Speech by Sir Win Bischoff at IIA Annual Conference - 01 October 2015

Published: 1 October 2015

On 1 October, FRC Chairman Sir Win Bischoff addressed the audience at the Institute of Internal Auditors annual conference on how internal audit plays a key role in organisations, risk management and assurance processes.
The plain text version of Sir Win's speech can be found below.

Sir Winfried Bischoff
Chairman
Financial Reporting Council
IIA Annual Conference
1 October 2015


Good morning and thank you for inviting me to speak today.

As the independent regulator responsible for the quality of audit in the UK, we are often asked to talk about the work we do on setting standards for the external audit process. But as the ‘third line of defence’, internal audit plays a key role in organisations, risk management and assurance processes.

And in today’s world of corporate scandals and tightening financial regulation, the role of internal audit continues to grow in importance in terms of assessing risk and examining company culture.

Only last week we saw what appears to be a major governance failing at VW, a company that is highly admired for the excellence of its technology and praised for its brands.  I know its senior management well and the shock is all the greater for that.  It seems that the pursuit of revenue was championed in part of the organisation over setting a culture where honesty and customer satisfaction were prioritised.  In that environment the most crucial role is for internal audit to continue to focus on its core strengths of impartiality and objectivity.  Public trust in business has been dented. The role of internal audit has been put into the spotlight and with that the role of company culture.   Where was internal audit at VW?   Too cowed and influenced by the demonstrable success of the firm, or not independent enough to speak up?

Poor corporate culture and practices and a lack of challenge in the boardroom have been identified as a root cause in a number of recent corporate failings in banking and other sectors. Issues such as executive remuneration, market manipulation and supplier arrangements have drawn comment and criticism.   I suspect that if the failings of VW had occurred in the banking industry, everyone would have resignedly nodded and put them down to what we all expected, but in one of the stalwarts of the manufacturing industry?  No!   That makes it all the more worrying for everyone committed to good governance and behaviour across all industries and the corporate sector in general!

At the FRC we are clear that “regulation” comes in many forms and needs to be fit for purpose in order to achieve the right outcomes. When it comes to corporate governance, the principles of good practice apply across the board.  Assurance that these principles are being applied effectively means that the importance of Internal Audit extends across the corporate spectrum.

We, at the Financial Reporting Council, set the UK Corporate Governance Code on a ‘comply or explain’ basis. Practically all FTSE 100 companies comply with all of the recommendations, but those that choose not to are given the opportunity to explain why not to their shareholders. This flexibility has enabled the FRC to make changes, whilst allowing the market time to implement them and the ability to make decisions that work in the long term interests of their business.

The IIA has taken the lead in a variety of initiatives recently which have increased the profile and importance of the internal auditor, and in the way that Boards of Companies look to them for guidance.   These initiatives have been particularly important, as we are all aware, in dealing with issues arising from the financial crisis. Vital here is the true independence of the Internal Auditors.  They are placed in a position where they have to opine about the effectiveness of a wide range of processes - and their outcomes - in dealing with the risks the company faces.  That takes skill and judgement and the support the IIA provides to its members in this area is invaluable.

The 2014 revision of the UK Corporate Governance Code requires that directors of listed companies report – taking account of the company’s current position and principal risks – on how they have assessed the prospects of the company, over what period they have done so and why they consider that period to be appropriate. They should also state whether they have a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, drawing attention to any qualifications or assumptions.

This statement is intended to express the directors’ view about the longer term viability of the company over an appropriate period of time selected by them. A key role of Internal Audit is to ensure that the control and risk systems which help to identify and assess external risks are sound.

In terms of the response to the Code changes we have seen a handful of early adopters, and as reporting in this area becomes more widespread we should be able to see a clearer picture of the role which internal auditors are playing.

However, no governance framework can eliminate risk, nor should it seek to do so absolutely.

The difficult question of what represents an acceptable level of risk and ultimately corporate failure will always be with us, but we must not be complacent. We should continue to seek new ways to prevent and deal with poor governance practice. It is for this reason that we introduced references – in the preface to the Code and in the associated risk guidance in 2014 – to the issue of establishing high standards of behaviour in terms of culture, values and ethics in the boardroom, and how these behaviours are transmitted and taken up throughout companies.

The FRC understands that addressing cultural issues and embarking on cultural change is not easy. There are strong links between governance and establishing a culture that supports long-term success.

Boards have the responsibility for shaping the culture within the boardroom and across the organisation as a whole. To establish the appropriate culture for the organisation, the board must define the company’s purpose and the behaviours it wishes to promote in order to deliver its strategy. This involves asking questions and making choices about the correct balance between constructive innovation and disproportionate risk-taking; deciding whether different parts of the business should operate differently; maintaining culture under pressure and through change; and encouraging constructive discussion among shareholders on culture. In order to do all this, the Board must not just ensure that it pays attention to the findings of internal audits, but that it ensures sufficient internal audit arrangements are in place.  As it does with external auditors, the FRC recommends that internal auditors should employ professional scepticism.

Clearly there are a number of what might in the past have been considered esoteric risks which companies should already be focussing on – climate change and cyber security are examples, so is reputation.  Rather than focus only on individual risks, we recommend that Internal Audit takes an overall view of the particular company’s circumstances and how these relate to the risks it faces.

The FRC is undertaking work this year and next “to assess how effective boards are at establishing company culture and practices, and embedding good corporate behaviour, and to consider whether there is a need for promoting best practice”. We will shortly issue an invitation to participate in a collective view of culture, what we call “a culture coalition”. This collaborative project aims to deliver practical, market-led resources to promote better practice and help boards and companies establish and embed their desired company culture. We hope to work closely with the IIA in the promotion of this initiative.

Culture is not an easy concept to define. It’s the sum of knowledge, beliefs, values and experiences acquired by a group of people over a period of time through living or working together. Every company is different and cultures might need to be established or changed within a specific timetable. This brings added complexity. Internal auditors are integral to supporting good culture, ensuring it is being embedded by all staff and that it underpins the organisation’s processes. I commend the work that you do and look forward to the IIA’s input into the FRC’s work on this topic.

Thank you for listening.