Finding clarity in the mist - business governance and control in the modern world
Updated: Sep 9, 2021
This article explores the link between Board of Director oversight and the Board’s internal control oversight capability in light of the EOH civil proceedings on the back of a whistle-blower and subsequent forensic investigations. The article is not a criticism of the EOH board, past or present, but rather explores the mechanisms necessary for board members to execute their individual and collective governance duties.
Even though EOH is a more recent example the EOH board is not unique in the belated discovery of Executive Management derailment of the organisation and misleading of shareholders. The Steinhoff saga, to name but one, is a stark reminder of the challenges faced by a board of directors to obtain reliable data early enough to prevent potential serious business and reputational harm to a company and its shareholders.
Appointing new independent directors, as EOH has done, cannot be the sole solution to the key challenge of accurate information. From the available information the civil action is not against previous non-executive board members but rather executive board members at the time. The main issue therefore does not seem to suggest gross board member negligence, but rather executive overreach on internal controls. From the information shared by EOH on the matter it seems they have since become aware of the Overreach on internal controls in turn suggests an existing controls framework at the time which the executive circumvented without board members having line of sight to the potential fraud. If the controls were not in place, it begs the question why these risks were not identified and mitigated. When all is said and done, it seems the root cause may be the lack of timely and accurate information to inform and guide decision making and action.
The article aims to show a link between the governance strategy and commitment, governance capability, information collection and internal auditor independence as key aspects of a Board of Directors’ ability to manage the risk of inaccurate or withheld information.
The first aspect of effective governance and maintaining the level of required credibility in the business practices of an organisation is the governance strategy and commitment of the board.
In response to the credibility and reputational impact of the alleged fraudulent transactions the EOH board made a concerted effort to clarify its collective commitment to effective corporate governance. According to the EOH governance overview the board considers directors to be responsible for the systems of internal control. According to the EOH governance commitment these (systems and internal controls) are designed to provide reasonable, but not absolute, assurance as to the reliability of the Annual Financial Statements, and to adequately safeguard, verify and maintain accountability of assets, as well as prevent and detect material misstatement and loss.
The statement furthermore expressed a commitment on behalf of the management team “that a strong internal control environment, is critical to the success of EOH” and confirms management’s awareness of the material breakdowns in the control environment in the past and the continued effort to improve the control environment, both from a design and effectiveness standpoint.
According to paragraph 59d of King IV, the audit committee is responsible for establishing an informed view on the effectiveness of the chief audit executive and the arrangements for internal audit. The EOH board complies with this provision by stating the approval, by the board on recommendation of the board audit committee, of the internal audit charter and internal audit plan.
From the statements it is difficult to fault the Board of Directors on their reported commitment and understanding of their collective and individual responsibility. The main question, and the reason for the belated response to fraud, is how the board obtains timely and accurate information to ensure informed governance.
Corporate Governance Capabilities
The second link in the chain of information is the quality of corporate governance capability which in general consists of four main categories. These four broad capability categories, i.e. directorship, external auditing, internal auditing and company secretarial capacity, are essential for any board of directors to operate effectively in executing their governance oversight.
1) Experienced and expert board members to effectively analyse and interpret financial and other executive and statutory reports. The first step is to select and appoint appropriately skilled and experienced experts to guide the organisation towards success in the interest of shareholders;
2) High quality and accurate external auditor processes, findings and reports. The ability of external auditors to identify potential gross financial and procurement misconduct is important for a board of directors to make informed decisions regarding internal controls.
3) High quality, objective and accurate internal auditor processes, findings and reports. The most underestimated mechanism for the board of directors is the team of internal auditors who serve as the eyes and ears on the ground.
4) Capable company secretarial guidance and support to ensure appropriate board of director operations is vitally important to maintain a high performing board of directors with clear roles and responsibilities and procedures.
In the EOH case the board clearly stated their commitment and intent with regards to board member quality, the review and confirmation of external auditor independence and the planned utilisation of the company secretary to ensure and guide board of director performance. The one area which it seems is left to the management team, other than approving the audit agenda, is the appointment, management and oversight of the internal audit team.
The other three governance capabilities all seem to be under the direct control and oversight of the board chair and the appropriate committees; the exception is the appointment and oversight of the internal auditor.
From experience with a variety of organisations, the utilisation of the internal audit function is the one area with the most disagreement. On the one hand, the CEO and executive team may argue the internal auditor is there to assist them to improve internal controls. On the other hand, the board of directors is heavily reliant on the internal audit function to identify and flag any and all non-conformances as early as possible, and this includes reporting the CEO for potential wilful negligence, which is the fertile soil for unintended conflict of interest.
If the internal audit function is a department within the organisation reporting to the CEO and part and parcel of the organisational culture, socialising and fraternising with management and employees, how can the board of directors trust the internal audit process and/or reporting to be objective and free from management sympathy?
If a board of directors is serious about collecting accurate and objective early warning signs, the quality of information supplied within each of the four capability categories should receive equal attention with regard to appointment, management and utilisation.
Board expertise: the expertise of board members can easily be managed through effective director appointment and other mechanisms to ensure adequate discipline, industry and governance capability. Non-performing board members should be held accountable for information supply and information dissemination from various management and audit reports. Protecting shareholders by ensuring effective management practices is the first level of information accuracy: prepare for meetings and ask the right questions.
External audit: The accuracy of information from external auditors is not always easy to guarantee, but there are mechanisms such as conflict of expertise and capability verification, effective resource contracting, interest verification, regular rotation, in-depth reviews, financial benchmarks and other mechanisms to mitigate external auditor information and reporting quality.
Internal audit: The internal audit capability, whether in-sourced or out-sourced, forms a key component of the overall information collection and verification landscape within an organisation. The Board of directors with specific reference to the audit committee and potentially risk committee are reliant on the internal audit function to generate accurate and actionable information.
Internal Auditor Independence
Instructions: According to King IV paragraph 49 Section 5.4 The governing body should assume responsibility for internal audit by setting the direction for the internal audit arrangements needed to provide objective and relevant assurance that contributes to the effectiveness of governance, risk management and control processes. The development and agreement of the audit agenda and schedule by the board with the internal auditor without interference from the executive management is a second mechanism to ensure information accuracy and trustworthiness.
Appointment: According to King IV paragraph 52 Section 5.4 The governing body should approve the appointment of the CAE, including the employment contract and remuneration of the Head of Internal Audit and ensure that the person who fills the position has the necessary competence, gravitas and objectivity. In our opinion this should extend to shortlisting, background checks, interviews, remuneration negotiation and appointment. Involving executive directors or any other support service within the organisation is to risk manipulation of appointments towards other than effective auditing and objective reporting. Although not specifically required, the board may consider including the approval of all internal auditor appointments, not only the head of internal audit.
Performance management: The only disciplinary mechanism for the head of internal audit and the appointment team should be the Board and not internal organisational policies and procedures. The performance of the internal auditor might be less about the agreeableness of the internal relations than the efficiency and effectiveness with which the audit function completes the agreed audit schedule.
Organisational involvement: According to King IV paragraph 56 Section 5.4 The CAE should report to the chair of the audit committee on the performance of duties and functions that relate to internal audit. On other duties and administrative matters, the CAE should report to the member of executive management designated for this purpose. Although the section makes provision for administration and other duties, the temptation may exist to induct the internal audit team into the organisational culture and collegiality. The board may need to consider the extent to which they prefer the auditors independent from peer pressure and emotional connections and also what the additional duties may refer to. The more the internal auditor becomes part of the executive team, the higher the probability of personal alliances and unintended blind spots over time.
In conclusion it seems the EOH board did address most of the requirements, including highlighting the role of the company secretary in ensuring effective board performance. The possible exception to a comprehensive response in the interest of addressing governance credibility would be the lack of a clearly articulated approach to independence, utilisation and management of the internal audit function as an extension of the board rather than a department within the organisation. The link between governance and accurate information hinges heavily on how the board and its committees empower and utilise the internal audit capability.