Recently, the world’s largest ongoing study of the internal audit profession—the Global Internal Audit Common Body of Knowledge (CBOK)—was completed by the Institute of Internal Auditors (IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance at organizations of varying operational models and sizes. The study sought input from members of audit committees all over the world about their expectations of the internal auditor’s role in the organization. We think all directors will find the results of the study applicable to their work in the coming year and beyond.
Below are six imperatives for internal auditors from the CBOK study based on feedback from audit committee members.
1. Focus more on strategic risks. According to the CBOK study, two out of three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should focus on strategic risks (as well as operational, financial and compliance risks) during audit projects (86 percent) and periodically evaluate and communicate key risks to the board and executive management (76 percent). Accordingly, chief audit executives (CAE) must focus their function sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk-based audit plans, and formulating audit findings. By understanding the organization’s business objectives and strategy, and identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.
2. Think beyond the scope. The call for internal auditors to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, that the auditor should:
“Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
Broaden the focus on operations, compliance, and nonfinancial reporting issues; and
Watch for patterns or signs indicating a deteriorating risk culture.
By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical, and harder-hitting recommendations aligned with what directors are seeking.
3. Add more value through consulting. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as 73 percent of respondents recommended that internal audit advise on business process improvements. For example, consulting activities by internal audit can result in: strengthening of the lines of defense that make risk management work; more effective collaboration with other independent functions focused on managing risk and compliance; improvements in the control structure, including greater use of automated controls; and suggestions for improving and streamlining compliance. These study findings underscore the benefit of investing in consulting services that will strengthen business processes.
4. Facilitate effective, high-quality communication. Board members generally rate internal audit’s communication at a high level of confidence. For example, a large majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build the board’s satisfaction with the internal auditor’s role.
5. Elevate stature and perspective. Intentionally positioning the CAE and internal audit within the organization is vitally important to their ability to meet elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the study reports that two out of three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as an effective strategy for broadening the CAE’s perspective. The board settings that are relevant in this context must be defined by directors to fit the organization’s specific needs. However the goal is defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective of the organization and elevates the stature and visibility of the internal audit function within it. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities, and earn the right to be viewed as a valued source of insight for the board.
6. Align with stakeholder expectations. In most organizations, not all stakeholders see eye to eye or want the same value from internal audit. This reality creates a significant challenge for CAEs tasked with building consensus among stakeholders. While directors may not expect their company’s CAE to address all of the above imperatives, they should initially and periodically assess whether internal audit is doing what matters based on previously-established imperatives. The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to each facet of the organization, and by providing an assurance and advisory perspective that the board, executive management, and other stakeholders can understand.
Following are some suggested questions that directors may consider based on the risks inherent in the entity’s operations.
Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
Does internal audit provide adequate attention to strategic risk issues, including barriers to the organization’s execution of the strategy?
Does internal audit have an appropriate mix of consulting and assurance activities?
Does internal audit have the stature and access necessary to maximize its effectiveness?
Jim DeLoach is managing director with Protiviti, a global consulting firm.
Every corporate director knows the importance of M&A in the grand scheme of enterprise. With some 40,000 significant transactions announced annually, M&A is hard to ignore. Yet there are persistent risks that directors need to understand and mitigate through insightful questions and the dialogue that ensues.
Risk: Not all bets will pay off—at least not right away. Buying a company means placing a bet on the future. Given the level of unpredictability involved, there is some chance that the merger will fail to achieve its goals and/or fail to return incremental value to shareholders. It is commonly cited that “80 percent of all mergers fail” to add value; however, this percentage is an exaggeration. Event studies that compare transactions over time present a more realistic picture by showing that incremental financial value is not assured. For example, a study conducted by Kingston Duffie, publisher of the digital magazine Braid, indicates that companies actually lost 4.8 percent of their value when they spent at least five percent of their market capitalization on M&A during the 18-month period between October 2014 and March 2016. The interactive graphic included in the study shows differentiated performance during the period—high for Stamps.com Inc., medium for Starwood Hotels & Resorts Worldwide Inc., and low for EV Energy Partners. Your company could experience returns like any one of these.
Question for Directors:If this merger ends up havinga slightly negative result for our shareholders, what are the compelling strategic reasons to do this deal? When do we believe that deal synergies will materialize?
Risk: As a director, you could be named in a lawsuit—especially if you are voting on the sale of a company. In 2015, lawsuits were brought in 87.7 percent of completed takeovers. Although most cases settle, some do go to trial. In a trial setting there are four main standards for judging director conduct in the sale of the company, ranging from lenient to stringent:
The business judgment rule (trusting the decision as long as directors have no conflicts of interest and are reasonably well informed).
The Unocal standard (protecting anti-takeover moves only if a threat is real).
The Revlon standard (requiring an auction process once a company is in play).
Entire fairness (requiring both a fair price and a fair process).
In addition, when a company has promised its shareholders the right to have the company appraised, the court itself can impose its own valuation. In the original Dell go-private transaction, the court retroactively forced the company to pay aggrieved stockholders what the court deemed to be a missing increment to their premium.
Question for Directors:How can we find assurance that sale is in the best interest of the company and its owners, and that we have chosen an optimal price? How can we ensure that there is a litigation-ready record of our deliberations in this regard?
Risk: You could lose your board seat. According to a study by Kevin W. McLaughlin and Chinmoy Ghosh of the University of Connecticut, there is a higher rate of retention for directors from the acquiring firm (83 percent) following a merger, with the most likely survivors being individuals who serve on more than one outside board. Only about one-third of directors from the target board (34 percent of the inside directors and 29 percent of the outside directors) continue to serve after the merger.
This October, when Dell Inc. and EMC Corp. officially merge (assuming full regulatory clearance following their recent shareholder approval), many who serve on the EMC board may not be on the post-merger Dell board, including retiring EMC Chair-CEO Joe Tucci. When the merger was first announced last October, a spokesman for Elliott Management Corp. stated in a press release, “Elliott strongly supports this deal. As large stockholders, we have enjoyed a productive and collaborative dialogue with Joe Tucci and EMC’s Board and management. We are confident that this Board has worked tirelessly to evaluate all paths for the company and that today’s transaction represents the best outcome for stockholders.”
Saying goodbye to some or all of these incumbents this fall will seem to be an ironic outcome for creating value. And yet that is how it must be. Fiduciaries are not self-serving, but rather they serve on behalf of shareholders to promote the best interests of the company. As such, they need to be ready to move on when that is the best outcome for the corporation. Still, it is disruptive (and not always creatively so) to be a trusted voice of wisdom for the future one day, and mere history the next.
Question for Directors: If we sell this company and our board must merge or disband, who among us will be most useful in steering the combined company in the next chapter?
These are not easy questions. But by asking them, directors can help their companies beat the tough M&A odds.
Meeting minutes of the board of directors, which usually are prepared by the corporate secretary, can play a crucial role in a government investigation or civil litigation relating to a decision or indecision of the board of directors or the knowledge of an individual director. In some instances, the minutes could establish an important defense for directors, while in other instances the minutes may subject directors to unnecessary criticism or worse. Directors should ensure that the corporate secretary follows these guidelines.
Unlike the meeting secretary, directors neither are obligated nor are advised to take individual notes during board and committee meetings. Individual director notes are unnecessary because the secretary’s official minutes will contain a record of the meeting. Additionally, director note-taking is risky. Directors’ notes likely would be discoverable in litigation, and notes that seemed clear in the days after a meeting may not be clear several years later after memories have faded. Absent a clear interpretation, adversaries will attempt to impose their own meanings on the notes. Furthermore, if multiple directors take notes, discrepancies may exist with other notes or the official meeting minutes.
Although individual circumstances may vary, below are some general guidelines that corporate secretaries of U.S. companies should follow when they take official notes and prepare meeting minutes for the board of directors. If a company is incorporated outside the United States, different guidance might apply.
Record the essential information. The corporate secretary should record essential information such as the date, starting and ending times, location, attendees (e.g., directors, management, experts, and legal counsel), presence and maintenance of a quorum, meeting chair, materials distributed in advance of the meeting, topics discussed, and decisions made in a formal meeting of the board. In some cases, the secretary should note the length of particular discussions and deliberations, especially if a particular discussion is an important part of the meeting. Directors also should ensure that the notes taken by the corporate secretary do not editorialize, as commentary could be misconstrued by an adversary if discovered in litigation.
Clearly identify separate meetings and tasks. Because notes and minutes are incomplete by nature, the more organization and structure they contain, the easier they will be to understand and interpret in the event that they are scrutinized. Secretaries should use the meeting’s agenda as a guide for organizing and labeling their notes and the minutes, and should indicate transitions from one topic to the next, including presentations by management, counsel, or advisory firms and executive sessions.
Identify in notes when an attorney is present during a conversation. Directors’ interactions with lawyers usually are protected by the attorney-client privilege or work-product protection, which may shield the content of those discussions from being turned over to an adversary. Boards also should consider including the general counsel in meetings that could involve a discussion of legal issues. If a lawyer is present during any portion of a meeting, the minutes should indicate the lawyer’s name and law firm, and the portions of the meeting for which the lawyer was present. Generally, the minutes for these interactions should indicate only that such discussions occurred and the general topics discussed.
Identify and describe the board’s deliberative process. Recording the general fact that the directors discussed or deliberated about an issue is critically important. However, what a particular director said about a particular issue is usually less important. For that reason, and to avoid errors in attribution, the secretary’s notes and official minutes generally should use collective or passive-voice descriptions (e.g., “the directors discussed the matter” or “a discussion ensued”) as opposed to attempting to record individual viewpoints and the directors who expressed them. Because directors may express passionate views about an issue, the secretary should exercise good judgment in determining what to record.
If notes are taken by hand, they should be clearly, legibly recorded, and should not include shorthand. Illegible meeting notes and notes taken in shorthand can be difficult to interpret when the secretary refers to them while drafting the official minutes. Provided typing is not disruptive to the directors in the meeting, directors should ask corporate secretaries to consider taking notes on a secure computer. Clarity and accuracy are crucial because a difference of opinion between directors regarding the events that occurred at a meeting ultimately may be resolved by reference to the secretary’s notes. In the litigation or regulatory enforcement context, unclear notes may result in meeting minutes that lack an obvious, objective interpretation and are susceptible to being misinterpreted by an adversary.
Encourage the secretary to maintain a standard practice of note taking. Secretaries generally should establish and maintain a standard practice for taking notes, retaining meeting materials and individual notes, and preparing meeting minutes. Deviating from a standard practice could raise negative inferences from a regulator or court.
The secretary should distribute the draft minutes for directors to review as soon as practicable. During their review, directors and secretaries should be mindful of any important events that occur between the meeting date and the finalization of the minutes. If a director believes the minutes omit important information, then the director should discuss orally the matter with the secretary. E-mails regarding the minutes between the secretary and directors, or among directors, should be strictly discouraged.
Discuss with counsel whether to retain notes and draft minutes. There may or may not be a legal or corporate requirement for the secretary to retain his or her meeting notes or draft minutes. After the official minutes are approved, the secretary should discuss with company counsel whether there is a requirement to maintain these materials and ascertain the length and nature of the requirement. If there is no requirement to maintain the materials, the secretary should discuss with counsel whether and how to discard them.
Bradley J. Bondi and Bart Friedman are partners with Cahill Gordon & Reindel LLP. They advise financial institutions and global corporations, boards of directors, audit committees, and officers and directors of publicly-held companies in significant corporate and securities matters, with particular emphasis on internal investigations and enforcement challenges. Michael D. Wheatley, a litigation associate at Cahill, assisted with this article.