Global Governance Practices
International corporations are experiencing the ripple effect of governance practices that are evolving on a global scale.
By Scott Green, CPA, MBA, Director of Audit & Compliance, Weil, Gotshal & Manges and Holly Gregory, JD, Partner, Weil, Gotshal & Manges
As demonstrated graphically over the past several years, when seismic events shake investor confidence in large international corporations, the worldwide landscape of public company governance changes. In our globally interconnected world, corporate scandals and the regulatory reaction in one nation reverberate in distant economies. Rules, regulations, and norms around the world influence the way public companies operate and are expected to operate, globally. In addition to affecting decisions related to capital market access, new laws may increase the regulatory risks of doing business in various jurisdictions. New lending requirements, evolving judicial expectations, and increasing shareholder activism may add to the risks of not meeting the raised governance bar. Smart internal auditors know that this new world order is significant and are taking steps to revise their approach to governance risk. They are scrutinizing their organizations’ governance models and comparing them to national norms and international best practice. Governance practices and the laws that regulate corporate governance differ among countries. Even within countries, approaches to governance may vary due to the different needs of organizations. On the following pages, we explore the variation of global governance practices, discuss what are arguably the most important topics that should concern chief audit executives (CAEs), and provide best practices for each area identified. This macro look at the differing stages of corporate governance development in major world markets and the key areas important to CAEs can help internal auditors evaluate their organization’s governance practices and respond accordingly.
A Global Overview
Corporate governance reform efforts have been developing over the years in response to the needs of individual nations and their corporations. In the early 1990s, the UK explored governance reforms on a “comply or explain” basis, through the adoption of the Cadbury report (later, the Combined Code). An important initiative to produce a set of international corporate governance standards was undertaken by the Organisation for Economic Co-operation and Development (OECD). In 1999, the OECD published its Principles of Corporate Governance as a benchmark for policymakers, corporations, and others who would benefit from such guidance (“OECD Principles of Corporate Governance” on page xx presents the organization’s most current guidance). The Asian crisis of the late 1990s stimulated interest in governance reform in that region. More recently, the reform movement accelerated in reaction to perceived governance failings. The new regulatory focus on corporate governance in the United States is in response to the numerous and massive frauds that came to light in 2001 and 2002. At first, many saw the governance failures as strictly an American problem. The far-reaching response by the U.S. Congress, which imposed new practices on many foreign-based companies whose securities trade in the U.S. financial markets, was criticized as overreaching. As other jurisdictions experienced their own scandals, however, some countries have responded by studying, debating, and strengthening their own governance practices. The European Union (EU), for example, has issued a phased action plan to underscore its claim to regulate the corporate governance and audit standards of EU companies. In October 2004, member states formally recommended for implementation several specific action plan reforms relating to director independence (at the supervisory body level) and executive compensation disclosures. Profound changes may result.
What began as an American response to a series of disturbing revelations of corporate malfeasance and fraud eventually created a governance revolution that is making its way through sovereign capitals worldwide.
The United States
In an effort to restore public confidence in the U.S. markets damaged by corporate scandals, the U.S. Congress passed the Sarbanes-Oxley Act of 2002. The act significantly expanded regulatory oversight and guidance for auditors, lawyers, and analysts and mandated that the U.S. Securities and Exchange Commission (SEC) impose several structural board reforms through the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD) listing standards. Most auditors are conversant with the parts of Sarbanes-Oxley that require the principal executive and financial officer of public companies to certify their financial statements (Section 302) and to document their systems of internal control (Section 404), but there are other provisions of the act that have a considerable impact on how public companies are governed. Among these provisions are mandates that audit committees be comprised of independent directors and that they establish procedures for bringing questionable accounting and audit matters to light, including implementation of a mechanism for the confidential and anonymous submission by employees of such complaints or concerns. Sarbanes-Oxley requires listed companies to adopt and disclose a code of ethics for key executives or explain why they have not done so. Additionally, amendments to NYSE listing standards approved by the SEC require that:
• The board consist of an independent majority.
• The audit committee, compensation committee, and nominating/corporate governance committee be composed entirely of independent directors.
• All three of the key committees prepare and disclose a charter and provide for an annual self-evaluation.
• Nonexecutive directors regularly meet in executive session without management present, and independent directors do so at least once a year.
• Each company has an internal audit function.
• Each company adopts and discloses corporate governance guidelines addressing director qualification standards, responsibilities, compensation, continuing education, succession, and annual performance evaluation of the board.
• Each company adopts a code of ethics for directors, officers, and employees and discloses waivers of such code if granted to officers and directors.
• Chief executive officers (CEOs) certify that they are not aware of any violations of the NYSE corporate governance listing standards.
While the board of directors is required to conclude on a director’s independence, the NYSE listing requirements specify certain bright-line criteria be applied in making this determination. NASD standards are similar except that certain of the independence thresholds are lower, reflecting the smaller market capitalization of many of its listings. The NASD rules do not absolutely require independent compensation or nominating committees, but they do require that a majority of the full board’s independent members approve compensation and nomination proposals. Combined, these reforms address board and committee structures and processes, emphasize the role of independent directors, and provide a stringent definition of director independence. They are designed to place boards in a position to hold management accountable for the accurate portrayal of a company’s financial condition. They also require disclosures designed to assist shareholders in monitoring a company’s corporate governance practices. As the regulatory framework in the United States continues to evolve, public companies are now focusing on implementation and compliance with the new regulations and standards. When the Sarbanes-Oxley bill was drafted, many governments and international firms sought exemptions from the legislation. However, despite much concern and lobbying, no exemptions or accommodations were made for foreign entities in the Sarbanes-Oxley legislation itself.
The principal officers of foreign entities that file 20-Fs with the SEC — instead of the 10-Ks required of domestic public companies — must also certify their financial statements. Additionally, a registered public accounting firm must audit and attest to management’s assertions. The act specifically requires that foreign accounting firms register with the Public Company Accounting Oversight Board (PCAOB), but the board is negotiating joint supervision rules with the EU that would rely on the oversight of European regulators to conduct reviews of registered accounting firms in their respective jurisdictions.
The European Union
The discussion of modern corporate governance reform in the United Kingdom had been ongoing since the seminal Cadbury Code was published more than a decade ago. Since then several other important contributions have been united with that code into a set of voluntary practices — for companies traded on the London Stock Exchange — called the Combined Code. The Combined Code works on a voluntary “comply or explain” basis. Companies must disclose whether they comply with its provisions and, if not, why. Over time, various components of the code have influenced the development of rules and regulations governing public companies in other jurisdictions. The most visible of these is the comply or explain methodology of compliance, which has been embraced by several other EU member states. Additionally, disclosure of compliance (or non-compliance) with national voluntary governance codes has become a component of the EU’s action plan for governance reform. In the EU, corporate governance regulation and oversight of audit firms has been conducted on a national level with little uniformity between member states. On May 31, 2003, the EU presented an action plan to improve corporate governance and audit services throughout its membership. Unlike the fast track of U.S. reforms, the European plan envisions a lengthy implementation period, stretching — for some of the reforms — to the end of the decade. Each proposal requires further development and then eventual implementation through either (1) nonbinding recommendations or (2) directives to each member state to achieve the result with room for national authorities to choose the form and methods. The European plan is detailed in two communications emanating from the European Commission (EC) to the European Council and the European Parliament. The first communication addresses the modernization of company law and corporate governance presented in short-term and long-term objectives.
In the short term, the plan calls for:
• Creating a European Governance Forum to coordinate governance efforts of member states.
• Expanding disclosure requirements for director compensation, governance policies, and related parties and reaffirming board liability for nonfinancial communications.
• Strengthening independence and the role of nonexecutive directors.
• Harmonizing and integrating the legal frameworks to ensure efficient shareholder communications and participation.
• Simplifying the current EU directive on minimum capital maintenance requirements for listed companies.
• Facilitating cross-border mergers between companies of member states.
Longer-term initiatives include research and feasibility studies on institutional investor disclosures, board structures, board member accountability, shareholder voting, and company structures. The second communication from the EC contains major elements proposed to improve statutory audits. These elements include:
• Implementation of international audit standards.
• Creation of a pan-European mechanism to coordinate regulatory oversight of the audit profession.
• Definition of principles for the hiring, firing, and compensation of auditors.
• Further definition of auditor independence.
• Examination of the auditor’s role in reviewing and assessing a company’s internal control system.
• Harmonization of auditor ethics throughout the EU.
• Implementation of quality assurance mechanisms.
• Examination of EU auditor continuing education requirements.
• Development of disclosure requirements concerning audit firm relationships.
• Further study of auditor liability regimes.
In October 2004, the EC adopted a set of more detailed recommendations for member states relating to directors’ remuneration and the role and presence of non-executive directors on listed companies’ boards of directors as a step in implementing its Corporate Governance Action Plan. These recommendations call on the member states to adopt at a national level, whether by legislation or by a “comply or explain” approach, provisions concerning the roles of non-executive directors. The recommendation regarding independent directors focuses on the role of an independent director and provides both basic principles intended to strengthen the role of independent directors as well as additional guidance to assist the member states in interpreting these principles. In particular, it mandates that a unitary or supervisory board should include a sufficient number of independent non-executive directors to ensure that any material conflicts of interest involving directors are dealt with properly.
Even prior to the release of this recommendation, a number of codes in the member states already expressed the principles set forth in the recommendation regarding non-executive directors – for example, in addition to the U.K.’s Combined Code, the Swiss Code & Directive mandates a majority of independent directors while Spain’s Olivencia Report recommends that outside directors should outnumber executive directors.
The EC recommendation relating to the remuneration of directors invites member states to adopt measures which would promote transparency towards investors, including, among others, mandatory disclosure requirements and a recommendation to submit certain director remuneration policies to shareholder votes.
Beginning with the move to International Auditing Standards, the EU is starting to harmonize governance and audit regulation. The commission continues to express concern about the “unnecessary outreach effects” of Sarbanes-Oxley for European auditors and companies and the failure of the United States to “mutually recognize the equivalence of high-quality regulatory systems.” It identifies certification of financial statements and internal control systems, direct U.S. access to EU audit working papers, U.S. auditor independence requirements, and audit committee requirements as areas of continuing disagreement with the U.S. regulatory approach.
Asia
The immediate after-effects of recent U.S. scandals have been less potent in Asia — in part because in the late 1990s, Asia suffered its own set of governance-related failures and many nations had begun to embrace reforms. In some Asian nations, however, Enron and other large frauds provided an excuse to stall further corporate governance reform. In Japan, opponents of reform have pointed to the inability of U.S.-style corporate governance to prevent fraud. However, it was not long ago, in a fraud similar to Enron, that Yamaichi Securities used off-balance sheet vehicles to manipulate its financial statements, resulting in the firm’s collapse. Furthermore, some believe Japan’s banking sector crisis has been a partial result of poor corporate governance and shareholder accountability. In China, the China Securities Regulatory Commission has been implementing a code of corporate governance practices. The Code of Corporate Governance for Listed Companies in China seeks to make listed companies in China more attractive to investors by strengthening minority shareholder rights while restricting (to some degree) the power of the state, reforming board composition to include independent directors, requiring that the board evaluate management, establishing a framework for director and executive compensation, requiring internal control systems, and detailing independence criteria for external auditors. Following the UK model, the code has been implemented on a comply-or-explain basis. Despite this important advance, the potential for political interference both with the corporation and with the judiciary as well as the failure to address corruption are viewed by investors as continuing obstructions to the rule of law in China.
Africa and Latin America
In South Africa, the adoption of the King Report on Corporate Governance for South Africa – 2002 provides a governance framework for those companies listed on the Johannesburg Stock Exchange. The King Report and the UK’s Combined Code have few differences, and both are applied on the “comply or explain” basis. Also of interest, the Johannesburg Stock Exchange is preparing to launch the Socially Responsible Index to measure the social, environmental, and economic effects of top South African companies. Corporate governance practices will be one criterion for inclusion in the index. In Latin America, corporate governance reforms remain elusive. It is common for companies based in Latin America to have controlling shareholders; therefore, minority shareholder rights reform remains the most visible issue in these markets. While Argentina, Brazil, Chile and Mexico have passed laws strengthening minority shareholder rights, enforcement is inconsistent. The OECD and World Bank sponsored the Latin American Roundtable on Corporate Governance in November of 2003, which established a blueprint for regional reform. It advocates creating stronger regulatory oversight, safeguarding minority rights, adopting international accounting standards, and limiting cronyism throughout the region.
International Best Practices
The globalization of business has resulted in thousands of public companies doing business in different foreign jurisdictions. Given that each country has its own set of governance rules, regulations, and practices, how can a company’s management and board of directors manage its operations in such a way as to ensure that they comply in every country? Unfortunately, there are no shortcuts. Each jurisdiction must be researched and experts retained to ensure that the company is in compliance. To help auditors evaluate a company’s policies against international standards, best practices from several international jurisdictions are summarized herein. Identifying a select number of international best practices, even those that are most relevant to CAEs, is not easy, as the range of governance development varies widely from country to country. For certain countries, the concept of corporate governance does not exist, so discussion of best practices is premature. To settle on a set of best practices assumes that certain institutions and systems are already resident. For instance, most governance standards assume that there is a transparent, enforceable rule of law operational within the jurisdiction. Therefore, we assume that a strong legal system, liquid financial markets, and independent audits of public company financial reports to shareholders are standardized practices. Given these assumptions, we have focused our analysis on board composition, board structure, financial reporting controls, corporate values, whistleblower protections, and audit department reporting lines as areas most relevant to CAEs for analyzing the governance risk of their organizations.
Board Composition
Even before passage of Sarbanes-Oxley, there were important discussions from many different quarters regarding how to build the most effective board of directors. Many governance experts agree that the best boards are:
• Largely independent of management and controlling shareholders.
• Led by an independent chairman.
• Technically well balanced.
• Composed of no more than 10 members.
Independence is key to an appropriately functioning board of directors. If the board is loaded with company management, or a founder with a controlling stock interest, then it is possible that the directors are simply rubber-stamping the decisions of management rather than digging in to understand what is happening at the company. The “imperial CEO” — a CEO who also holds the position of chairman of the board — also represents a possible risk to an organization’s welfare. Many argue that the role of chairman conflicts with that of CEO because the CEO often is, or should be, the subject of board discussions and will be directly affected by decisions on matters such as who joins the board, management team performance, and compensation. There are some effective arguments against splitting these two positions, as it could create gridlock if there is not a consensus between the CEO and chairman regarding how to move the company forward. Many also argue that this structure, which is prevalent in the United States, has served U.S. businesses well over time. However, as detailed in the UK’s Combined Code, best practice requires that “the roles of chairman and chief executive should not be exercised by the same individual.” Some countries, such as Germany, have structurally separated these roles by implementing a two-tiered board structure consisting of a management board and a separate supervisory board.
In the United States, when the two roles are not separated, the trend is to appoint an independent director to lead the board on matters that may pose a conflict with the CEO’s role. Regardless of structure, what is important is that the board can handle sensitive matters involving the CEO unimpeded. An imperial CEO who has unfettered control of the board can control the board agenda and its access to information, discourage discourse, and implement a range of policies that potentially serve management at the expense of shareholders. The CAE must assess this increased risk. An auditor would want to evaluate the compensation program to understand the incentives and potential motivation to enter into transactions or change accounting policies to meet benchmarks or other remuneration triggers. Many underappreciate the importance of a technically and functionally balanced board to a company’s oversight capability. Accounting is the language of business, and the financial statements represent the stories told by each company. As such, it is imperative that there are financial experts on every board of directors. Financial experts are now required in the United States; however, some believe every director must be financially literate to be effective. Financial literacy is not the only competency that a board requires. Highly specialized and complex fields such as drug development, military procurement, and nanotechnology will need experts who exhibit the specific knowledge necessary to provide effective oversight of these businesses. A competent board will exhibit both functional and technical expertise relevant to the company that it supervises. A CAE must recognize that those boards without appropriate expertise may be overly reliant on management for evaluation of business prospects, competitive analysis, financial reporting, and so on. Board size is a governance factor that should not be overlooked.
The larger the board, the harder it is to become active and engaged, and this often results in more reliance on and deference to the CEO. According to The Report of the NACD Blue Ribbon Commission on Director Professionalism published in 2001, typical large-cap company boards are in the 10- to 13-seat range, which many observers believe to be optimal. Turnaround specialist Gary Sutton goes even farther, saying in the Spring 2004 edition of Directors and Boards that “five or seven board members work best … more is worse since it diffuses responsibility.” In fact, boards have gotten smaller. The executive recruiters Spencer & Stuart have found that the average board size has decreased from 14 directors in 1993 to 11 in 2003. The substantial responsibilities placed on boards make it difficult to reduce beyond 7 directors except for small companies, and one might expect that a large multinational corporation would have a larger board than a small or mid-cap public company. However, a board consisting of more than 20 seats, which was not unusual just 10 years ago, should be a red flag to the CAE that the board may be too large to function effectively.
Board Structure
If organizations have learned anything from the various frauds experienced recently, it is the need for competent and independent oversight of financial reporting, remuneration, the nomination of new directors, and governance generally. Commonly, those companies with the best governance practices will establish audit, compensation, and nominating — or governance — committees to support the board of directors. Each committee will then prepare a charter that explains its functions. It is common for such charters to provide access to appropriate experts and resources and for regular evaluations regarding the effectiveness of the committee’s policies and procedures.
Audit Committees
The audit committee has the awesome responsibility for oversight of the financial reporting process. To ensure that accounting policies are sound and financial statements appropriately prepared and audited, the board should have an audit committee consisting only of outside directors and at least one financial expert. This is now a legal requirement in the United States. Best practice would dictate that audit committees have access to all of the resources necessary to meet their oversight objectives, including retaining outside advisors; hiring, terminating, and remunerating the public accountants and CAE; and having access to the results of management’s own testing of assertions and key internal controls.
Compensation Committees
Although a compensation committee consisting of only outside directors will not guarantee a fair and balanced compensation program, a committee consisting of insiders can only lead to suspicion regarding a program’s legitimacy. The compensation committee should be able to retain quality advisors as it deems necessary to ensure that incentives are in place and metrics are available to assess the effectiveness of the remuneration program.
Many believe that poor compensation practices produce incentives to manipulate financial statements, enter into transactions that are not in the best interest of shareholders, or abuse corporate assets. Best practice requires that compensation be tied to long-term incentives, not short-term stock swings or the closing of transactions. Stock awards that vest over time can better align the CEO’s interests with those of shareholders, whereas tying compensation to short-term stock price appreciation or option grants can create pressure to manipulate the financial statements. However, simply tying compensation to long-term returns is not enough. Long-term plans can also be poorly designed. For example, a judge ordered three executives of Computer Associates International (CA) to repay $550 million of stock awarded in 1998 under a five-year arrangement, as it did not meet the original intent of the plan. Later, a federal grand jury charged the former chairman and CEO of CA, Sanjay Kumar, with securities fraud. According to the indictment, Kumar backdated billions of dollars of contracts to meet Wall Street’s forecasts. What motivation would Kumar have to do this? Consider the stock awards just discussed and the effect on Kumar’s wealth if the value of the stock declined before it was sold.
Nomination Committees
There should be an independent nominating or governance committee that has oversight of director nominations. An independent nomination committee is particularly important for those public companies that are led by imperial CEOs. It is a natural inclination for a CEO to seek those who are like-minded for his or her board. But that might not be the best answer for the shareholders. Best practice requires a process that involves defining qualities the board currently lacks, identifying the profile of a director that would best fit that role, conducting a search for a candidate based on the profile, and selecting the best candidate due to their credentials and board needs. A board selected primarily through relationships held by the CEO should be a red flag to the CAE that the board may not be sufficiently independent and oversight might not be as effective as would otherwise be the case. In such cases, further assessment of the compensation, financial reporting, corporate values enforcement, and whistleblowing processes would be appropriate.
Financial Reporting Controls
It is no surprise that the country that experienced a series of billion-dollar financial reporting frauds would respond with stringent rules that would become the new standard for international best practice. In the United States, Congress responded by requiring that CEOs and chief financial officers (CFOs) personally certify their company’s financial statements and using fines and incarceration as enforcement tools. Congress also expressly required that public companies attest to the soundness of internal controls over financial reporting, requiring that every public company document, evaluate, and test internal controls. While most large public companies are finalizing this work, many small and mid-cap companies (which have a later deadline than larger companies) are still determining how to best meet this requirement. Best practice is still developing around financial reporting, but many companies are pushing certification of financial results “down” the organization by requiring business unit and departmental managers to sign off on the financial results for their area of influence. This practice creates ownership of the numbers below the principal officers and, as a result, more care regarding the contents. Other corporate practices include the creation of a disclosure committee to vet issues raised by line managers and corporate staff for possible inclusion in the financial statements and related footnotes. The testing of assertions and controls may also be evaluated by this group in addition to the audit committee.
Corporate Values
In the past, most senior executives spent little time or effort developing or reinforcing shared corporate values. There are, however, exceptions. For instance, health-care products giant Johnson and Johnson developed and lives by its corporate credo; and the employees of the investment banking powerhouse Goldman Sachs are expected to conform to the firm’s business principles. But then again, there is Enron. Enron’s set of corporate values listed communication, respect, integrity, and excellence as important to its company culture. But a simple list of words does not mean much if it is not clear how to apply their meaning to daily work lives. Even more important, it must be clear that company leaders actually believe in their stated values. Not too many people would use the word “integrity” to describe Enron’s management. It is clear to all that the company’s management either could not, or did not care to, enforce this value. A fuzzy or vacant set of values is not just neutral, but destructive. Employees can spot insincerity in the executive ranks all the way from the mailroom, and they will make a company pay for it. To ensure that everyone in the organization is aware of corporate values and policies, every employee should attest annually to having read and pledged their compliance with them. To reinforce these values, compliance with the code of conduct should also be considered when making compensation and promotion decisions. In fact, the organization’s values should be cited whenever making a visible decision that concerns employees. Finally, certain companies determine the effectiveness of their efforts by conducting confidential employee surveys. Conducted appropriately, these surveys can tell management and the board whether employees are getting the right messages and, if not, where the company needs to focus its efforts.
Such practices can reassure the CAE that management is serious about supporting a culture that values honesty and transparency.
Whistleblower Protections
Corporate leaders who disregard ethical and legal conduct often devise incentives to encourage those around them to push the envelope and discourage or even punish those who resist or report questionable behavior. For governance systems to identify such behavior, there must be a strong culture that rewards doing the right thing and provides an effective means for reporting wrongdoings. Employees must trust that their efforts will be supported and that their courage will be embraced if they report problems. Establishing trust requires that whistleblowing not lead to punitive measures.
To encourage this culture, in the United States, Sarbanes-Oxley and SEC rules require companies to adopt a code of ethics for senior financial officers. Stock exchange rules and Federal Sentencing Guidelines further require that companies adopt codes of business conduct for all employees to assist them in avoiding illegal and unethical conduct. The audit committee must also establish procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. Section 806 of Sarbanes-Oxley backs up this procedure by prohibiting actions to “discharge, demote, suspend, threaten, harass or in any other manner discriminate against an employee … because of a lawful act done by the employee….” The act also provides remedies in the form of compensatory damages.
Effectively fighting fraud in the management suite requires more than just having a fraud hotline. The board must actively engage management at levels below the most senior level, vigorously question the internal and external auditors, and cogently enforce the company’s code of conduct by rewarding compliance and addressing noncompliance. On November 1, 2004, amendments to the U.S. Federal Sentencing Guidelines for Organizations became effective. The guidelines provide that if a compliance and ethics program is deemed to be “effective” it will help protect a corporation in the penalty phase of a criminal proceeding. Effective compliance programs should also help lessen the likelihood that a criminal proceeding — or an SEC civil enforcement action — is initiated in the first place.
Whistleblower protections are critical to auditors. They help deter wrongful conduct, assist in bringing wrongdoing to the attention of management and the board, and ultimately help protect the corporation. Without them, important sources of information may be reluctant to come forward out of fear that their job is on the line. It is in every CAE’s interest to ensure that whistleblower mechanisms are effective and that his or her efforts visibly contribute to the enforcement of the company’s compliance program.
CAE Reporting Line
Although there is a clear trend to have the CAE report to the audit committee, many still report directly to the CFO. Unfortunately, CFOs have been at the center of the largest financial reporting frauds and can be deeply conflicted regarding the CAE’s opinion on the status of financial reporting controls. Best practice would leave oversight of the internal audit department to the audit committee, and if an administrative reporting line is needed, it should be to the CEO. Most CAEs will not have decision rights regarding their reporting line, but they can begin to educate the audit committee regarding the conflicts faced by an internal auditor when he or she reports directly to the CFO.
Informed Decision-making
The world of corporate governance is changing, and companies that do all the right things may still experience governance problems. What it all comes down to is the judgment of the managers, directors, and gatekeepers of companies. By understanding international best practices, audit executives improve their understanding of the key governance risks facing their organization and can focus on risks that really matter. With this understanding they are better equipped to do the right things in the right way, and are capable of more informed decision-making. The end result is that audit executives are better counselors to the board of directors and senior management and more effective gatekeepers for the corporation’s shareholders.
Resources
The 2004 Global Competition Review analyzes board structures and directors’ duties for 26 different jurisdictions. The Review can be obtained through their website at www.globalcompetitionreview.com.
Weil, Gotshal & Manges, an international law firm, publishes a comparison of significant practices called International Comparison of Selected Corporate Governance Guidelines and Codes of Best Practice. This and other useful information regarding other governance-related topics (such as the Sarbanes-Oxley Act) can be found at www.weil.com.
The National Association of Corporate Directors has many useful governance publications including risk oversight, board evaluation, director’s ethics, audit committees, executive compensation, etc. Information can be obtained at www.nacdonline.org.
The Organisation for Economic Co-operation and Development (OECD) can also be a good resource for governance principles and best practices. Information can be obtained at www.oecd.org.
OECD Principles of Corporate Governance
I. The corporate governance framework should promote transparent and efficient markets, be consistent with the rule of law, and clearly articulate the division of responsibilities among different supervisory, regulatory and enforcement authorities.
II. The corporate governance framework should protect and facilitate the exercise of shareholders’ rights.
III. The corporate governance framework should ensure the equitable treatment of all shareholders, including minority and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for violation of their rights.
IV. The corporate governance framework should recognize the rights of stakeholders established by law or through mutual agreements and encourage active cooperation between corporations and stakeholders in creating wealth, jobs, and the sustainability of financially sound enterprises.
V. The corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership, and governance of the company.
VI. The corporate governance framework should ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board’s accountability to the company and the shareholders.
Source: OECD Principles of Corporate Governance–2004
Selected Corporate Governance Best Practices
How does your company stack up against these selected best practices? A “No” denotes additional risk for the CAE to consider.
1. Is a significant majority of the board composed of persons who are independent of management and controlling shareholders?
2. Is the chairman or lead director of the board an independent outside director?
3. Is the board both functionally and technically balanced?
4. Is the size of the board appropriate for the size of the business and not unduly large?
5. Are auditing, compensation, and nomination/governance the province of independent directors, functioning under their own charters? Do the independent directors regularly engage in self-evaluation?
6. Do the board and supporting committees have access to their own advisors and counsel as needed?
7. Are controls over financial reporting documented with the entire senior management team certifying the financial results for individual businesses or divisions?
8. Do the directors, managers, and employees attest annually to a code of conduct? Are there regular efforts to provide related training and to gauge the effectiveness of communications regarding corporate values?
9. Are there mechanisms for employees or vendors to report serious policy infractions or fraud independent from management? Do whistleblower protections exist for those who avail themselves of these mechanisms?
10. Is the chief audit executive retained through and evaluated and compensated by the audit committee of the board of directors?
Red Flags of Corporate Governance
• There is no independent leader of the board, whether that leader has the title of chairman, lead director, or presiding director.
• There is a lack of open dialog at board meetings.
• The board does not retain its own outside experts for counsel on important issues such as compensation, risk management, and governance.
• Meeting materials are not sent to directors sufficiently ahead of time to assimilate.
• Nonexecutive directors are overly reliant on management for setting meeting agendas.
• The size of the board is overly large, retarding effective communication among directors and independent consensus building.
• Nonexecutive director contact with line managers is not encouraged.
• There are excessive anti-takeover provisions in place that disadvantage active shareholders and unfairly protect management.
• The board does not consider shareholder proxy requests.
• A significant number of directors are company executives, or persons with business or personal relationships with the CEO or the company, who could be expected to follow the lead of the CEO.
• The board is dependent on management to identify and nominate new directors.
• There is little correlation between corporate performance and incentive compensation.
• The CEO and CFO promote a culture of aggressive growth and give lip service to the importance of “tone at the top” such that aggressive accounting policies and lack of accounting transparency are tolerated or encouraged.
• Mechanisms for reporting serious breaches of policy independent of management and for protecting whistleblowers are not developed or communicated effectively.
Country comparisons not provided due to formatting issues.