The July 6-9, 2008 gathering of internal auditors attracted 3,000 from around the globe. I sat with auditors from every continent except Antarctica working for businesses, governments and nonprofits. General session speakers were shown on four screens at San Francisco’s Moscone Center West to ensure everyone had a front row seat. Featured speakers included Jim Collins, Sharon Allen, Linda Bardo Nicholls, Gene L. Dodaro, former Senator Paul Sarbanes and Kevin “the Katalyst” Carroll. Interesting that the “motivational” speaker came last. Participants apparently had to be motivated to leave. Find “official” IIA highlights here. What follows are a few of my own impressions from the conference. In concurrent sessions, I attended only those focused on corporate governance, one of 11 tracks, so like everyone else I missed most of the conference.
The first speaker was Jim Collins, author of Built to Last and Good to Great. He is a student and teacher of “enduring great companies — how they grow, how they attain superior performance, and how good companies can become great companies” — with lots of good advice grounded in research. Greatness, he says, is not a function of circumstance. “Greatness, it turns out, is largely a matter of conscious choice, and discipline.” Companies that fail to become great place too much emphasis on using incentives to “motivate” otherwise unmotivated or undisciplined people. Great companies, in contrast, focus on getting the right people in the first place — those who are self-motivated and self-disciplined, those who wake up every day, compulsively driven to do the best they can because it is simply part of their DNA. Here are a few other gems from Jim:
- 90% of great CEOs come from within the company. 2/3 of failures are “charismatic” outsiders.
- Disciplined action begins with what you stop doing. There’s only 24 hours in a day. Sure, keep your “to do” list but, more importantly, start a “stop doing” list.
- Great cultures are comprised of self-motivated people. Bureaucratic rules drive out creativity, which is built on a clear framework of values, not rules.
- Climbing El Capitan isn’t about taking risk, it’s about risk management. We can go faster because we are safe/conservative. Increase safety and increase achievement. Companies that succeed in turbulent environments are those that deal best with asymmetric risks.
- Double your questions to statements ratio; you’ll learn more.
- “White space” days of no or few interruptions will allow you to get much more accomplished.
- Good is the enemy of the great. Too many settle for good. Create your own personal “board of directors” to help guide you to impeccable standards.
- Especially applicable to the work of internal auditors – 99% of what you fix will never be seen; the 1% you don’t will be highly visible. The choices we make that no one sees, make us great.
If you missed the conference, or even if you attended, be sure to check out jimcollins.com. The site is packed with speech clips, a library, diagnostic tools and much more. (Photo courtesy of IIA conference photographer, Jeff Croghan)
Catherine L. Bromilow
The first track I attended was presented by Catherine Bromilow — “What are directors doing and where do they want to improve?” She sees recent evolution primarily driven by SOX and related SEC rules, exchange listing requirements, institutional investors and governance raters. How have they changed over the last 5 years?
- Majority independent boards
- Periodic board discussions without management
- Independent audit, compensation and nominating committees
- More and longer meetings (e.g., 34% of audit committees met 11 times or more in 2007, compared with 1% in 2002. Most meet 7-9 times.)
- More transparency: charters, governance guidelines and policies
- Audit committee chairs weren’t involved in reviewing quarterly filings. Now they’re even reviewing press releases.
- 65% CEO/Board chair roles combined; down from 75%. Now 3% in UK and 15% in Canada.
- 62% of boards elected every year; up from 40%
- 79% with mandatory retirement age (generally 70-72); up from 55%
Adaptations are coming quicker. Boards now don’t want to be seen as laggards. Many are now adopting reforms before rules take effect. Board members are spending a lot more time on their responsibilities and most are now serving only on one board. Catherine sees that as a negative because of the loss of synergy. While the perceived liability of serving as a director was trending up after Enron and Worldcom, it has been dropping now for several years.
Most feel they are too focused on compliance and are not able to pay enough attention to strategy — growing the business. Their biggest challenges are the state of the economy, risk management and succession planning. It’s what they don’t know that can hurt them the most. Top concerns are:
- Customer satisfaction (only 51% of boards get this information)
- Management missing strategic goals
- Adverse 404 filings
- Employee satisfaction/values (only 58% of boards get this information)
Internal audits can help by ensuring this information is passed along, as well as adding the audit’s perspective on risk management. Keep or establish open lines of communication with the audit committee by providing staff support to their meetings. Catherine provided the following useful links (For you Apple users, the first sites don’t work well with Safari):
- PwC US corporate governance. See especially, “What Directors Think 2007.” For example, 90% of directors believe board members should attend director education seminars; however, only 40% of boards have a formal budget for director education.
- PwC Corporate Reporting. I especially like “Governance and Corporate Reporting.” The current issue contains articles on the Credit Crunch, Principles-based standards, Non-GAAP measures, and Sustainability.
- PwC 10 Minutes. The current issue focuses on tax reform.
- PwC CFOdirect Network. Join and you can save a multitude of publications to a library stored on the PwC site.
Sharon Allen was ranked by Forbes as the 64th most powerful woman in 2007, up from 96 in 2006. She was the 1st woman board member at Deloitte & Touche and was then elected to chair the board. Her presentation focused on “New Views on Building Value Today and the Talent to Lead Enterprises Tomorrow.”
I was struck by her notion that internal auditors might be a good source for future board members since they work at the crossroads of management, boards and stakeholders. Internal auditors, she reasoned, were used to viewing the enterprise more holistically than most and could build bridges across flattened silos… especially if they focused attention on nonfinancial metrics which tend to be leading, rather than lagging, indicators, such as environment, customer satisfaction, innovation, whistleblowing, and the results of employee surveys.
How is as important as what is produced. In a recent Gallup poll, business executives ranked far below nurses, teachers and pharmacists in honesty and ethical standards. Yet, it is the ethical corporations that best attract customers, capital and employees. Confidence and trust command a premium. During the next 30 years it appears more qualified employees will be leaving the workplace than entering it. The scramble for top talent will be fierce. Auditors will need to move beyond compliance to the role of strategic advisor and consultant.
If they do, she sees them as a great match for C-suites and boards, providing greater diversity of thought, and helping translate risk to reward. Enterprise risk management (ERM) is key and internal auditors can help assess those operational risks, both downside and upside. I checked with a few friends on this thought and got the following from Eleanor Bloxham of the Value Alliance and Corporate Governance Alliance: “If she means by having done internal audits you are on the path to the boardroom, I seriously doubt it. Would you have some important experience? Yes. What would be important also is operational or other experience that the board is looking for as well as the ability to connect with the other board members and the ability to communicate and think conceptually.” I agree with Eleanor. Audit experience alone isn’t likely to get an auditor into the boardroom, but it could be an important core competency for the right person and situation.
For more from Sharon Allen, see The ABCs of Board Room Dynamics — Attitude, Behavior, Candor.
Rick Julien and Larry Rieger
The next track I attended was “Audit Committees, Good Governance, and the Chief Audit Executive,” where Rick Julien and Larry Rieger reported results of a survey they did on chief audit executives (CAEs) and how they are helping board ACs to meet their increased responsibilities. Their definition of “corporate governance” was all encompassing: “Corporate governance is the systems and processes an organization has in place to protect the interests of its diverse stakeholder groups, e.g. shareholders, employees, customers, vendors, community, etc.” (compare with other definitions)
They went over the basic duties of audit committees and the expanding role of the CAE. Their research involved a series of questions to CAEs, ACs and CFOs. Almost all CAEs think they provide updates to AC members on critical issues. They educate them on relevant risks but they also identified some opportunities where support is lacking.
- 32% don’t educate ACs on new governance initiatives and compliance trends
- 36% don’t help prepare for AC meetings
- 45% aren’t involved in ERM related activities, including risk assessments
- 66% aren’t involved in conducting orientation for new board/audit committee members
- <25% of CAEs strongly agree the AC leverages them to increase effectiveness
- Only 30% of CAEs strongly agree they serve as a link between the AC & management
ACs also identified areas where CAEs need improvement. What was most interesting was comparing the two and noting the discrepancies:
- While about 85% of CAEs thought they kept the AC informed on relevant risk management strategies; less than 60% of ACs thought so.
- Almost 80% of CAEs thought they were evaluating governance processes, ERM process and/or informal controls; only about 40% of ACs thought so.
- About 70% of CAEs thought they were providing information to the AC on new governance issues and emerging compliance trends; less than 40% of ACs thought so.
- Although about 35% of CAEs thought they conducted orientations for ACs, only slightly more than 20% of ACs thought so.
One key finding: the biggest challenge over the next 12-18 months is ERM, managing risk across the entire company. Julien and Rieger emphasized that audit committees want help from auditors. CAEs, ACs and CFOs need to work closely together.
“Best Practice in Educating Corporate Audit Committees” turned out to be a list of 25 worst practices — too many to list here. One opinion that seemed to be shared with just about all the presenters was the importance of ERM. Those must have been the three most repeated letters of the alphabet at the conference.
Bright and early on Tuesday, Linda Nicholls kept auditors on the edge of their seats addressing “Risk Management From a Global Perspective.” She recounted many of the financial horrors, from the last year and the apparent rescue of markets by sovereign wealth funds. Then she asked, “Have regulatory capture and box ticking compliance ruined the audit function? Has collaboration become coddling?” The FDA, for example, would need 1900 years to inspect every foreign food plant at their current rate.
Business judgement has been devalued and replaced with checklists and box ticking compliance. Creating shareholder value should be the more critical concern. The trend is to conformance with best practices but there is no one best approach. Too frequently, we are trying to quantify qualitative standards. The result is cumbersome, unpopular and ineffective. “Where is the auditor who calls out over-done standards,” she asked.
About 87% of destroyed value comes from strategic blunders, she asserted; only 13% from compliance failure. What doesn’t happen is often more significant than what does, as in the Sherlock Holmes tale of the dog that didn’t bark. The idea that more rules will save us from the next crisis is wrong. Some of the most critical measures are nonfinancial, such as the war for talent.
About 75% of boards say regulations are causing them to spend more time on downside risk, than upside risk that comes through product innovation, service quality, and employee engagement. Where is growth on your risk map? We must be proactive and focus more on the upside risk. It seemed a provocative, unconventional speech for an auditors conversation and got people thinking. Many rushed to ask her for a copy so they could study her words more carefully… especially the notion of upside risk.
Yuen Teen Mak
Yuen’s presentation was on the “Issues and Challenges in Corporate Governance in Asia and Implications for Internal Auditors.” He began by outlining the “comply or explain” approach used in the UK and most countries outside the USA. One of the problems is that monitoring and enforcement of disclosure obligations by regulators in Asia is lacking. Success depends on market enforcement by investors. A study of implementation in Singapore found:
- non- or partial compliance, with no explanations
- false or misleading disclosures
- uninformative/boilerplate explanations
It is difficult to take action against listing companies because intent must be proved, you must show how investors suffered and other requirements must be met before the rule is enforced. In Yuen’s opinion, it isn’t working, at least not as well as he would like. Some additional barriers to improving corporate governance, especially in Singapore, are as follows:
- Lack of enforcement capacity and the huge pay discrepancies between civil servants and corporate attorneys
- Balancing the interests of suppliers vs users of capital (the system leans to users)
- Concerns about the costs of regulation, especially for small businesses
- Competition for listings. High standards would send companies packing to other exchanges.
- Shortage of qualified directors (although he says there are plenty outside the “old boys” network)
- Cross border listings. Hard to locate responsible parties and proper jurisdiction
- Proxy voting barriers
- Apathy among shareholders. Foreign shareholders more active
- Shareholder lawsuits more costly and difficult
- Limits to media scrutiny
Yuen provided a nice explanation of board/shareholder/management relationships and the typically more overlapping structures found in Asia. There are fewer “independent directors” and many of those who meet the formal definition aren’t really independent but are tied to controlling shareholders or management. Shareholder rights look better on paper than they are in practice. One example of a common problem is that both the controlling shareholder and the executive director may be on the audit committee. That makes reporting wrongdoing by either party very difficult. Additionally, less than 33% of independent directors on audit committees in Singapore companies have accounting or finance expertise.
With regard to internal auditors, the IA function is generally not mandatory and the efficacy of the function varies widely. Many auditors have no professional training and therefore do not apply professional standards. AC members often sit on many boards, therefore their attention can be very limited. All in all, it seemed like a rather bleak assessment. Unfortunately, it was similar to that provided later in the afternoon with regard to Thailand, where governance practices appear to be even more lax.
Paul spoke on the “Interrelationships of ERM, Corporate Governance and Internal Audits.” His definition of corporate governance was a little more limited than that of Rick Julien and Larry Rieger the previous day. It is the “process conducted by the Board of Directors to authorize, direct and oversee management toward the achievement of the organization’s objectives.” He used several imaginative diagrams to explain the relationship between the board, stakeholders, risk management and assurance functions.
Helpful to me, since ERM was such a pervasive concern at the conference, was his explanation borrowed from COSO. “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
He then went through and explained the COSO ERM Cube and turned it into a fan, assigning what are appropriate and inappropriate roles for the IA function. Core roles are as follows:
- Giving assurance on the risk management processes
- Giving assurances that the risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing the management of key risks
Legitimate IA Roles with Safeguards
- Facilitating identification and evaluation of key risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidated reporting on risks
- Maintaining & developing the ERM framework
- Championing the establishment of ERM
- Developing ERM strategy for board approval
Roles IA Should Not Undertake
- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses on management’s behalf
- Accountability for risk management
Of course, these aren’t set in stone and IAs can certainly help boards in discussing their risk appetite, for example. See also Aligning corporate governance with enterprise risk management: melding enterprise risk management with governance means directors, senior management, internal and external auditors, and risk owners must work interdependently, Management Accounting Quarterly, Winter, 2004.
The Acting Comptroller General of the US Government Accountability Office gave what was essentially an ERM evaluation of the federal budget. I was reminded that many saw the credit crunch and global climate change coming. Even if you can get people’s attention, will those making money today off the status quo be willing to sacrifice for future generations? The outlook is somewhat bleak but we have to stay optimistic and keep working as if people will wake up in time for reforms to take effect. Gene certainly wasn’t shrinking, faced as he appears to be, with an impossible task.
Carlo di Florio moderated a discussion between Janice, David and Doug on the “Role of Internal Audit in Corporate Governance.” Each briefly described their role as auditors in their companies. Janice emphasized independence, objectivity and letting her gut guide her. However, she emphasized that her gut is data-based. Audit is not there for “gotcha” but to help elevate issues — get resources to where they will have the greatest benefit.
David said historically they had dealt mostly with detailed controls but he is increasingly focused on horizontal risk across silos. He’s trying to create a risk management culture. The detailed controls seem to work fine. The real work is in leveraging data to manage risk — not assurance but “reassurance” after units have already performed self-audits.
Similarly, Doug appears to be pushing value change. “Do they understand risk? Do they have the right attitude toward risk?” His job is to look at tone and attitude. He sees himself as the eyes and ears of the AC and of management.
Pornanong provided what turned out, at least to me, to be another somewhat bleak picture of “Corporate Governance From an Asian Perspective.” Since the 1997 financial crisis, Asian governments have made progress in promoting corporate governance with the idea of promoting national competitiveness. (As an aside, I delivered a speech at an Asian Development Bank conference soon after the Enron implosion.) Pornanong presented a ranking of countries over time, completed by ACGA and CLSA Asia-Pacific Markets. Although it looks like all country scores have been dropping since 2004, the standards have increased, so it’s hard to tell. However, it does appear that Singapore was the leader until 2007, when that position passed to Hong Kong.
Pornanong discussed many of the same issues Yuen Teen Mak had touched on earlier. She says the focus among most is the stock price, not the corporate governance process, which many view as window dressing for primarily external consumption. Many have figured out how to look good on paper, without making real reforms. Some of the major challenges include:
- Prevalence of family control among many of the largest publicly traded companies.
- Interlocking networks of subsidiaries and sister companies.
- Political instability causing barriers to privatization of state owned enterprises.
- Investors don’t have enough knowledge to distinguish between “good” and “poor” corporate governance — and they don’t care. (Perhaps attributable to lack of good financial media.)
Two of the many tables presented were interesting to contrast. One showed adoption of codes of good practice, mandatory independence for directors, and mandatory audit committees by country and by date. By 2007 all countries covered had made substantial progress. The other table showed a similar assessment for shareholder rights, proper functioning of audit committees and voting by poll. In the vast majority of countries progress, if any, was mostly marginal.
The picture was one of cosmetic changes, such as the adoption of checklists to convince outsiders that companies were practicing good governance or are at least making an attempt to comply. Corporate governance reforms are still not considered a strategic component to help actual performance. Perhaps this will change as institutional investors become more important.
Regardless of her current assessment, Pornanong seems convinced that Asian markets will find the right proportion of accountability, transparency and fairness. It won’t be the same as the “Western Recipe” but it will be something that works for Asia and something the West can also learn from. I certainly hope so.
Although there were few debates over what I would consider cutting edge corporate governance topics, like shareowner access to the corporate proxy or the role of private equity firms, obvious trends like splitting chair and CEO positions were discussed. In fact, several speakers provided an excellent overview of widely accepted “good” corporate governance practices.
Readers who are shareowners, directors, employees or other stakeholders can take comfort in the fact that many IIA members are exposed to research on corporate governance practices and have a growing awareness of the important role they can play in ensuring good governance. It was an informative look at how corporate governance theories are carried out in practice. As this track grows at future conferences, auditors can help us all avoid future bubbles that lead to crisis. Of course, if they do, we’re unlikely to know, since, as Jim Collins pointed out, 99% of what auditors fix will never be seen. The choices we make that no one sees, make us great. (This article is also permanently posted to the 2008 archives.)