The previous market conditions have triggered an important debate on corporate governance. Due to the numerous scandals and market failures, legislators and financial authorities have created many standards and enforced certain regulations to challenge the economic turbulence. Directors are now being held more liable for their performance regarding these requirements.
A Committee for Cadbury Report (1992) was set up in May 1991, to address the financial aspects of corporate governance. The absence of a clear framework to ensure that directors monitor sufficiently the controls of the business prompted the need to establish a detailed set of guidelines which companies would have to follow.
The Hampel Report (1998) followed the recommendations of the Cadbury Report and looked deeper into the roles of the shareholders, directors and auditors in corporate governance. It commented on sections where different approaches were taken and covered areas not considered before.
Obviously, corporate structures and governance principles might vary from country to country. However the basis of these arrangements is nearly the same among corporations.
In each of these reports, the objective is not to set down corporate behavior in detail but to ensure satisfactory disclosure so that investors and other stakeholders can assess the firm's performance and governance practices.
In brief, both reports take account of the following:
At the outset, the shareholders appoint a board of directors to govern the companies on their behalf, and an external audit function to ensure that financial statements give a true and fair view of the company.
The responsibility for good governance clearly rests with the board of management and the auditors' role is only to provide the shareholders with an independent and objective assurance on the reliability and accuracy of the financial statements.
Listed companies
All listed companies should provide a report explaining their governance policies, but they should also justified areas of non-compliance with the code.
It is noted that corporate governance is not evaluated on the basis of just complying with all the rules prescribed. The system has some flexibility to adjust for varying circumstances of individual firms.
Audit committees
All listed companies should have an audit committee which will help in raising the standards of corporate governance in areas where improvement is asked for. The audit committee will not only create a disciplined and controlled environment to reduce the opportunity for any malpractice and fraud but can also reinforce the status of the internal audit function by providing a higher degree of independence from management.
Internal audit
An internal audit department should be put in place to undertake investigations concerning the effectiveness of the internal controls and to report on any suspicion of fraud.
Adding to this, Deloitte (2008) states that in cases where internal audit function of a company is outsourced to an external provider, the basic considerations remain the same.
Risk
Although it is impossible to reduce risks to zero, following certain principles can mitigate them to an acceptable level as per the company's risk appetite. The more management and other staffs are held accountable in their work, the more effective and efficient the control mechanism will be and therefore, there is better possibility to keep risks down.
Indeed, a study conducted in the US by KPMG (1999), acknowledges that in view of the changing business arena, it is important to focus deeply on areas exposed to critical risks which could drive the firm towards poor performance or even failure.
The Turnbull Report (1999) was an important mechanism in the process of including risk management into auditor's role. It takes a risk-based approach while emphasizing on the internal control systems. Effective financial controls would ensure that the company's financial information is trustworthy.
The report suggests that intelligent risk taking contributes to the profitability of a business and therefore, rather than eliminating risk completely, internal auditors, via ensuring the effectiveness of internal control would assist the board in managing the business' risks.
Still, the Turnbull Report does not deviate from the other reports since it provides similar requirements. Companies without an internal audit function should annually assess the need to establish one. In case of an absence, management needs to provide assurance to the stakeholders as to how processes would be monitored and whether internal controls are operating as intended.
The report also provides for additions or modifications in certain areas. For instance, while considering company-specific factors when reviewing the need for an internal audit function, it also takes into account the cost/benefit criterion.
However, the existence of all these rules and regulations do not guarantee success. If a company cannot find people with the appropriate experience and skills, and if there is no good leadership and teamwork culture, it would be difficult to achieve prosperity in the corporate system.
Several participants from an interview conducted by Tapestry Networks (2009) for Ernst & Young affirm that effective corporate governance start with directors.
One participant of the same interview put it as follows:
"People are the starting point. You can have all the rules and tools in the world, but it doesn't matter if the people are [not good]."
Sarbanes-Oxley act; Can it benefit to private companies?
Whilst the SOX encourages most executives to implement its requirements onto public companies, SOX practices have been revealed to be practical to private companies as well(Deloitte, 2009)
As a matter of fact, private company leaders tailor their operations in line with SOX practices and choose the most relevant requirements to meet their organization's objectives. Forward-looking private companies have not only perceived SOX as a resourceful tool to preserve stakeholders' value but also, derived better costs management and improving information about the company's performance, all driven by enhanced procedures and business functions.
To summarize, private companies adopting SOX have benefitted from:
Improved efficiency of their corporate controls
Better allocation of available resources in a cost efficient manner and keeping business objectives aligned
Inefficiencies in the control system have been revealed, for instance duplicate operations performing the same functions
Lessons learned from accounting scandals
In February 2007, members of the European and North American Audit Committee Leadership Networks convened to talk about the accounting scandals of the early 2000s and to redefine their roles as audit committee chairs. They discussed lessons learned from the corporate failures and came out with a number of recommendations.
During the meeting, the case of Enron, WorldCom, Parmalat were reviewed and this brought to light the deficiencies in the governance mechanism. Among the major ones, they point out that:
It is a priority that companies have a strong and objective internal audit function.
Members saw internal auditing as a valuable asset in the prevention and detection of any fraud which could arise in the business.
In fact, some of them even invested more time and resources to the planning of internal audit and training of the internal auditors than they did on external audit due to its high level of importance.
Following the scandals, internal auditors need to be more skeptic and proactive. They should become more questionable to areas of uncertainty, and assess and challenge answers.
Now there is greater independence between internal and external audit function.
Qualifications for both internal and external auditors have increased with more emphasis on internal auditors.
Members also acknowledged that internal auditors may have varying roles. Some companies use internal audit, prioritizing verification of the effectiveness of internal controls, while others may add risk management to the internal audit scope.
Corporate Governance and its relation to valuation of company
Similar to Klapper and Love (2004) , (Matthew Morey, Aron Gottesman, Edward Baker, Ben Godridge, (2008)), through an investigation carried out in 2007, on whether improved governance causes higher valuations for the companies in emerging markets showed that there is indeed an important relationship between corporate governance and valuation. The study used data over at least a five year period from AllianceBernstein, and revealed that advancements in such best practices resulted in higher valuations. It was therefore recognized that investors attribute much importance to the issue of corporate governance.
The new definition of internal auditing
In June 1999, the Institute's Global Board of Directors of Internal Auditors approved the definition of internal audit as:
"An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes"
(Morgan, 1979,p. 161) takes the new definition as a breakaway from its past label as the "organizational policeman and watchdog".
(Bou-Raad, 2000; Krogstad et al., 1999) explains that internal audit has moved from the traditional assurance and compliance services to a more consulting and value-added approach. (Krogstad et al., 1999) also said that this move has permitted internal auditors to have a more influential role in the organizations.
The issue of the new definition of internal auditing in 1999 did not produce any absolute shift from the traditional compliance audit to the range of services that the new definition offers.
Internal Audit perspective
Traditional and compliance
Few years later, Al-Twaijry et al. (2003) reported that Saudi Arabia still attaches more importance to the traditional audits. Allegrini et al. (2006) documented the same result for Belgium. When analyzing the latter companies, Gerrit Sarens and Ignace De Beelde (2006) found that internal audit departments there were regarded as "small audit shops" and consisted of only one or two auditors. He then explained that Belgian companies are aware of the benefits that a larger and more proficient internal audit department would offer, but they lack the necessary resources to establish such a department. They could therefore not extend their demand for consulting or risk management services. Dessalegn Getie Mihret and Getachew Zemenu Woldeyohannis (2008) added that services provided by internal auditors are based on contextual factors.
Operational effectiveness and value-added role
Albert L. Nagy and William J. Cenker (2002) assessed the new definition in large listed companies of USA and responses from 11 internal audit directors admit that they have shifted the overall scope of their audit assignments towards operational activities.
From another paper, Dessalegn Getie Mihret and Getachew Zemenu Woldeyohannis (2008) summarized the point of views of various authors; (Stern (1994), Roth (2000), Gupta (2001) , and indicated that all of them focused about the existence of internal audit to add value to companies' operations.
6.3 Risk Management approach
Bottom of Form
Since the beginning of the 21st century, technological advances, economic and political events has changed the climate in which businesses operates. Markets are achieving a more global landscape with the help of electronic commerce. As new business risks emerged, many organizations were compelled to reformulate their strategies and to reconsider the status of internal auditing (Szpirglas, 2006).
While the responsibility to manage risk lies with the directors and senior management, internal auditors have become key contributors in Enterprise Risk Management (ERM). COSO (2004) defined ERM as
" a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
In fact, there is an infinite list of papers which highly associate internal audit with risk management.
Some companies believe that if they want to extend their risk management into a value-creating process, business leaders should recognized the pioneering role played by internal auditors in advising the Board on its overall risk assessment.
According to these leaders, internal auditors should concentrate less on their traditional compliance-driven function and seek greater role in risk management.
In view of developing a more systematic approach to risk governance, asset managers are also discovering the need to extend internal audit function to give internal auditors a more important position in contributing to the management of their firms.
As said, research papers on internal audit's role and risk management are numerous; and they all point towards the same conclusions. Leung et al. (2003) studied Australian companies at large and revealed that while 91 percent confirmed the importance of internal control, 71 percent of internal auditors considered risk management as another important internal audit objective. In practice, most of their audit assignments focused on risks and controls.
In the same year, according to a survey conducted in Europe, Paape et al. (2003) concluded that companies are integrating risk management in the scope of the internal audit profession.
Two-third of the participants said they provide advice and support in this area.
Taking a more active role by serving as strategic advisors on risks management, internal auditors would help the enterprise build a risk intelligence organization, where risks would be identified, assessed, and exploited in the light of creating value to the firm. Following this, internal auditing will also help ensure that resources are adequate and business objectives are being respected (Kunkel, 2004).
According to PricewaterhouseCoopers(PwC)'s 2010 Global Internal Audit Study, which includes responses from more than 2000 executives over at least 50 territories, it was found that with industries engaging more in global activities, strategic risk management is having a paramount importance in the mind of business leaders.
As Brian Brown, principal and Internal Audit Advisory Services leader at PwC said, many have blamed the financial crisis on poor risk management, which is why CEOs are giving more concern to upgrade their enterprise risk management capability. High experienced professionals with right range of skills are being recruited to form strong internal audit teams to better identify trouble spots and make use of the most appropriate technologies.
Oliver Engels (2010), a KPMG partner in Germany, talks about risk management as a catalyst for value creation. He explains that forward-thinking companies have move from preserving value of a company by eliminating risk completely, to trying to outperform their competitors by exploring for opportunities that risk can offer. This recall one of the Turnbull principle that engaging in risky activities can create value to the company on the basis that high risk equates high return.
Looking from a totally different perspective, the General Manager of Risk and Audit at Rogers and Company Limited (Karene Figaro, 2007), there could be another reason behind adopting risk management. The high and increasing insurance premiums that have to be paid to protect against risk encourages the board to ask for risk management services from their auditors. It has been explained that contracting insurance premiums when the company itself can mitigate the risk is a loss of resources. It is therefore be better to implement internal measures.
However, Ian Fraser would not share the same opinion as to the evolvement of internal audit function over time. Although the function has progressed towards an enterprise risk management approach, it would be unwise to say that every organization has evolved in this area. In public sector, for instance, the approach still rest on achieving effectiveness, efficiency and economy, the 3 E's of a value-for-money audit.
The latter further questioned about what should be the internal audit risk role. He mentioned that although the intention of the Turnbull report was that internal auditors should evaluate the risk management and monitor the internal control's effectiveness, some companies nevertheless assigned most of their risk management to the auditors. As a result, internal audit departments started to lose their independence within these organizations.
From his point of view, internal auditors should concentrate on providing an objective assurance to the board and management as to whether key risks are being managed appropriately and that internal controls are operating effectively.
6.4 The notion of consulting activity
Considering Albert L. Nagy and William J. Cenker (2002) paper again, some interviewees pointed out that the traditional function of internal auditor should not be completely ignored. Despite the redefined internal audit activities include consulting; most directors disagreed on their departments being labeled "consulting. This was because "consultants" were recognized as having a high level of knowledge and skills, and would be hired to solve or provide solutions to problems, which is different from internal auditors' main role of evaluating control effectiveness.
A study in the Mauritian context, particularly to the internal audit department of Mauritius Duty Free Paradise Company Ltd (by Vijaya Luxmeebye Gowreea, 2007) provided the same reaction. The interviewee stressed on the differentiation he makes between operational audit and consulting activity. In his opinion, an internal auditor would rather be someone who assesses the effectiveness of internal controls than someone who provides solutions to problems.
6.5 Prevention of fraud
To say that internal audit will absolutely detect any fraud might be false statement. However it is very common sense that through effective internal controls, the occurrence of fraudulent activities can significantly be reduced. Based on the interview at Mauritius Duty Free Paradise Company Ltd (Vijaya Luxmeebye Gowreea, 2007), it was eventually evidenced that certain malpractices were discovered with the help of the internal audit team, for instance misappropriation of assets in the warehouse.
Final note
The final point to note through this literature review is that, the scope and objectives of internal auditors allow certain variations depending on the directors' perception, nature of the businesses, requirements of the companies and the extent to which internal audit environment has been developed.
Deloitte (2009) states that "there is no single model for how internal audit should work".
Each organization has to develop its own model, based on its size and complexity, according to the organization's needs. On one hand, internal auditors would be expected to act as independent evaluator of management, and on the other hand, serve as consultant to the board.
In the light of the above exposé, we can nevertheless say that the new definition of internal audit has been applied on a broad perspective, with more emphasis made on risk management especially in more advanced economies such as the US.
Through this dissertation therefore, the Mauritian case shall be analyzed to see the orientation of the internal audit function and whether internal audit is meeting its governance objectives and contributing to risk management.
