Feeling left out . . . The Walker Review and internal audit

At a conference at which I was speaking recently, one discussant complained that the report by Sir David Walker on corporate governance in banking firms (then in draft; now issued as a final report) had overlooked the critical role of internal audit in bank governance.  Has Walker overlooked internal audit, and does that affect the impact or validity of his findings and recommendations?  The answer is simple but misleading.  Understanding it fully requires examining the subtleties of Walker and leads to a surprising conclusion: the Walker Review may just signpost one of the biggest changes in internal audit in a generation.

What does Walker say about internal audit?

Nothing, at least he didn’t in the July consultation paper.  The final report refers to internal audit only to acknowledge that point:

Some concern was also expressed [among submissions received] at the very limited discussion of audit, in particular internal audit, in the July consultation paper – though this in fact reflected judgement that the principal failures that afflicted problem banks did not principally arise under the rubric of “audit”.

This reinforces the problem highlighted by the ever-perceptive Tim Leech in this ebulletin in July 2009.  Tim put it this way:

Not being fingered for even a portion of the blame in a catastrophic situation is a good thing for the internal audit profession, isn’t it?  Unfortunately, I don’t think so. I think the absence of even mild criticism of the internal audit profession is an indictment of the profession’s track record assessing and reporting on the effectiveness of their client’s risk management systems to help prevent catastrophic risk and control governance failures before they occur.

Like Tim, I draw the conclusion that the financial crisis represents a failure by internal audit just as much as other risk control functions.  That failure is not unique to internal audit and simply reflects the application by internal auditors of the same mental models that bedeviled other control functions: not singularly culpable, but culpable nonetheless.

So . . . ?

Walker’s point was not about internal audit.  Nonetheless, his report addresses two areas of critical significance to internal audit: first, the role of audit committees versus risk committees and secondly the organisational structural position of chief risk officers.

On audit committees, Walker stated:

the audit committee has clear responsibility for oversight and reporting to the board on the financial accounts and adoption of appropriate accounting policies, internal control, compliance and other related matters. This vital responsibility is essentially, though not exclusively, backward-looking, relating to the effective implementation by the executive of policies decided by the board as part of the strategy of the entity.

He contrasted this with the role of risk committees, thus:

in parallel with, but separately from, compliance and audit the board has responsibilities for the determination of risk tolerance and risk appetite through the cycle and in the context of future strategy and, of critical importance, the oversight of risk in real-time in the sense of approving and monitoring appropriate limits on exposures and concentrations. This is largely a forward-looking focus. There is an important concentricity between these functions, above all in assurance from internal audit that the processes in place for the management and control of risk are fully adequate to the overall strategy decided by the board and in assessment of appropriate reserving in respect of potential loss resulting from past decisions.  But a clear differentiation is needed in ensuring that appropriate and separate attention is given to backward and forward-looking risk functions.

He continues:

the potential or actual overload of the audit committee and the need for a closely-related but separate capability to focus on risk in future strategy leads this Review to the conclusion that best practice in a listed bank or life assurance company is for the establishment of a board risk committee separate from the audit committee.

Hence, if the regulator (the Financial Services Authority) implements the recommendation of the Walker Report (which they will), the risk committee will become a standard part of the corporate governance landscape for financial services firms.

Should the trend spread more broadly?  Commentators have been quick to underscore that Walker is focused only on the financial services sector and to distance corporate sectors from such debates.  However, the logic is unassailable: the role of the audit committee is backward-looking; risk is a forward-looking issue.  The two focuses should not be confused; risk oversight should not be conflated with control oversight.  Concerning board structure: draw your own conclusions!

This will be uncomfortable reading for many internal auditors and is highly contentious.  But, frankly, the track record of most audit groups in corporate risk is not proud; the conceptual underpinnings of most corporate risk practice are readily challenged and the results of corporate risk practice highly debatable. Non-banking corporate businesses may not have caused the financial crisis, but many corporate firms have been wrong-footed. This is not the time for turf protection.  The announcement by the Financial Reporting Council of its intention to review the Turnbull guidance on internal control is a welcome sign.  The FRC’s recently released report reviewing the Combined Code states:

The FRC does not . . .  propose to extend all of the recommendations on risk in the Walker report to non-financial listed companies. It does, however, propose to make the board’s responsibility for risk more explicit in the Code through a new principle and provision. It also proposes during 2010 to carry out a limited review of the Turnbull Guidance on internal control to ensure that it adequately addresses some of the specific issues raised during the current review, for example, processes for ensuring that emerging risks were brought to the board’s attention in a timely manner. The majority of commentators considered that the guidance remained fundamentally sound and that a major overhaul was not required.

While I do not share the view that the Turnbull Guidance is sound – on the contrary, I consider it fundamentally flawed, at least as it has been implemented, and its effect overwhelmed by unintended consequences – I welcome the FRC’s intention to review the Guidance; the more thorough-going the review, the better.

Although it will not be popular with the internal audit profession, Walker’s insight into the backward- versus forward-looking roles of audit and risk governance activities respectively is a major milestone in the governance debate.  Of course, it does not clarify the role of internal audit in relation to the review of risk, where internal audit validly has both focuses – forwards and backwards – but it provides at long last a sound and simple logical underpinning of the respective focuses.

But it is in the area of the chief risk officer role where Walker’s report may have the greatest long-term impact on internal audit.  Walker’s recommendation 24 states:

In support of board-level risk governance, a [bank] board should be served by a CRO who should participate in the risk management and oversight process at the highest level on an enterprise-wide basis and have a status of total independence from individual business units.  Alongside an internal reporting line to the CEO or CFO, the CRO should report to the board risk committee, with direct access to the chairman of the committee in the event of need. The tenure and independence of the CRO should be underpinned by a provision that removal from office would require the prior agreement of the board. The remuneration of the CRO should be subject to approval by the chairman or chairman of the board remuneration committee.

Just like an internal audit director!  However, Walker did not accept the suggestion of the Institute of Chartered Secretaries and Administrators (ICSA) that the same provision should be made for corporate secretaries: that they should report jointly to the Chairman with similar provisions for independence and remuneration.  I believe that is a lost opportunity; it is an idea that is both sensible and necessary in that it provides a direct and clear path for non-executive directors to access information and support that is being denied them by senior executives.  The dangers of this are usually grossly overplayed.

If – when – the ICSA proposal is adopted, combined with the Walker CRO recommendations and existing provisions for internal audit directors, the financial services sector will have a triumvirate of ‘governance officer’ roles: the secretary reporting jointly to the CEO and Chairman, the CRO reporting jointly to the CEO and chair of the risk committee and the director of internal audit with a joint reporting line to the chair of the audit committee.  This will provide a far more coherent and effective assurance base for non-executive directors and the board than is available currently.  By refocusing these roles, reforms to governance rules would create a presumption in favour of meaningful, effective, independent assurance for non-executives and the board and the organisation structures to support that assurance.  It would remove the inevitable (even if innocently intended) filter of executive preview of assurance and would provide conditions under which NEDs could pose penetrating questions independently of executive management and expect robust responses.  This cycle is an essential element of independent challenge of management assumptions by non-executive directors.  It is an idea whose time has come.

What next, Hector?

It is this aspect of Walker that will provide his greatest lasting contribution to governance – the addition of the CRO to the list of ‘governance officer’ roles.  Where the banks have led (or will be required to lead), other sectors will follow. The reform to ‘governance officer’ roles is welcome, even if it is only partial.  The FRC and financial regulator, the FSA, should finish the job as ICSA recommends.  This would provide internal audit directors, even if only in banking initially, with real support for their independent assurance activity.  That would show real leadership; that would be a real change.


