by Glenn Cheney
With investor confidence at a dismal low and capital markets accordingly depressed, the Institute of Internal Auditors is asking American stock exchanges to require listed public companies to comply with a set of corporate governance principles.
"Considering the many recent reports of oversight failure, the dire need for strengthened corporate accountability is quite evident," said William G. Bishop III, the IIA’s president. "Now is the time for the board, senior management, internal auditors and external auditors to all step up to the plate."
Bishop and IIA chairman-elect LeRoy Bookal presented the institute’s recommendations to the Corporate Accountability and Listing Standards Committee of the Board of Directors of the New York Stock Exchange. The institute called for the NYSE, the American Stock Exchange and NASDAQ, as self-regulated organizations, to jointly adopt a set of principles that would require corporate boards to receive and disclose assessments of their companies’ internal controls and risk management.
"We were trying to establish the principle of a set of principles," Bishop said. "One of those principles should be that the board receive a comprehensive report on internal control and that the results of that assessment be made public."
The institute has endorsed a set of principles developed by Kennesaw State University’s Corporate Governance Center and is now recommending further research. The Kennesaw principles determine that a board of directors should monitor the chief executive officer, oversee the corporation’s strategy and monitor risks and the corporation’s control system. The roles of board chairman and CEO would be separate. The nominating, compensation and audit committees of the board would be composed only of independent directors.
Similar sets of principles have been adopted by the stock exchanges of London, Johannesburg and Toronto.
In response to a recent IIA survey of internal control practices, the institute also recommended that corporate boards disclose the effectiveness of their internal controls. These controls would include, not only controls over financial information, but the company’s ethical environment, its identification of risk and broad operational controls.
The IIA survey found that almost 30 percent of polled companies did not provide management with a written report on internal control. Only 8 percent issued a detailed report in their company’s annual report, though 31 percent at least stated that management was bearing responsibility for such control.
An earlier survey had found that only 37 percent of companies had a formal enterprise risk management process. And 17 percent didn’t know whether they even had a risk control process.
"We had two-thirds of corporate directors saying that, within their organizations, risk was not a key point of concern," Bishop said. "We’re saying that, with a set of principles and a report on control and the control based on risk, we can start to focus these directors, especially in small and midsized companies, on the need to understand the risks within their organization."
Bishop reiterated the importance of internal auditors in ensuring the effectiveness of internal controls, but he emphasized that they cannot do it alone.
"We think this report should be prepared internally but would include management assertions, the work of the external auditor, assessments made by others in the organization, such a comprehensive report pulled together by internal auditors but would rely on information and assessments made by other groups," Bishop said. "It’s a report that would be based on the significant risks facing the organization."
Bishop would like to see corporate directors use generally accepted principles to measure their company’s efforts and effectiveness and then to disclose the assessment of their internal control. He’d also like to see the board disclose whether they have an internal audit function, and if not, explain why. Such a requirement would benefit the internal audit profession indirectly.
"Our internal debates have been over whether we should ask for legislation requiring internal auditing, but none of us are keen to do that because we’re concerned that federal regulation might compress the scope of what internal auditors can do in an organization," Bishop said. "We stopped short of saying, ÔRegulate it or legislate it,’ but we are saying, ÔExplain why if you don’t have it.’ That puts a little additional pressure on a board to make that decision."
Bishop told the NSYE committee that the principles established by the London stock exchange did not require compliance but were effective because they generated negative investor opinions of companies that had failed to comply.
Roger Raber, president and chief executive officer of the National Association of Corporate Directors, who made a presentation to the NYSE shortly after Bishop, said that his organization’s recommendations are essentially in line with those of the IIA. "We’re together on this, and I think we made a clear statement to the New York Stock Exchange," Raber said.
The NYSE committee was created shortly after Raber testified before the U.S. House of Representative Committee of Energy and Commerce, in which he called for self-regulation of and improvements in corporate direction.
The committee is gathering input from the various constituencies of the exchange and the financial-services industry to provide guidance to the NYSE and industry-governing bodies on measures to bolster public confidence. It will review corporate governance and shareholder accountability issues, such as composition of corporate boards and committees, disclosure requirements and the role of independent audit committees.
The committee will issue a report on its findings as early as June 2002.
