United States-based Eric Hespenheide is Deloitte’s global managing partner of internal audit. It is, he says, an “opportune” time to be an internal auditor. Demand for internal audit services is riding the bow wave of legislative and regulatory change to the rules of corporate governance seeping into economies around the world.
The US, with its wide-ranging and regulation-ridden Sarbanes-Oxley legislation, has already moved. Now European countries are reluctantly accepting that change there is also inevitable. And even though New Zealand’s small economy and corporate structures will feel the cost pinch of additional regulation, reporting and control, Hespenheide doubts “cost” will be sufficient excuse to duck the issue.
“It is,” he says, “a question of how important it is for New Zealand companies to participate in the global economy. I understand the issue of scale. But [capital markets] are demanding demonstration of commitment to controls environment and the governance norms that are being played out in the US and in the United Kingdom.”
Even America’s larger private companies are adopting key elements of the Sarbanes-Oxley provisions. “They are looking at board composition and setting up audit committees and so on,” says Hespenheide. The impetus comes from capital markets and lenders who believe the tougher regulations are now the benchmark for corporate governance levels of performance and conformance. The risk profile of companies that don’t adopt these new standards increases.
“For New Zealand’s larger companies that want to play on the world stage there will be an expectation that they will have constructs like independent boards of directors, audit committees and so on. We are definitely seeing countries that rely on self-regulatory or principles-based compliance moving away from that. Particularly in Europe. We need some teeth and to make some requirements about how companies conduct themselves,” he adds.
Hespenheide was on his way to the Institute of Internal Auditors international annual conference in Sydney. He stopped in New Zealand for two days and met with directors and senior executives in Wellington and Auckland to talk global changes in governance, risk management, audit committee processes and, of course, the issues and opportunities for internal auditing.
Regulatory requirements and systems are irreversibly changing, he said. And New Zealand could not afford to wait for its own major scandal to hit before it implements more prescriptive guidance as opposed to the principles-based approach it currently has.
He concedes, however, that there has been what he calls “first year pre-occupation” with rules, regulations and compliance. He expects that to settle down and for directors and boards to move back to focusing on performance ahead of conformance. The uncertainty about what constitutes adequate documentation for both directors and management has dominated the change process since the new legislation was introduced. “We have had an extended period of uncertainty while we work out how much [documentation] is enough,” he says.
Has this activity caused them to take their eye of the ball when running their businesses? “I certainly hope not,” says Hespenheide, “but we have seen some evidence that companies are not making fourth quarter acquisitions, suspending all internal IT projects for the fourth quarter and other kinds of things that have true business consequences. It may be circumstantial because it is the first year [of the new rules] and no one knows exactly what will happen next spring when some of the attestation reports come out. But I don’t think businesses generally have taken their eyes off the ball.”
The new rules and regulations are, according to Hespenheide, having an impact on how business in the US will conduct itself, hopefully for the better. “But if the investing public at large and the legislators in particular believe that this will prevent any future scandals or frauds, that would be misplaced. Somebody is cooking the books as we sit here,” he suggests. “We just don’t know about it yet.”
Part of the legislative intent of the tougher rules is response to US chief executive claims that they were not aware of the risks and other issues in their companies. “Having them personally criminally liable and taking responsibility was conscious effort to elevate expectations that if you are the CEO you should know what is going on,” says Hespenheide. The legislators were intent on taking “ignorance” as defence away in future.
He conceded it is “difficult” to legislate for ethical behaviour. But the whistleblower provisions within the Sarbanes-Oxley rules are intended to help prevent massive frauds. “These frauds aren’t unsuspected by people who work in the company. The legislation is trying to ensure corridor of communication so middle manager or accounts clerks or anyone who has information or evidence that something is amiss can get it confidentially to place in the organisation that can deal with it. The legislative intent was to create an environment where whistle blowing, if you will, can go on.”
For Hespenheide “this is an opportune time to be an internal auditor”. Internal auditing is, he hastens to add, “not the answer to good corporate governance” but it an important element. The role of the internal audit has been enhanced because of the regulatory obligations and liabilities that board audit committee now has. The internal audit function is an ideal way for the audit committee to execute some of its responsibilities. “If the audit committee is going to do its job and execute their fiduciary responsibilities, they will have to have strong internal audit function,” he says. “It is hard to imagine how they would have sufficient knowledge, independent of management, of what is going on with internal audit.”
That, of course, drives its own set of tensions between internal audit and management “but the triangle of senior management, internal audit and the board’s audit committee and how they interact is undergoing some fundamental change”, says Hespenheide. One important change in relationships has come from the fact that external auditors are now hired by the audit committee. “In the past, auditors saw themselves as the clients of management. Notwithstanding the fact the understanding was auditors worked for the board and shareholders, the reality was the relationship was directly with senior management.”
Much the same has happened with internal audit. “It too was seen as function of management and voluntary activity. Now the audit committee wants to be as independent as possible even though it will be hired by management,” he says. “Internal audit should be serving as monitoring function over management prophecies that go to the board.” All of this is premised on audit committees getting better understand of how to do this. It needs to be clear just where audit committees should be spending their time – presumably helping the company and management to identify, assess and analyse risk.
Will this all make management more risk averse? “It is one of our concerns,” he says. “Risk management, if taken to extreme, becomes risk factor itself if it becomes risk avoidance. You can avoid risk to the detriment of the entity. I think we will, in time, reach an equilibrium between risk management and risk taking. It is not matter of risk avoidance but of risk intelligence.”
New climate impact monitor launched
A new online climate impact monitor aims to demystify the action – or inaction – of Aotearoa New Zealand’s top carbon emitters. Climate Action Tracker Aotearoa (CATA) independently analyses company