Sir Adrian Cadbury [UK] has said that corporate governance is about the way an organization is directed and controlled. If the board is in control of their business and they are adhering to all appropriate standards then stakeholders can take comfort in this fact. Meanwhile, being in control means that all foreseeable risks to the success of the business have been anticipated and addressed, as efficiently as possible. This alone does not guarantee success, but it does mean that there is a reasonable chance that the organization will maintain, if not exceed, market expectations.
To underline the need to be in control, the published annual report for companies listed on the stock exchange and most public sector bodies should include a statement of internal control.
This statement is a bottom line item, which is derived from the complicated arrangement of systems, processes and relationships established within the organization. If these controls drive the organization forward and also tackle all known risks that threaten this positive direction, then there is a good system of internal control in place.
A well-governed organization must have good controls and the statement of internal control represents a crucial vote of confidence from the board to the shareholders and other stakeholders.
The Turnbull report includes a set of questions that the board may wish to discuss with management when considering reporting on internal control and carrying out its annual assessment. The list is based around the COSO model of control and covers the following areas:
- Control environment.
- Risk assessment.
- Control activities.
- Information and communication.
It is clear that the board can secure information on the functioning of internal controls from sources within the organization, with much of this coming from the risk management and assurance reporting process that has been established.
The internal and external auditors also provide a major input as does the audit committee. Some organizations require their top managers to provide assurance statements where they confirm that suitable controls are in place, that they have been reviewed and improved (where appropriate) and that they are designed to help manage all material risks to the achievement of objectives.
Moreover, the statements may also incorporate a consideration of whether the controls are being applied as intended and whether they are reliable. Internal audit is a big player in this field of control reporting and most audit teams have sharpened their focus to feed into the board’s attestations (or the chief executive’s, for public sector organizations).
Many of the components of the model have already been referred to, but for completeness I can list them all as follows:
- Stakeholders – Should understand the role of the organization and what they get from it, and be discerning in demanding information on the system of corporate governance in place.
- Legislation, rules and regulations – These should all contribute to protecting people and groups who have invested in the organization or who have a direct interest in either the services or products provided or any partnering arrangements. The regulatory framework should also ensure a level playing field for competitors and inspire substance over form.
- Final accounts – The annual report and accounts should contain all the information that is required by users and be presented in a true and fair manner (in conjunction with international accounting standards). It should act as a window between the outside world and the organization so that interested users can peer through this window and get a clear view of the way management behave and their performance, with no chance of skeletons being hidden in the closet.
- External audit – There should be a truly independent, competent and rigorous review of the final accounts before they are published, without the distraction of the need to attract large amounts of non-audit fees from the company in question.
- The board – The board should be a mix of executives and non-executives balanced so as to represent the interests of the shareholders in a professional and responsible manner, chaired by a respected NED. Their responsibilities should be fully defined and assessment criteria should be in place that ensure fair rewards are available for effective performance (via a remunerations committee).
- Audit committee – This committee of non-executives should provide an oversight of the corporate governance process and have a direct line to the shareholders via a separate report in the annual report. The committee should also seek to ensure management are equipped to install effective risk management and controls in the organization. Competent and experienced people should sit on the committee and ensure they are able to commit sufficient time and effort to the task of guiding and monitoring the accounting, audit, accountability, ethical values and governance arrangements, with no conflicts of interest—real or perceived.
- Performance, conformance and accountability – These three concepts should form a framework for corporate behavior where the spirit of the ideals is embraced (as part of organizational culture) in contrast to a list of rules that are studied by legal and accounting technicians with a view to ‘getting around’.
- KPIs [Key Performance Indicators] – Organizational effort should be formed around a clear mission, vision and set of values that fall into a balanced range of performance measures that ensure risks to effective performance are understood and properly managed.
- Internal audit – Should be professional, independent and resourced to perform to the professional standards enshrined in the new focus on risk management, control and governance; with a good balance of assurance and consulting effort.
- Risk management – There should be a robust system of risk management in place that is embedded into the organizational systems and processes and which feeds into an assurance reporting system (normally based on risk registers).
- Managers, supervisors and operational and front line staff – Should all understand the corporate governance framework and live up to the demands of their defined responsibilities (for performance, conformance and accountability) in this respect.
- Systems of internal control – Should exist throughout the organization and be updated to take account of all material risks that have been assessed, and should be owned and reviewed by the people who are closest to the associated operations. The published annual report should comment on the systems of internal control in place to manage internal and external risk.
- Performance management – The response to corporate governance ideals should be fully integrated into the way people are set targets and assessed in respect of their performance against these targets. Performance should be measured and managed in a balanced and meaningful manner.
- Ethical standards – Should form the platform for all organizational activities and should be given priority for all important decisions that are made. They should also underpin the human resource management systems (e.g. selection, training, appraisal, disciplinary, etc.) and be part of clear and consistent messages and values from top management. All employees should be encouraged to report all actual and potential risks to the business, customers and stakeholders, and positive action should be taken by management as a result.
- Commitment and capability – Are two further concepts that have been added to performance, conformance and accountability. Commitment is the embodiment of corporate governance values into the hearts and minds of everyone connected with the organization. Capability relates to the training, budgets, time and understanding that are needed to make any new arrangements, such as control self-assessment, work. There are many organizations that send bold statements on the need for, say, better risk management but then fail to provide training, resources or space to enable people to do something about any gaps.
Performance, conformance, accountability, commitment and capability are the key drivers for ensuring an enthusiastic response to corporate governance.
Companies are now being asked to prepare Operating and Finance Reviews that will provide investors with more information about business opportunities, significant risk and prospects. The need to maintain public confidence in the corporate sector and credibility in government and not-for-profit sectors has never been stronger. There are calls from all quarters to maintain this pressure to improve, develop and progress corporate governance arrangements as far as possible.