Over the years, I have spoken to countless board members about their roles and expectations for internal auditors. Most are complimentary of the internal auditors in the organizations they oversee. They often refer to the auditors as their “eyes and ears,” and stress how much they depend on the internal audit department.
But there is one expectation by board members that causes me concern: They often emphasize that they look to internal auditors to help them avoid surprises.
I can’t help but cringe when I hear that, especially in an era of risks that seem to emerge out of thin air and catch everyone by surprise. Even when an issue might be foreseeable, it’s important to note that, while internal auditors can audit anything, they cannot audit everything.
Just look at the shocking number of damaging corporate scandals from the past decade: Toshiba’s accounting debacle, Volkswagen’s dieselgate, Wells Fargo’s fake accounts, Carillion’s collapse, Nissan’s CEO salary fiasco.
Proponents of good governance — investors, regulators, compliance and risk managers, and providers of independent assurance — have been deeply troubled by those high-profile incidents. What’s more, the governance failures of those mature and highly sophisticated corporations had a common and troubling subplot: In every case, the boards were largely in the dark about significant flaws in risk-management and culture that eroded shareholder value.
In their wake is a question that I refer to as the five scariest words in the English language for our profession: “Where were the internal auditors?” In response, I often ask (under my breath), “Where was the board?”
A boardroom should be filled with highly skilled individuals who have deep business acumen, a willingness to challenge management, and a healthy dose of professional skepticism. A boardroom shouldn’t be lined with potted plants dependent solely on internal auditors and external auditors as a source of light.
I have given a lot of thought to this issue. When a major corporate failure catches board members totally by surprise, there are at least three possible reasons:
Board members have their heads in the sand. The modern board member’s job is increasingly complex and time-consuming amid a risk landscape that is dynamic, technology-driven, and fast-paced. The era of a board focusing primarily on financials is no more. This new reality is driving calls for change to the typical board profile, to make its members more diverse, tech-savvy, and younger.
But diversity of experience and youthful perspective alone cannot address a more basic problem: Boards that fail to critically question information brought to them by executive management may never get a complete and accurate picture of risk and risk management. Too often, board members lack an appropriate level of professional skepticism.
A significant contributor to that shortcoming is the way many — if not most — executives end up on boards. Too many are either hand-picked by the chairman/CEO or they have some other preexisting connection to the organization, CEO, or fellow board member. For too long, the path to the boardroom has been less about what you know than who you know. That cozy arrangement makes for boards that may feel beholden to management and, therefore, less likely to ask probing questions.
The C-suite practices “don’t ask, don’t tell.” An IIA report in 2020 looked at how boards, executive management, and internal audit rated 11 key risks in terms of risk-management maturity. It found that boards viewed their organization’s ability to manage risk more optimistically than the C-suite.
That was quite telling. When the board consistently rates risk-management capabilities at a higher level than those working in the trenches, so to speak, it suggests that management isn’t being fully transparent.
That is understandable, if not excusable. Executives who have limited face time with boards that gather only two or four times a year must cover a great deal of information at those meetings. It is not surprising, then, that some risks may not be conveyed as thoroughly as they should be. But frankly, I believe it is more likely that executive management takes these limited opportunities to put its best foot forward and downplay the negatives.
The CAE doesn’t speak up. As the lone voice providing independent assurance on risk management, internal audit has an obligation to speak up when boards are not getting a complete, timely, and accurate picture.
Of course, that is easier said than done. Often, internal audit is not in a position to evaluate information going to the board. Indeed, various studies show that CAEs rarely address with either the board or management the completeness and timeliness of information being submitted to the board. Internal audit must do better.
This exercise demonstrates two things: The question that we should be asking is not, “Where was the board?” It should be, “Who is at fault for the board’s skewed view on risk management?” The answer is clear: The board, executive management, and internal audit each has some culpability.
The solution should be equally clear: Accountability and transparency around an organization’s risk-management efforts are vital for proper understanding and alignment among the board, executive management, and internal audit. Anything less is an unacceptable threat to good governance. As always, I look forward to