance world
that independence is absolutely paramount. But there is growing evidence, in the
wreckage of the banking crisis, that this may not always work the way regulators
fondly believe.

Take the report from the Treasury Select Committee on reforming corporate
governance as a result of the banking crisis. As the hearings with bank auditors
and City regulators unfolded, a very different picture emerged. And much of that
was down to an over-reliance on the concept of independence. Effectively, the
hearings revealed that, since the inception of the Financial Services Authority,
independence has gotten in the way of an informed understanding of what was
happening within the banks and where risks might be arising. The useful exchange
of confidential information which would have informed any views about problems
brewing ahead had been forced to come to an end: that sort of thing isnít
independent, you see.

As the report said: ‘The FSA has the power under section 166 of the Financial
Services and Markets Act 2000 (FSMA) to request from banks’ auditors reports on
areas such as financial information, fraud, internal controls or compliance with
particular regulations. However, the ICAEW said that these powers were used
‘infrequently’ and that the current regime contrasted with that which operated
under the Bank of England’s supervision of banks, in which auditors were
‘routinely requested’ to conduct such work.’

Indeed, usefulness has been squeezed out of the system by the regulatory
process. The reportís final conclusions underline this. ‘The FSA’s piecemeal
approach to garnering auditor knowledge about individual banks indicates to us a
wasted opportunity to improve the effectiveness of bank supervision,’ the report
said. ‘In future, the FSA should make far more use of audit knowledge on a
confidential basis.’

This, in fact, harks back to the days when much of the real work in re
gulation went on behind closed doors, to the days when amid a bank rescue, the
chairman of one of the biggest banks could be ushered out of the back door of
the Bank of England late on a Friday night with a coat over his head. But that
was back in the mid-1970s.

These days, the concept of independence is even more prized than the concept
of effectiveness.

We are also now in the midst of the process of looking again at the Combined
Code, that sacred document enshrining the principles and concepts of UK
corporate governance. This has proved itself to be a highly effective system,
but it is not possible in the current climate to say that something is just
fine. Revisions must be made, and to be fair, some reforms in the system should
be made. But the danger is that the ideas which are useful will be discarded in
favour of those which, to the outside world, look rather more draconian.

The comments are now all safe and secure at the Financial Reporting Council
and a report will duly appear later this year. But perhaps one area which could
be usefully looked at is who is likely to be more effective, in the light of the
disasters in the banking world over the last few years, at spotting that the
culture of an organisation is changing and that problems are starting to appear
on its horizon.

You would hope that it would be the board of directors, prompted perhaps by
the finance director, which would be the prime group to carry out this role. But
the tales of board meetings such as those at Northern Rock or Royal Bank of
Scotland, with bullying chief executives hectoring a hapless board whenever
risks or some potential difficulty was being pointed out, rather put the lid on
any such hopes.

Then there are the non-executive directors. Here again, much hope had been
put in that quarter, particularly with regard to spotting growing risks. But the
crisis has disappointed those who believed audit committees were a panacea.
True, audit committees have proved incredibly useful and in the vast majority of
cases, really raised the corporate governance game. But within the banks they
have had difficulties. The organisations within a global banking monster proved
so disparate, disconnected and in many cases simply made up of liars hiding the
evidence, that audit committees were no match.

External auditors are now so heavily set about with regulatory shackles that
they find it extraordinarily difficult to fulfil the simple advisory and warning
roles that come naturally to them.

Instead, it seems that corporates have to look elsewhere. If there is one
lesson learned in all this, it’s that it is not processes or systems that bring
an organisation to its knees. It is the culture turning rotten that does it. And
to spot that, you need insiders. Step forward the internal auditors. Directors
need to enhance the internal audit function and use it effectively as the
corporate eyes and ears.