
FEATURE

Company Secretary and internal auditor: joint guardians of governance, risk management and control
By Mark Harrison, Managing Director, Protiviti

The internal auditor within any organisation is an important ally and supporter of the Company Secretary. Separately, they represent the two primary organisational managers who focus entirely on governance and risk. Together, they can represent a real force in terms of changing behaviour and driving improvement in governance, risk management and control. While most organisations will have an internal audit function, recent discussions with a range of Company Secretaries around Australia suggest that Company Secretaries are not effectively using internal audit to support their objectives.

Company Secretary, internal audit and governance

A common description of corporate governance is as a 'Corporate Governance Table', whereby corporate governance has four cornerstones or legs, being:
- the board of directors
- executive management
- internal auditors, and
- external auditors.1

The role of the Company Secretary varies from organisation to organisation, and can be anything from a part of the board of directors leg, to part of the executive management leg, to the glue that holds the table together. Our view is that the Company Secretary can add the most value to their organisation by interacting with all of the legs of the table to assist in driving the governance agenda. With internal audit serving as one of the table's legs, the Company Secretary can get real support from internal audit in achieving governance objectives. In fact, internal auditors routinely help with their leg of the governance table by assisting with:
- how to better manage risks
- how to improve the organisation's compliance with laws and regulations, and
- promoting the importance of ethics and a positive corporate culture.

Observations of interaction between the Company Secretary and internal audit

Our observations across a range of organisations of varying size, complexity, industry and geography suggest that the interaction between the Company Secretary and internal audit is often minimal. Situations where interaction could be occurring but often is not include:
- Company Secretaries not receiving relevant internal audit reports
- Company Secretaries not providing input into the internal audit plan
- Company Secretaries not being aware of internal audit findings in the area of corporate compliance
- Company Secretaries not using internal audit to provide oversight in connection with secretarial responsibilities
- inconsistencies between advice and messages between Company Secretaries and internal audit, and
- internal audit not regularly using the Company Secretary as a source of evidence and insight across the organisation.

Obviously these deficiencies do not apply to all organisations: we have seen evidence in a number of organisations where the interaction between the two roles is strong, active and very healthy. Further, the need for and nature of the interaction between the two roles is heavily dependent on how the roles of the Company Secretary and internal auditor are utilised within the organisation.

Over the past decade, both roles have changed. Both have moved from largely operational functions toward a more strategic role providing advice and support to improve organisational performance. Arguably, both professions are still working out how best to

FEBRUARY 2007 KEEPING GOOD COMPANIES


achieve these more strategic roles, and what tools (both within and outside an organisation) should be used to achieve their objectives. This may be one reason why the two professions are not currently best utilising the services of the other to achieve improvements in performance and governance within their organisations.

In conversations with Company Secretaries, another potential cause for the lack of interaction between the Company Secretary and the internal auditor emerges: a lack of understanding of what exactly an internal auditor can or should do within an organisation.

What does the internal auditor do?

The Institute of Internal Auditors, the professional body for internal auditors around the world, publishes a Professional Practices Framework which includes the following definition:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.2

The manner in which this assurance and consulting is provided can vary. In some organisations, all internal audit activity takes the form of discrete reviews and reports which are tailored to areas of high risk or high significance to the organisation or where there is specific reliance on controls. In other organisations internal audit also provides training, advice and consultation, and serves on various management committees. In any of these capacities, internal audit acts as a change agent to identify areas where processes, people or technology are not performing at an optimal or appropriate level and recommend improvements. As noted in a recent publication by Protiviti:

The true measure of performance for internal audit is the ability to effect and facilitate organisational change that fosters continuous improvement and gradual progression up the risk management continuum. The true worth of internal audit is not measured in the weight of after-the-fact recommendations, but in the ability to provide just-in-time advice and influence positive change that adds value to the organisation internal audit should be at the forefront of positive change by recommending and facilitating the process of aligning people, processes and technology to achieve improved sustainable performance.3

This can equally be applied to governance arrangements and, in fact, much of internal audit's work assists with establishing and maintaining good corporate governance. The internal audit profession has moved significantly over the past decade. It is now by far the exception rather than the rule that the internal auditor focuses entirely on financial transactions and processes. Further, internal audit is rarely devoted specifically to 'tick and flick' auditing of transactions. Today's internal audit function is a multi-disciplinary function that goes beyond simple compliance to efficiency and effectiveness, considers operational (and in some cases legal) matters as well as corporate process, and possesses specific expertise in areas such as governance, risk management and ethics.

The purview of today's internal audit function covers the full expanse of an organisation, from board performance and operations through to detailed business processes and technology and environmental and stakeholder management. This broad area of responsibility and its requisite skillset, together with the heavy emphasis on risk management and governance, provide an important tool which can be used to assist the governance professional.

How can the Company Secretary utilise internal audit most effectively?

Internal audit represents a valuable resource to the Company Secretary as it seeks to meet business objectives, and especially as it relates to the objectives of internal control:
- efficiency and effectiveness of operations
- reliability of financial reporting
- compliance with applicable laws and regulations, and
- the safeguarding of assets.

Each organisation's internal audit function possesses unique individuals, skills and competencies, which management broadly (and the Company Secretary specifically) needs to understand and then use effectively in helping meet its objectives. Internal audit should not be a function exclusively used by the audit committee. An internal audit function, by its very nature of being internal, is a part of management's systems of internal control and governance and thus should be an asset and tool for management.

While the charter of, need for and capability of each organisation's internal audit function will vary, Company Secretaries may find the following suggestions helpful in determining how to best leverage internal audit resources to achieve strong, well-designed and effective risk management, internal control and corporate governance processes.
- Utilise internal audit resources as part of the organisation's enterprise-wide risk management and governance management to identify, source, measure, prioritise and develop a plan to address and manage the most significant business and governance risks the organisation faces in achieving its business objectives.


- Provide input to the internal audit function in the development of the annual internal audit plan and changes to the plan to focus limited resources on risks and areas of the greatest importance.
- Discuss and develop plans for internal audit to assist in efforts related to the organisation's efforts to comply with key legislation and (for publicly listed organisations) the Australian Stock Exchange Principles of Good Corporate Governance and Best Practice Recommendations.
- Consider how the internal audit function might be used as a rotational management-training program for the organisation's governance professionals and other managers.
- Support the internal audit function in connection with key findings, and its plan for process owners to make changes and improvements to internal controls, governance and management arrangements, and process issues and deficiencies.
- Visibly support and encourage the mission and effort of the internal audit function. This should also be reciprocated with the internal auditor visibly supporting the role and objectives of the Company Secretary.
- Work closely with the audit committee to help ensure the internal audit function remains objective and adds value to the organisation.

Joint guardians of governance, risk management and control


Given the consistency of objectives of today's Company Secretary and internal audit (improved governance, risk management, compliance and control) there is significant scope for the two roles to work closely together to achieve those objectives. By bringing different perspectives, skills and authorities together to bear upon the governance, risk management, compliance and control of an organisation, there is real scope to drive improvements in organisational performance and conformance.

Mark Harrison is a Managing Director of Protiviti, an independent international consultancy providing advice and support in risk management. For more information on Protiviti, visit www.protiviti.com.au. Mark can be contacted on (02) 9240 0606 or at mark.harrison@protiviti.com.au.

Notes
1 Bruce Adamec, Linda Leinicke, Joyce Ostrosky, W. Max Rexroad, 'Getting a Leg Up', Internal Auditor, June 2005, p 42
2 Institute of Internal Auditors, Framework for the Standards for the Professional Practice of Internal Auditing (Administrative Directive No. 1)
3 Protiviti, Top Priorities for Internal Audit in a Changing Environment, 2006, p 3
