According to the Chartered Institute of Internal Auditors (IIA), companies could avert another Carillion-style disaster by providing internal auditors with “unrestricted access” to the workings of their businesses. Auditors should also be allowed to attend all executive committee meetings, a new draft code from the IIA proposes.
The draft code has been published as part of a public consultation which will run until 11 October 2019. Consulting widely on these proposed changes is a wise move. In order for the new code to become respected and used in practice, it must be practical and user-friendly. Businesses and executive management, as well as practising auditors and accountants, should engage with this consultation to ensure that the IIA’s new code ultimately strikes the necessary balance between being effective, and yet not too draconian or overly prescriptive.
The IIA’s draft code is a necessary and welcome development, since strengthened corporate governance and greater accountability will indeed reduce the risks of future corporate collapses – and so help avoid the economic disruption and the devastation of livelihoods that these can entail. As the UK enters a period of significant economic and political uncertainty, businesses would be wise to actively embrace such increased standards. The new draft Internal Audit Code of Practice seeks to “strengthen corporate governance” and so to reduce the risk of corporate collapses.The draft code will be the first comprehensive set of audit benchmarks for non-financial services firms. It makes thirty recommendations to strengthen internal audit, including allowing auditors full access to senior meetings, a right to attend board and executive committee meetings, and full access to all key management information.
The Carillion collapse evidently provided the fundamental motivation for the new draft code. Indeed, in his forward to the draft code, Brendan Nelson, Audit Committee Chair at BP and the IIA’s Practice Steering Committee Chair, specifically said that, “The collapse of Carillion has led to a wide-ranging review of the UK’s corporate governance framework, including the audit regime. This creates challenges for internal audit, but equally it provides an opportunity to enhance the role of the internal audit profession as a cornerstone of good corporate governance.”
“That is why we are now responding to this challenge by consulting with relevant stakeholders – both inside and outside of the profession – on the development of an Internal Audit Code of Practice. This new Code aims to embed best practice and raise the bar right across the profession.”
‘Making tomorrow a better place’ – the Carillion debacle
The Carillion debacle does indeed provide a recent and very clear reminder that no business is too big to fail. After all, in 2016, Carillion was the UK’s second largest construction company with annual revenue over £5 billion and 43,000 staff globally. It held public contracts to build Crossrail, HS2, hospitals, schools, roads and other critical infrastructure. It was responsible for maintaining railways, 50,000 military houses and half of the country’s prisons.
Carillion’s 2016 annual accounts carried the now-ironic tagline: “Making tomorrow a better place”. By mid-2017, the company was issuing profit warnings. By January 2018 it collapsed completely, leaving debts of £7 billion in its wake. MPs blamed the “recklessness, hubris and greed” of Carillion’s directors for the debacle.
A joint report by two House of Commons select committees stated that “The chronic lack of accountability and professionalism now evident in Carillion’s governance were failures years in the making.” Carillion’s auditors, KMPG, also were sharply criticised, with one MP commenting that he would not trust the firm to audit the contents of his fridge. The Carillion collapse helped to highlight the importance of internal audit as a lynchpin in good corporate governance, since without high quality information, business leaders cannot make high quality decisions.
In the wake of the Carillion collapse, the House of Commons joint committee recommended a wide-ranging overhaul of the UK’s systems of corporate accountability. The Financial Reporting Council’s revised Code of Corporate Governance, issued in July 2018, was a modest first step in the right direction. The IIA’s draft code represents a significant further step in improving standards. It takes inspiration from the IIA’s successful 2013 Financial Services Code, which set standards for effective audit in the financial services sector.
The IIA’s 2013 Financial Services Code significantly increased standards, as well as the standing and involvement of auditors in the leadership of financial services companies. The IIA says that within two years of the 2013 code being adopted, the number of Chief Audit Executives attending Executive Committees in financial services companies increased from 48% to 84%.
The IIA will hope that the new code will be similarly impactful, especially since it is the first time that a comprehensive code will have been set out for internal audit benchmarks more broadly. The IIA’s continued ambition to increase the prominence and standing of the audit function is reflected in the draft code’s statement that, “The chief internal auditor should be at a senior enough level within the organisation to give him or her the appropriate standing, access and authority to challenge the executive.”
Internal audit should be independent of management
A strong theme throughout the draft code is the need for internal audit to be sufficiently independent of management in both thought and action. The draft code states that, “internal audit should form its own judgement on how best to segment the audit universe given the structure and risk profile of the organisation. It should take into account business strategy and should form an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and assess how effectively these risks are being managed. Internal audit’s independent view should be informed, but not determined, by the views of management. In setting out its priorities and deciding where to carry out more detailed work, internal audit should focus on the areas where it considers risks to be higher.”
The principles-based draft code also sets out specific guidance relating to interaction with the businesses’ risk management, compliance and finance functions, and in relation to quality assurance. The benefits of the code’s principles based approach is that the code is sets clear aims, but is not didactic as to how they should be achieved. Businesses remain free choose the precise methods that works best for them in terms of how the code’s fundamental objectives are to be met.
However, while the draft code is clearly a step in the right direction, businesses should not see it as representing a new minimum standard. Instead, businesses should consider looking elsewhere to implement even higher standards, to better ensure their long-term sustainability. For example, other sectors may look to the financial services industry, which is tightly regulated, and has become more so since the 2008 financial crisis. From observing best practice there, businesses can explore ways to implement more rigorous checks and measures.
In this time of increasing economic uncertainty, companies can stay ahead of the curve by actively embracing higher standards. Instead of seeing increased transparency and higher standards of governance as a regulatory burden to be minimised, businesses can instead regard higher standards as an important way of ensuring their long-term viability. At the end of the day, embracing higher standards of transparency and governance is to the benefit of all stakeholders in a business, including shareholders, employees and the wider community in which a business operates.
Published in Finance Digest – 14.8.19