You are here
You'd better watch out; the Internal Auditor is coming to town
He's making a list
He's checking it twice
He's gonna find out
Who's naughty or nice …
IS CHRISTMAS early and you-know-who is coming to town? No, it isn't Santa Claus, at least not yet. It's the internal auditor and he knows when you have been bad or good.
Last year's changes to the Singapore Code of Corporate Governance and the Singapore Exchange (SGX) Listing Rules made it abundantly clear that the internal auditor is not just coming. He is here to stay for good - an issuer must establish and maintain, on an ongoing basis, an effective internal audit function that is adequately resourced and independent of the activities it audits.
At least Santa gets to go home to the North Pole after squeezing through chimneys.
In a previous article, I wrote (Internal audit mindset should be part of corporate culture, BT, Aug 14, 2018), I provided some guidance for issuers on what is meant by an effective, adequately resourced and independent internal audit function. Notwithstanding whether the internal auditor is a checklist ticker, an advocate for internal controls, or an adviser and consultant to the company, internal audit is not only a function, but a mindset that should be part of the corporate culture - the shared values, attitudes, standards and beliefs that characterise the organisation and define its nature.
Internal audit is often relegated to the governance section of the annual report where the Audit Committee summarily states that it is satisfied that the company has established and maintained, on an ongoing basis, an effective internal audit function that is adequately resourced and independent of the activities it audits. This is often embellished by paragraphs on the first, second and third line of defence, by which time readers' eyes would be glazed over.
It starts at the top
Where does culture begin? Faced with the global crisis of diminishing trust, the importance of building a culture of trust has never been more relevant, and one of the ways companies can build and cultivate trust is through the tone at the top.
The Singapore Code of Corporate Governance 2018 "takes as its starting point a recognition that the Board has the dual role of setting strategic direction, and of setting the company's approach to governance. This includes establishing an appropriate culture, values and ethical standards of conduct at all levels of the company".
The role of leadership is imperative in enhancing transparency and building trust and confidence among stakeholders. Leadership statements are a good opportunity for the chairman and CEO to take ownership of key issues and to promote a healthy culture by addressing their organisation's culture and values, especially attitudes towards risks, internal controls and internal audit.
Traditionally, the chairman sets the tone for the company's culture while the CEO implements it. In a 2019 research conducted by the Black Sun Group on the SGX STI30 annual reports, only 22 per cent of chairmen and chief executives mentioned culture in their leadership statements in the annual reports.
Wells Fargo scandal
The Wells Fargo account fraud scandal involved the creation of millions of fraudulent accounts on behalf of customers without their knowledge. The root cause stemmed from Wells Fargo's pressure cooker sales culture, whereby employees were threatened with the sack, should they not hit quotas. Regional bosses wanted hourly conferences on each branch's progress towards daily quotas of opening accounts and selling to customers extras such as overdraft protection. Employees who lagged behind had to stay late and over the weekend to meet targets.
To meet quotas, employees even begged family members to open ghost accounts. Over time, this culture battered employee morale and led to ethical breaches, customer complaints and lawsuits. To avoid detection, "branch managers were warned 24 hours before internal auditors showed up to conduct inspections. Employees were sometimes ordered to work into the night or all night to shred documents and forge signatures so the branch would pass inspection".
There are many instances of behaviour that do not make the headlines, but are real everyday challenges faced by internal auditors when the corporate culture is misaligned.
Senior management browbeating internal auditors into changing the ratings of their findings, dismissing internal audit findings as administrative and low value items, kicking the can down the road by failing to implement or delaying implementation of internal audit recommendations and just being plain uncooperative and difficult - many of these behaviours do not reach the ears of boards because they are silenced by the culture.
No man is an island, and neither should be internal audit. Besides being an integral part of corporate culture, internal audit should engage with stakeholders. Principle 13 - Engagement with Stakeholders of the Singapore Code of Corporate Governance also states: "The Board adopts an inclusive approach by considering and balancing the needs and interests of material stakeholders, as part of its overall responsibility to ensure that the best interests of the company are served." Similarly, internal audit should take reference from the Code in engaging with its material stakeholders.
Stakeholder engagement is essential for sustainable growth and companies need to work in partnership with a wide range of stakeholders. By understanding and defining the needs and interests of stakeholders, internal audit can ensure they remain relevant and evolve their priorities to meet their expectations. This receptiveness to feedback alludes to a culture of collaboration and accountability within the company.
In the research conducted by the Black Sun Group, 73 per cent of STI30 companies have shown their commitment and discussed their stakeholder engagement plans and processes in their annual reports. However, there is still room for improvement as only 27 per cent go on to deliberate how they plan to respond to the feedback gathered from engagement.
Much like the tradition of leaving milk and cookies out for Santa Claus on Christmas Eve, corporate cultures should encourage stakeholders to look forward to internal auditors. Milk and cookies will be appreciated by internal auditors as their job is tougher than squeezing through chimneys.
- The writer is CEO, Asia-Pacific at Black Sun Group, and a past president of The Institute of Internal Auditors Singapore