Turnbull - the way forward?
Turnbull’s flexible risk-based approach to internal control is to be applauded. Risks faced by companies are constantly changing as a result of the dynamic nature of corporate objectives and the environment in which companies operate.
These, and what follows, are some of the key points identified at a recent KPMG debate at which a cross-section of UK companies debated the implications of the draft Turnbull guidance on internal control.
While many larger companies will be well on the way to achieving sound risk management and internal control systems, the proposal may well cause problems for less sophisticated companies. Companies without a strong internal audit capability will not be able to meet the requirements of Turnbull. Practical guidance will be needed by smaller companies especially.
This may be a role that the City Group for Smaller Companies could fill.
Increased responsibility and greater visibility for internal audit means resourcing will be an issue. How much will be needed will depend on the extent to which internal audit is involved in the risk identification and analysis process.
It is important that boards set the right tone and encourage ownership of risk and control by management. This means not only the downside of control failure but also the role proper risk management has in creating added value to the organisation. The process should not just be about reporting issues which result in damage to the business. Breakdowns in control or ‘near misses’ should also be reported.
Turnbull must not be seen as another layer of bureaucracy; management will not respond to such a framework.
Effective non-bureaucratic risk management will have to come from heads of businesses. Good managers will instinctively know the risks and the company’s risk management process will need to get them to share their insights. Turnbull will work if people remember good governance is about adding value and taking bureaucracy out of the business.
Andrew Steet, head of UK internal audit services, KPMG.