A Real Look at Real World Corporate Governance by David Larcker/Brian Tayan

Preface. How do you assemble the best board of directors? How do you pick the best CEO? This books examines the factors for corporate success.

Introduction. Societal leaders should do more. Lehman Brothers went under and there was a need to shake up the industry. The Dodd-Frank Wall Street Reform and Consumer Protection Act was passed in 2010. Is this the solution to all problems? There is an issue of ‘procedure over substance’. There might be unintended consequences to improving corporate governance. High-level ideas might not be met well at the ground level. As it is empirical in nature, corporate governance can be research and studied. This is better than just theory. It is essentially the theory of separation between owners and the management. The fear is that the management protects self-interest at the expense of shareholders. This is essentially an agency problem that needs to be solved. One will want to do so in a cost effective manner. The requirements must be clear as those that are ambiguous are not effective in the long run. The issue of poor corporate governance is actually quite poor in recent times. The problems are there but finding the solutions are much harder. We need to focus on the big-picture issues.

Board of Directors. Most of the board members should be ‘independent’ of management. They are elected by shareholders. The board’s role is to advise and monitor management. They have a right to question management’s plans in order to ensure that it is adding to shareholder value. Sometimes, they can also offer strategic advice to management. They are also expected to maintain an oversight function and monitor management. What does it mean when a board is functioning well? How do you know that the board selected can perform all of the above satisfactorily?

Lehman Brothers – A Case of Form over Substance. A board also has to provide oversight so that regulatory and legal requirements are being met. Some of the ‘best practices’ in the market have not been proven before and appear vague. There are issues when choosing board members as giving them a 3 year term might seem too long. Does independence standards help to improve corporate performance? Very little. Interlocked directors might lack independence but they have the know-how of the two companies and can form synergies. How can you tell whether a board is effective? The Lehman Board had diverse directors on-board. What went wrong? Upon closer inspection, you will realize that there is no one of financial expertise on-board. In addition, there is a lack of people with current business experience. Some of them were also well into retirement and couldn’t be expected to understand complex finance. Those with non-profit backgrounds didn’t help to value-add as well. The guy appointed to chair audit committee didn’t know about finance. There were also not many finance committee meetings. Structure of the board is important. However, there is little evidence to show that it is effective.

Are CEOs the best Directors? A CEO is very important as a candidate for a director in another company. This is because he has the right experience in making decisions etc. It is not uncommon for CEOs to sit on the boards of other organizations. However, this trend is declining. This is because companies have guidelines that prohibit outside directorships for their current CEO. Now, the trend is to recruit more junior senior management or retired CEOs. Current CEOs may not be the best bet. This could be because they are too busy caring about the affairs at their current company. CEOs have the ability to deal with failure/crises. In recent studies, there is little evidence to show that hiring CEOs as directors can positively contribute to operating performance. Is there a shelf life to director experience? Earning fees elsewhere might also impair their independence.

Are the Directors of Failed Companies Tainted? After a failure or scandal, the stock price will plunge. The damage might be long-lasting as well. The company might face lawsuits as well. Lastly, there might be turnover in the company too. Non-executive directors from failed banks managed to find directorships elsewhere. The reputation of the directors might get hit. Is it the directors’ responsibility to detect any malfeasance? There is some evidence that shows that executives of failed companies are treated more strictly. The Board is assumed to have less time to detect problems and hence cannot be fully blamed for any malfeasance. This is an issue that must be discussed in greater detail.

Part II: Accounting and Controls. Hiring an external auditor has a deterrence and detection help. External auditors only check on a sampling basis. They tend to focus on revenue accounts that rely on management estimates. This leaves room for manipulation. Auditors are expected to maintain professional scepticism throughout the audit. Accounting requires discretion at times and there might not be ‘correct’ accounting. Malfeasance can still occur even in the audited accounts. Revenue recognition/expense recognition/misclassification/OCI/tax accounting are all areas that can go wrong.

What’s Wrong with GAAP? In the US, GAAP is used. Companies can still retain considerable discretion over financial reporting. Non-GAAP information might also be reported as a supplement. These often include non-cash items, amortization, restructuring etc. Non-GAAP often paint a rosier picture of the company. SOX requires a company which non-GAAP earning to reconcile them with GAAP earnings and provide both figures. Often, one-time costs are included in the GAAP earnings. It is important to try and steer clear from non-GAAP adjustments. However, non-GAAP earnings might have higher information value. Non-GAAP earnings usually do not include one-off items that are unlikely to recur. Fluctuations on mark-to-market instruments also hit GAAP earnings even though contracts specify that some options cannot be exercised until expiration. Companies have to report a gain when their credit quality deteriorates as they can repurchase their bonds in the open market at a discount.

Royal Dutch Shell: A Shell Game with Reserves. For investors, it is difficult to know the frequency to which accounting manipulation occurs. Management is often involved in accounting fraud. There often has to be multiple failures of governance issues. The organization might have poor culture. Fraud escalates over time. Shell overstated their oil reserves by over 23% in 2004. How did such an incident occur? Governance and leadership failures occurred. Royal Dutch Shell was known for their scenario planning. Decision making was institutionalized. Lower oil prices in the 1990s and 2000s put pressure on profits. Standards for rigorous training fell and managers were given less autonomy. Employees were asked to contribute ideas on operating. The culture was shifting unknowingly. Management also promised investors unrealistic results on looking for new oil reserves to replenish used ones. Oil companies are required to disclose their proven reserves as it indicates their future profitability. These do not affect the current balance sheet though. Reserve calculations are not audited. Valuers’ are supposed to select the most conservative estimate. Management did not communicate important information to the board. There was a lack of oversight by the Board. How do auditors satisfy themselves that estimates are accurate/reasonable.

Baker Hughes: De-Corrupting Foreign Practices. What can a company do to fix its problems? How did Baker Hughes respond to FCPA violations? It improved its practices. Effective governance solutions are business-like. It is common to accept bribes etc. FCPA was enacted in 1977. It was illegal for a US company to offer payments to a foreign official for the purpose of ‘obtaining or retaining business’ or ‘securing any improper advantage’. If your company has dealings overseas, it is very difficult to track. There is a fine line between facilitating payment and a bribe. The company, Baker Hughes, started strengthening their reforms. Before hiring agents, sufficient due diligence according to FCPA must be conducted. Compliance will review large value transactions etc. The company’s business operations improved thereafter. Division managers were more aware of the regulations etc. Controls should not just restrict activity, it should promote positive performance. Can company’s act and improve controls even before a crisis emerges? That is the challenge. What metrics should be measured.

Even at its best, there is a limit to how effective internal controls can be. Controls restrict activity but they cannot prevent malfeasance. At some point, an awareness of correct behaviour needs to be ingrained in the culture of the company. – David Larcker and Brian Tayan

Part III: CEO Succession Planning. The CEO is extremely important for the company. There are 4 ways to select: 1) CEO-in-waiting; 2) horse race; 3) external recruit; 4) inside-outside approach (two-prong). Board members tend not to favour external candidates. As for internal candidates, there is a risk that they may not perform as they have not assumed such a role before. Succession planning is a process that must be managed well. It is the board’s responsibility to choose well. The right structure must be set and be in place.

Sudden Death of a CEO. A well groomed company might learn to adapt to changing situations. Most boards require at least 90 days to find someone. This is a topic that not many boards spend sufficient time on. For sudden death cases, it is imperative to find someone suitable fast. Internal candidates should be constantly groomed to take up greater leadership roles and responsibilities. Poor succession planning can have an effect on future profitability of a company. Succession planning should be treated seriously. Disclosure of such plans may not be wise as well. The stock price immediately after the sudden death of the CEO reflects whether the company had good/poor governance mechanisms. The benefit of hiring internally is that it is much faster.

HP: The CEO Merry-Go-Round. The Board must plan for contingencies. The current CEO must also be open and receptive about such discussions. HP is an example where multiple breakdowns occurred. HQ acquiring Compaq was a major issue as the board didn’t agree with it. It appeared that HP was moving away from its core business model. There was a HP tried to grow through external acquisitions rather than grow organically. There were also issues with disclosure of financial information with the board and a sexual harassment scandal with the ex-CEO. There were frequent changes in CEO from 2000 to 2011. The board were not clear on their strategy of hiring a CEO. Is it right to constantly view internal candidates as bad?

Apple: Is CEO Health Public or Private? The SEC encourages companies to disclose information about whether a company will be adversely affected due to vacancy in leadership. Health information is private in nature. Should such information be disclosed? When Steve Jobs’ health failed in 2008, the Board covered it up. In Jan 2009, Apple claimed that it was a hormonal imbalance that caused him to lose weight. Warren Buffett had no qualms about disclosing his state of health to his shareholders. He felt that such information would allow shareholders to make informed decisions of the company. How extensive should the disclosure be?

Part IV: Executive Compensation. This is a controversial process indeed. Compensation must be at a level where it attracts, retains and motivates people. It should be paid in a manner that encourages unnecessary risk taking. The compensation committee should design a suitable package. It should use benchmarking and evaluation against the external labor market. The plan must be approved by the Board. Now, shareholders can give their ‘say on pay’. The Board must consider what reactions their pay package will have on significant shareholders. What is a ‘correct’ pay package?

What is a CEO Talent Worth? Some believe that CEOs are over-paid. In such cases, shareholder activism is encouraged. Is the rise in CEO compensation commensurate with the growth rates in revenue of the company? The highest paid CEOs and celebrities earn about the same amounts. There is a distinction as CEOs of large companies earn substantially more than CEOs of small companies. It is important for a certain amount of pay to be based on performance.

What does it make to make $1 million? There are various methods to calculating executive compensation. It is not so straightforward as there might be vesting periods, contingent payments and accruals. The first method is the ‘expected compensation’ for the year. The next method is ‘earned compensation’ for the year. This refers to those that an executive ‘earns the right to keep’ as cash. The last method is ‘realized compensation’, meaning how much executive can keep as cash for a given year. Which is preferred? It depends on whether you are forward or backward looking in nature.

Netflix: Equity on Demand. It is important to align compensation with corporate objectives. Netflix offers a lot of flexibility and room for empowerment in their culture. They treat employees like adults. Pay is very attractive at Netflix as they do not want employees to leave. However, they expect employees to work hard and to do the job of 2 normal workers. Only the best performers get retained. Their involuntary turnover is higher than the industry. However, those that get cut receive a severance package. Employees are definitely receiving a competitive wage. They have unlimited vacation time. They are however, expected to take as much as they deem is necessary. They also can choose how to be compensated, either via cash or stocks. Usually, one will not be able to exercise stock options immediately. If you expect the company stock price to rise, it might not wise to exercise it so soon. Many companies use BS model to estimate liability at balance sheet date for financial reporting. Stock options are good because they encourage risk taking and provide better alignment to company’s objectives. Netflix doesn’t offer cash bonuses. Employees can choose a compensation mix that is right for them.

Conclusion. The board must be qualified and engaged in their work. They have possess the requisite skills and knowledge. Case-by-case analysis must be made in order to assess board quality. Controls can only do so much to protect the organization against fraud. Succession planning is an on-going process and must be executed well. There is no ‘one-size-fit-all’ governance solutions that can be implemented. To have effective governance, one needs to learn from case studies etc.

World-class Internal Audit by Norman Marks

We were a world-class audit team. There is always a need to change and seek improvement. Solve departments solve their problems. Learn to be innovative in your work. This book features highlights of my career. Hopefully, the reader will be able to gain insights. Learn from your mistakes and learn from those I made too.

In the Beginning. I joined PwC straight out of college. I learnt to treat audit partners with respect. Gutter Brothers were an audit firm. Back then, I was just labelled as an ‘other’, which was even a lower rank than the receptionist. I was doing an apprenticeship by then. Respect must be earned through your actions.

I learned a valuable lesson from this. No matter how high you see yourself, how magnificent you look in the mirror of your vanity, others may see you as a pompous nitwit or worse. – Norman Marks

Another situation, many years later, reminded me never to think too highly of yourself. – Norman Marks

I am obdurate. Later on, I worked under a number of audit seniors and supervisors. One of my appraisal was rated as below average and that I was ‘obdurate’. My manager thought that I was inflexible. He believed that I was stern. Asking questions was a must. I asked to ask managers why must I do certain stuff. Do not follow the procedures last year blindly as last year’s work might not be done properly. Never simply follow a checklist without understanding what it is about. Simply use standard audit programs as a tool and a checklist. It is important to understand and appreciate the business. This is a powerful checklist. Keep asking ‘why’.

I believe very strongly that only when people have a solid understanding of why something needs to be done will they do it well. – Norman Marks

Too much quality. Sometimes, people in positions of authority do not have the right experience and ability. Learn to use analytics, trends and rations as an audit technique. Use performance indicators to detect unusual patterns in inventory level. Analytics is useful to save time during the audit. Once, the audit partner said my work-papers were great but I took too much to perform the work. Time taken to perform the work was a cost to the client. My work was apparently ‘too good’ and it didn’t have to be that that good. For internal auditors, the focus on documentation is not as great as for external auditors. IA’s work is not reviewed by examiners or regulators. Our audit opinion is for internal use. Internal auditors are rarely sued. If there are dispute in findings, it is important to have working papers as evidence. Interpreting the audit findings is also an issue. Working papers are crucial if there is a fraud investigation. You can review by talking to the audit team. If external auditors are going to rely on internal auditors’ work, documentation is important. Creating working papers should not be very ‘costly’ and the time wasted could be used for another audit. Apply ‘stop and go auditing’. This means extending the audit if risk was higher than expected but shorten an audit if the risk was lower than anticipated. Sometimes, cutting short an audit is useful. The CAE must balance the value and cost of developing working papers.

There is no way that audit documentation should take such an enormous percentage of total audit engagement time. If my internal auditors spent more than 10% of their time on working papers, I would need to know why. – Norman Marks

The value of criticism. I was good at flow-charting and completing ICQs. I received a lot of comments from the CAG specialist and requested for a meeting with him. All the review notes made sense. Luckily, he was patient and explained what I had done wrong and what should have been done. Later, I re-did the working papers and in future, I did not receive that many review notes. I realized that my flowcharting systems was lacking. I needed to have a better grasp of the fundamental principles. Technical skills are important too. I respected the CAG specialist and learnt a lot from him. Criticism can educate and change you. Later, I was hired by the CAG team as they were impressed with my knowledge.

The value of writing and teaching. I loved history. I was a gifted programmer and knew how to use the computer auditing sessions. To my superiors, I was an expert in the subject manner. For new technology, it is best to implement in stages. IT systems must be built on a solid foundation. The foundations and fundamentals don’t change. For example, you must understand internal controls, risk management, IS, cash management etc. Later on, I was interested in microprocessors. Tell people why the tasks they are doing are important. Avoid technical language and use ordinary English. In order to teach, you have to learn the fundamentals. Therefore, there is huge benefits for learning to teach. Use examples and diagrams when teaching.

The value of Curiosity and Research. I was the IT auditor for a large insurance firm. Keep asking and make sure that audit tests are not run on old data or old systems. From then now, I had a keen interest in ITGC. Sometimes you need to look deeper and not be fooled by the name of a system or report. Someone could have changed the name of the report but the data was not relevant. My common sense impressed him.

The executive attention span. I drafted ICQs to those programmers who had power to change many elements of the IT environment. There was once when I had to explain my work to a senior partner but I realised that he was not paying attention. I realized that once I had hesitated, the senior partner stopped listening to me. Senior management wants you to explain your point succinctly and quickly. They don’t like to hear things that they don’t want to hear. He wanted to size me up. Senior management only wants to know whether there are any issues in the audit. You should conclude what the effectiveness of controls meant for the organization as a whole.

You are how others see you. I was about to receive my annual evaluation from David. However, apparently, I had offended a senior colleague of David. I appeared arrogant in front of that colleague. When I approached my other colleagues, I realized that that was what they were saying about me too. Charisma is important in audit. When climbing the corporate ladder, you need to learn to be a charismatic leader.

Showing that you are the best at what you do may win you a job, but will rarely win friends or influence people. If we are to be successful, we need to surround ourselves with people who are interested in our success as well as their own. Arrogance turns them away. – Normal Marks

The search for charisma. I learnt charisma from leaders during my short stint in the US office. A large part of it is smiling. You need to behave in a way where people find it appealing. Demonstrate that you place value in your staff and you can trust them. Everyone is valuable and interesting in their own way. I have been enlightened by conversations. You should talk to everyone if you want to find out more about the organization’s problems. Listen to people on the ground. Show respect to others and listen well.

I have learned that people love those who will listen to them. You can be charismatic by listening actively, showing respect and attention to another’s views. – Norman Marks

The Root Cause. You cannot report the symptom. You need to dig to the root cause of the problem. Keep saying ‘why’. This is the 5 ‘why’ method.

If the auditor reports a problem that is only a symptom, management is unlikely to take the actions necessary to fix the problem permanently. Only when the root cause is treated, rather than the symptom, is the deficiency addressed. – Norman Marks

Do we speak the same language? The English spoken in America and England have slight differences. For instance, to the British, ‘ta’ means ‘thank you’ to the British people. Make the effort to speak clearly so that others can understand you. Do not assume that everybody understands each other. Take responsibility for what you say.

WIIFM. Sometimes, if you want to climb the corporate ladder, connections matter. Is this behaviour consistent with your values and principles? It was against my principles to steal others’ credit. People usually only care about themselves. They think in this perspective ‘What’s In It For Me?’ You need to understand how people act. Over time, playing office politics will create enemies.

Where do I go from here? I decided the life of a partner was not for me. The opportunities and salary are more important than the title awarded to you. You must look forward to the next role before jumping in.

Only take a job when you see yourself excited and running towards it. Don’t take a job just to escape your current position. – Norman Marks

Wearing a White Hat. People make mistakes and controls are important.

Awkward Days. If you can’t trust people, you can’t expect them to be loyal. If you have a bad boss, you will see that people will start leaving.

When you can’t trust your own people, especially when there is no good reason for mistrust, they will neither trust you nor owe you loyalty. – Norman Marks

Some measure their value and effectiveness by the number and significance of their audit findings. I measure my value and effectiveness in terms of how management trusts and looks to me to help them be successful. – Norman Marks

A great but unlikely compliment. I wanted to move into line management before wanting to consider whether to be an IA head. The CAE should report administratively to senior management and administratively to the Audit Committee. Compensation for the CAE should be set by the Audit Committee. Internal auditors should be experts in internal controls and processes. Workload assignment is important.

When to suggest an answer. It is good for auditors to have some line experience. First, one needs to assess the design of the controls. Learn to create a control matrix. The control matrix can help you make an assessment and prevent excessive audit. Be wary of backlog requests. Do not be quick to suggest answers before understanding the problem. Do not suggest a solution if you know just the symptom.

Learning about Limits. Common sense, together with logic, can help one accomplish a lot in life. Sometimes, it is better not to set limits for yourself. If you enforce the HR policies too strictly, some people might not like it. This might make you more enemies.

Empathy. Walk in someone else’s shoes before you criticize them. Understand what others are going through and the challenges they face. Walk around and ask others how they are doing and show some concern. When they know you care for them, they tend to be more loyal towards you. Sometimes, you need the humanistic and caring approach of management.

Empathy, understanding what it was like to walk in the auditees’ shoes, would help me craft a report with recommendations that were practical, business-oriented, and achievable. Having empathy would help me influence and effect the change I desired and felt was necessary for the business. – Norman Marks

The Customer. It is important to follow-up with the customer and update them if the query is still in progress. The person who made initial customer contact should take ownership of the case.

The lesson was that hiring motivated and experienced people may cost a little more per person, but they need little supervision or management, are far more productive, and in general create products that are practical, relevant, and useful to the business. – Norman Marks

The Best Job I ever had. The best way to know a job is through a network. Tosco did well due to strategic management decisions. I was given room to grow as the head of Internal Audit. IA should be able to effect change and adapt to changing business conditions. The staff need to be talented and also be able to communicate well.

Hiring the Best. I started off as the CAE with no staff under me. Eventually, I hired 3 experienced people. In IA, both hard and soft skills are necessary. In addition, being intelligent and having a curious mindset is necessary. Auditors need to think for themselves. During the interview, ask what the candidate reads. Ask the candidate audit-related questions and dig out more information on him. Think about a situation where you have never encountered before. A way to approach auditing is to evaluate the risks and to better manage them. Sometimes, if the risk are at an acceptable level to management, then no further testing is required. Having experienced staff is important.

Too many auditors are trained not to think. They are told to follow an audit program or checklist that somebody else created. – Norman Marks

Humility and Respect. I was the director of IA at Tosco. Even if you are very senior, always act with humility and respect. Trust your employees to work diligently. I was proud of the management team, who placed people ahead of profits. Listen from people who can offer different perspectives. People like to feel empowered and respected. IA was seen as a path to business. Create a fun environment so that people will stay.

The risk-based IA plan. Learn to build up your audit universe. Always practise risk-based auditing. Sometimes, a full-scope audit can use up too much of your resources. Later, I understood the concept of ‘opportunity cost’. Your audit plan can have relative ranking of risk factors. I included risks within each business unit and compared them across the enterprise. Focus on the more significant risks to the organization. There are endless possibilities of audit. I was able to substantially cut down the audit time required. The more audits you do, the more risks you are able to assess. One average, one audit member could complete up to 12 audits per year. Learn to perform an ERM first, before developing your audit universe. In the past, nobody talked about ERM. The whole point is to discuss on the wide-range of activities for the organization.

My first frauds. Over the years, I have performed many investigations. Sometimes, companies want to protect the fraudster because he is still a valuable member of the organization. Do not commit ‘white lies’ as they may have serious repercussions moving forward. Limit the people in the ‘know’. Do not jeopardise people’s career if they are under investigation. Sometimes, they might actually be innocent. Anyone is capable of committing fraud, even your close friend. It is important to keep investigations confidential, so as not to affect others’ reputations. Never assume guilt unless you have sufficient evidence.

Not all auditors hate risk. Management can decide how much risk to take, but auditors can challenge this. IA should not try to eliminate every risk that they see. Do your audit customers smile? It is not about eliminating risk, but about taking the right risk. There needs to be security over the batch jobs. It is essential to take a business perspective when it comes to auditing.

Internal auditors should understand that business is not about avoiding or limiting risk, it is about taking the right risk. I have learned that all internal auditors should consider themselves business people who have a job as internal auditors. Their work should be intended to contribute to organization success, not just point out deficiencies or “findings”. – Norman Marks

Loretta and Wow! Audit Projects. As IA, you can make the person’s job more interesting by making better use of their manuals and documents. Learn to reinvent your work. Make every project a ‘Wow!’ project. IA needs to talk to people to understand the risks that the organization faces, and what are the risks and opportunities. Spend time to talk to people on the ground. Timeliness is important. Long meetings are unproductive in nature and should be avoided. Auditors must talk in the language of business executives.

Why do I need to write an audit report? One needs to demonstrate empathy. You need to care about the success of the team. The report is a vehicle of communication. It benefits the management and the audit committee. Clear communications are easily understood. The report must be clear and concise. Management and the AC wants to know the following: 1) Is there anything they need to worry about?; 2) Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed?. Manage on ‘exception’. After reading the first few paragraphs, you should be able to obtain the correct information. An opinion can be expressed on a written scale, 1) Satisfactory; 2) Needs Improvement; 3) Unsatisfactory. Management just want ‘high-level’ information. The goal is to effect improvement and not to keep reporting issues. Risks must be managed effectively. If management corrects the issue before the report is issued, I can drop the finding. Is it necessary to organize a closing meeting? I am looking out for information to make IA communications more accurate. If you know one audit report might affect other areas of the business, it is possible to share the findings with that area of the business.

Auditing Forward. IA must be independent and objective. Evaluate and improve the control and governance processes. Auditing forward means being involved in forward looking activities and ensure that controls are in place. Controls should be implemented before ‘production’ phase. This is more of a consulting project. IA’s success has to be inter-wined with success of project implementation. Going live without testing is potentially high-risk. Identify areas where the project is most likely to experience pitfalls. IA can value add if it can improve the company’s future. Telling about problems in the past can help, but only to a limited extent. Be agile and learn to change the IA plan swiftly. Know that business environments can change. Obtain monthly operating reports and key metrics so that analytics can be performed. Business leaders like IA who can value-add.

Effecting Change. Some IA functions measure their success by the number of recommendations made and % of findings accepted by management. The number of audit findings should diminish over time. IA must target the root cause and actions needed to fix the problem. By right, all recommendations should be accepted by management. Measure quality through the change that is made. The number of significant findings should be decreasing over time. IA should enable organizations to take corrective actions. ‘Does internal audit help you identify the need for change and improvement in the business, and then to get those changes made?’

Leadership. People need to have confidence in you. You cannot fake who you are. Always be the best that you can be. Show respect and listen to others. Give credit to your team members. Ask questions that make people think hard. I have received good feedback from those around me. Try to mentor others and to help their careers whenever possible. People need to think for themselves. People from the Big 4 are trained not to think. This sort of thinking needs to be reversed. There is a difference between a boss and a leader. Leadership is about providing direction, implementing plans and motivating people. Leadership styles can be modified and tailored according to the situation. Trust and loyalty are really crucial. Be loyal and build strong teams. Understand what motivates your staff and where they want to go in their careers. Always be there for your employees. A leader is supposed to motivate employees so that they can perform to the best of their ability.

Working with difficult people. Sometimes, you will meet people who dislike you on a personal level. If you want to be successful, you need to learn how to work with difficult people. There is nothing much you can do but apologize sometimes. Sometimes, you may enter a workplace with a high degree of politics. At times, you might not be able to change a difficult situation. In that case, the best thing to do is to leave on a good note. You can take courses on how to deal with difficult people. Learn to listen to angry people talk. Eventually they will simmer down. Being heard is almost like being loved. Being alone can allow the person to calm down. Always try to be professional and polite. There is little to gain if you keep criticizing the other person. Difficult people are difficult for a reason. That is because they may have something to hide.

Working for a Difficult Region. It is ridiculous if you need management permission to perform the audit. IA should be given full access and co-operation. If bonuses are tied to number and severity of audit problems, people will clean up data and be extra vigilant when dealing with auditors. Sometimes, people do not see value in IA. Do not have the aim of disciplining others.

Organizational Culture. CAEs should be concerned with the organizational culture. Is there a culture of integrity? Is the culture appropriate for realizing and delivering value? The CAE must stand tall. Sometimes, when the CAE reports bad news, the CE might want the CAE to be fired. There might be a culture of manipulation of books and earnings management. There must be a strong tone from the top. Do not have the culture of ‘cooking the books’. If there is, it could be a good idea to leave.

The expansion of internal auditing. Pay attention to contracts audit. Sometimes, there can be loopholes that may be exploited. Investigations should only be performed by well-trained personnel. Determination of whether fraud is committed is a legal responsibility. Do not believe that guilt is present until all evidence is in. Audit must be performed to check compliance with licensing terms.

World Class Internal Auditing. This means being an IA function that few are aware of and not many people adopt. Do not simply follow best practice. Always audit forward. Embed your IA team in all major initiatives. An effective leader should support the team and provide adequate resources. There are disadvantages with inexperienced auditors. Focus on important risks and do not waste time on immaterial activities. Do not try to make someone else look bad. There are 14 attributes to a world-class IA. 1) Be praised by AC and top management. 2) A cool place to work (Build a bonding spirit). 3) The department people want to transfer to, but hate to leave. 4) Where people think (observe similar situations in other companies; be creative and resourceful; standardized audit programs may not be applicable for all; learn to challenge norms). 5) Where people are set free to choose an audit approach that stimulates and develops, as well as getting to the heart of the problem – tackling the root issues head on. Auditors must get to the root cause of the problems, which tend to be people. Sometimes, people make mistakes because they are overworked. 6) The source of projects that are noticed, that will be told to the team’s grandchildren (major business improvements). 7) The internal consultants of choice and a source of talent. 8) At the exit interview, the manager says ‘thank you’ sincerely (Listen to your customers. If they value you, you are in a much better position). 9) Fully leverage the organization’s risk management process (automation, base audit plan on risk-adjusted risk universe (ERM etc)). 10) Fully leverage advanced continuous monitoring and auditing capabilities – as part of a risk-based audit program (perform analytics, employ technology for advantage, crowdsource etc. 11) Where the CAE sends a message to the CEO asking to chat, and the CEO comes to the CAE’s office (Learn to listen well). 12) Expanding into new and cool stuff, even if not traditional audit areas, such as process improvement, six sigma, audit of risk management and governance (use the LEAN concept to reduce waste, inefficiencies etc). 13) Where internal auditing is seen by management as a competitive advantage (see the value add in IA). 14) Where the CAE is never satisfied (learn from other CAEs, think outside the box).

After all, our job is not to score points telling people how many mistakes they made. Our job is to help people understand whether things are OK, and, when they are not, work with them to effect the necessary changes. – Norman Marks

Celebrating mistakes. Do not live in fear of making mistakes. However, one should learn from their mistakes or it might become an issue in future. However, there are some weaknesses that one must accept. Make adjustments to your behaviour. Sometimes, what appears to be negligence may not be so. Stop before reacting. Learn from your mistakes in order to help you succeed.

Looking back and forward. Not many IA departments assess and provide assurance on effectiveness of risk management. Very few consider governance issues. It is simply not just a ‘check the box’ function. Too many ACs don’t understand the potential of IA. IA practices must continue to improve. Business environments are getting more complex.

The Essential Guide to Internal Auditing by KH Spencer Pickett

Introduction. Auditors are expected to deliver. They have to present ‘big picture’ risks. They also need to identify risks with the departments. The audit report must add value to the organization. Visit the IIA website and keep up to date with the latest information. It is now a full-blown profession. An IA function can provide good governance. We now need to take into account internal audit standards, and the work of academics etc. This book makes reference to a lot of IIA standards. Please read the IIA standards. Chapter 2 – Corporate Governance; Chapter 3 – Managing Risk; Chapter 4 – Internal Controls; Chapter 5 – The Internal Audit role; Chapter 6 – Professionalism; Chapter 7 – The Audit Approach; Chapter 8 – Setting an Audit Strategy; Chapter 9 – Audit Fieldwork; Chapter 10 – Meeting the Challenge. This guide can improve an auditor’s professionalism. The internal audit function has evolved over the years. It has moved from accounting data in the past to ‘risk management, control and governance processes’. In the past, internal auditors’ job was to try to pick up fraud more quickly than the external auditors. In the past, the focus was more on low-level, detailed checking. Most ACs are required to have non-executive directors as well. Now, audits involves recognizing risks and then seeing how the controls can address the risk. Should the CAE report to the main board and not just the AC? ERM is also increasing in importance. These are exciting times as IA is also taking on a greater consulting role. However, the assurance aspect is still necessary.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. – IIA definition

Corporate Governance Perspectives. An organization should strive for performance, but at the same time adhere to guidelines and regulations. The tone from the top and investor’s expectations do matter as well. Corporate scandals can undermine the trust in the society etc. That is why there are corporate governance codes that are put to practise. Understand the agency model of how the shareholders vote in the directors, the directors oversee the managers and the mangers run the operations. The directors set targets for management and the directors report results to shareholders at the end of the year. Shareholders have a right to dividends. Directors have to protect the business and account for their activities. In reality, directors may not be aware of their role. There are many stakeholders involved in a company. There is a lot more attention on shareholders and how they are treated nowadays. Giving shareholders more information may not work as they might not understand such information. Why do we need business ethics if everyone is honest? Research has shown that people are not fully aware of what an ethical culture entails. External auditors make sure that the accounts can be relied upon. For public sector, the focus on VFM is greater and the owners are the taxpayers. Ethical standards should be made clear to all. There are problems, for example: a CEO which is too powerful; board members which are not independent; incompetent boards; employees who abuse the system; no accountability framework; poor tone from the top etc. Shareholders do not like short-term growth. However, managers want instant results. There can be confusion over levels of authority, and the legislative framework etc. Corporate governance aims to combat inappropriate behaviour. The 5 key principles of governance are 1) Rights of shareholders must be protected; 2) There should be equitable treatment of shareholders; 3) Timely and adequate disclosure; 4) Disclosure and transparency; 5) Responsibility of the board. Countries should adopt international accounting standards. Independent directors should meet at least once a year. Independent directors should ask tough questions to the CEO. Management should optimize shareholder return. Transparency is important. ASX has developed an important set of corporate governance principles. The OECD has global principles of good corporate governance. There should be effective interaction between board, management, external auditor and the internal auditor. IA must report directly to the AC. The AC should select the external auditor and evaluate both external and internal auditor performance. Fraud Risk Assessment must be performed. The internal auditor is more concerned with internal control to determine whether organizational objectives can be met. Sometimes, the EA and IA audit methodologies can appear to be quite similar. IA’s role is to promote suitable organizational controls. The IA should make use of IIA standards in their work. Both EA and IA should communicate with one another. IA is interested in system weaknesses that lead to potential loopholes or fraud. Most of the time, IA staff are employees of the company. EA is usually a legal requirement. IA is mainly in charge of fraud investigations. IA can focus more on operational audits. IA may also cover operational efficiency and VFM initiatives. The IA function is also active the entire year. IA and EA should exchange their audit plans. The ideal situation is where IA and EA sit together and fully integrate their plans. Most ACs meet at least quarterly. The AC is very important in the role of corporate governance. The AC is mandatory for most international stock exchanges. The AC has many governance related responsibilities to fulfil. Where is the link to risk management and internal control? All foreseeable risks must be anticipated. A well governed organization should have good internal controls in place. The annual report should spell out clearly the responsibilities of every committee etc. The codes of corporate governance does change over time. KPIs should be integrated with KRIs.

Managing Risk. There are different types of risk management, including ERM and CSA. The audit should move towards the future, by perceiving risk. There is a move away from compliance. Risk can be controlled. Management needs to take a certain risk appetite. Risk is measured in terms of consequence and likelihood. Risk only has meaning when related to an objective. A mission statement is useful. Risk has both an upside and downside. Excessive controls should also be cut as it affects productivity. Risk management is a dynamic process. Flexibility is important. However, some risks will be unanticipated. The risk owner must be identified. There must be open communication with management on risk-related matters. All risk must be identified. There needs to be strategies to tackle high risk impact areas. The entire process must be reviewed periodically. With a good ERM structure, shareholder value should be enhanced. Risk owners should be the ones implementing controls. After controls, the residual risk can be measured. 1) Terminate – stop the activity; 2) controls – are we doing enough to reduce risk to an acceptable level?; 3) Transfer – this could be through taking an insurance policy; 4) Contingency – BCP in case high risk events occur (high impact, low likelihood); 5) Take more risk; 6) Communicate; 7) Tolerate (esp for low risk areas); 8) Commission research; 9) Tell someone; 10) Check compliance . A company should keep risk registers. The approach for residual risk is to 1) more risk; 2) accept risk; 3) implement more controls. Take note that controls are costly. The tone of the top must be set. However, risk management is sometimes conducted based on gut feel. The risk analysis must be compared with a set criteria (different areas). The organization should prepare a risk appetite statement and define the control environment etc. There needs to be both qualitative and quantitative statements (limits, thresholds, key risk indicators). Risk workshops are good. However, risk workshops could be seen as cumbersome and a waste of time. There must be a board member sponsoring the process. There should be a risk management committee. The board and the audit committee should work together on a risk assessment around corporate strategy. The CE can act as the board sponsor. It is important to get the people on the ground’s buy-in. It is important for the risk policy to be established (It should contain governance, policy scope, policy applicability, risk management process, risk appetite, reporting, roles & accountability, variations and dispensations). COSO defines ERM as ‘A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.’. Look out for cross-functional risks. CSAs could be used to get information. In addition, interviews could be made. The use of CRA workshops are one option as well. Use a properly prioritized risk register to focus on the bigger risk issues. Risk can be classified into ‘strategic, programme, project, financial and operational.’ IA needs to work with the RM team to have streamlined ERM. ERM has a big role to play in strategic planning. There have been some new developments in the ERM space. For banks, it is very important to have a CRO. Even smaller organizations are paying more attention to risk management. Risk management is a good way to improve corporate performance.

Internal Controls. IC is very important to an internal auditor. A good understanding of internal control is important. IC is important and has to put in place. Poor controls can lead to losses. There is no substitute for IC. The control environment is important. Management must determine whether there is a need for controls. Once this has been identified, suitable controls needs to be identified. Next, they need to be implemented. Controls must be applied effectively. They need to be maintained and updated too. Do understand that there are different types of controls. It is all about the people. Beware of burdensome controls. Controls must be reviewed adequately. Controls should be a way of managing risk in the organization. IC must be implemented in the working procedures. The COSO framework is a good guide. The control framework helps drives the control environment. ICs must be communicated and monitored. Purpose à Commitment à Capability à Learning & Monitoring. People must learn to challenge old assumptions. CoBiT is for IT. There is also the Basel Committee on Banking Supervision. IC is closely linked to RM. Control mechanisms should be clearly defined. There are 4 types of controls: 1) directive; 2) preventive; 3) detective; 4) corrective. Some of the types of controls are: 1) authorization; 2) physical access restrictions; 3) supervision; 4) compliance checks; 5) procedural manuals; 6) recruitment and staff development policies; 7) SOD; 8) Sequential numbering of documents and controlled stationery; 9) Reconciliations; 10) Project and procurement management; 11) Financial system controls; 12) IT security; 13) Performance management. Warning signs: 1) Ability of senior management to override accepted control; 2) Lack of staff and vacant posts; 3) Poor control culture; 4) Staff collusion; 5) Reliance on a single KPI; 6) Reliance on memory; 7) Retrospective transaction recording; 8) Uncontrolled delegation of tasks. Understand the importance of soft controls. Control mechanisms must be designed appropriately. Use integrated controls. The fallacy of perfection. Control measures are costly. Management override of control is an issue which needs to be addressed. Ownership of control is very important. New developments are important to follow. SOX was being implemented.

If government organizations are to be effective, we must establish and maintain a system of internal control to protect government resources against fraud, waste, mismanagement or misappropriation. Employees often underestimate the importance of internal controls, or think internal controls amount to merely separating duties. However, internal controls encompass a comprehensive system that is critical to helping an organization achieve its goals and mission. – State of New York, Office of the State Comptroller

The IA role. Learn to define IA. An audit charter is needed. Internal auditing must be objective in nature. IA must attempt to add value to the organization. IA should also improve an organization’s operations. It must be systematic and disciplined. There is a need to continually improve the system. Risk management and control must be executed. The IA function should achieve 1) reliability and integrity of financial and operational information; 2) effectiveness and efficiency of operations; 3) safeguarding of assets; 4) compliance with laws, regulations and contracts. Much expertise is required from internal auditors. Sometimes, IA can provide an advisory role in relation to compliance and let the compliance do the rest of the job. MIS audits are also very important and have to be conducted. VFM is also related to audit work. The use of specialists may also be necessary. An audit charter needs to be written. The audit charter should cover areas recommended by the IIA Attribute Standard 1000. There are many possible types of audits that can be conducted by IA. IA must also appear to be independent when performing their work. IA must be impartial and provide unbiased views. The manager of the department cannot dictate what the auditor should do. Audit Ethics is important. IIA should refer to the ethics code. A code of ethics is necessary. Sometimes, the word ‘audit’ has a negative connotation. The auditor should have a good understanding of what the client is doing. Information must be extracted in an efficient manner. Dealing with people is important in the job. Planning for audits in the AC forum is important. IA should not just simply do work that management expects of them. Useful information should be listed on the IA website. What are some of the competencies required of internal auditors? Certifications help to showcase competency. Example: CIA. What makes good internal auditors? Auditors should be aware of 1) internal audit procedures/guidelines; 2) accounting principles; 3) indicators of fraud; 4) key IT risks; 5) management principles and materiality; 6) Appreciate and fundamentals of business subjects; 7) Soft and hard skills. Professional Development is important for the auditor. A certain number of CPE numbers is needed to retain membership to IIA. Workshops are useful for identifying training gaps. Appoint a training co-ordinator. This person should be able to carry out basic in-house training. The IA team should read journals etc. Work closely with SMM to ensure that risks are identified. Identify skill gaps etc.

The perception that operational management is very busy doing important work while the auditor is simply checking some of the basic accounting data that relates to the area can create a great imbalance. This sets the auditor at a disadvantage from day one of the audit. – KH Spencer Pickett

Professionalism. Internal auditors need to go through a detailed training programme. They must be knowledgeable. IA are professionals. IA is now a professional discipline and this is considered a huge achievement. IIA has issued its professional practice framework. You may read the attribute standards. An auditor needs to exhibit due professional care. All audits must be performed according to certain standards. Disclosure by IA must be made for consulting services etc. Quality assurance is important. IA needs to ensure that it complies with code of conduct and other relevant standards. Appropriate evidence of supervision is documented and retained. ‘The team leader, audit manager, and CAE each have a duty to ensure that they are available to direct staff as that audit is being conducted.’. Supervisors must review each workpaper and sign off. Questions or review notes must be addressed. Internal reviews or on-going monitoring is important. External reviews must be conducted once every 5 years. A pleasant audit image must be created. A feedback questionnaire needs to be conducted. A formal complaint procedure should be voiced out.

The internal auditor’s objectivity is not adversely affected when the audit recommends standards of control for systems or review procedures before they are implemented. The auditor’s objectivity is considered to be impaired if the auditor designs, installs, drafts procedures for, or operates such systems. – KH Spencer Pickett

The Audit Approach. IA can be performed in many different ways. Use a risk based systems approach. It can be more useful to examine the proper functioning of systems. Internal auditing provides a powerful level of review. There are several stages on RBSA. The use of CRSA is also possible. IA must be equipped with the right skills to perform the role. Fraud which have yet to be discovered is very alarming indeed. For fraud to take place, there must be the 4 elements: 1) motive; 2) attraction; 3) opportunity; 4) concealment. It is important to set the tone from the top etc. It is important to plan the investigation. Fraud risk assessment must be built in to the risk assessment workshops. VFM audits also may have to be performed. Management should be able to identify cost saving areas. VFM is concerned with the following: 1) economy; 2) efficiency; 3) effectiveness. IA can now also provide consulting services. Learn to manage change. Management is more concerned with the future than the past. IT governance is important as well.

Setting an Audit Strategy. The CAE must ensure that the audit activity adds value to the organization. Objectives must be present. The main role of audit is to give assurance work. The AC must understand clearly what IA is doing. The scope of services must be defined clearly. Audit objective must be geared to the organization’s objectives as well. The CSA approach has its perks. Sometimes, PESTL and SWOT analysis must be done. Audit plans should be driven based on ERM assessment. An audit universe must be defined. Management must be involved in the risk assessment process at least annually. Weaknesses in staff morale etc must be addressed so that the IA team can perform well. The resources used must be able to execute the audit plan. Auditors must be motivated to do their work. Low to medium risk audits can be performed on a rotation basis. An appraisal scheme must be suitably designed. There must be formal appraisal criteria. An auditor should have a career plan. There are many ways to assess an auditor’s performance. An audit manual needs to be written.

Audit Fieldwork. An auditor needs to perform the fieldwork. For each audit, the following must be defined: 1) engagement’s objectives; 2) scope; 3) timing; 4) resource allocations. Try and read through previous audit files. Every audit needs to have an outstanding matters list. Carry out your background research. Get the basic facts with management. Understand the nature of the audit. Highlight the type of audit skills required. If the audit is too difficult or the resources are not sufficient, the audit should be aborted. The senior staff should lead the preliminary meetings. Next, develop audit procedures. Define the tasks that need to be performed, even for the lead auditors. Define the extent of testing. The audit scope must be sufficient to achieve the objectives. For large audits, break them down into deliverables. A trend is for a move away from teamwork with a single auditor being given an audit to streamline resources.