Corporate Governance – Safety net finished?

The last decade of the 20th century may be remembered as the formative period for corporate governance. The Turnbull Committee draft guidance on internal control could prove the final element in the grand scheme to give investors some protection from the more rash decisions of less conscientious directors.

But what are the real implications for directors and auditors, both internal and external?

High-profile insolvencies in the 1980s suggested that there was scope for improvement in corporate governance standards. Hence Sir Adrian Cadbury, Sir Richard Greenbury and then Sir Ronnie Hampel all put their names to reports designed to reduce obfuscation in annual reports and introduce basic ground rules to provide some checks on executives.

The role of internal controls in all of this is central, as Sir Adrian Cadbury pointed out (see box) and Hampel confirmed – by extending the definition of internal controls beyond purely financial controls. Now Nigel Turnbull has added his name to the corporate governance roll of honour, by attempting to guide listed company directors on how they can meet the new requirements made of them when monitoring and reporting on internal controls.

Directors are the ones in the limelight here, Turnbull stresses. It is the board which has the responsibility for the system of internal control and must ‘regularly assure itself that appropriate processes are functioning effectively’ to monitor risks. Directors should disclose in the annual report, as a minimum, that appropriate processes are in place and explain how they have reviewed the effectiveness of the processes.

The Institute of Directors is still considering its response to the Turnbull recommendations. But a spokesman says: ‘It’s very difficult to disagree with anything in it, although in general we don’t like burdens on business. We believe that, in principle, directors should be allowed to decide how to run their business.’

Turnbull’s report acknowledges that directors may delegate aspects of review work to committees, including the audit committee. Paul Rutteman, an Ernst & Young partner and former author of guidance on internal controls, says the impact on audit committees is the issue that concerns him most.

Audit committees are accustomed to and accomplished in dealing with financial risks and controls, he explains. ‘They are used to working with the external auditors and to working out the risks in financial areas,’ says Rutteman. ‘But it may be a bit different if they are talking about other things. The risk is that non-executive directors who form the audit committee are more remote from the business in those other areas than the executive directors are.’ Audit committees will have to be strong enough to refuse to take on tasks they are not competent to handle, he says. ‘That puts the onus back on the board itself,’ says Rutteman.

Although smaller listed companies might be expected to be most concerned by increases in governance requirements, CISCO, the body representing the interests of smaller quoted companies, seems relatively unflustered.

‘Our initial view is that it is a sensible approach,’ says Jane Tuckley, chairman of CISCO’s corporate governance committee. ‘The report seems to allow all companies to implement a system of internal control that is appropriate to their individual requirements. Some reports in the past tried to set down absolute parameters, but this one is quite flexible.’

Nor is Tuckley overly concerned by the broadening of internal controls beyond purely financial ones. ‘A well-managed company should have an eye to other controls too,’ she says.

If directors are in the limelight, so are internal auditors. The Turnbull report notes that an adequately resourced internal audit function should be in a position to provide the board with much of the assurance it requires regarding the effectiveness of the system of internal control. ‘It is difficult to see how a company can comply with the spirit of Turnbull without an internal audit capability,’ says Andrew Steet, partner in charge of KPMG’s internal audit service. ‘This will increase the market for high-quality internal audit people, because how can a business comply if it doesn’t have a strong internal audit capability?’

Steet believes most organisations will need to make some changes to meet Turnbull’s requirements, and some will have much to do. ‘The majority of internal audit departments in the country are adopting a risk-based approach to internal auditing,’ says Steet. ‘The minority who are not, should question the value they are adding to their organisations, because their boards will need to look elsewhere in the organisation to get the assurance they need to comply with the recommendations of Nigel Turnbull.’

The Institute of Internal Auditors is itself generally supportive of the Turnbull report, although it does express concern that internal audit could, in some cases, be made solely responsible for providing the board with the necessary assurance to comply with the Stock Exchange’s Combined Code. It believes the report should make clear that management is responsible for providing primary assurance, while internal audit should provide ‘independent’ assurance.

External auditors are the group who appear most untroubled by the Turnbull report. ‘I don’t think this is going to increase liability for auditors,’ says Rutteman. ‘Auditors will satisfy themselves that directors have a process in place for satisfying themselves (that controls are adequate). Auditors won’t be second-guessing their conclusions.’

Rutteman’s opinion appears to be backed by the insurers, for the moment at least. A spokesman for Royal & Sun Alliance, one of the traditional suppliers of insurance to accountancy firms, says no new guidance has yet been issued in the light of Turnbull. ‘The main impact will be on company directors,’ he says. ‘At the moment there should be no impact on auditors and their PII.’

Roger Davis, head of professional affairs at PricewaterhouseCoopers and Turnbull Committee member, believes there needs to be a degree of common sense applied to the question of the external auditor’s role. ‘There does have to be a fresh look at the scope (of their work),’ he says. While auditors should ‘clearly be associated with the process’ of reviewing controls, Davis says: ‘I don’t think it is appropriate for the auditors to start second-guessing the risks, particularly the business risks. I don’t think we are asking the audit profession to go around second-guessing the whole running of the business.’

The Auditing Practices Board welcomes the emphasis within the Turnbull proposals on the need for directors to have an ongoing process for identifying, evaluating and managing the company’s key risks.

However, technical director Jon Grant says the APB is concerned that there is currently an expectation gap relating to the auditor’s review of internal controls required by the Listing Rules. ‘Many believe that auditors are providing more assurance than is in fact the case and is perhaps even possible,’ he says. ‘The expanded definition of controls introduced by the Hampel Committee will exacerbate this problem.’

The APB believes that clarification of the objectives of the auditor’s review is essential. ‘This needs to be done in the Listing Rules,’ says Grant. ‘Once it is clear what is required of auditors it will then be necessary to examine the Turnbull guidance to establish whether it provides the criteria to underpin that review.

In this regard the flexibility within the Turnbull guidance, applauded by businesses, may cause difficulties for their auditors. ‘Some refinements may be required, but if the Turnbull Committee report ultimately gets the thumbs up, will this mark a close to corporate governance activity for a while?

‘I would like to think this issue (of corporate governance) could now be parked for a number of years,’ says Davis. ‘What is in place is pretty sensible stuff. The key question is whether companies will follow the sensible stuff.’


1992: Sir Adrian Cadbury publishes his ground-breaking report on corporate governance. Sir Adrian claims that almost all corporate failures can be traced back to a failure in internal controls. His committee’s recommendations include the requirement that the role of chairman and chief executive be divided and emphasise the value of non-executive directors.

1995: Publication of the Greenbury committee’s report on directors’ pay in response to public concern over perceived salary excesses. Sir Richard Greenbury requires improvements in the disclosure of directors’ pay and benefits.

1997: Sir Ronnie Hampel reviews the state of the corporate governance playing field. This results in Hampel publishing his own recommendations in order to smooth out some of the rougher edges. His committee’s report avoids prescriptive measures, but notably concludes that directors should be made responsible for monitoring non-financial risks and controls, as well as the financial ones.

1998: The Stock Exchange publishes its Combined Code on corporate governance, drawing together all of the recommendations made in the reports by Cadbury, Greenbury and Hampel.

1999: The report of the Turnbull Committee, set up by the English ICA, with the backing of the Stock Exchange, suggests how listed UK companies should apply Hampel’s recommendations on internal control.

The committee confirms that company boards should consider all relevant risks, not just financial risks, as had been the case prior to Hampel.

Consultation closes on 14 June and, assuming all goes well, a final guidance note will then become part of the Stock Exchange’s code. Listed companies are expected to comply with the principles of the code. Those that do not will have to disclose their reasons for not doing so. Companies are expected to put procedures in place to implement the Turnbull recommendations by the time they report on accounts for years ending on or after 23 December 1999. Full compliance is due for years ending on or after 23 December 2000.

Sarah Perrin is a freelance journalist

Related reading