
Reflections on Corporate Governance and the role of the internal auditor (2005)

Jan Cattrysse
Master of Internal Auditing
Roularta Media Group

Contents

Introduction

Chapter I: Corporate Governance, what’s in a name?

Chapter II: Historical Background and codes
II.1 USA
II.2 United Kingdom
II.3 Belgium
II.4 Other

Chapter III: Participants
III.1 Board of Directors
III.2 Audit Committee
III.3 Management
III.4 Stakeholders

Chapter IV: Aspects of Corporate Governance
IV.1 Attributes
IV.2 Code of Conduct
IV.3 Why Corporate Governance matters
IV.4 Corporate Governance guarantees?
IV.5 Corporate Governance and Internal Control

Chapter V: Corporate Governance and the media
V.1 The role of the media regarding Corporate Governance
V.2 Corporate Governance regarding the media

Chapter VI: The Internal Auditor and Corporate Governance
VI.1 The relationship between Corporate Governance and the Auditor
VI.2 Implications of Corporate Governance on the Audit Profession
VI.3 The Position of the Auditor in a Corporate Governance ‘environment’
VI.4 Special Aspects deserving Special Attention
     Ethical values and integrity
     Fraud
     Corporate Social Responsibility
     Risk assessment and risk management
VI.5 The Auditor’s Tools

Conclusions

Bibliographical Sources

Appendix: useful internet links on corporate governance and internal auditing

Introduction
Corporate Governance is a hot issue on all continents. For the past months and years, more or
less disturbing new(s) items dealing with corporate governance have ‘emerged’. At some
time it seemed as if the whole political, economic and financial world was held hostage by,
and concerned with, the development of this phenomenon.

Considering the role and the position of the internal auditor within an organization, the choice
of devoting a paper to the subject of corporate governance and the contribution that can be
offered by the internal auditor in this domain is hardly surprising.

The mere ‘extent’ of the subject, however, has forced me to begin the title with ‘Reflections
on…’. The numerous aspects of corporate governance make it practically impossible to
encompass all ‘angles’ in one paper. The fact that not one single definition of corporate
governance exists but that definitions are being formulated in view of those aspects of
corporate governance the author or commentator wishes to ‘elaborate’ on, confirms the
enormous extent of the phenomenon itself.

However, this paper is not meant to give a narrowly focussed view on a subject that affects so
many. On the contrary, it is meant to shed some light on different aspects, characteristics,
components and issues of corporate governance, always bearing in mind the possible role of
the internal auditor. This is also the reason why some aspects will be treated more thoroughly
than others.

Moreover, this paper has no intention of telling the internal auditor what to do but rather to
give an indication of different elements which may enable the internal auditor to contribute to
what is generally referred to as ‘good’ corporate governance.

However, in order to fully grasp the possibilities for the internal auditor with regard to
corporate governance, I found it useful to shed some light on the phenomenon of ‘corporate
governance’ itself: its meaning, its history, its different features, its various participants, its
components and a number of other aspects pertaining to the subject of corporate governance.

Taking into account my professional occupation and my present employer, a short chapter has
been devoted to corporate governance and media surroundings.

The chapter dealing in particular with the role of the internal auditor lists a number of
considerations regarding the possible impact of the internal auditor on corporate governance
in different ways. A number of references are also made to 'regulations' by the Institute of
Internal Auditors.

To end with, a number of conclusions are formulated.

In order to provide the reader with ample opportunity to study more in depth one or more
items that are dealt with in the paper, a large number of footnotes have been included. Apart
from providing supplementary explanation, they are primarily meant to offer links, sources
and reference directions the reader may want to consult.

In view of the rapid developments of different aspects of corporate governance, including the
positions and recommendations of various organizations, next to the bibliographical sources,
listed at the end of the paper, an appendix with a number of internet addresses has been added.

The list of bibliographical sources includes a large number of references to articles, papers
and reports. It does, however, not include full reference to every possible source referred to in
the paper itself.

The appendix is meant to help the reader on his or her way to possible further information. Its
purpose was not to provide an exhaustive list, but rather to provide a selection of a number of
sites that are significant for the contents of the paper. Thus, a number of these sites mainly
deal with internal auditing while others focus more on corporate governance as such. Please
also note that some of the internet sites referred to in the footnotes clearly state that certain
materials cannot be copied.

In reading the paper, it is important to keep in mind that it is meant in the first place as
guidance for the internal auditor on the phenomenon of corporate governance, bearing in
mind the objectives set out above (not so much completeness as practical information on
aspects which may concern internal auditors or to which the internal auditor may ‘add value’).

Jan Cattrysse, MIA


Roeselare, Belgium, May 20th 2005

No part of this paper may be copied or reproduced in whole or in part, in any form, without
prior authorization of the author.

Chapter I: Corporate Governance: what’s in a name?
In order to make sure that there are no misunderstandings regarding the linguistic content of
the term ‘Corporate Governance’, it may be useful to look first at the two keywords
individually before trying to understand their mutual relationship.

Corporate:
‘forming or being a corporation, having a legal existence distinct from that of the individuals
who compose it’. (the New Shorter Oxford English Dictionary)

Governance:
‘controlling or regulating influence, control, mastery’. (the New Shorter Oxford English
Dictionary)

Having consulted different sources on corporate governance we find that, although the
dictionaries are quite precise about the meaning of these two words individually, the mere
combination offers a multitude of ‘different’ interpretations.
‘Corporate Governance’ is not just adding up two words, it is one concept.

Possible definitions of corporate governance include:


• ‘Governance is the form by which stakeholders monitor their company of interest.’ [1]
• ‘Corporate governance is the system by which companies are directed and controlled.’ [2]
• ‘Corporate governance is the system by which business corporations are directed and
controlled.’ [3]
• ‘Corporate governance deals with the mechanisms by which stakeholders of a corporation
exercise control over corporate managers such that stakeholders interests are protected.’ [4]
• ‘Corporate Governance refers to the systems and processes within an entity which
establish its goals and objectives, and which monitor achievement of these goals and
objectives in ways which conform to the operating values of the entity.’ [5]
• ‘Corporate Governance means doing everything better, to improve relations between
companies and their shareholders; to improve the quality of outside directors; to
encourage people to think long-term; to ensure that information needs of all stakeholders
are met and to ensure that executive management is monitored properly in the interest of
shareholders.’ [6]
• ‘Corporate Governance is all about relating the company to different stakeholders that
include shareholders, policyholders, employees, suppliers and society at large.’ [7]
• ‘Corporate governance consists in the rules and procedures that determine the
decision-making, control and monitoring processes within the company…’ [8]
• ‘Effective corporate governance ensures that long-term strategic objectives and plans are
established, and that the proper management and management structure are in place to
achieve these objectives; while at the same time making sure that the structure functions
to maintain the organization’s integrity, reputation, and accountability to its relevant
constituencies.’ [9]

[1] Yeoh E., Jubb C., ‘Governance and Audit Quality: Is there an Association?’, University of
Melbourne, Australia, December 2001, via
http://accounting.rutgers.edu/raw/aaa/audit/midyear/02midyear/2002%20Midyear%20Audit%20Conference%20Program.htm
(15 April 2005).
[2] Quote from the Cadbury Report par. 2.5, via
http://www.blindtiger.co.uk/IIA/uploads/2c9103-ea9f7e9fbe--7e15/Cadbury.pdf (15 April 2005).
[3] OECD short definition via
http://www.consultgroup.net.au/consultants-resources/white-papers-articles/oecd-principles.html,
(15 April 2005). Remarkable is the resemblance to the Cadbury definition of 1992.
[4] Velury U., Reisch J., O’Reilly D, ‘Corporate Governance and the Selection of Industry
Specialist Auditors’ via
http://accounting.rutgers.edu/raw/aaa/audit/midyear/02midyear/2002%20Midyear%20Audit%20Conference%20Program.htm
(15 April 2005).
[5] Definition copied from the Australian Auditing Standards: ‘Defining Internal Control,
Corporate Governance and Internal Control’, via http://www.nt.gov.au/ago/brochures/control
(15 April 2005).
[6] A number of definitions of Corporate Governance can be found in the article ‘What is
Corporate Governance?’ via http://indiainfoline.com/nevi/what.html (15 April 2005)

Apparently, corporate governance means a lot of different, mostly interrelated, things to
different people depending on the organization to which it is applied! The definitions are
sometimes so different that one often wonders whether they are really all about the same
thing. We should bear in mind, however, that these definitions need to be interpreted in their
proper context.

The definition from which we start in this paper reads as follows:

‘The term ‘corporate governance’ is susceptible of both narrow and broad definitions.
Narrowly defined, it concerns the relationships between corporate managers, directors and
shareholders. It can also encompass the relationship of the corporation to stakeholders and
society. More broadly defined still, ‘corporate governance’ can encompass the combination
of laws, regulations, listing rules and voluntary private sector practices that enable the
corporation to attract capital, perform efficiently, generate profit, and meet both legal
obligations and general societal expectations.’ [10]

Especially the stretching of the definition to include the ‘voluntary sector practices’ and the
‘general societal expectations’ is enriching. It is a clear indication of what is sometimes
described as ‘beyond’ compliance. [11]

Looking at the definition again we find different kinds of information. Reading the definition
backwards, we come across several objectives of corporate governance:
1. attract capital
2. perform efficiently
3. generate profit
4. meet legal obligations
5. meet general societal expectations

[7] ‘Corporate governance – Important for successful insurance’ article by S. Guha (12 March
2002), via http://www.thehindubusinessline.com/bline/2002/03/12/stories/2002031200081300.htm
(15 April 2005)
[8] ‘Eni and Corporate Governance’, via
http://www.eni.it/eniit/eni/internal.do?layout=la_compagnia&mnselected=lc_2_corporate_governance&channelId=-1073757805&menu=false&mncommand=openById&mnparam=lc_2_corporate_governance&lang=en&sessionId=@@@@0360120448.1113377276@@@@&reset=true
(15 April 2005).
[9] ‘The Underutilized Internal Auditor’, article by Anthony J. Ridley, via
http://www.theiia.org/ecm/guide-ia.cfm?doc_id=347 (15 April 2005).
[10] Gregory, Holly J. & Simms, Marsha E., ‘Corporate Governance: What it is and why it
matters.’, via
http://www.transparency.org/iacc/9th_iacc/papers/day2/ws3/d2ws3_hjgregorymesimms.html
(15 April 2005)
[11] A number of ‘documents’ and ‘reports’ refer explicitly to the term ‘beyond’ to indicate
that corporate governance goes ‘further’ than mere compliance e.g.: The Final Report by the
Joint Committee on Corporate Governance is titled: ‘Beyond Compliance: Building a Governance
Culture’ (via
http://www.cica.ca/multimedia/Download_Library/Research_Guidance/Risk_Management_Governance/Governance_Eng_Nov26.pdf
(12 April 2005)). Or the paper by L. Van den Berghe titled “Beyond ‘Corporate
‘Governance: an overview of the challenges in front of us” (via
http://www.ivb-ida.com/documenten/EN_beyond_LVDB.pdf (15 April 2005)).

Moreover, corporate governance concerns:

1. the relationship between managers, directors and shareholders
2. the relationship of the organization to its stakeholders and to society
3. compliance with laws, regulations and listing rules
4. voluntary (private sector) practices.

From the point of view of the internal auditor, these elements of the definition of corporate
governance provide an interesting platform from which he can recognize several aspects of
internal control according to the COSO definition. Further elaboration of the relationship
between corporate governance and internal control will be dealt with in chapter IV. 5
‘Corporate Governance and Internal Control’ p. 25.

Contrary to more recent views, codes were originally quite reluctant to enforce corporate
governance recommendations by way of transforming them into binding laws and regulations.
This trend can also be found in the joint document ‘Corporate governance for Belgian listed
companies’ (The Cardon Report) which was issued by the ‘Brussels Stock Exchange’ and the
‘Banking and Finance Commission’ in December 1998. This document clearly aimed at
issuing recommendations which: ‘…do not aim to enforce organisational rules on listed
companies.’ [12]
The notion existed that corporate governance was guided by internal views and convictions
rather than by imposed regulations. The recommendations formulated at that time were
principally meant to provide a framework for the companies on the one hand and to give a
clear signal to the international investors’ community on the other.
It was believed that Belgian company law, for example, already incorporated the basic
requirements for good corporate governance and that the additional opportunities lay within
the area of corporate behavior pertaining to aspects of transparency, integrity and
responsibility.

A very useful ‘innovation’ in numerous codes was the introduction of the ‘comply or explain’
principle. This principle was aimed at forcing companies to explain those aspects in which
their situation did not ‘follow’ the recommendations. The reason for the introduction of this
principle was to force companies to at least consider the recommendations and to stimulate
companies to ‘comply’ so that they would not need to explain.

In view of the recent ‘disasters’ one cannot help but wonder how long this ‘comply or
explain’ principle will still last. There seems to be a growing demand for ‘compliance’ and
less interest in the ‘explanation’. Surely, the more emphasis is placed on compliance,
the greater the need for control and for independent audits in general.

[12] The full document can be consulted via http://www.ecgi.org/codes/code.php?code_id=14
(15 April 2005). Further information on Belgian codes is provided on pages 10-11.

Chapter II: Historical Background and codes
In order to comprehend to its full extent the speed and ‘drive’ with which corporate
governance codes, recommendations and/or regulations are either issued or altered, a brief
‘historical’ survey leading to the more recent developments will be provided. The word
‘historical’ is deliberately being put between quotation marks since it is merely dealing with a
period of 30 to 35 years. Whereas some may just argue that the basic principles of corporate
governance have been valid for centuries (referring even to the times of the East Indian
Trading Companies), others maintain that prior to 1970, the terminology ‘corporate
governance’ was relatively unknown. In view of the overall objectives of the paper, we shall
look no further back than approximately 35 years.
Although the development of corporate governance principles has taken place ‘all over the
world’, the following outline is limited to a personal selection of the more ‘important’ and
‘relevant’ evolutions in general and for Belgium in particular. [13]

II. 1 USA
The Watergate scandals in the US are commonly considered as the origin of the evolution of
corporate governance during the past three decades. In the early 1970s, the term ‘corporate
governance’ mainly appeared in American Law journals. The investigations resulting from
the Watergate scandals led to the Foreign and Corrupt Practices Act of 1977 which included
specific articles on the establishment, the maintenance and the review of the systems of
internal control.

A second wave of impulses was triggered by a number of corporate scandals and difficulties
(Kodak, General Motors, Sears…) which led to the formation of the Treadway Commission [14].
The report of the Treadway Commission (October 1987) emphasized the need for a proper
control environment, independent audit committees and the need for an internal audit
function. [15] The same report led to the formation of the Committee of Sponsoring
Organizations of the Treadway Commission (better known as COSO). The objective of the
COSO committee was to develop, in consensus, additional guidance on all aspects of internal
control, starting from one single definition of internal control. This committee, ‘sponsored’ by
five ‘professional’ organizations, was responsible for the report ‘Internal Control – Integrated
Framework’ (1992).
For the past decade now, this report has generally been referred to by the IIA (Institute of
Internal Auditors) and many other organizations as ‘the’ work of reference for internal control.

[13] Taking into consideration the definition of corporate governance, it is not possible to
list all ‘codes’. The focus is mainly being placed on a number of significant codes which have
largely contributed to the present day development of ‘corporate governance’. However, it must
be said that since corporate governance is such a broad ‘issue’, every document regulating
certain aspects of corporate governance could be included in a list of codes on corporate
governance. A large number of supranational, national or even regional professional
(regulating) organizations may have their ‘own’ codes dealing with a number of general and
specific corporate governance aspects typical for their ‘sector’. Among these sectors, we
commonly find the best regulated ones such as banking or insurance. This also accounts for the
fact that, whereas traditionally the majority of codes originated in government, stock
exchange, banking and accounting surroundings, we now also find ‘codes and principles’ drawn up
by shareholders associations, directors organizations, investment managers associations,
universities, pension fund associations. A number of these ‘codes and principles’ can easily be
accessed through the list of ‘codes and principles’ provided by the European Corporate
Governance Institute (www.ecgi.org) (15 April 2005).
[14] Although the commission is best known as the ‘Treadway Commission’, its original name was
‘The National Commission on Fraudulent Financial Reporting’.
[15] The full report can be consulted via www.coso.org/publications/NCFFR.pdf (15 April 2005).

Not so much a general corporate governance code, but nevertheless an interesting document
for internal auditors, is the report of the Blue Ribbon Committee on ‘Improving the
Effectiveness of corporate Audit Committees’ (February 1999). It lists 10 recommendations
to improve the effectiveness of audit committees, completed by 5 ‘guiding principles’. They
were formulated by the New York Stock Exchange (NYSE) and the National Association of
Securities Dealers (NASD). Of particular interest is principle 2 dealing with the ‘Independent
Communication and Information Flow between the Audit Committee and the Internal
Auditor’ stating among other things: ‘While management is responsible for internal controls,
the internal auditor is in a position to evaluate and report on the adequacy and effectiveness
of those controls. The internal auditor occupies a unique position – he or she is ‘employed’
by management, but is also expected to review the conduct of management. This can create
significant tension, since the internal auditor’s ‘independence’ from management is necessary
for the auditor to objectively assess management’s actions, but the auditor’s ‘dependence’ on
management for employment is clear. Recognizing this tension, the Committee believes that it
is essential to have formal mechanisms in place to facilitate confidential exchanges between
the internal auditor and the audit committee.’ [16]

The most recent event which resulted in a growing number of rules and regulations was the
series of corporate collapses that took place in the period 2002-2003 (Enron, WorldCom,
Adelphia, Tyco, …). These scandals led to a drastic change in the point of view of the
‘supervisory’ institutions. Comply or explain was no longer an option; only compliance
provided proper assurance for good corporate governance.
The Sarbanes-Oxley Act of 2002 (SOX) [17], including the Public Company Accounting
Oversight Board (PCAOB) [18], was a direct consequence of this swing toward ‘extreme’
hard-nosed corporate governance measures which were approved and supported by a large
majority in the US.
Between 2002 and 2004, no fewer than 8 sets of ‘rules’ or ‘codes’ were introduced and
implemented in an attempt to enhance good corporate governance on the one hand (telling
corporations what to do) and to restore the trust of ‘society at large’ on the other hand.

From the point of view of the position of the internal auditor, we note that already in that
same year 2002, the New York Stock Exchange no longer adhered to the comply or explain
principle and instead of ‘recommending’ or ‘expecting’ an internal audit function, the final
proposal text of the new standards ‘imposed’ the following rule: ‘All NYSE listed companies
must have an internal audit function’. [19]

Still, even with these new ‘measures’, which are meant to ensure ‘tighter control’ and thus
reduce or eliminate the risk of corporate scandals, new and more or less worrying news items
are being broadcast on a regular basis. [20]

[16] ‘Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of
Corporate Audit Committees’, NYSE, New York, 1999, p. 39. The full document can be consulted
via http://www.nyse.com/pdfs/blueribb.pdf (15 April 2005).
[17] The full document of the Sarbanes-Oxley Act can be consulted via
http://www.pcaobus.org/About_Us/Sarbanes_Oxley_Act_of_2002.pdf (16 April 2005)
[18] The idea of a supervisory board was eventually adopted by other countries such as Canada
which established the Canadian Public Accountability Board (CPAB) in early 2003. For more
information see http://www.pcaobus.org/ (12 April 2005) and
http://www.ica.bc.ca/kb.php3?catid=501 (16 April 2005)
[19] The full text can be consulted via http://www.nyse.com/pdfs/corp_gov_pro_b.pdf
(16 April 2005)
[20] A useful source for US corporate governance news is http://www.srimedia.com
(15 April 2005)

II. 2 United Kingdom
Although more recently corporate governance seems far more the ‘hot’ issue in the US, one
cannot ignore the importance of the corporate governance developments in Britain since the
beginning of the 1990s. As nowadays in the US, the urge for corporate governance
regulations in the UK was also mainly triggered by a series of corporate ‘accidents’ (BCCI,
Maxwell Group, …).

The first committee established to deal with the financial aspects of corporate governance was
the Cadbury Committee. This committee was particularly concerned with the ‘perceived’ low
level of confidence in financial reporting. Although the reports of the Treadway Commission
preceded it by several years, the Cadbury Report (Dec. 1992) [21] is generally
believed to be the foremost cornerstone of modern corporate governance. Its findings and
recommendations, leading to the present day evolutions of corporate governance worldwide,
had quite an effect on the corporate world. The three basic principles included: openness,
integrity and accountability. One of the most controversial and revolutionary requirements,
and at the same time the one that had the potential of having an impact on internal auditing,
was the requirement that ‘the Directors should report on the effectiveness of a company’s
system of internal control.’ [22]

A lesser-known report was the Rutteman Report or ‘Internal Control and Financial Reporting:
Guidance for directors of Listed Companies Registered in the UK’ (Dec. 1994). It is worth
mentioning because it was the ‘predecessor’ of the ‘Turnbull Report’ and was based on the
COSO principles on internal control. [23]

Chronologically, the next event was the establishment of the Greenbury Committee [24], which
was in its turn followed by the Hampel Committee. The Hampel Committee was responsible
for drawing up the ‘Combined Code’ (June 1998) [25]. The Combined Code broadened the
importance of corporate governance and included, next to elements of accountability, also
elements of prosperity. The final report of the Hampel Committee starts as follows: ‘The
importance of corporate governance lies in its contribution both to business prosperity and to
accountability.’ [26] In fact, the Combined Code, as the term itself suggests, was a combination
of the recommendations of the Cadbury Committee, the Greenbury Committee and the
Hampel Committee. On the one hand, the committee decided that accountability was
important and thereby endorsed the contribution made by the Cadbury Committee, but on the
other hand it also decided that the emphasis put on accountability by the Cadbury Report
tended to draw too much attention away from the primary responsibility of the board: to
enhance the performance and the profit of the business.

[21] The complete report can be consulted via
http://www.blindtiger.co.uk/IIA/uploads/2c9103-ea9f7e9fbe--7e15/Cadbury.pdf (16 April 2005).
[22] Recommendation 4.5 of the code of best practice of the Cadbury Report via
http://www.blindtiger.co.uk/IIA/uploads/2c9103-ea9f7e9fbe--7e15/Cadbury.pdf (16 April 2005).
[23] Note that ‘traditional’ literature on corporate governance development in the UK
frequently only mentions three reports on corporate governance: the Cadbury, the Greenbury and
the Hampel reports. Both the Rutteman Report and the Turnbull report are often considered as
either ‘guidance’ or ‘reports on internal control’ and not on corporate governance as such.
Moreover, since the Rutteman Report has been superseded by the Turnbull Report it is hardly
ever mentioned.
[24] The Greenbury Committee was set up by the government to look into directors’ pay and
benefits. It made recommendations in the form of a code which was published in July 1995. It
will not be dealt with further in this paper. The report can be consulted via
http://www.ecgi.org/codes/documents/greenbury.pdf (16 April 2005).
[25] The revised version of the Combined Code can be consulted via
http://www.ecgi.org/codes/documents/combined_code.pdf (16 April 2005).
[26] The Hampel Report via http://www.ecgi.org/codes/documents/hampel23.pdf (16 April 2005).

The last report that had significant implications for corporate governance but also for internal
auditing is the ‘Turnbull Report’ (September 1999) [27]. The purpose of the Turnbull Report is
to provide guidance on certain aspects of the Combined Code, especially those dealing with
internal control. Since this is the most recent report and since it takes into account the
recommendations of the others, it may be interesting to have a look at some of the
fundamental recommendations.
- Listed companies are expected to have a sound system of internal control to safeguard
shareholders’ investment and the company’s assets.
- Management needs to review the effectiveness of internal controls on an annual basis, at
least.
- The risk facing the business should be regularly evaluated.
- The review should include risk management, operation and compliance, as well as
financial controls.
- Risk management is the collective responsibility of the whole board.
- The board is ultimately responsible for internal control, but may delegate aspects of the
review work.
- The need for an internal audit department needs to be kept under review.
This report pays particular attention to aspects of risk management and internal auditing!

This by no means implies that, since the Turnbull Report, no further efforts were made to
enhance and promote good corporate governance. On the contrary, similarly to the US
scenario, a great number of guidelines, reports and codes were (re)written in the past years.
It cannot be denied, however, that some of them are merely ‘updates’ of previous reports and
codes or that some of them elaborate on a particular aspect of corporate governance in general
such as audit committee guidance or guidance for non-executive board members.

Contrary to the ‘American’ developments, there remains a large degree of ‘voluntary
compliance’ and the ‘comply or explain’ principle is still explicitly present in these ‘English’
documents. This is also valid with regard to the internal audit function; companies that do not
have an internal audit function are recommended to review the need for one ‘from time to
time’ and they should explain why they do not have one.
In the case of the revised ‘Combined Code on Corporate Governance’ of 2003, even listed
companies are merely expected to comply with the Code’s provisions most of the time. [28]
Moreover, the same document suggests a number of company specific factors which may
offer an acceptable reason why the company does not have an internal audit function. These
include the scale, diversity and complexity of the activities, the number of employees and the
cost/benefit considerations. [29]

[27] The Turnbull Report can be consulted via http://www.ecgi.org/codes/documents/turnbul.pdf
(16 April 2005) or http://www.icaew.co.uk/viewer/index.cfm?AUB=TB2I_6342&tb5=1
(16 April 2005).
[28] ‘The combined Code on Corporate Governance’, July 2003, p. 1, via
http://www.ecgi.org/codes/documents/combined_code_final.pdf (16 April 2005)
[29] Ibid. p. 37.

II. 3 Belgium
In January 1998, ‘the Association of Belgian Enterprises (FEB-VBO) released a set of
corporate governance recommendations based on the Cadbury Code and the Brussels Stock
Exchange issued a set of ‘benchmark’ guidelines for good corporate conduct.’ [30]

At about the same time (also January 1998), the Belgian Banking & Finance Commission
(CBF) issued its ‘Recommendations of the Belgian Banking & Finance Commission’.
In December 1998, the Brussels Stock Exchange presented its own report, ‘Report of the
Belgian Commission on Corporate Governance’, also known as the Cardon Report.

However, the Belgian Banking & Finance Commission and the Brussels Stock Exchange
decided to incorporate their respective codes in one single document: ‘the Dual Code of the
Brussels Stock Exchange and the Belgian Banking & Finance Commission’.

To complete the set, suffice it to add that in January 2000 ‘the Director’s Charter’ was drawn
up by the ‘Fondation des Administrateurs’.31

Unlike the situation in the USA and the UK, however, there was no apparent immediate cause
for the development of corporate governance in Belgium at that time32. The Belgian Code for
corporate governance puts a slightly different emphasis on different aspects of corporate
governance. As it seems, the primary purpose was not to enhance the accountability of
corporate executives but rather to call for a greater managerial independence from dominant
shareholders. 33

Nevertheless, the three ‘original’ codes are all based on the Cadbury Report, be it with due
consideration for the Belgian situation. It is interesting to learn that during the preparation of
the three original codes, there was ample consultation among the different parties involved.
Fortunately this has led to the fact that there are no actual contradictions to be found between
them.34
These Belgian codes mainly deal with a number of aspects pertaining to the board: role,
composition, working and reporting.

30
Cheffins, Brian R., ‘Corporate governance Reform: Britain as an Exporter’, December 1999, p. 7, via
http://papers.ssrn.com/sol3/delivery.cfm/000307304.pdf?abstractid=215950 (16 April 2005).
31
Some authors consider this document as a corporate governance code, others do not. The document in
question is a short list of a number of best practices descriptions of 10 specific tasks performed by company
directors, of which the last task is to adhere to the charter itself. The full document can be consulted via
http://www.ecgi.org/codes/documents/fda_code_eng.pdf (16 April 2005).
32
Not everybody agrees with this point of view. Michel De Samblanx notes that ‘although literature always
argues that the Belgian situation is different from the situation in the US, it was a similar situation which led to
the raid on the ‘Generale Maatschappij van België’ in 1988 by Carlo de Benedetti’ (free translation from: De
Samblanx, Michel J., ‘Corporate governance en niet-genoteerde vennootschappen met een casus over een
familiale vennootschap, Economisch en Sociaal Tijdschrift, Antwerpen, 1999/2, p. 314) According to professor
De Samblanx, there are two originating causes for corporate governance developments in Belgium: the first
being the judicial claim on the domain of corporate governance and the second being the more ‘economic’
concern with consideration for a ‘sound’ structure of internal control.
33
Cheffins, Brian R., ‘Corporate governance Reform: Britain as an Exporter’, December 1999, p. 12, via
http://papers.ssrn.com/sol3/delivery.cfm/000307304.pdf?abstractid=215950 (16 April 2005).
34
Meeus, D., ‘De Recente Belgische Aanbevelingen inzake Corporate Governance’ in ‘Corporate Governance,
het Belgisch perspectief, Antwerpen-Groningen, Intersentia Rechtswetenschappen, 1999, p. 37.

Realizing that different codes hardly contributed to a uniform interpretation of good
governance principles, a new effort for a single code of best practice on corporate governance
for listed companies was launched in 2004. A joint initiative was taken by the three
‘organizations’ involved to form a Corporate Governance Committee whose task it was to
draw up a new Corporate Governance Code, taking into consideration the principles of the 3
original codes. Following the U.K. model, the committee opted for a principle-based
approach instead of rule-based and kept the ‘comply or explain’ principle.
The final result is the Belgian Corporate Governance Code dealing with 9 basic principles and
offering supplementary provisions and guidelines. This code is initially only applicable for
listed companies.35
Since the code is basically meant for listed companies and only recommends that non-listed
companies should follow the Code whenever possible, a reaction by non-listed SME (Small
and Medium-sized Enterprise) professional organizations led to the drawing up of a draft
corporate governance code for non-listed enterprises, the Buysse Code. Next to a number of
recommendations which are equally valid for listed companies, this code also includes a
number of ‘specific’ recommendations for non-listed companies. These specific
recommendations deal with particular aspects such as:
- family owned businesses and the advantages of a family forum, a family charter, etc…
- best practices for SME in the field of banking relations, supplier relations, client relations,
personnel relations, etc…36

Both the UK and Belgian Codes are ‘principle based’ while the US codes are ‘rule based’.

II. 4 Other
This chapter provides some information on the names and dates of a number of ‘national’
codes or reports. It also deals briefly with three pan-European or international codes:
- the Principles of the OECD (Organisation for Economic Cooperation and Development)
- the Basel Committee Publications
- Corporate Governance Principles and Recommendations of the EASD (European
Association of Securities Dealers)

A number of national codes and reports are frequently ‘quoted’ in corporate governance
literature. Purely from an informational point of view some of the better known ones are
listed below:37
1997: The Peeters Report (The Netherlands)
1998: The Olivencia Report – Código de Buen Gobierno (Spain)
1998: The KonTraG (Germany)
1999: The Viénot II Report (France)
1999: Five years to the Dey (Canada)
2000: Corporate Governance Rules for German Listed Companies (Germany)
2001: King II Report (South Africa)
2001: Beyond Compliance: Building a Governance Culture (Canada)

35
The full text of the Belgian Corporate Governance Code, published on December 9, 2004 can be consulted via
http://www.corporategovernancecommittee.be/library/documents/final%20code/CorpoGov_UK.pdf (16 April
2005)
36
The text of the draft version of the Buysse Code can be consulted via
http://www.ucm.be/ucm/ewcm.nsf/0/5066c3fee76b7e84c1256fc8004b0dfa/$FILE/Projet%20Code%20Corporate
%20governance%20PME.pdf - French version – (20 April 2005)
37
No further information on these codes will be given here. As mentioned before, the cornerstone of modern
corporate governance was certainly the Cadbury Report. A lot of the reports listed here drew their
recommendations from the Cadbury Report. Sometimes they are even referred to as the ‘French’ or the ‘Dutch’
version of Cadbury.

2002: The German Corporate Governance Code – The Cromme Code (Germany)
2002: Corporate Governance Code (Italy)
2003: Corporate Governance: A guide to good disclosure (Canada)
2003: The Dutch Corporate Governance Code – The Tabaksblat Code (The Netherlands)
2003: The Aldama Report (Spain)
2003: The Corporate Governance of Listed Corporations (France)
2004: Recommandations sur le gouvernement d’entreprise (France)

In addition to this shortlist there are numerous other codes which have been drawn up all over
the world over the past 5 years. 38
In Europe, a large number of codes were renewed or updated after the Ahold, Parmalat and
Dutch/Shell scandals.

The OECD Principles of Corporate Governance


In 1998 the OECD council asked the OECD as an organization to draw up a set of corporate
governance principles. The purpose of this ‘exercise’ was to help members and non-members
to evaluate and improve the framework for corporate governance in their respective countries.
The principles were adopted in May 1999 by no less than 29 countries. The principles focus
on listed companies and they represent a common basis on which the OECD members agreed
as being of principal importance for the development of good corporate governance practices.
The OECD recognizes that there is not just one single model of good corporate governance
and explains that the principles are based on common elements from different cultures and
countries. The principles, like recommendations in general, are not binding.
Based on the idea that the principles are a generic instrument on the one hand and the fact that
the whole phenomenon of corporate governance was rapidly evolving, the original document
was revised in 2002.39
The current version includes 6 principles completed with a number of recommendations.
While the principles aim at serving as a reference point for all OECD members, it is precisely
the way in which the steering group has formulated the possible use of the principles (not
binding, complementary to other codes, not dealing with certain aspects such as ‘board
structure’, etc…) which illustrates the existing divergence among the national codes.
The annotations to the principles refer to the internal auditor as a possible provider of
accurate, relevant and timely information, especially to non-executive board members,
thereby stressing the importance of providing easy access for non-executive board members
to the internal auditor who is described as a ‘key manager within the company’.

The Basel Committee


The BIS (Bank for International Settlements) is an international organization aimed at
promoting and enhancing cooperation among central banks (and other agencies) in pursuit of
monetary and financial stability. The Basel Committee was formed in 1974 and includes
members of thirteen countries (including Belgium). The committee has no formal authority
and relies mainly on the commitment of its members. The main objective of the Committee is
to promote sound banking supervisory standards.

Two publications40 which merit the attention of the internal auditor in general and especially
the internal bank auditor are:

38
A large number of these codes can be consulted through http://www.ecgi.org/codes/all_codes.php (16 April
2005)
39
The complete document of the revised principles can be consulted via
http://www.oecd.org/dataoecd/32/18/31557724.pdf (16 April 2005).

- ‘Enhancing corporate governance in banking organisations’ (September 1999) 41
- ‘Internal audit in banks and the supervisor’s relationship with auditors’ (August 2001)42
The first publication aims at reinforcing the importance of the OECD principles for banks and
at the same time addresses a number of ‘new’ issues such as ‘risk management’ and ‘audit
functions’.
The second one truly represents a milestone in emphasizing the significant role of the internal
auditor with regard to the evaluation of internal control processes. It partially builds on the
first document and further elaborates on various aspects of internal auditing to enhance
corporate governance, albeit in banking surroundings.
‘Strong internal control, including an internal audit function, … is part of a sound corporate
governance’43

Corporate Governance Principles and Recommendations of the EASD


In May 2000, the European Association of Securities Dealers (EASD) released its report:
‘Corporate Governance Principles and Recommendations’. The organization is fairly young;
it was only formed in 1994. In 1997 the organization installed a Corporate Governance
Committee.
The report sets out from the point of view of corporate governance in relation to stock
markets and liquidity. It is a pan-European, non-binding report, which is more detailed than
e.g. the ‘OECD Principles’. In view of the origin of the paper, it is no wonder that no less than
five of the nine principles deal with corporate governance aspects pertaining to the rights of
shareholders. The last four deal with more general aspects such as composition of boards,
conflict of interest, and disclosure of information.44

40
The Basel Committee has published a number of papers dealing with internal control, internal audit and
corporate governance. Although they address the banking world in the first place, the papers often offer general
application possibilities. A list of papers drawn up by the Basel Committee can be consulted via
http://www.bis.org/bcbs/publ.htm (17 April 2005).
41
This publication can be consulted via http://www.bis.org/publ/bcbs56.pdf (17 April 2005).
42
This publication can be consulted via http://www.bis.org/publ/bcbs84.pdf (17 April 2005).
43
Basel Committee, ‘Internal audit in banks and the supervisor’s relationship with auditors.’ August 2001, p. 1,
via http://www.bis.org/publ/bcbs84.pdf (17 April 2005).
44
The full document can be consulted via http://www.ecgi.org/codes/documents/easd_cg_pr.pdf (16 April
2005).

Chapter III: Participants
Consulting literature on the subject of corporate governance provides us with different views
from different angles consequently taking into consideration different players. Some speak
only of owners, managers and directors, while others broaden the ‘team’ to all kinds of
stakeholders including society as a whole.

According to Lutgard Van den Berghe & Abigail Levrau the number of players and the
identity of the players depend on the ‘level of corporate governance’. Their study reveals 5
different levels of which the first is the narrowest form of corporate governance, which deals
only with the Board of Directors. Level two includes shareholders, directors and management
(a combination called the corporate governance tripod). Level three also includes
stakeholders such as employees, suppliers and clients. Level four will broaden the scale even
further to include ‘all’ stakeholders (government, environment, society). Typical of a fourth
level model is the emphasis that organizations, which adhere to this model, place upon ethical
and socially responsible entrepreneurship. Level five is a macro economic level, which may
be situated on a national, European or even global scene and includes questions like enterprise
culture, entrepreneurial value, etc… 45

The objective of this chapter is to have a look at the possible different players. Since some
are more ‘crucial’ than others, some will be discussed more extensively than others.
The following ‘participants’ will be dealt with:
- the board of directors
- management
- the audit committee
- the ‘stakeholders’ including shareholders, suppliers, customers, employees …46

III. 1 Board of Directors


One of the crucial players or participants in the corporate governance process is the board as a
whole as well as its members individually.
Generally speaking, the board is responsible for the oversight of all matters of corporate
governance. In particular, relating to internal control, the board should report on the
effectiveness of a company’s system of internal control. This was first outlined in the Cadbury
Code47 but can still be found in the Combined Code.48
The overall responsibilities of the board include the following tasks:
- ensure the strategy of the organization (development, implementation and follow up)
- oversee management’s risk management (effective, proactive and continuous)
- judge corporate culture (tone at the top – ethical values…)
- measure and monitor performance (both leading and lagging)
- evaluate proper diligence in transformational transactions (acquisitions, mergers,
alliances, joint ventures, including major capital expenditure)
- evaluate management, compensation and succession planning

45
Van den Berghe L., Carchon S., ‘Corporate Governance Practices in Flemish Family businesses’, September
2001, p. 4, via http://papers.ssrn.com/sol3/papers.cfm?abstract_id=288287 (17 April 2005).
46
The auditor has deliberately not been mentioned here as a ‘player’ since his role is not dealt with in this
chapter. The role of the auditor is dealt with in chapter VI ‘The Internal Auditor and Corporate Governance’ p.
32 ff.
47
See footnote 21.
48
See footnote 25.

- communication and disclosure (financial and operational disclosure including corporate
governance practices)49

These are just some of the responsibilities of the board. It is very well possible that boards
shall also deal with a number of ‘specialized’ tasks which have not been included here.50

In practice, the success of the board in assuming the above responsibilities will depend largely
on the board dynamics which, in its turn, is the result of the composition of the board.
Its members shall therefore have a competency profile according to the type and function of
the board. A number of minimum competencies for board members in view of corporate
governance are being recommended. According to the type of literature, different lists of
possible competencies (attributes and skills) are provided. Some authors will define certain
competencies as compulsory, while others merely recommend. The following may be
considered ‘best practice’ items:
1. accountability (understand and accept the duties and obligations)
2. strategic thinking (contribute to the development of the vision with the ability to identify
and adapt to trends and changes)
3. monitoring (be able to analyze, review and assess financial and operations reports and
performance)
4. policy development (assess objectives, endorse standards and establish resource allocation
priorities)
5. decision making (consider all possible solutions taking into account ethical values,
different opinions, risk and opportunities, and all the stakeholders’ expectations)
6. advising (evaluate the needs, interpret the information and suggest proposals and
solutions)
7. teamwork (work cooperatively and constructively with other board members and
employees thus fostering mutual respect and trust)51

A last ‘characteristic’ of the board which may in the end well prove to be one of the most
important characteristics is what Michael Jensen calls: ‘Board Culture’, referring to the way
in which board meetings take place. He further elaborates on the subject stating that: ‘The
culture of boards will not change simply in response to calls for change from policy makers,
the press, or the academic community. It only will follow, or be associated with, general
recognition that past practices have resulted in major failures and substantive changes in the
rules and practices governing the system.’52
Since the above remarks by Jensen were launched almost a decade ago, we can only conclude
that he was right. Something has to happen before change takes place.

49
For a full description of these responsibilities we refer to: The Institute of Internal Auditors Research
Foundation, ‘Corporate Governance and the Board - What Works Best’, prepared by Pricewaterhouse Coopers,
2000, pp. 107.
Another possible source for key responsibilities of the board is the ‘OECD principles for Corporate
Governance’ p. 24, via http://www.oecd.org/dataoecd/32/18/31557724.pdf (17 April 2005). Most of the more
recent codes normally devote quite some attention to the responsibilities of the board as well.
50
Caution is advised on the English use of the word board which does not necessarily refer to the board of
directors of an organization or a company. Board can also refer to an independent (governmental or federal)
agency (entity) with specific (operational) responsibilities, e.g. the wildlife board, the access board, the board of
appeal, the transportation research board, the transportation safety board, a dental board, a medical board etc…
51
This information is based on ‘List of Board Member Skills and Attributes’, via
http://www.dpc.wa.gov.au/psmd/pubs/exec/boards/boards14.html (17 April 2005).
52
Jensen, Michael C., ‘The Modern Industrial Revolution, Exit, and the Failure of Internal Control Systems’,
1993, p. 41-42, via http://papers.ssrn.com/sol3/paper.taf?ABSTRACT_ID=93988 (17 April 2005).

The recent call for ‘independent, non-executive’ directors is certainly one step in the right
direction. The independent non-executive directors are regarded as the only true
representatives of all stakeholders. 53

III. 2 Audit Committee


Audit committees are vital to investors and internal auditors. For the investor, they have to
provide confidence in corporate governance. For the internal auditor, they have to assure his
independence. Recent developments have given audit committees more authority on the one
hand and more responsibility on the other.

Since the audit committee is a ‘specialized’ subcommittee of the board, standards of
competency are even more important than those set out before (see above Board of
Directors).

Just as for the Board of Directors, the key success factors of the audit committee will be
dependent on the skills and attributes of its members. Even more emphasis is placed on
aspects such as ‘…time commitment, financial literacy, and, above all, independence’.54

The independence of the audit committee is largely determined by the number of ‘outside’
members. A study among Canadian publicly traded companies showed that firms were
‘voluntarily’ including more ‘outsiders’ on their audit committees when:
1. the proportion of outside directors on the board increased
2. the functions of CEO and chairman were segregated
3. the overall size of the board increased55

Upon consulting a number of codes which are currently in force in different countries, it can
be noted that there are currently two major ‘principles’ with regard to audit committee
composition. The first one states that the audit committee should be composed entirely of
members who are at the same time non-executive as well as independent. The other opts
for an audit committee composed exclusively of non-executive members but with (only) a
majority of independent members.
The second option allows former executive members or important shareholders who are not
actively involved in management to become audit committee members. Although they can
hardly be defined as ‘independent’, they do not perform an executive role and they can
contribute an important amount of relevant expertise to the audit committee.
For not only should audit committee members have appropriate knowledge of financial issues,
but also of non-financial issues, and they should have proper experience with regard to the
organization’s operations. Their main objective is to contribute to the assessment of the
effectiveness of the system of internal control in general.

53
In view of the objectives of the paper, we will not go into this aspect of corporate governance any further,
although we have to confirm that the call for independent board and committee members has been intensified in
recently proposed revised recommendations for corporate governance. An outline of possible different ‘types’ of
directors; executive vs. non-executive, internal vs. external, dependent vs. independent (Belgian model), is
offered by De Samblanx, M. in ‘Corporate governance en niet-genoteerde vennootschappen met een casus over
een familiale vennootschap’, Economisch en Sociaal Tijdschrift, Antwerpen, 1999/2, pp. 318-325.
54
‘Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate
Audit Committees’, NYSE, New York, 1999, p. 21, via http://www.nyse.com/pdfs/blueribb.pdf (17 April 2005)
55
Beasley, M., Salterio, S., ‘The Relationship Between Board Characteristics and Voluntary Improvements in
Audit Committee Composition and Experience’, p. 23, 2001, via
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=272590 (17 April 2005).

The obligations of the audit committee are manifold.56
‘In general, audit committees take responsibility in three important areas: Financial reporting,
Corporate governance and Corporate control.’57
‘The responsibility of audit committees in the area of corporate governance is to provide
assurance that the corporation is in reasonable compliance with pertinent laws and
regulations, is conducting its affairs ethically, and is maintaining effective controls against
employee conflict of interest and fraud.’58

III. 3 Management
‘The quality of corporate behavior is a critical issue in terms of the competence of
management and is often the subject that the media highlight when companies fail.’ 59

The Basel committee defines the role of senior management with regard to corporate
governance by saying:
‘Senior management is a key component in corporate governance. While the board of
directors provides checks and balances to senior managers, similarly, senior managers should
assume that oversight role with respect to line managers in specific business areas and
activities. …key management decisions should be made by more than one person (‘four eye
principle’).’60

In other words, the whole issue of corporate governance stands or falls with management.
They deal with all aspects of corporate governance on a day-to-day basis. They set the tone at
the top, guard over the ethical values, fraud and social corporate responsibilities, and practice
‘risk management’61, … and finally, they are responsible for internal control.
Especially the last part dealing with internal control proves to be one of the cornerstones on
which the internal auditor’s involvement in corporate governance is based.

Within the management constellation, a particular importance is given to the CEO:


‘Chief executive officers are the most important players in the internal control oversight
process that add the best value. Their attitudes, actions, and judgments must be compatible
with the principles of good corporate governance.’62

56
A practical example of a list of responsibilities of the Audit Committee is ‘What are the roles and
responsibilities of the audit committee’, via http://www.microfinancegateway.org/audit/mfis/faq_01q003.htm
(17 April 2005).
57
Over the past few years, a clear shift toward more emphasis on corporate governance has been observed. Until
a few years ago, the most important tasks of the audit committee were to assist the board in the evaluation and
oversight of financial information, of the system of internal control and of the auditing process. Corporate
governance as such figured under ‘miscellaneous’. Nevertheless, already then it was felt that corporate
governance was going to play an increasingly more important role in the future and an important contribution
had to be foreseen for non-executive directors and the audit committee. (see also De Samblanx, M.,
‘Auditcomités en Corporate Governance’, Studies IBR, controle 3/95, Antwerpen, 1995 pp. 12-23 dealing with
the tasks of the audit committee).
58
Institute of Internal Auditors: ‘Internal Audit and the Audit Committee: Working together toward common
goals’, via http://www.theiia.org/index.cfm?doc_id=372 (17 April 2005).
59
Percy, J.P., ‘Auditing and Corporate Governance – a Look Forward into the 21st Century’, International
Journal of Auditing, 1(1), 3-12, 1997 p. 8.
60
Bank for International Settlements, Basel Committee, publication N° 56, ‘Enhancing Corporate Governance for
Banking Organisations’, September 1999, p.7, via http://www.bis.org/publ/bcbs56.pdf (17 April 2005).
61
A full description of the different responsibilities for risk management can be found in: Institute of Internal
Auditors Research Foundation, ‘Corporate Governance and the Board - What Works Best’, prepared by
Pricewaterhouse Coopers, 2000, p. 17.
62
Root, S.J., ‘Beyond Coso: Internal Control to enhance Corporate Governance’, John Wiley & Sons, Inc., New
York, 1998, p. 11.

III. 4 Stakeholders
This player is actually a group of players of which the ‘members’ all have a ‘stake’ or interest
in the organization.
Although there are numerous definitions of a stakeholder, they usually can be narrowed down
to the same basic idea: ‘A stakeholder is a group or individual who can affect or can be
affected by the achievement of the organization’s objectives.’

Especially with regard to issues such as Corporate Social Responsibility63, the term
‘stakeholder’ has entirely replaced the word ‘stockholder’. Although stakeholder may sound
a little like stockholder, they both may have totally different, if not opposite, expectations.

Among the stakeholders, different sources traditionally recognize investors (shareholders,
financiers – banks, creditors, donors…), employees (full time and temporary, volunteers,
managers…), suppliers (key suppliers, distributors, affiliates…) and customers, and more
recently also government (e.g. tax authorities) and the communities in which the organization
operates.64

Note that the interest of the ‘investor-shareholder’ is of a particular kind and often very
different from the other stakeholders. The other stakeholders may have contractual, binding
or legal claims on the company in the form of wages and benefits, invoices to be paid, loans
to be reimbursed, taxes etc… The shareholder also has expectations, but they are focussed on
the profit of the organization. Subsequently his claim follows all others. Thus, the individual
role of stakeholders may be very different. 65

Moreover, one should not forget that increasingly more ‘expectations’ go well beyond the
contractual, binding or legal claims. Considering the employee-stakeholder, we find that a lot
of expectations are related to values. Expectations are guided by those aspects the individual
or the group considers to be important. Of course, they expect to be paid, but the reasons why
somebody is or isn’t ‘happy’ with his or her job are rarely just wage-related. Tensions
between employers and employees often originate from different accents on different values.
While employees may value more honesty, happiness and fair treatment, the organization may
well focus on their expectations being quality, flexibility and efficiency.
This does by no means imply that the employee does not adhere to the value of quality, nor
the organization to the value of honesty, but that their priorities are nevertheless somewhat
different. The way in which these priorities are set by the organization and the way they are
perceived by the employee-stakeholder will contribute to the image and the perception of
‘good corporate governance’.

63
See also pp. 41-42.
64
Recently, the ‘group’ of stakeholders has been expanding along with the expansion of the importance of
corporate governance in general. The stakeholders group has come to include more ‘external stakeholders’ such
as the media, the stock exchange, governmental departments and agencies, environmentalists, consultants and
advisors, auditors, trade unions, business associations, competitors, non-profit organizations, consumer
protection groups, communities etc…
65
Chapter IV of the annotations to the ‘OECD Principles of Corporate Governance’ is called ‘The Role of
Stakeholders in Corporate Governance’. It deals with possible roles for shareholders and also very briefly with
e.g. employees and creditors but given its pan-European scope the recommendations or suggestions remain very
general. OECD Principles of Corporate Governance, 2004, p. 46 ff., via
http://www.oecd.org/dataoecd/32/18/31557724.pdf (17 April 2005).

The challenge for corporate governance is to meet the expectations of both the stakeholders
and the shareholders, for an organization cannot be successful when neglecting the
expectations and needs of either. Without prospects of a sound return on investment, any
organization will fail in attracting capital; and in neglecting the expectations and needs of the
other stakeholders, again the organizations will not succeed in reaching their objectives.

Chapter IV: Aspects of Corporate Governance
IV. 1 Attributes
In dealing with aspects of corporate governance, various approaches are possible. However,
in combining the definition chosen at the outset of the paper with the different participants
discussed in the previous chapter, one way of looking at the aspects of corporate governance
would be to start from the stakeholders’ expectations. In other words: ‘What are the
stakeholders looking for in the organization?’.
Again, depending on the organization, some of these expectations may vary. Stakeholders, or
better shareholders, of non-profit organizations may have different expectations than those of
profit organizations. In general, however, they will all look for the same basic characteristics
of ‘good’ corporate governance.

Literature on corporate governance often mentions four to seven distinct core attributes of
corporate governance:
1. discipline
2. transparency
3. independence
4. accountability
5. responsibility
6. fairness or equitable treatment
7. social responsibility 66

- Discipline involves the commitment to adhere to ‘proper’ behavior by management.
- Transparency deals with aspects of timely disclosure of accurate and complete
information. This information may pertain to financial statements but also to operational
performance. Transparency should be applied to reports but also to any release of
information. The disclosed information must be clear and easy to analyze.
- Independence is aimed at assuring a fair distribution of power and independence; as such, it
deals with the composition of the board and the appointment of committee members and auditors. It
will help to avoid conflicts of interest.
- Accountability must provide investors with the means to question the board and its
committees. Accountability will ensure that the board monitors the systems of internal
control, takes into account the expectations of the stakeholders in general and the
shareholders in particular and that governance roles and responsibilities are sufficiently
known.
- Responsibility is all about being responsible for the actions and the decisions taken by
management. Responsibility ensures that the board is responsible for taking action should
corrective intervention be called for. Responsibility equally involves compliance with laws
and regulations.
- Fairness should be aimed at balancing the interest of all stakeholders in general and at
protecting the rights of the (minority) shareholders in particular.
- Social responsibility implies that proper priority is given to ethical values and socially
correct behavior. This will ensure a ‘decent’ corporate reputation.

66
While some corporate governance codes or reports list only four aspects, others list more which may or may
not be an extension of those four. Normally the four aspects are fairness, transparency, accountability and
responsibility. The King II Report (South Africa) lists seven aspects. They include the four ‘core’ aspects but
were extended with aspects such as Discipline, Independence and Social Responsibility. The first King Report
included six aspects. (Discipline was not listed as a separate aspect.)
http://www.ecgi.org/codes/documents/executive_summary.pdf (17 April 2005).

Many codes of corporate governance hold a mix of principles, guidelines and
recommendations while in fact these are often nothing more than a set of rules or measures to
attain the core attributes.
Similar to the risk-based auditing principle, where the key notions are objectives, risks and
control measures, corporate governance codes are largely all about attributes, risks and rules.67

IV. 2 Code of Conduct


A major emphasis is placed on company conduct and ethics. Various resources recommend
or even require that a code of conduct be adopted, implemented and publicized.
The code of ethics should deal with several aspects of ‘preferred’ behavior under certain
circumstances. In many cases the code of ethics will be integrated in the general code of
conduct of the organization.68

While the code of conduct may also include the way in which company property (cars, hard-
and software, mobile phones) has to be handled, the code of ethics will mainly deal with
moral aspects of the behavior of personnel and staff of the organization.
Depending on the organization, elements of the code of ethics (code of conduct) may include:

♦ Integrity
♦ Humanity
♦ Impartiality
♦ Neutrality
♦ Fairness
♦ Diligence
♦ Objectivity
♦ Independence
♦ Honesty
♦ Confidentiality
♦ Privacy
♦ Equal opportunity
♦ Safety
♦ Security
♦ Loyalty
♦ External relationships …

The code of ethics may also deal with more specific issues such as conflict of interest, gifts
and contributions, use of inside information, fraud, copyright, sexual harassment, etc…69
Ethics is just one of the aspects of corporate governance which is continuously becoming
more important.

Nowadays, there are already quite a few ‘professional organizations’ which impose some sort
of code of ethics upon their members, whether they be individuals or organizations.
Moreover, public opinion seems to attach increasingly more value to the ethical behavior of
corporations, public and/or private.

67
A practical example of possible rules that may help to attain the attributes can be found in the paper written by
Chen, C.W. Kevin, Chen, Zhihong and John Wei, C.K., ‘Disclosure, Corporate Governance, and the Cost of
Equity Capital in Emerging Markets’, Hong Kong, October 2004, Appendix A, p. 43 via
http://www.accountancy.smu.edu.sg/research/seminar/pdf/Kevin_Chen.pdf (17 April 2005)
68
The King Report (the first version dating from 1994), the corporate governance code of South Africa,
describes a ‘code of corporate practices and conduct’. This code lists various corporate governance
recommendations on the ‘conduct’ of the board and its members. Only the last item deals specifically with the
code of ethics. Via http://www.ecgi.org/codes/documents/king_i_sa.pdf (17 April 2005). Note, by the way,
that article 10.1 states that ‘companies should have an effective internal audit function that has the respect of
both the board of directors and management’.
69
Just two examples of a code of ethics worthwhile having a look at are ‘Doing the right thing’, March 2004, the
ethics policy of Pinnacle West via http://www.pinnaclewest.com/files/DTRT_27Apr04.pdf (17 April 2005) and
the ‘Lockheed Martin Code of Ethics and Business Conduct’, January 2005, via
http://www.lockheedmartin.com/data/assets/7856.pdf (17 April 2005).

In recent years, a number of organizations or centers have been focusing on the aspects of
Ethics and Corporate Social Responsibility. According to these organizations ethical conduct
might just be the edge a business needs to succeed in our competitive world.
They argue that the ‘soft’ aspects of corporate governance will make the difference since all
other ‘hard’ aspects will be regulated by law.70 Or as the ‘Business Roundtable’ stated already
in 1997: ‘The ‘soft’, subjective factors in corporate governance… receive less attention from
scholars and journalists but are critical in the real world of corporate behavior.’71 These soft
factors include social, moral, health and safety issues.

In most recent developments, we detect that the adoption and disclosure of a code of conduct
has been made compulsory in a number of cases: ‘Listed companies must adopt and disclose a
code of business conduct and ethics for directors, officers and employees, and promptly
disclose any waivers of the code for directors or executive officers’.72 So we see that
although ethics itself may be ‘felt’ as a soft aspect since it is not always quantifiable in a
straightforward way, the fact of having a code of conduct has become a ‘hard’ measure.

As for the internal auditor’s role, the IIA clearly states in the standards that ‘The internal audit
activities must evaluate the design, implementation, and effectiveness of the organization’s
ethics-related objectives, programs and activities’. 73
‘The ethical climate and other “soft” controls are so important to the control environment that
they deserve a considerable share of auditor attention’74

All of this brings us to ‘those responsible’ for good corporate governance. Who is ultimately
responsible? Who has to protect the shareholders but also the other stakeholders? Who has to
ensure that the expectations are being met? The board!

IV. 3 Why Corporate Governance matters


It is essential that the board understands the importance of corporate governance. The quality
of corporate governance will have a profound impact on the:
1. efficiency of corporate assets use
2. ability to attract low-cost capital
3. ability to meet societal expectations
4. overall performance

70
Although quite a few examples of Codes of Ethics can readily be found on the internet, there are a number
of sites that deal specifically with the aspect of ethics in general and business ethics in particular. These sites
offer a variety of information and practical guidance with regard to a code of ethics (see e.g.
http://www.ethicsweb.ca/codes/ (17 April 2005) or http://www.ibe.org.uk/codesofconduct.html (17 April
2005)). An interesting document, although somewhat outdated, is the short paper by Bruce Kaye, ‘Compliance
and Corporate Culture: Making the Most Out of Codes of Ethics’ which appeared in the Australian Journal of
Management, Vol.21, N° 1, June 1996 pp. 11. It can be consulted on the web site of the Australian Graduate
School of Management via http://www.agsm.unsw.edu.au/eajm/9606/pdf/kaye.pdf (17 April 2005). It explains
different ways in which a code of ethics can add value to the organization.
71
The Business Roundtable, ‘Statement on Corporate Governance’, September 1997, p. 2, via
http://www.businessroundtable.org/pdf/11.pdf (13 April 2005). On May 14th 2002, the BRT (Business
Roundtable) issued a new report called: ‘Principles of Corporate Governance’, via
http://www.brtable.org/pdf/704.pdf (17 April 2005).
72
NYSE standards for listed companies approved by the SEC in November 2003 via
http://www.nyse.com/pdfs/finalcorpgovrules.pdf (30 April 2005)
73
implementation standard 2130.A1 via http://www.theiia.org/?doc_id=1617 (30 April 2005)
74
Verschoor, Curtis C., ‘The Ethical Climate Barometer’, Internal Auditor, October 2004, p. 53

1. Efficiency of corporate assets use
Effective corporate governance promotes the efficient use of resources since organizations
that actually exercise good and effective corporate governance will also attract investors’
capital. Indeed, through exercising good corporate governance those organizations will prove
to the potential shareholders their capability of producing goods or services in the most
‘efficient’ way and at the same time yielding a high return.

2. Ability to attract low-cost capital


Subsequently the investor confidence will lead to low-cost capital on the condition that the
investor is provided with a number of procedures which will protect his ‘share’.
These procedures should include:
- independent monitoring of management
- transparency in corporate performance
- ownership and control
- possibility to participate in certain fundamental decisions
In other words: corporate governance.

Moreover, the investor is prepared to pay more for a company with good corporate
governance because:
1. he believes that the company will perform better in the future
2. he believes he is reducing risk
3. the attention devoted to corporate governance is a fad and one does not want to be left
behind (everybody does it).75

From the ‘2000 McKinsey & Company Investor Opinion Survey’ we learn that no less than
81% of European investors are willing to pay an average premium of 19% for shares of a
‘well governed’ company. Belgium follows this trend with 79% and 19.6% respectively.76
Since the results of the 2002 survey do not comment on Belgium as such, we can only
compare the results of the biannual survey pertaining to Western Europe. This comparison
shows a decrease in the number of investors willing to pay a premium from an average of 81% to
78% and a decrease in the premium itself from an average of 19% to 14%.77 Despite the
decreasing results, the fact that still four out of every five investors are willing to pay for
‘good’ corporate governance puts corporate governance on the auditor’s priority list.

3. Ability to meet social expectations


This is an interesting point since it implies expanding one of the crucial aspects of internal
control, compliance with laws and regulations, to include ‘meeting societal expectations’.
Again, these particular expectations are often situated in the area of the ‘soft’ aspects of
corporate governance. There are no lists of these expectations, which may vary profoundly
from nation to nation, from sector to sector, from culture to culture. Nevertheless these soft
aspects are very much determining factors for the stakeholder perception of ‘how an
organization is doing’.

75
Source: excerpts from The McKinsey Quarterly, 1996, number 4, page 170, ‘Putting a value on Corporate
Governance’, via www.lens-library.com/mckinsey.html (17 April 2005).
76
The complete ‘2000’ report can be consulted via
http://www.mckinsey.de/_downloads/knowmatters/organisation/investor_opinion.pdf (17 April 2005)
77
The full ‘2002’ report can be consulted via
http://www.mckinsey.com/clientservice/organizationleadership/service/corpgovernance/pdf/GlobalInvestorOpinionSurvey2002.pdf
(17 April 2005). A personal e-mail from Marc Watson at McKinsey revealed that an
extension of the 2002 survey to cover an additional 8-10 countries had forced them to remove some other
countries based on the size of the local capital. This is the reason why detailed information on the behavior of
Belgian investors is no longer available.

4. Overall performance
Taking into account the first three impact factors, the only thing still missing for the overall
performance is the accountability by the board and management.
Corporate governance as such is no guarantee for improved success. It should, however,
contribute to a more efficient use of assets, to attracting low-cost capital, to meeting
expectations of stakeholders and shareholders, to helping to avoid or prevent corruption
within the organization, and in doing so lead to enhanced (better) performance.78

IV. 4 Corporate Governance guarantees?


After discussing the attributes of corporate governance and realizing the importance of a code
of conduct and understanding why corporate governance matters, we would like to find out
what elements are still missing and what guarantees corporate governance will offer.

Are there still aspects which may stop good corporate governance?
Yes there are. Some of these issues may be:
1. board members with conflict of interest
2. dependence of board members on their directorship fee for a living
3. lack of time commitment by board members to the company
4. new members are ‘inside’ nominated
5. insufficient training or education of directors
6. lack of discipline to comply with rules and regulations
etc…

Despite a growing awareness of good corporate governance, there are, and probably will
always be, some risk areas which cannot entirely be kept under control. In fact, the board
itself will not always be eager to implement a number of measures to counteract the above
risks. The internal auditor who experiences one of the above mentioned barriers may well
have to exercise a lot of patience in order to improve the situation. Patience alone, however,
will not suffice; a strong personality, an independent mindset and the necessary support from
the ‘top’ are crucial for a successful outcome.

In trying to persuade senior management and the board, the internal auditor will have to apply
‘due professional care’ and be on the alert for promises he cannot keep.

Good corporate governance is no assurance for good company performance!


One cannot imagine a chairman explaining the poor results of the company on the one hand,
but on the other quickly pointing out that the company upholds the highest standards of
corporate governance. The internal auditor must be aware that ‘contributing’ to good
governance is just one aspect of his job. We refer to the definitions of internal control and
internal auditing which we will encounter further on and which define the evaluation and the
improvement of the effectiveness of governance processes as only one aspect of internal
auditing. Directors and management need to take decisions on the basis of what is right for
the company in the first place, taking into account the principles of good corporate
governance and the ‘best practices’. They would fail in their job should they make decisions on
the basis of ‘best practices’ thereby leading the company to ‘bad’ results. This might well be
one of the reasons why a number of present-day codes still adhere to the ‘comply or explain’
approach.79 This measure can be compared with the use of the comply or explain measure
which internal auditors should offer their clients with regard to the remarks and
recommendations they make in their audit reports. Non-compliance is possible on the
condition that an (acceptable) explanation is provided. Should the auditor not accept the
explanation, then he can address his observations to the audit committee.

78
A substantial amount of information on the issue of ‘Why Corporate Governance matters’ was gathered from
‘Corporate Governance: What it is and why it matters’, paper by Holly J. Gregory and Marsha E. Simms, via
http://www.transparency.org/iacc/9th_iacc/papers/day2/ws3/d2ws3_hjgregorymesimms.html (17 April 2005).

Good corporate governance is no guarantee for successful business!


If the directors simply do not understand the business, then the business will go broke.
Nowadays, we can say that corporate governance codes and/or reports are widely spread all
over the world. Codes that include recommendations or regulations formulated by and for the
benefit of groups of investors, corporations, self-regulating organizations (e.g. NYSE),
associations of directors, business groups etc… are available.
However, these codes do not offer watertight solutions sure to guarantee success. They
generally offer a series of best practices which can lead to success. An important thing still
missing at that point is a process to provide reasonable assurance that the objective, ‘good
corporate governance’, can and will be achieved. Precisely that process is called internal
control.

IV. 5 Corporate Governance and Internal Control


Let us have a look at the subject of ‘internal control’, which so many codes refer to as a matter
on whose effectiveness boards should report at least annually. The Combined
Code for instance prescribes the following:80 ‘The Board should maintain a sound system of
internal control to safeguard shareholder’s investment and the company’s assets’.
It goes on as follows: ‘The directors should, at least annually, conduct a review of the
effectiveness of the group’s system of internal control and should report to shareholders that
they have done so. The review should cover all controls, including financial, operational and
compliance controls, and risk management.’81
And the final provision on ‘internal control’ says: ‘Companies which do not have an internal
audit function should from time to time review the need for one.’82

79
It is common knowledge that complying with the Sarbanes-Oxley act of 2002 is costing industry billions of
dollars. From an internal control point of view it is not easy to ‘weigh’ that cost (of compliance) against the
benefit. COSO suggests that one should always consider the relative costs and benefits when establishing
internal controls. The challenge lies in finding the right balance. Is the risk worth the control? We can only note
that many non-U.S. companies are not at all pleased, that some of them have voluntarily delisted and that the
number of new listings on U.S. exchanges has drastically diminished. See also Pozen, Robert C., ‘Can European
Companies Escape US Listings?’, Cambridge, 03/2004 via
http://www.law.harvard.edu/programs/olin_center/corporate_governance/papers/Pozen-European-Companies-464.pdf
(17 April 2005)
The Institute of Internal Auditors is just one of the parties curious about the exact cost of the Sarbanes-Oxley 404
implementation. See ‘Sarbanes-Oxley 404 Cost Survey’ via http://www.gain2.org/404cost.htm (17 April 2005)
Just to be complete, we include that non-U.S. companies were recently granted a deadline extension on the
implementation of Sarbanes-Oxley 404 via http://www.srimedia.com/artman/publish/article_894.shtml (15
April 2005)
80
‘The Combined Code, Principles of Good Governance and Code of Best Practice’ principle D2 ‘Internal
Control’, via http://www.ecgi.org/codes/documents/combined_code.pdf (15 April 2005).
81
Since COSO dates from 1992, it is understood that all codes and principles adopting this recommendation
were fully aware of the impact and the ‘magnitude’ of the term ‘internal control’ as defined by COSO.
Moreover, numerous reports and codes refer to and acknowledge the work that has been done by COSO.
82
The relation between internal control and the internal auditor is dealt with in Chapter VI ‘The Internal
Auditor and Corporate Governance’ p. 32 ff.

Having established that internal control is fundamental to corporate governance, let us then
have a look at the question: what is a sound system of internal control?
The definition of internal control, according to COSO reads:
‘Internal control is a process, effected by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
in the following categories:
• effectiveness and efficiency of operations
• reliability of financial reporting
• compliance with applicable laws and regulations’83
Moreover, COSO appoints the CEO as the individual ultimately responsible for the system of
internal control and recommends that he ‘assumes’ ownership of the system which implies
establishing, running and maintaining the system, while the board should discuss the ‘state’ of
the system.

According to COSO, an effective system consists of five interrelated components:


- Control environment: this is the environment in which the organization operates and includes factors such
as ‘integrity and ethical values’, ‘commitment to competence’, ‘the board of directors or
audit committee’ (composition, independence, interaction with auditors, activities…), ‘the
philosophy and the operating style of management’, ‘the structure of the organization’,
‘authorities and responsibilities’ and ‘human resource policies and practices’. Again this is
the basis for a good internal control system.
- Risk assessment deals with aspects of the objectives of the organization, whether they be
financial, operational or compliance, identification of key success factors, risk
identification and analysis, and change management.
- Control activities focus on all activities which help to ensure that management directives
identified as necessary to address risks are carried out. Special attention is given to the
different kinds of control and indicators and the integration with risk assessment.
- Communication and information is the component dealing with the identification,
capturing and communication of internal and external information needed for the
achievement of the objectives.
- Monitoring is the process that assesses the quality of the performance of the internal
control system over time, both through ongoing activities and through separate
evaluations. Monitoring factors which have to be taken into account include the
designation of the evaluator, the evaluation process, the methodologies which can be
applied, the documentation of the system and the controls, the action plan and last but
certainly not least, the reporting of deficiencies with the purpose of leading to corrective
actions.

Management should report on the effectiveness and efficiency of the internal control system
to the board and the board in its turn should review the system. In other words, the board
needs to convince itself that the system that has been put in place by management actually is
effective and efficient and that it does address all aspects of risk and that it does contribute to
the achievement of the objectives of the organization.

How will the board do this? The board will achieve this by ‘information gathering’ from
different sources such as the management itself, external auditors and, not least, internal
auditors.

83
Committee of Sponsoring Organizations of the Treadway Commission (COSO), ‘Internal Control – Integrated
Framework’, Vol. I, 1994, p. 13.

This is one of the reasons why the European Commission goes beyond those (numerous)
reports which strongly recommend audit committees but at the same time fail to recognize the
full importance of the internal audit functions by saying:
‘However, it is unlikely that companies without a strong internal audit function will be able to
provide an audit committee (the board) with sufficient information to fulfill its
responsibilities. …Consequently, recommendations have been made for the appointment in
major companies of a chief internal auditor to lead a strong internal audit team that is capable
of providing the audit committee with sufficient information to fulfill its responsibilities on
behalf of the board’.84
‘The important point is that internal control is intertwined with and directly affected by the
dynamics of corporate governance’.85

The relationship between the internal auditor and corporate governance will be further
‘explored’ in Chapter VI: ‘The Internal Auditor and Corporate Governance’ p. 32 ff.

84
European Commission Green Paper: ‘The Role, the Position and the Liability of the Statutory Auditor within
the European Union’, 1996, p 24, via
http://europa.eu.int/comm/internal_market/auditing/docs/other/700996en.pdf (23 April 2005).
85
Root, S.J., ‘Beyond Coso: Internal Control to enhance Corporate Governance’, John Wiley & sons, Inc., New
York, 1998, p. 37.

Chapter V: Corporate Governance and the Media.
A word of special attention is due to the role of the media regarding corporate governance on
the one hand and to special aspects of corporate governance regarding the media on the other.

V. 1 The role of the media regarding Corporate Governance


Do the media play a specific role in corporate governance? In fact, should the media play a
distinctive role in corporate governance? Perhaps questions we are not confronted with every
day, although a lot of information about the success and failure of corporate governance
reaches us through the media.
First of all it is important to point out that the role the media have on reporting on corporate
governance has not as such been regulated. There are no specific ‘regulations’ prescribing
to the media when, how and in which way they should report on corporate governance.
However, there are numerous indications that the media can play a crucial role in providing
information to the ‘stakeholders’ and to the ‘community-at-large’.

As it is put forward by the Organization for Security and Co-operation in Europe:


‘Information to the public and the control of government action and administrative acts are
the essential functions of the media in a democratic system.’ 86
This does not only apply to governments but also to ‘private’ companies or any other
organization.

In their paper ‘The Corporate Governance Role of the Media’ 87, Dyck and Zingales argue
that the media can affect corporate governance in several ways:
- the media can push politicians and regulatory organizations to adopt new measures
- the media can influence the behavior of managers
- the media can influence the perception by the society at large.

They further demonstrate that the principle of ‘disclosure’ (supported by widespread
communication by the press) is a far more efficient way to enhance adherence to a corporate
governance code than mere compliance. In some countries, where non-compliance as such
cannot be penalized, the media can even be used as a form of sanctioning or at least as a
‘watchdog’.

Thus the media provide the necessary ‘checks and balances’; meaning that the media serve as
a controlling instrument aimed at helping to ensure an equilibrium or balance between the
interests of the shareholders, the managers, the directors, the state, etc…

According to Louis Lowenstein88 it is the ‘financial branch’ of the media business in general
which feeds the public. This is, however, only possible if the public have enough appetite for
news on corporate governance. Lowenstein argues that in the late 1990s the public had an
‘astonishing’ appetite for news about their investments. He analyzes the ‘meat’ the paparazzi
feed on to keep the public happy and comes up with the following two main aspects:
- the mandated corporate disclosures
- stories to satisfy the thirst for information. These stories may include production
problems or employees’ troubles or even collapse rumors.
‘The audience watching business news… listen to a CEO defend his company’s strategy as
never would have happened just a few years ago.’89
‘Corporate America is not governed by the press, but it is influenced, particularly when voice
becomes a ubiquitous chorus’90
Although Lowenstein wonders whether a downdraft on Wall Street will not leave the
paparazzi with quite a diminished and much less interested audience, he concludes by saying:
‘A voice in time, whatever the medium, has always been important, but it has become vital as
the economy becomes more complex and rapidly evolving.’91

86
OSCE (Organization for Security and Co-operation in Europe), ‘preparatory seminar for the ninth meeting of
the OSCE economic forum: Good Governance in the public and private sectors against the background of
globalization’, Brussels 30 and 31 January 2001, p. 17 via
http://www.osce.org/documents/sg/2001/01/311_en.pdf (23 April 2005).
87
Dyck, I.J. Alexander and Zingales, Luigi, "The Corporate Governance Role of the Media" (August 2002).
CRSP Working Paper No. 543, pp. 38 via http://papers.ssrn.com/sol3/papers.cfm?abstract_id=335602 (23 April
2005)
88
Lowenstein, Louis, "Corporate Governance and the Voice of the Paparazzi" (February 1999). Columbia Law
School, Center for Law and Economic Studies, New York, Working Paper No. 132, pp. 54, via
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=163386 (23 April 2005).

Especially with respect to the comments made by analysts, one wonders to what degree this
‘free’ advice is not just a marketing tool. ‘Historically, ‘sell’ ratings have constituted fewer
than 1% of analysts’ recommendations,… . They’re often under pressure from the companies
they cover, big institutional investors, and their own employers to maintain positive ratings.’92
Which brings us back to the point of integrity and ethical values (see also the next chapter
V. 2, p. 30, as well as chapter VI. 4, p. 38 ff.).

The question remains whether the media should have a duty to report on corporate
governance.
According to Dr. Alison Harcourt, a media specialist, it is very doubtful whether the media in
general feel they have a duty to report on corporate governance. Harcourt argues that a lot of
media coverage is spent on industry but not on their internal corporate governance as such.93

Nevertheless, there are increasingly more indications that the media can and should have a
pertinent role in corporate governance.
- Already before the recent corporate debacles, Dr. Lutgard Van den Berghe expressed her
wishes for an external monitoring instrument, especially for non-listed companies, since
they are confronted with less regulated compliance aspects. She suggests that a
monitoring role could be given to the media: ‘May be that the media can play an
important role in scrutinizing these organisations and fostering good governance
practices.’94
- The King II Report (South Africa) devotes a (small) chapter to corporate governance and
the role of the media. It emphasizes the need for well-trained financial journalists, and
calls for specialized courses. Furthermore it asks that the journalists’ profession should
encourage ways of ensuring high standards of financial journalism.95 Although the
recommendations are not ‘binding’, it is quite a novelty to find an emphasis on the
importance of the role the financial media (and analysts) play in examining the extent of
compliance with corporate governance practices.

89
Ibid. p. 37.
90
Ibid. p. 40.
91
Ibid. p. 54.
92
Business Week Online, ‘Special report – The Crisis in Corporate Governance; Analysts’ May 6, 2002, via
http://www.businessweek.com/magazine/content/02_18/b3781706.htm (23 April 2005).
93
This information was obtained from personal correspondence with Dr. Alison Harcourt. Information on the
professional background of Dr. Harcourt can be consulted via
http://www.bradford.ac.uk/acad/ssis/staff/CES/harcourt_a/#research (23 April 2005).
94
Van den Berghe L., ‘Beyond ‘Corporate’ Governance: an overview of the challenges in front of us’, 2001, p.4,
via http://www.ivb-ida.com/documenten/EN_beyond_LVDB.pdf (23 April 2005).
95
The information was obtained through personal e-mails with Richard Wilkinson, Executive Director of the
Institute of Directors, which publishes the King Reports.

In addition to the controlling and monitoring role described above, organizations should also
use the media to their full benefit. Favorable newspaper articles and TV spots on social
responsibility measures can improve an organization’s image in the larger community.
Organizations should promote their voluntary initiatives in their effort to
aspire ‘beyond’ compliance through all available media and the media, in turn, should have
an obligation to report on such initiatives.

V. 2 Corporate governance regarding the media


The second aspect of corporate governance is even more interesting from the point of view of
the internal auditor employed in the media sector. Whereas the first aspect is more a reporting
responsibility of the media, the second one deals with aspects of corporate governance which
should be incorporated in the media, i.e. within the organization.
The basic idea was well put by Mr. Peter John Aitsi: ‘…if we (the media) are to place the
spotlight onto other sectors, we must ensure our own ‘house’ is in order.’96
This exemplary, and at the same time vulnerable, role implies that the media should adhere to
the very highest standards of corporate governance. They should address all attributes of
corporate governance as described before in chapter IV: ‘Aspects of Corporate Governance’
p. 20 ff.
Moreover, in addition to these more general aspects, they should show particular interest in
specific issues such as:
- a sound balance between public interest and commercial imperatives
- adherence to governance codes and socially responsible investment criteria
- commitment to ‘beyond’ compliance standards wherever and whenever possible
- adoption, implementation and publication of ethical codes of the highest standard
- disclosure of all cross-ownerships and influences
- declaration of editorial policies and political allegiances
- openness to all sources of funds, including big advertisers and sponsors
- etc...97

Also in the field of corporate social responsibility there are still a number of challenges for the
media. One of those was well formulated by Roger Martin in relation to his ‘Virtue Matrix’
(see chapter VI. 5 The auditor’s Tools) whereby he argues:
‘Media companies have failed to take concerted action to stem the tide of vulgar trash that too
often passes for children’s entertainment. There are compelling commercial, scientific, and
political reasons why these initiatives have not come to pass, but the inability or unwillingness
to deliver these obvious benefits creates a powerful public sense that corporations are not
doing enough.’98

Again, some of these specific issues are compliance issues, while others are not. How the
internal auditor can contribute to the evaluation of some of these specific corporate
governance issues will be discussed in the next chapter.

96 Aitsi, Peter, John, ‘Media Ethics and Corporate Governance’, paper presented at the PNGID Conference, 18
April 2002, via http://www.pngid.org.pg/host_pngid/aitsi.html (23 April 2005).
97 This information was obtained from: ‘Good News & Bad: the Media, Corporate Social Responsibility and
Sustainable Development’, via http://www.sustainability.com/publications/engaging/good-news-and-bad-more3.asp
(23 April 2005).
98 Martin, Roger L., ‘The Virtue Matrix: Calculating the Return on Corporate Responsibility’, Harvard Business
Review, March 2002, reprint p. 4 (can be purchased via www.hbsp.harvard.edu (23 April 2005)).

Chapter VI: The Internal Auditor and Corporate Governance
‘Internal auditing is an independent, objective, assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes’99

The Institute of Internal Auditors (IIA) further defines ‘Governance’ as ‘The combination of
processes and structures implemented by the board in order to inform, direct, manage and
monitor the activities of the organization toward the achievement of its objectives.’100

Let us then have a closer look at the role of the internal auditor in this corporate governance
process. In order to do so in a more or less structured way, this chapter has been divided into
five headings, each dealing with a different aspect of that role.

1. The relationship between Corporate Governance and the Internal Auditor.
2. Implications of Corporate Governance on the Audit Profession.
3. The position of the Auditor in a Corporate Governance ‘Environment’.
4. Special Aspects deserving Special Attention.
5. The Auditor’s Tools.

VI. 1. The relationship between Corporate Governance and the Auditor


Looking back at corporate governance as a whole, i.e. the demands, pressure and tasks of the
audit committee, management and the board in general, the expectations of the different
stakeholders, the position of the internal auditor within the organization, etc…, an impact on
the workload and the responsibilities of internal audit appears unavoidable.

The mere definition of internal auditing and the standards drawn up and implemented by the
IIA give the internal auditor not just the mandate but the obligation to contribute in any way
possible (consulting or assurance) to the evaluation of the corporate governance process.

In Chapter IV: ‘Aspects of Corporate Governance’, we already established the relationships
between management and corporate governance, between the audit committee (the board) and
corporate governance, and between corporate governance and internal control. Moreover, it
became obvious that the audit committee relies ‘heavily’ on the internal auditor for its review
of the system of internal control as prescribed by corporate governance codes and
recommendations.101
Therefore, it is not surprising that the IIA puts a lot of effort into guiding its members to
become corporate governance specialists, capable of assisting both management and the board.
The IIA does so by continuously discussing, commenting, recommending and training on
different aspects of corporate governance in general and on audit aspects in particular.

One of the internal regulating devices used by the IIA is the ‘Professional Practices
Framework’ including not only a ‘Code of Ethics’ but also a set of ‘Standards for the
Professional Practice of Internal Auditing’ comprising mandatory criteria for internal auditing
as it should be. These standards are quite general for they are applicable to all internal
auditors regardless of the organization.102

99 Definition of internal auditing set by the IIA (Institute of Internal Auditors), via
http://www.theiia.org/ecm/guide-ia.cfm?doc_id=1582 (23 April 2005).
100 Via http://www.theiia.org/ecm/guidance.cfm?doc_id=1499 (23 April 2005).
101 The recommendations made by the Turnbull Report (see footnote 27), in elaborating further guidance on the
principle D2 ‘Internal Control’ of the Combined Code (see footnote 25 and chapter IV. 5, p 25), have contributed
in a large degree to ‘recent’ statements on the position of the internal auditor with regard to internal control.
Turnbull set the tone for the further development of the relationship between the internal auditor and internal
control and between the internal auditor and corporate governance.

However, some ‘Standards’ and ‘Practice Advisories’ of the IIA deal more specifically with
aspects of corporate governance.
Three standards in particular draw the attention in this context:
• performance standard 2100
• implementation standard 2120.A1
• performance standard 2130

• Performance standard 2100 ‘Nature of the work’ reads as follows:
‘The internal audit activity evaluates and contributes to the improvement of risk
management, control and governance systems’.
The standard gives a very general description of the work of the internal auditor.
The practice advisory pertaining to this standard further explains all aspects that are to be
understood in the standard. It determines the scope of the internal auditing work, lists the
responsibilities of management and goes on to define how the auditor’s evaluation leads to
an appraisal of the overall management process.

• Implementation standard 2120.A1 deals in particular with the assurance aspect provided
by the internal auditor on the adequacy and effectiveness of controls encompassing the
organization’s governance, operation and information systems. These include:
- reliability and integrity of financial and operational information
- effectiveness and efficiency of operations
- safeguarding of assets
- compliance with laws, regulations and contracts
Again the practice advisory provides further information, and in doing so points in every
sense to corporate governance. The practice advisory elaborates on the tasks of the board:
‘One of the tasks of the board of directors is to establish and maintain the organization’s
governance processes and obtain assurances concerning the effectiveness of the risk
management and control processes’. Also on the tasks of management: ‘Senior
management’s role is to oversee the establishment, administration, and assessment of that
system of risk management and control processes.’ And finally on the auditors: ‘Internal
and external auditors provide varying degrees of assurance about the state of effectiveness
of the risk management and control processes.’

• Performance standard 2130 deals in particular with ‘Governance’: ‘The internal audit
activity should assess and make appropriate recommendations for improving the
governance process in its accomplishment of the following objectives:
- promoting appropriate ethics and values within the organization
- ensuring effective organizational performance management and accountability
- effectively communicating risk and control information to appropriate areas of the
organization
- effectively coordinating the activities of and communicating information among the
board, external and internal auditors, and management.’
Once more, the practice advisory goes on to explain in detail the full contents of this
standard in dealing with aspects such as compliance with society’s legal and regulatory
rules, accepted business norms, ethical precepts and social expectations. It explains what
is understood under governance & organizational culture and how the internal auditor can
play an active role in the support of the organization’s ethical culture listing a number of
‘ethical’ features the internal auditor should evaluate.

102 More information on the (revised) Standards and the Code of Ethics can be obtained via
http://www.theiia.org/ecm/guidance.cfm?doc_id=1625 (23 April 2005).

Continuously working towards improving the quality of the added value of the internal audit
department is equally an element of striving for good corporate governance. Other
developments such as the NYSE regulation obligating all listed companies to have an internal
audit function can only contribute to the further strengthening of the relationship between
corporate governance and the internal auditor.

VI.2 Implications of Corporate Governance on the Audit Profession


While traditionally the role of the internal auditor was to help the organization to maintain the
system of internal control of its financial statements, a whole range of new opportunities,
possibilities and responsibilities present themselves in the wake of corporate governance.
The ultimate challenge for the internal auditor is to find the necessary ways to provide the
degree of reasonable assurance expected by all the participants. In other words, the internal
auditor needs to become the key ‘enabler’103 in the corporate governance process.

Audit committees try to improve their own effectiveness through better and more frequent
contacts with the internal auditor who represents one of their most valuable sources of
information.
The dual position104 in which the internal auditor finds himself enables him, as it were,
to keep one eye on the direction the company is going in, and the other on every aspect of
internal control including rules and regulations, laws and expectations, risk and opportunities
etc…

Corporate developments, along with more inquisitive stakeholders and assurance
requirements, not only on financial but also on non-financial measurements and reporting,
increase the audit workload.

Thus the internal auditor becomes ‘an integral part’ of the corporate governance process.105

The conviction that the internal auditor plays a valuable role in the ‘corporate governance’
process is shared by many organizations with different interests.
‘The role of auditors is vital to the corporate governance process. The effectiveness of the
board and senior management can be enhanced by:
- recognizing the importance of the audit process…
- taking measures that enhance the independence and stature of auditors
- utilizing, in a timely and effective manner, the findings of auditors
- ensuring the independence of the CAE (Chief Audit Executive) through his reporting to
the board or the board’s audit committee
The board should recognize and acknowledge that the internal and external auditors are their
critically important agents.’106

103 Note that we use the term ‘enabler’ and not ‘actor’. The internal auditor as such does not ‘act’ on the same
level as the board and management but he ‘enables’ the governance process to fulfil itself in the best possible
way.
104 See also chapter VI. 3 ‘The Position of the Auditor in a Corporate Governance ‘Environment’’ p. 35.
105 It is obvious that the ‘tasks’ which are expected from the internal auditor may vary according to the
environment in which he or she is employed. The internal auditor in a US listed company environment will
have to devote a lot of attention to, e.g., the aspects of compliance with Sarbanes-Oxley 302 and 404 sections,
whereas an internal auditor in a non-profit organization will have different priorities. For those auditors who
are faced with the Sarbanes-Oxley challenge the IIA offers ‘specific’ guidance (see also
http://www.theiia.org/index.cfm?doc_id=4052 (23 April 2005)).

Indeed, ‘particular emphasis is being placed on board of director and audit committee
responsibilities for the role a better understanding, evaluation and management of business
risks has in corporate governance. Internal auditors should consider this emphasis as being on
the global leading edge and recognize the contributions they can make to their audit
committee to facilitate the discharge of these responsibilities’.107

Consequently, effective communication is one of the prerequisites for sound corporate
governance in general and at the same time the key for enhancing the relationship between the
internal auditor, the external auditor and the audit committee. The written reports by the
internal auditor, evaluating the internal control system, are one of the foremost cornerstones
of the assurance the audit committee needs in the oversight process. They enable the audit
committee to fulfill one of its primary tasks: to conclude on the effectiveness of internal
control, a primary task which we have encountered throughout various previous chapters.

Some special aspects of corporate governance which hold a true challenge for the internal
auditor are discussed in chapter VI. 4 ‘Special Aspects deserving Special Attention’.

VI. 3 The Position of the Auditor in a Corporate Governance ‘Environment’

The position of the internal auditor in a corporate governance environment takes into
consideration possible relationships (directly or indirectly) with participants-stakeholders
which traditionally are not taken into account.

Traditional internal audit sources talk about two possibilities of positioning the internal
auditor within the organization. ‘Ratcliff’ speaks of an ‘ideal positioning’ (responsible to the
board and reporting to management) and a ‘practical positioning’ (responsible to management
and reporting to the board): ‘Conceptually, internal auditing should not report
administratively to management. Internal auditing may retain a reporting responsibility to
management, but it should maintain its primary responsibility to a higher authority, such as
the board of directors.’108
This is somewhat confusing in view of what the IIA says: ‘Ideally, the chief audit executive
should report functionally to the audit committee, board of directors or other governing
authority, and administratively to the chief executive officer of the organization’109

However, ‘Ratcliff’ goes on to say: ‘the relationship with the audit committee typically is
a reporting relationship. … Typically, executive management is administratively responsible
for the internal auditing function.’110 This might suggest that in the sentence starting with
‘conceptually’ the word administratively should be replaced by functionally.111
Many sources agree that the air needs to be cleared on the reporting issue. Internal auditing’s
reporting lines may well be the next ‘topic’ to be dealt with in the present debate on corporate
governance and the role of the internal auditor. While a lot of parties involved agree that
there is a reporting line to the audit committee, the questions still open are: How direct are
those lines? And how independent are those lines?

106 Basel Committee on Banking supervision: ‘Enhancing Corporate Governance for Banking Organizations’,
Basel, September 1999, p. 7, via www.bis.org/publ/bcbs56.pdf (23 April 2005).
107 Verschoor, Curtis C., ‘Audit Committee Briefing: understanding the 21st century audit committee and its
governance roles’, The Institute of Internal Auditors, 2000, p. 31.
108 Ratcliff, Richard L., Wallace, Wanda A., Sumners, Glenn E., McFarland, William G., Loebbecke, James K.,
‘Internal auditing, principles and Techniques, Second Edition’, The Institute of Internal Auditors, 3rd printing,
2001, p. 22.
109 IIA practice advisory 1110-1, via http://www.theiia.org/index.cfm?doc_id=4299 (members only) (23 April
2005)

Nevertheless, it is increasingly believed that: ‘Internal Auditors need to acknowledge the audit
committee as their primary client, and not management’112 or ‘The internal audit function
should view the audit committee as a client and should be looked upon by the committee as a
vital source of information.’113

Especially during the past few years, it has become clear that the internal auditor and the audit
committee are developing a ‘unique’ relationship characterized by particular aspects such as
the ‘reporting lines’ but also the ‘safeguarding of independence’.
The ‘traditional’ position of the internal auditor in an organization and his relationship to both
management and the audit committee is well described by the Blue Ribbon Committee.114

This by no means implies that the internal auditor operates in complete disregard of
management. In order to ‘add value’ to the organization, it is of course equally desirable that a
healthy collaboration exists between management and the internal auditor.
This can be illustrated by the fact that in the annual audit plan the internal auditor should take
into account ‘any risks and control concerns identified by management’.115

An interesting way of looking at the interactions and the different concepts of corporate
governance is the “governance” loop as depicted by David McNamee.

[Figure: the ‘governance loop’ as depicted by David McNamee]116

110 Ratcliff, Richard L., Wallace, Wanda A., Sumners, Glenn E., McFarland, William G., Loebbecke, James K.,
‘Internal auditing, principles and Techniques, Second Edition’, The Institute of Internal Auditors, 3rd printing,
2001, p. 32.
111 One of the co-authors, Wanda Wallace, explains the apparent contradiction between the point of view of
‘Ratcliff’ and that of the IIA as follows: ‘The problem is in concept relative to practical reality. The conceptual
notion of not reporting administratively to the CEO was to avoid situations where the individuals audited
(including the CEO) are setting budgets, allocating time, censoring reports, and/or evaluating performance of
internal auditors. Yet, the audit committee is not constantly accessible, and someone has to be there day-to-day
to facilitate activities. Hence, the standards evolved to make a distinction between function and administrative as
subcomponents of our language. In reality, the functional reporting link to the audit committee is intended to
maintain an independent reporting link, keeping most of what we have in mind in our "ideal" with the audit
committee. I believe the standards' use of the word administrative is merely to recognize daily activity
communications with executives in residence. The functional language is intended to ensure that the audit
committee would have priority on substantive (administrative) matters.’
(e-mail from Wanda Wallace).
112 Verschoor, Curtis C., ‘Audit Committee Briefing: understanding the 21st century audit committee and its
governance roles’, The Institute of Internal Auditors, 2000, p. 48.
113 Rittenberg, Larry E., ‘Lessons for Internal Auditors’, Internal Auditor, April 2002, p. 32.
114 See footnote 16.
115 From: ‘Sample Internal audit Department Charter’, via http://www.theiia.org/index.cfm?doc_id=383 (23
April 2005)

The ‘picture’ places the internal auditor in a far ‘larger’ context than is traditionally done by
audit resources.

Note that McNamee implicitly defines the ‘leaders’ as the primary client of the internal
auditor in this model and not the ‘owners’ which include the board.117

Whereas we are used to finding the ‘players’ in their respective roles with regard to the
internal control oversight process (who reports on what to whom), McNamee confronts us
with a whole different perspective. McNamee does not focus on the reporting lines as such
but uses the arrows to indicate who provides what to whom, more in terms of expectations.

He refers to management as ‘leaders’ whereas the boards are technically the owners.

One type of stakeholder we do not explicitly identify is the employee who is partially
incorporated in this model in the organization that does the work of converting assets into
products. However, since this is an American based model, we find, next to the suppliers, the
unions as providers of services. Thus, in analyzing this ‘loop model’ we should not forget that
we are dealing with a model based on a society in which unionized labor is very much
different from the way we know it in lots of other countries.118

116 Copied from ‘The Governance Loop: Protecting Stakeholders Interests’ via
http://www.mc2consulting.com/govloop.htm (23 April 2005).
117 McNamee argues: ‘many internal auditors have drifted far afield of what they ought to be doing and the IIA
has codified this into its new standards, unfortunately’. He believes that the internal auditor’s first responsibility
is to management. (personal e-mail from David McNamee).
118 Still today, US unions are a lot more powerful than most other labor unions all over the world. Each union
has its political and operational tentacles which reach deep into the American Society. Membership to a union is
nearly a ‘condition sine qua non’ for ‘getting a decent job’. Moreover, unionized workers are better protected
and earn substantially more than non-unionized workers (average of 25%!). Some unions are quite well known
such as the teamsters who have most of the transportation workforce including most of the airline pilots as their
members. The AFL-CIO (American Federation of Labor – Congress of Industrial Organizations) represents
more than 13 million workers in the US in 66 different labor unions. More information via
http://www.aflcio.org/home.htm (23 April 2005).

VI. 4 Special Aspects deserving Special Attention
Keeping in mind the different aspects, characteristics and peculiar features of corporate
governance, we come across a number of ‘special’ aspects. Special not only in the way they
should be adopted and implemented or adhered to, but also in the way they could or should be
dealt with by the internal auditor.
The special issues which will be dealt with are the following:
• Ethical values and integrity
• Fraud
• Corporate Social Responsibility
• Risk assessment and risk management
The order in which these ‘special’ aspects are discussed has nothing to do whatsoever with
their importance to the matter.

In accordance with the title of the paper, a number of ‘reflections’ will be given on these four
issues. The objective is not to go into every detail but to point out a number of aspects which
may be valuable to the contribution of the internal auditor to corporate governance in general
and to one of these issues in particular. Each of the issues can be and has been the subject of
many books, papers and reports.
A number of references to these works are given in the footnotes and in the appendix at the
back of the paper. Finally, a number of tools which can help the auditor and which may relate
at the same time to one of these issues will not be dealt with specifically in this chapter but in
chapter VI. 5: ‘The Auditor’s Tools’ p. 45 ff.

Ethical values and integrity


As pointed out in chapter IV.2 ‘Code of Conduct’, a major emphasis is placed by corporate
governance on company conduct and ethics.
Why? ‘…because of the devastating impact that even isolated acts of wrongdoings can have
on an organisation’s reputation among its stakeholders’119.
Indeed, during the past few years several new aspects of risk management have emerged; one
of them being reputation risk management (see also further under ‘risk assessment and risk
management’).
As for the interrelation with the other aspects, sound ethical values will lead to a higher
degree of integrity which in its turn will help to prevent and detect possible fraud. Therefore
ethical values help strengthen the system of internal control. ‘Business ethics are the
bedrock of internal control’120

Yet it seems that we have arrived at a time when keeping the balance between ethics and
profits is becoming ever more difficult. The following chart depicts the hypothetical
relationship between ethics and profits:

                  BUSINESS ETHICS: LOW    BUSINESS ETHICS: HIGH
PROFITS: HIGH     Imbalanced              Ideal
PROFITS: LOW      Dangerous               Imbalanced

[Chart: profits (low to high) against business ethics (low to high)]121

A written code of ethics and conduct, integrating values such as honesty, trust and integrity
should be communicated to all members of the organizations and even to all outside relations
so that they know what is acceptable and what is not.122
It is the role of the internal auditor to consult by helping management in making suggestions
as to what aspects should be included in the code. It is also the role of the internal auditor to
evaluate by checking the correct application of the code and be aware of any code violations.

119 Arthur Andersen, ‘Ethical concerns and Reputation Risk Management, a study of leading UK companies’,
December 1999, p. 3, via http://www.globalethics.org/andersonrpt.pdf (30 April 2005).
120 Root, S.J., ‘Beyond Coso: Internal Control to enhance Corporate Governance’, John Wiley & sons, Inc., New
York, 1998, p. 91.

Fraud
Fraud, or rather the minimization of fraud, is another special aspect of corporate governance.
‘The board should maintain a sound system of internal control to safeguard shareholders’
investments and the company’s assets.’ (Combined Code)123

Turnbull states that one of the reasons why effective controls have to be established is to
contribute to the prevention and the detection of fraud.

In its position paper ‘Internal Auditing in Europe’, the ECIIA states that: ‘Internal audit will
ensure that the risk of fraud has been properly identified and assessed by executive
management. Internal audit will provide assurance that internal controls have been properly
designed to address the risk of fraud and that they are working effectively’.124
In an earlier position paper: ‘The internal auditor’s role in the prevention of fraud’ the ECIIA
argues that ‘in the context of fraud, the primary responsibility for internal auditing is to ensure
that management has reviewed its risk exposures and identified the possibility of fraud as a
business risk, where appropriate.’125
With regard to the role of the board, management and the audit committee, the ECIIA
addresses three main issues:
1. the extent to which internal control systems can prevent, deter and/or subsequently detect
the determined employee fraudster.
2. the extent to which more rigorous governance and control requirements – internal and
external – will prevent high level fraud.
3. the extent to which internal audit can report to the audit committee, by virtue of its
charter, on management malpractice.
Furthermore the ECIIA formulates a number of positions on (fraud) risks and on the position
of the internal auditor; these positions deal with aspects of fraud awareness and training, risk
based audit planning and risk based auditing, providing reasonable assurance on the adequacy
and effectiveness of risk assessment and control regime by the internal auditor to the
stakeholders, etc…

121 Ibid. p. 94.
122 Other aspects of the code of conduct have been discussed in chapter IV. 2 ‘Code of Conduct’ pp. 21-22.
123 ‘The Combined Code, Principles of Good Governance and Code of Best Practice’ principle D2 ‘Internal
Control’, via http://www.ecgi.org/codes/documents/combined_code.pdf (30 April 2005).
124 ECIIA, position paper ‘Internal Auditing in Europe’, Brussels, February 2005, p. 38.
125 ECIIA, position paper ‘The Internal Auditor’s Role in the Prevention of Fraud’, October 1999, p. 5, via
http://www.iia.dk/Positionpaperfraud.pdf (30 April 2005).

The IIA’s position on the possible contribution by the internal auditor to detect and prevent
fraud is quite clearly stated in the following standard: ‘The internal auditor should have
sufficient knowledge to identify the indicators of fraud but is not expected to have the
expertise of a person whose primary responsibility is detecting and investigating fraud.’126

One of the most effective ways of preventing fraud is through upgrading the control
environment, mainly by the tone which must be set by the top of the organization (all of whom
must display exemplary behavior) and by a code of conduct which has been duly
communicated to everyone.

It is generally believed that an organization has three tools at its disposal to fight fraud:
- good corporate governance
- the right tone at the top
- a sound system of internal controls

Internal auditors should:
- have knowledge of the indicators of fraud
- be aware of the fraud risks in the area which is being audited
- be alert to possible fraud opportunities
- focus on areas where controls are weak or fraud sensitive
- continue or recommend further investigation if necessary
- advise management and the board on possible measures to improve fraud prevention by:
  - changing the ‘culture’
  - publicizing additional measures
  - increasing the risk (probability) of getting caught
  - introducing or increasing the application of correct sanctions

In this respect, the role the internal auditor plays in the detection and prevention of fraud is a
direct contribution to good corporate governance and should be encouraged by the board and
by management.

However, does practice reflect theory? ‘The Internal Auditor’s Role in the Detection and
Prevention of Fraud: A Post-SAS No. 82 Analysis’ shows that internal auditors generally do
not regard the detection and prevention of fraud as a primary role. According to the authors,
this is ‘consistent with the position taken by the IIA in their newly revised standards for
proficiency and due professional care.’ And if the auditor does play a role, it is more likely to
be a preventive than a detective role. Also significant is the fact that the internal auditor is
prepared to play a more active role in fraud (detection and prevention) committed to the

126 IIA Attribute Standard 1210.A2, via http://www.theiia.org/ecm/guidance.cfm?doc_id=1499 (30 April 2005).

detriment of the organization than for the benefit. While in the first case it concerns usually
employee fraud, in the second case management is more likely to be involved.127

Corporate Social Responsibility


Corporate social responsibility is one more of those ‘recent’ terms applied to a ‘certain way of
doing business’.
Is this one of the ‘keys’ to success or is it just another buzz word?
One of the major challenges for the modern internal auditor is to constantly evaluate these
‘new’ developments and to decide what aspects he can use to his advantage and to the
advantage of his organization.
In order to be able to make that decision, the internal auditor should, in the first place, become
familiar with the characteristics of the phenomenon.
What is corporate social responsibility? What does it ‘prescribe?’ How far does it go? What
is the relation between corporate governance and corporate social responsibility?

‘Most definitions of corporate social responsibility describe it as a concept whereby
companies integrate social and environmental concerns in their business operations and in
their interaction with their stakeholders on a voluntary basis’128

‘Corporate social responsibility is concerned with treating the stakeholders of the firm
ethically or in a socially responsible manner. Stakeholders exist both within a firm and
outside. Consequently, behaving socially responsible will increase the human development of
stakeholders both within and outside the corporation.’129

Generally speaking, sources on corporate social responsibility agree that corporate social
responsibility is a part of corporate governance.
However, one cannot deny that recent ‘corporate accidents’ draw much more attention to
‘traditional’ aspects of corporate governance such as independence of board of directors, audit
committees and external auditors, and the reliability and disclosure of financial and
operational statements than on aspects of corporate social responsibility dealing with e.g.
environment and human relations.
This is by no means any reason to pretend that corporate social responsibility is not important,
merely that reality does not always reflect the aspirations of all involved.
Nevertheless, a number of initiatives such as ‘Business for Social Responsibility’130 and the
‘Global Reporting Initiative’131 have kept this aspect more than alive over the past few years and
have certainly contributed to private, national, and international awareness of the subject
of corporate social responsibility and sustainability reporting.

Just one of the results is the fact that the European Commission has produced a considerable
number of recommendations, guidance and information on these subjects. What started in

127 Thomas, William C., Clements, Curtis E., ‘The Internal Auditor’s Role in the Detection and Prevention of Fraud: A Post-SAS No. 82 Analysis’, January 2002, pp. 33, is a study based on a survey among internal auditors in the US. Via http://raw.rutgers.edu/raw/aaa/audit/midyear/02midyear/papers/1-16-02%20Draft.doc (30 April 2005).
128 Definition from the European Commission Green Paper ‘Promoting a European Framework for Corporate Social Responsibility’, July 2001, p. 8, via http://europa.eu.int/comm/employment_social/soc-dial/csr/greenpaper_en.pdf (30 April 2005).
129 Definition taken from ‘What, if any, is the relation between Corporate Governance and Corporate Social Responsibility’, via http://www.mhcinternational.com (30 April 2005).
130 More information via www.bsr.org (30 April 2005).
131 More information via www.globalreporting.org (30 April 2005).

2001 with a green paper: ‘Promoting a European Framework for Corporate Social
Responsibility’, followed in 2002 by a policy: ‘Communication on Corporate Social
Responsibility’, has grown to a valuable collection for anybody who needs to know more on
the subject.
Information on codes of conduct, social labels, social reporting, workplace standards,
environmental standards, quality standards (ISO, EFQM, etc.), CSR mapping tools… is
readily available to all those interested.132

In the next chapter: ‘The Auditor’s Tools’, a number of tools relating to Corporate Social
Responsibilities will be ‘illustrated’.

However, beware of the traps: just as corporate governance is no guarantee for successful
business, neither is corporate social responsibility!
Looking at the ‘Enron Corporate Social Responsibility Annual Report 2000’133, we learn that
a corporate responsibility task force was formed, that they held discussions with their
employees, that an intranet site was launched, that they were concerned with risks and
opportunities associated with corporate responsibilities etc…
On the one hand they were committed to the highest standards of environment, health and
safety principles; they were concerned about emissions and their effect on the climate change,
had environmental programs in Brazil, were occupied with health and safety, reducing energy
requirements, human rights, ethics (anti-corruption and bribery), community relations etc…
On the other hand however, they were doing ‘anything’ necessary to ‘satisfy’ the expectations
of the ‘shareholders’ and to make themselves attractive to potential investors.
The lesson: ‘…all the things CSR (Corporate Social Responsibility) has been measuring and
fighting for and applauding may be colossally beside the point. Because they fail to tell us
what’s really going on inside companies. What’s going on is one single thing: unremitting
pressure to get the numbers, by any means possible’.134
So it may well be argued that stakeholder pressure on the organization just may push
management into taking decisions that lead to ‘facade building’ but end up in the opposite
direction of where the stakeholders actually want them.

Risk assessment and risk management


Although ‘fraud’ has been treated as a separate risk, it is worthwhile having a closer look at
the relationship between the internal auditor on the one hand and risk assessment and risk
management on the other.
Much credit for the recent developments in risk awareness and risk management is to be given
to the Turnbull Report which has had a tremendous influence on the attitude of the
organization towards risk management.135 Turnbull states that internal control ‘has a key role
in the management of risks that are significant to the fulfillment of its business objectives’136,
thereby setting the tone for the importance of risk assessment to the internal auditor.

132 All information via http://europa.eu.int/comm/employment_social/soc-dial/csr/ (30 April 2005).
133 This report can be consulted via http://www.enron.com/corp/pressroom/responsibility/CRANNUAL.pdf (30 April 2005).
134 Kelly, M., ‘The next step for CSR: Economic Democracy’, article published by Business-Ethics in 2002. (www.business-ethics.com)
135 See also footnote 27.
136 ‘Internal Control, Guidance for Directors on the Combined Code’ (Turnbull Report), Institute of Chartered Accountants in England & Wales, London, September 1999, art. 10, p. 4, via http://www.icaew.co.uk/viewer/index.cfm?AUB=TB2I_6342&tb5=1 (30 April 2005).

Risk assessment and risk management are vital aspects of corporate governance; the first
being more the responsibility of the internal auditor, the second the responsibility of
management. 137
In declaring risk management the responsibility of management, one should consider the
distinction between the actual responsibilities of the board and of management with regard to
the risk management process. (See also chapter III: ‘Participants’, p. 14 ff.).
This distinction can be formulated as follows: ‘The board is responsible for the total process
of risk management, as well as for forming its own opinion on the effectiveness of the
process. Management is accountable to the board for designing, implementing and
monitoring the process of risk management and integrating it into the day-to-day activities of
the company.’138

Risk assessment then, according to COSO, is ‘the identification and analysis of relevant risks
to achievement of the objectives, forming a basis for determining how the risks should be
managed.’139

Since the board relies on sound risk management and internal control frameworks and
systems to provide reasonable assurance regarding the achievement of the objectives, and
therefore needs assurance on the soundness of these frameworks and systems, the
internal auditor, both in the assurance and consulting function, can provide valuable
assistance. However, in view of the auditor’s independence and objectivity, he should be
wary of ‘over-involvement’; ‘responsibility’ and ‘accountability’ belong exclusively to
the board and management.140

The ‘COSO – ERM framework’141 is very clear about this; it states that the internal auditors
can and should play a significant role in monitoring the ERM process but that they do not
have primary responsibility for its implementation or its maintenance.

In addition to the ‘mission’ given to the internal auditor with regard to the evaluation of risk
management processes through the definition of internal auditing, the Institute of Internal
Auditors recognizes a number of ‘core internal auditing roles with regard to ERM’ next to a
number of ‘legitimate internal auditing roles with safeguards’ and a number of ‘roles internal
audit should NOT undertake’.

137 While risk assessment is usually defined as the process of identifying, categorizing (measuring) and prioritizing risks, risk management will treat risks by avoiding, transferring, controlling, sharing, accepting, etc…
138 ‘Executive Summary of the King Report 2002’, via http://www.ecgi.org/codes/documents/executive_summary.pdf (30 April 2005).
139 Committee of Sponsoring Organizations of the Treadway Commission (COSO), ‘Internal Control – Integrated Framework’, Vol. I, 1994, p. 33.
140 Further information on the position of the internal auditor with regard to risk management can be obtained from the position statement from the Institute of Internal Auditors – UK and Ireland: ‘The role of Internal Audit in Risk Management’, via http://www.blindtiger.co.uk/IIA/uploads/-38c9a362-ed71ce5fa5--7778/PositionStatementRiskManagement.pdf (30 April 2005).
141 ERM = enterprise risk management. See also Enterprise Risk Management on p 45.

142

Two specific ramifications in risk management include ‘reputation risk management’ and
‘enterprise risk management’.

Reputation Risk Management


A particular risk which concerns both management and the board even more is the corporate
reputation. The reputation of the organization (which is one of the key elements determining
the external ‘perception’) may well become by far the most important ‘soft’ element for the
future success of the organization.
There are a lot of risks that can endanger the reputation of an organization:
- financial performance
- corporate governance performance
- quality of management
- ethical values
- fraud
- compliance with laws and regulations etc…
These are precisely the risks which lead us right back to the core aspects of corporate governance.
Good corporate governance will protect the company’s reputation.

But how can the auditor help? In fact, an important contribution can be made by the internal
auditor through the assessment of the:
- corporate vision and responsibilities
- code of conduct
- policies on performance expectations
- compliance with stakeholders’ expectations
- risk management system

142 Institute of Internal Auditors, UK and Ireland ‘Position Statement, The Role of Internal Audit in Enterprise-wide Risk Management’ via http://www.blindtiger.co.uk/IIA/uploads/-3851753f-fe67ecc7cf--7f4e/200409ERMPositionstatement.pdf (30 April 2005).

- ‘residual risk tolerance’ in important areas
- vision on ‘external’ relations (partners, suppliers, customers)
- means of communication

The ‘Ethical Concerns and Reputation Risk Management’ study (see footnote 119) shows,
among other things, that:
- in only 35% of the cases did the internal auditor contribute to the development of the code
of conduct, compared to 45% for the Human Resources department, more than 60% for the
legal or compliance department and even more than 60% for the company secretariat.
- internal audit could have an important input based on its experience from independent
monitoring operations or previous occurrences of wrongdoing.
- internal audit contributes in 25% of the cases to the development and the delivery of
business ethics training.
- internal audit is generally very much aware of business ethics risk (the same also appears to be
valid for the CEO, the CFO and the chairman).

According to the ‘Aon European Risk Management & Insurance Survey’ (2002-2003), loss of
reputation is seen as the second biggest threat to business (the first being business
interruption). From a negative point of view, loss of reputation can result in a very large cost.
From a positive point of view, effectively managing reputation risks presents one of the
largest opportunities to create economic value. 143

Enterprise Risk Management


Along with the evolution of corporate governance in the 1990s and the recognition that risk
management was a fundamental element of corporate governance, the aspects of risk
management were further explored and refined, which led to a new term: ‘enterprise risk
management’. As is true for corporate governance, a number of different, although
interrelated, definitions can be found on the subject.
To some it is nothing more than an ‘overall risk management approach to business risks’.144
To others it is: ‘… a process, effected by an entity’s board of directors, management and
other personnel, applied in strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risks to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity objectives’.145

Enterprise risk management deals with both ‘traditional risks’ and ‘speculative risks’; the first
always lead to ‘losses’ while the second actually aim at a ‘positive result’, although the
outcome may be different (better or worse). So, a risk may well be, or turn into, an
opportunity or vice versa since both risk and opportunity depend on elements of chance and
condition.
In other words: ‘Depending on the conditions, risk (negative) may turn into opportunity
(positive) or vice versa.’

143 Information from ‘The Aon Risk Management & Insurance Survey 2002-2003’ via http://www.aon.com/about/publications/issues/uk_2003_survey/2003_uk_greatest_threats.jsp (30 April 2005) and the ‘Willis UK Bulletin Spring/Summer 2004’ via http://www.willis.com/news/publications/ROI_Newsletter.pdf (30 April 2005).
144 D’Arcy, Stephen P., ‘Enterprise Risk Management’, University of Illinois, May 2001, p. 2, via http://www.cba.uiuc.edu/~s-darcy/papers/erm.pdf (30 April 2005).
145 Definition from the ‘COSO Enterprise Risk Management – Integrated Framework, Executive summary, September 2004’ via http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf (30 April 2005).

Another significant difference to ‘traditional’ risk management is that enterprise risk
management deals with risks from a ‘holistic’ point of view, meaning that they are looked
upon and treated as ‘overall’ risks affecting the overall achievement of the organization’s
objectives instead of individually or separately. Thus one ‘particular’ risk may provide
‘overall’ new opportunities. This implies that risks need to be managed from a strategic point
of view instead of (only) from a here-and-now operational point of view.

As for the internal auditor, the more emphasis is placed on risk management, the more the
auditor will have to steer his audit planning in the direction of risk-based audits as opposed to
control based audits, thus focussing more on process risks.
In conclusion we can say that the internal auditor can make an important contribution to the
‘risk process’ of the organization in:
- providing assurance on the adequacy and effectiveness of the risk management framework
- providing assistance to improve risk identification and risk management processes
- assisting the board to improve the risk management framework

The added value of the internal auditor results from the following benefits he offers to boards
and management:
- he is a valuable source of advice
- he offers objective ‘reasonable’ assurance
- he assists them in their efforts to enhance internal control.

VI. 5 The Auditor’s Tools


The final chapter deals with the problem of how to measure, evaluate and monitor corporate
governance performance in general or even specific aspects of it.
The purpose is to make a survey of a number of tools in order to provide the internal auditor
with possible instruments he or she may or may not already be familiar with. Again the
objective is not to list all possible tools but to ‘reflect’ on a number of them.
One of the most important questions to be answered in the first place is whether corporate
governance is at all quantifiable. Can we measure good corporate governance?
Can an objective and neutral system for measuring be devised? Or does it already exist?

The fact that corporate governance encompasses so many different kinds of aspects, both
‘hard’ and ‘soft’, indicates that perhaps some of them can be measured more easily than
others.

Since hard aspects coincide largely with aspects of compliance, there may well be a
possibility to measure this ‘compliance’. As for the so-called ‘soft’ aspects (beyond the
numbers), which are to be situated largely in the ‘control environment’, the question is not so
easily answered. While we should consider cultural and national differences, some soft
aspects may be perceived as more or less important depending on the country the company is
situated in. Examples of this are environmental concerns, child labor 146 etc…

146 A frequent remark concerning child labor is that there is no child labor in most ‘European’ countries. This may be correct. However, as has been established before, among our stakeholders are also our suppliers and clients. The relationship between our clients and/or suppliers on the one hand, and our own organization on the other, is a basic aspect of corporate governance. Good corporate governance, implying good social and corporate responsibility should therefore also look out for aspects of child labor related to our suppliers and clients. This could be foreseen by adopting an article in the business code of conduct stipulating that particular attention should be given to the aspect of child labor in the selection of suppliers.

Probably the best tool for measuring the ‘soft’ aspects would be benchmarking, i.e. comparing
to ‘best practices’ within the same cultural environment and, if at all possible, within the same
sector.
However, more recently a number of initiatives have been taken to design ‘tools’ to measure
or evaluate corporate governance performance in general and/or particular aspects such as
corporate social responsibility or ethical culture.

We shall start by having a look at some of the more ‘general’ tools followed by a few of the
‘newer and more specific’ tools.

1. COSO ‘Evaluation Tools’


Volume II of ‘Internal Control – Integrated Framework’ contains: ‘…a set of tools that may
be useful in conducting an evaluation of an entity’s internal control system’.147
Discussing the entire set of tools would lead us too far into detail. However, the internal
auditor will certainly find helpful information on a number of aspects crucial to good
corporate governance. These aspects are bound to include all the factors of the control
environment. The COSO ‘Evaluation Tools’ offer no less than 14 pages of possible
considerations and ‘points of focus’ on the control environment factors which are the basis for
a sound corporate governance process. Furthermore, the fact that COSO itself places a lot of
emphasis on these factors is illustrated once more by the example at the end of the ‘manual’148
where no less than 17 of the 47 pages are devoted to the control environment.149
This by no means implies that the tools for the other components are less valuable; it
merely points out the importance of the first component of the COSO framework not only
with regard to internal control but also to corporate governance.
Conclusion: a most valuable manual, though often ‘forgotten’ or ‘lost’ in the shadow of the
first volume of the report containing the framework itself.

2. Red flags
Red flags are warning indicators which may be helpful to the internal auditor in deciding
which aspects of the organization or of a process or department need a closer look.
Most commonly, ‘red flags’ are warning indicators used in forensic investigation, i.e. in
looking for fraud. For this reason, red flag lists often focus on ‘risk factors’ for fraud
complemented by a limited number of more general ‘risks’.150
However, red flags can equally be applied to corporate governance. Good corporate
governance should protect the organization against ‘fraud’ (see chapter VI. 4 ‘Special
Aspects…’).
In a number of cases, it is possible to find lists of ‘general’ red flags in literature or even on
the internet151. For more specific industry related sensitive matters, the ‘creativity’ of the
internal auditor will be needed to determine and establish his or her own ‘red flags’. The

147 Committee of Sponsoring Organizations of the Treadway Commission (COSO), ‘Internal Control – Integrated Framework’, Vol. II, 1994, p. 1.
148 Committee of Sponsoring Organizations of the Treadway Commission (COSO), ‘Internal Control – Integrated Framework’, Vol. II, 1994, p. 133-181.
149 The remaining pages are devoted to the other COSO components as follows: Risk Assessment: 15 pages, Control Activities: 2 pages, Information and Communication: 6 pages and Monitoring: 7 pages.
150 An example of a list of red flags can be consulted via http://www.fcps.k12.va.us/Superintendent/InternalAudit/redflagsfraud.htm (07 May 2005).
151 In the article: ‘Corporate Governance and Client Investing’ a number of red flags for poor corporate governance have been included in exhibit 1, via http://alliedfs.com/pressreleases/pr2Jan04.html (07 May 2005). Another source for a number of red flags for poor corporate governance can be found in the Internal Auditor magazine from February 2005 on page 59.

‘Report of the NACD Blue Ribbon Commission on Audit Committees: A Practical Guide’
provides a checklist of red flags and risk factors which may help the internal auditor on his or
her way.
It includes red flags on accounting, behavioral matters, infrastructure complexity, limitations
of responsibilities and authorities, communications, remunerations, etc…152
Another, more specific, list which is meant for directors along with a discussion of each of the
red flags can be found in the book: ‘Red Flags in Board Reports – A Guide for Directors’.153
As the title suggests, the red flags only deal with board reports. A large number of these red
flags deal mainly with financial matters although there are also a number of red flags which
deal with internal control as well as with internal and external auditing activities.
We should always keep in mind that the use of red flags offers no guarantees of discovering
fraud or flaws or elements of poor corporate governance. Red flags are just one of the tools
the auditor can use to ‘assist’ him or her.
Conclusion: a helpful tool if ‘interpreted’ in the right way.

3. The checklist
A third example of a possible tool was designed by the Institute of Internal Auditors UK and
Ireland and is called ‘Good Corporate Governance – A Checklist’.
This checklist can easily be downloaded in the form of a Microsoft Word worksheet.154
The checklist comprises a total of 47 questions with regard to the following aspects of
corporate governance:
- statutory accountability (1 question)
- accountability for public money (3 questions)
- communication with stakeholders (5 questions)
- roles and responsibilities (25 questions)
- annual reporting (3 questions)
- internal controls (5 questions)
- audit committee (1 question)
- external auditors (1 question)
- leadership (1 question)
- code of conduct (2 questions)
Although this checklist was drawn up by the UK and Ireland National Institute of Internal
Auditors and an appreciation for the work they have put into this checklist is certainly earned,
it is my personal feeling that the never-ending typical internal auditor’s ‘hunch’ of
‘something’s missing’ is still present after going through the list.
It becomes more and more obvious that, when dealing with corporate governance, there are
clearly no complete one-size-fits-all sets of instructions.

Since the introduction of more ‘rule-based’ codes and regulations, a whole new array of
checklists has been drawn up. Some of those deal with corporate governance in general,
152 Further information on the Report can be obtained on the NACD site: www.nacdonline.org (24 April 2005). A ‘free’ overview of the most important red flags is available in the February issue of ‘Tone at the Top’ via http://www.theiia.org/iia/publications/newsletters/ToneAtTheTop/ToneFeb02.pdf on pages 3 and 4 (24 April 2005).
153 The book can be consulted via http://www.occ.treas.gov/RF_Book.pdf (24 April 2005). The site of the Office of the Comptroller of the Currency offers a few guides on red flags and internal control especially for auditors and others involved in banking via http://www.occ.treas.gov/toolkit.htm (24 April 2005).
154 The Institute of Internal Auditors UK and Ireland online via http://www.iia.org.uk/knowledgecentre/keyissues/corporategovernance.cfm?Action=1&ARTICLE_ID=111 (24 April 2005).

others focus on compliance with a certain code or even on a particular aspect of compliance.155

Only the general recommendations and regulations can be brought together into a checklist;
the specific and voluntary ‘beyond compliance’ aspects will have to be treated one-by-one.
Conclusion: an admirable effort making a good starting point and at the same time proving
once more how difficult it is to ‘design’ a corporate governance checklist.

4. The scorecard
The last example of a ‘general’ tool was designed by the DVFA (Deutsche Vereinigung für
Finanzanalyse und Asset Management) and is called the ‘Scorecard for German Corporate
Governance’. Originally it was developed to evaluate five criteria of corporate governance of
the German Corporate Governance Kodex:
- corporate governance commitment (15%)
- shareholder rights (20%)
- transparency (20%)
- company management (30%)
- auditing (15%)

The scorecard was updated in 2003 to include the evaluation of seven criteria:
- corporate governance commitment (10%)
- shareholders and the general meeting (12%)
- cooperation between management board and supervisory board (15%)
- management board (10%)
- supervisory board (15%)
- transparency (20%)
- reporting and audit of the annual financial statements (18%)

Generally speaking, there is no reference to the internal auditor but it does provide a useful
instrument to help the auditor on the way to evaluating the ‘corporate governance’ process in
his or her organization. 156
Conclusion: a very ‘specific’ tool on ‘general’ aspects.

Other organizations also designed specific scorecards to measure the degree of ‘compliance’
with corporate governance best practices.
These scorecards generally measure compliance with corporate governance rules, regulations
and codes. Their information is usually meant for the institutional investors.

155 There are quite a number of corporate governance checklists dealing with corporate governance in general or certain components thereof. Banks, special interest groups and even survey and consulting agencies or organizations are recently increasingly composing their own ‘corporate governance checklist’ focusing on those aspects which fill their particular needs. Examples of such checklists can be consulted via the following internet addresses:
http://www.manager-magazin.de/static/fragenkatalog_eng_cg.pdf / (23 April 2005)
http://www.deloitte.com/dtt/article/0,1002,sid%253D27217%2526cid%253D74721,00.html (24 April 2005)
The ‘Audit Committee performance evaluation self-assessment checklist’ is quite interesting though it is based on the Combined Code.
And of course there are the SOX compliance checklists such as http://www.soxtoolkit.com/sox-comp.htm (24 April 2005) or http://www.kmzr.com/files/tbl_s23Publications/FileUpload117/2874/Sarbanes-Oxley%20Act%20and%20NYSE%20Governance%20Compliance%20Checklist%20(NYSE)%20(June%202004).PDF (23 April 2005)
156 DVFA, ‘Scorecard for German Corporate Governance’, via http://www.dvfa.com/pdf/scorecard.xls (24 April 2005).

An example of such a ‘scorecard’ is the ISS (Institutional Shareholder Services) ‘Corporate
Governance Quotient’ which provides a rating for a company based on sixty-one criteria with
regard to eight corporate governance factors including the Board, Audit, Executive and
Director Compensation, State of Incorporation, Ownership, …. This rating was initially
introduced in June 2002.157
Other examples include the GMI (GovernanceMetrics International) rating (report),158 giving
an actual rating on the basis of six criteria (each including a number of subcriteria) or the
‘Corporate Governance Disclosure Scorecard’159.

A final example is the Deminor corporate governance ratings based on more than 300
corporate governance indicators. The Deminor ratings were first launched in 1999 and only
with regard to European stock exchanges. Once again these ratings are mainly designed for
institutional investors.160

In general, we can conclude that these scorecards are ‘third party evaluation’ tools which will
not be used directly by the internal auditor and therefore they will not further be dealt with.161

5. Corporate social responsibility measuring tools


Next to the more general tools, a whole array of specific measuring tools has recently been
developed.
As we have seen in chapter VI. 4: ‘Special Aspects…’, corporate social responsibility has led
to various initiatives, including a number of specific ‘tools’.
While some of these tools may prove to come in handy to the internal auditor, others are
mainly directed towards management. Nevertheless, it is to the full advantage of the internal
auditor to be familiar with ‘all’ kinds of tools if he wants to optimize his role as partner to
management. As indicated before, it is not the objective to list all existing tools but to focus
on a few possibilities that offer a wide variety of ‘angles’.

The first example of a corporate social responsibility measuring tool in the broadest sense, is
the ‘Morley Fund Management Sustainability Matrix’. This matrix is the result of a ‘third
party’ rating of FTSE 100 companies on issues dealing with management vision and strategy
on the one hand and business sustainability on the other. A grading committee gives grades
from 1 to 5 for vision and strategy on the x-axis, 1 being given for excellence and 5 being the
lowest grade. Business sustainability is rated from A to E on the y-axis. An A is given to
companies whose core business involves sustainable solutions such as alternative energy or
healthcare while an E would be ‘given’ to those companies whose core business is in conflict
with sustainable development such as e.g. arms manufacturers or tobacco companies.
The most positive aspect of this initiative is the fact that someone has put time and energy in
actually performing this exercise and that it has been publicized.

157
More info via http://www.isscgq.com (30 April 2005).
158
More info via http://www.gmiratings.com (30 April 2005). A practical example of a scorecard can be
consulted via http://www.gmiratings.com/(zu3rho45yc0l5ey2idxuy245)/Images/SampleReport.pdf (30 April
2005)
159
The scorecard can be consulted via http://www.cgfrc.nus.edu.sg/download/Sg_CG/Scorecard.pdf (30 April
2005)
160
Information via http://www.deminorrating.com/ (30 April 2005)
161
Caution is advised when ‘interpreting’ the results of certain scorecards, especially when the scorecards do
not entirely take into account national or regional differences. Moreover, some scorecards keep track of specific
items such as the number of foreign board members, the number of female board members, the age of the board
members etc…

It raises, however, a number of remarks and questions such as:
- The list is just one private initiative and deals ‘only’ with 100 ‘narrowly defined’ companies
- Why is there no company with either a ‘one’ or a ‘five’ rating on vision and strategy?
- The matrix can only be used in a ‘true’ sustainability context i.e. an oil company can score
very well in adhering to and practicing the highest standards of corporate governance but
can, by definition, never score high in this ‘sustainability’ matrix.
Conclusion: a commendable initiative despite its very limited use.162

A second, more generic, matrix is the so-called Virtue Matrix designed to calculate the return
on corporate responsibility. This matrix was ‘invented’ by professor Roger Martin of the
University of Toronto (Rotman School of Management) and officially presented in March
2002 in the Harvard Business Review.
Martin sets out from the fact that the expectations of shareholders and the ‘larger community’
are not always opposed:
- supporting charities or local museums can create goodwill among clients (stakeholders) in
spite of high product prices (shareholder)
- adhering to laws and regulations (stakeholder) can protect the company from sanctions
(shareholder).
Martin calls these ‘responsibility’ measures, which are explicitly aimed at enhancing
shareholder value, instrumental, as opposed to intrinsic measures, which have no purpose of
enhancing shareholder value as such but are taken because management believes it is the right
thing to do. One of the major problems for management is that they don’t know if a given
‘measure’ will profit the shareholders and/or the stakeholders, or perhaps neither!
The virtue matrix was designed to be a framework for assessing possibilities for socially
responsible measures.

The matrix actually consists of four quadrants representing the forces that impact corporate
social responsibility. The bottom two quadrants are the civil foundation consisting of norms,
customs, laws and regulations (the instrumental measures). Some of them can be ‘followed’
by choice (voluntary) or by compliance (mandatory).
The top two quadrants are called the frontier. This is where new intrinsic measures originate.
These measures may benefit shareholders and society (strategic) or just society (structural)
and clearly not the shareholders.
Measures that originated in the frontier can migrate to the civil foundation either through
widespread imitation or through the fact that they become the norm or even government rule.
This way, measures such as health care benefits e.g. will move from the top quadrants to the
lower quadrants because ‘everybody’ is giving them, even when it is on a voluntary basis.

How can this matrix help in calculating the return on corporate responsibility? A lot of
companies adhere to many corporate social responsibility standards which are catalogued in
the ‘civil foundation’ and which are therefore regarded by society as ‘normal’. If a
company aims at earning ‘extra credits’ it should consider measures in the frontier area. That
is where the public will notice the difference but where there is little willingness.
By listing the existing ‘socially responsible measures’ in the framework an organization will be
confronted with its own strengths and weaknesses in the field of socially responsible behavior.
Thus, recent developments in corporate governance in general, together with all the new
regulations and recommendations will not actually enhance the public perception of the

162
More information on the matrix via
http://www.morleyfm.com/media_centre/press_releases/archive/130502.htm (30 April 2005).

organization since all these ‘regulations and recommendations’ are elements of the civil
foundation.
Therefore, most ‘hard’ factors or ‘compliance’ factors are not enough; ‘beyond’ compliance is
needed to ‘distinguish’ the organization.
Conclusion: a useful tool which can be applied to many organizations and which has the
possibilities to mature in the future. The internal auditor may find it useful to list and assess
the existing and possible corporate social responsibility measures in his or her organization.163

Other, more standardized, tools include:


- The Global Reporting Initiative Guidelines
- The Accountability 1000 and Social Accountability 8000 Standards

The ‘Global Reporting Initiative Guidelines’


The Global Reporting Initiative (GRI) is an institution aimed at developing voluntary
sustainability reporting guidelines on a global basis. The GRI regularly publishes a report
(framework) with voluntary guidelines containing a number of principles which should be
considered in reporting on sustainability.
The GRI also publishes, among others, a list of companies adhering to the guidelines. In a few
years’ time, the list has grown to more than 650 organizations (657 companies on 4 May 2005)
and includes multi-national companies from no less than 50 countries. The majority of these
companies are from Japan (122), the U.K. (72) and the U.S.A. (69).
The ‘guidelines’ provide useful information on a number of aspects which may interest the
internal auditor such as the principles themselves, the performance indicators (which could be
applied as a kind of checklist), or even its overall mission and vision along with comments on
corporate governance trends.164
The guidelines are available in 9 languages.

The Accountability 1000 and the Social Accountability 8000 Standards


These are standards dealing respectively with aspects of social and ethical performance and
labor and workplace conditions.
They are meant to provide a framework that can be used by organizations to improve their
‘corporate social responsibility’ performance on the one hand but also to evaluate that
performance on the other (through audit or certification).
The Accountability 1000 standard consists of best practices dealing with accounting as well as
with auditing and reporting and was first drawn up by the Institute of Social and Ethical
Accountability in November 1999. The standard can be of help to the internal and external
auditor.165
The Social Accountability 8000 standard consists of a workplace standard aimed at enhancing working
conditions and dealing with special labor rights issues including child labor, forced labor,
freedom of association, discrimination, health and safety, working hours, remuneration etc…

163
A full copy of the original article can be purchased via www.hbsp.harvard.edu (30 April 2005). See footnote
112.
164
More information via www.globalreporting.org (30 April 2005). The 2002 guidelines can be consulted via
http://www.globalreporting.org/guidelines/2002.asp (30 April 2005). The GRI is currently working on the
innovation of the guidelines. This will result in the release of a new set of guidelines in mid 2006.
165
General information can be obtained via www.accountability.org.uk (30 April 2005). Both the framework
(1999) and the assurance standard (version 2003) are available to download for free via
http://www.accountability.org.uk/aa1000/default.asp (30 April 2005). The consultation document on the
AA1000 Assurance Standard Guiding Principles from June 2002 can be consulted via
http://www.accountability.org.uk/uploadstore/cms/docs/AA1000S%20Assurance%20Standard%20Guiding%20
Principles%20Consultation%20Document.pdf (30 April 2005).

The standard was drawn up by ‘Social Accountability International’ (SAI) for the first time in
1997.
It can assist the internal auditor by providing him with a number of aspects of social
accountability in general and will be of specific use for the internal auditor whose
organization is preparing for social accountability certification.166

In the end, all these tools on corporate social responsibility should result in what is known as
triple bottom line reporting. ‘TBL reporting is defined as corporate communication with
stakeholders that describes the company’s approach to managing one or more of the
economic, environmental and/or social dimensions of its activities and through providing
information on these dimensions’. 167

It becomes clear that while different ‘domains’ of corporate governance are being ‘explored’,
at the same time new measuring and evaluation tools are being developed.

Moreover, the tools discussed above are not the only tools the internal auditor can apply in his
evaluation of the corporate governance processes of his or her organization.

The internal auditor has the opportunity to add value to the organization by pointing out those
aspects or issues which management has not yet fully considered, which could be improved upon,
or with which the organization is not in compliance to the full extent.
The resourcefulness of the internal auditor will prove to be one of his or her critical success
factors.

6. Other tools
Additional, more general but no less important, tools which may enhance this resourcefulness
may be:

- thorough knowledge of pertinent frameworks168
- attendance of IIA and other professional seminars offering additional valuable information
on how to tackle corporate governance related audit aspects.
- IIA guidance through articles and position papers on specific subjects169
- information via focussed searches on the internet, keeping abreast of specific (new)
developments which may be of assistance in preparing audit assignments.170

166
More info can be found via the Council for Economic Priorities Accreditation Agency via www.cepaa.org
(30 April 2005). The SA8000 standard can be consulted via
http://www.cepaa.org/Document%20Center/2001StdEnglishFinal.doc (30 April 2005).
167
Definition from ‘Sustainability: a guide to triple bottom line reporting’, Group of 100 incorporated, Australia
2003 via http://www.ey.com/global/download.nsf/Australia/AABS_G100Guide/$file/G100_guide-tbl-
reporting2003.pdf (30 April 2005). This 53-page booklet offers a concise, clear and comprehensible overview
of what TBL is all about. It includes reference to a number of corporate governance attributes and aspects, to the
different stakeholders involved, to the accountability standards, the Global Reporting Initiative, etc…
168
One of the ‘common’ tools available to the internal auditor is the variety of frameworks, offered by different
organizations, which he can consult for guidance in his auditing function. These frameworks include e.g. COSO
Internal Control – Integrated Framework (see also chapter IV. 5 p. 25), CoCo (the Canadian internal control
framework meaning ‘Criteria Of Control’), Cobit (Control Objectives for Information and related Technology)
which can be consulted via www.isaca.org) etc…. Moreover, these organizations are constantly gathering
information and steering their activities in the directions of ‘what matters today’. That is the reason why the
Canadian CoCo Board has changed its focus and even its name to the Risk Management and Governance Board.
For similar reasons, COSO developed its ERM framework.
169
An example is the position paper ‘Internal auditing’s Role in Sections 302 and 404 of the U.S. Sarbanes-
Oxley Act of 2002’ via www.theiia.org/iia/download.cfm?file=1655 (07 May 2005)

- benchmarking
- seeking outside assistance-information
- computer assisted audit techniques (CAATS)171
etc…

Moreover, the IIA ‘Standards for the Professional Practice of Internal Auditing’, in particular
the performance standards, will guide the internal auditor throughout his internal auditing
assignments in general.

Finally, when dealing with measuring, one should keep in mind that measuring
(benchmarking or any other way) needs to be repeated on a regular basis since ‘best practices’
may evolve over a period of time. Moreover, as far as corporate governance is concerned,
there really is no ‘one-size-fits-all’ solution.

In this chapter we have seen that there is a close relation between the success of corporate
governance and the role of the internal auditor in the organization. We have dealt with the
relationship between corporate governance and the internal auditor and the IIA standards
available on this issue. We have taken a closer look at some of the implications on the audit
profession, not in the least the contribution which is expected by various stakeholders of the
internal auditor. We have looked at the place the internal auditor holds in the stakeholder
structure. We have pointed out a number of particular aspects which deserve special attention
by the internal auditor and which are at the same time fundamental to sound corporate
governance. And finally we have discussed a number of possible tools which can help the
internal auditor to evaluate or measure the corporate governance performance. We must,
however, not forget that the internal auditor can, at most, provide only reasonable assurance.
Moreover, the pressure that is constantly present can lead to a number of actions which may
impede the achievement of the objectives of internal control. One of these actions is
‘management override’. Although instances may be possible in which management override
is justifiable, we should always bear in mind that: ‘a well-designed control structure, if set
aside at management’s discretion, can be equivalent to no controls in terms of risk
exposures.’172

170
An example of such an item is the Reputation Quotient, an assessment tool aimed at measuring perceptions of
corporate reputation but at the same time offering some kind of elementary framework that can be used by the
internal auditor to learn more about the drivers of corporate reputation. Info via
http://www.harrisinteractive.com/expertise/reputation.asp (07 May 2005) or
http://www.12manage.com/methods_corporate_reputation_quotient.html (07 May 2005)
171
Computer applications including not only Excel but especially applications such as ACL or IDEA can assist
the internal auditor in increasing the added value he brings to his organization. Especially in the field of
assurance, such applications offer a number of possibilities in terms of sampling and full database analysis (no
record limitations). Also in the ‘field’ of fraud detection e.g., these applications can prove a valuable instrument.
172
Ratcliff, Richard L., Wallace, Wanda A., Sumners, Glenn E., McFarland, William G., Loebbecke, James K.,
‘Internal auditing, principles and Techniques, Second Edition’, The Institute of Internal Auditors, 3rd printing,
2001, p. 113.

Conclusions
Over the past few years, ‘business disasters’ hit hard and unexpectedly. Not just in the US,
but all over the world corporate ‘malfunctions’ happened. Even before ‘earth shaking’ affairs
such as Enron and Worldcom, Europe had already experienced its own ‘share’ of the trouble
with the collapse of companies such as Lernout and Hauspie in Belgium and SwissAir in
Switzerland.
And even today the general consensus is the following: we have regulations, external auditors,
stock exchange commissions, financial analysts, audit committees, internal auditors etc… and
still we are being ‘fooled’. The pressure on corporate governance is on.

This paper aimed at producing a number of reflections on the phenomenon of corporate
governance for the benefit of the internal auditor. It started by trying to explain the meaning
of the term ‘corporate governance’, gave a brief historical review, discussed different
attributes and aspects followed by the possible impact on the media to end with a number of
reflections on the relationship between corporate governance and the internal auditor in a
broad sense. It took a closer look at the implications corporate governance can have on the
audit profession, at the position of the internal auditor in this corporate governance
environment, at a number of special aspects which may deserve special attention by the
internal auditor and finally at a number of more or less specific tools the auditor has at his
disposal to fulfill his role with due professional care thus meeting the expectations of his
stakeholders.

Throughout the paper, we have encountered a number of findings, arguments and hints for
possible improvement or further development of corporate governance. Those are precisely
the issues the internal auditor has to pay attention to.

A striking finding is that a lot of codes still include ‘recommendations’, i.e. voluntary rules.
Does that mean that those in favor of ‘minimal rules’ are wrong? Or that more rules will stop
fraud, cheating, lying and deceiving?
On the one hand we see that a number of (U.S.) developments concerning regulating
corporate governance all point in the direction of making more ‘compulsory’ rules.
For the internal auditor, rules are a handy instrument in the area of control activities. They
allow him to perform targeted compliance audits. Without rules, or procedures for that
matter, there is no compliance in the strict sense of the word. So the advantage of rules is that
they serve as checking tools for compliance.

On the other hand, rules offer no guarantees. Rules will not stop future incidents. So let us be
vigilant: If you give people a rule, they will find a way out or around it. We should enforce
good governance principles so that one can interpret what has been done.
‘Corporate scandals of recent years have clearly shown that the plethora of laws of the past
century have not eliminated the less savory side of human behavior. Rules cannot substitute
for character.’173

The tone at the top and the quality of the control environment as defined by COSO form the
only valid basis on which a sound internal control system is built to enhance a correct
application of corporate governance practices. ‘Official policies specify what management

173
Quote by Alan Greenspan, US federal Reserve Chairman, April 16, 2004 via
http://www.federalreserve.gov/boarddocs/speeches/2004/20040416/default.htm (30 April 2005)

wants to happen. Corporate culture determines what actually happens, and which rules are
obeyed, bent or ignored. Top management – starting with the CEO – plays a key role in
determining the corporate culture.’174

Companies can play 100% by the rules and still ‘fool’ their shareholders and stakeholders.

Furthermore, it has become clear from the paper that corporate governance is a lot more than
rules and compliance and that a lot of it has to do with ‘attitudes’ and ‘decent behavior’ for
which there are few rules.

Moreover, the evaluation of an organization by the larger community is largely influenced by
feelings and expectations of stakeholders outside the organization on the one hand while on
the other, the evaluation by the shareholders is mainly influenced by profit, prospect and trust.
This results in tension and pressure on the organization in general and on management in
particular.
In the 1990s so many people had invested their earned savings in stock that there was
absolutely no way listed companies could, would or should fail!
That was the pressure: ‘To be the best!’

And many boards were so interested in those rising stock prices and their own increasing
wealth, that they were slowly but surely falling asleep with self-interest.

As early as September 1998, Arthur Levitt, former SEC chairman, warned of Enron-like
‘accidents’: ‘Increasingly, I have become concerned that the motivation to meet Wall Street
earnings expectations may be overriding common sense business practices. Too many
corporate managers, auditors, and analysts are participants in a game of nods and winks. In
the zeal to satisfy consensus earnings estimates and project a smooth earnings path, wishful
thinking may be winning the day over faithful representation.’ 175

Good corporate governance, however, according to many sources, is all about accountability
but also about prosperity. Therefore, corporate governance means learning how to live with
different pressures and expectations while keeping things ‘under control’. In order to do so,
there must be a sound internal control system (management), a professional internal control
oversight (board – audit committee) and a thorough internal control evaluation (internal and
external auditors).

Corporate governance is a compilation of numerous aspects all aiming at contributing to the
realization of the attributes to which corporate governance aspires.
The ultimate objective being: ‘to meet the expectations of all stakeholders’.
The internal auditor therefore must not only be familiar with these attributes and these
aspects, but he is also expected to evaluate the system which is meant to provide reasonable
assurance concerning the achievement of that objective. The internal auditor can add value by
helping to provide assurance to the stakeholders (via the audit committee) that the system
which looks after their expectations and interests is efficient and effective.
‘Internal audit has become a participant of corporate governance as a key pillar in assuring

174
Committee of Sponsoring Organizations of the Treadway Commission (COSO), ‘Internal Control –
Integrated Framework’, Vol. I, 1994, p. 36.
175
Bill Parish, ‘Chairman Levitt Announces Action Plan to Improve Quality of Corporate Financial Reporting’,
via http://www.billparish.com/19980928levittspeech.html (30 April 2005).

that the board can fulfill its task as good as possible’ 176

How can he do this? He can do this simply by doing his job the best way he possibly can,
giving due attention to those aspects of the organization which are crucial to the achievement
of ‘all’ objectives, thereby applying ‘due professional care’. By using his skills and his
experience. By relying on the standards provided by the IIA and by using every tool available
which may help him to fulfill his responsibility in the best possible way.
Regularly, new or improved tools are (sometimes freely) provided by different sources.
Courses and seminars aim continuously at guiding and training the internal auditor in all
aspects of the auditing profession, including aspects of corporate governance.
As stated in the introduction, a large number of links and supplementary information are
provided through a multitude of footnotes and the appendix of useful internet addresses so
that the paper itself may be used as a consulting tool to the internal auditor or any other
interested reader.

Throughout the paper, it has become obvious that corporate governance is ‘on its way’ and
that the opportunities for the internal auditor to put his ‘mark’ on the process are manifold.
Corporate governance is often referred to as ‘doing the right things and doing things right’.
However it is also often defined by what others think or feel, and once the definition is there,
it is very difficult to change it for the better. That is why business nowadays depends
increasingly more on ‘ethics and values’, fair play, honesty, openness etc… because
businesses just can no longer afford to ‘mess things up’: one error can be fatal!
Moreover, the past ‘accidents’ have resulted in a ‘there is no more room for excuses’ mood.
So the internal auditor must be ‘on top’ of things, exercising his risk assessment in all its
aspects and giving timely signals to the board and management in order to ‘safeguard’ the
organization in every possible way.

And while the internal auditor up until a short while ago just might have been somewhat
reluctant to ‘rock the boat’, it must be clear that he will go down with the boat if he does not
rock it in time!

Hopefully this paper can contribute to this awareness and help the internal auditor in his
constant search for ways to add value to his organization, for then the paper will have
achieved its objective.

176
Quote from the speech by Dominique Vicenti, Vice President of Global Practices Center, IIA Inc, during the
IIA Belgium General Assembly on 22 April 2005.

Bibliographical sources
Books
Committee of Sponsoring Organizations of the Treadway Commission (COSO), ‘Internal Control –
Integrated Framework’, (Executive Framework, Framework, Reporting to external Parties, Addendum
to ‘reporting to external parties’), AICPA, Jersey City, two-volume edition 1994, Vol. I, pp. 155

Committee of Sponsoring Organizations of the Treadway Commission (COSO), ‘Internal Control –
Integrated Framework’, (‘Evaluation Tools’), AICPA, Jersey City, two-volume edition 1994, Vol. II,
pp. 203

De Samblanx, Michel J., ‘Auditcomités and Corporate Governance’, Studies IBR, Controle 3/95,
Antwerpen, 1995, pp. 96

Institute of Internal Auditors Research Foundation, ‘Audit Committee effectiveness – What Works
Best’, prepared by Pricewaterhouse Coopers, 2nd edition, 2000, pp. 101

Institute of Internal Auditors Research Foundation, ‘Corporate Governance and the Board - What
Works Best’, prepared by Pricewaterhouse Coopers, 2000, pp. 107

Ratcliff, Richard L., Wallace, Wanda A., Sumners, Glenn E., McFarland, William G., Loebbecke,
James K., ‘Internal auditing, principles and Techniques, Second Edition’, The Institute of Internal
Auditors, 3rd printing, 2001, pp. 1105

Root, S.J., ‘Beyond Coso: Internal Control to enhance Corporate Governance’, John Wiley & sons,
Inc., New York, 1998, pp. 340

Verschoor, Curtis C., ‘Audit Committee Briefing: understanding the 21st century audit committee and
its governance roles’, The Institute of Internal Auditors, 2000, pp. 59

Articles, papers and reports


Aitsi, Peter, John, ‘Media Ethics and Corporate Governance’, paper presented at the PNGID
Conference, 18 April 2002, via http://www.pngid.org.pg/host_pngid/aitsi.html (23 April 2005).

Arthur Andersen, ‘Ethical concerns and Reputation Risk Management, a study of leading UK
companies’, December 1999, pp. 52, via http://www.globalethics.org/andersonrpt.pdf (30 April 2005).

Balkaran, Lal, ‘Curbing Corruption’, Internal Auditor, February 2002, pp. 40-47.

Barrier, Michael, ‘Relating to the Audit Committee’, Internal Auditor, April 2002, pp. 29-30.

Barrier, Michael, ‘The Crisis in Governance’, Internal Auditor, August 2002, pp. 50-53.

Barrier, Michael, ‘Principles, Not Rules’, Internal Auditor, August 2003, pp. 68-73.

Barrier, Michael, ‘A New Dey in Canada’, Internal Auditor, October 2003, pp. 41-45.

Basel Committee on Banking Supervision, ‘Enhancing Corporate Governance for Banking
Organisations’, Basel, September 1999, pp. 11, via http://www.bis.org/publ/bcbs56.pdf (17 April
2005).

Basel Committee on Banking Supervision, ‘Internal audit in banks and the supervisor’s relationship
with auditors’, Basel, August 2001, pp. 19, via http://www.bis.org/publ/bcbs84.pdf (17 April 2005).

Beasley, M., Salterio, S., ‘The Relationship Between Board Characteristics and Voluntary
Improvements in Audit Committee Composition and Experience’, 2001, pp. 39, via
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=272590 (17 April 2005).

Beasley, Mark S., Clune, Richard and Hermanson, Dana R., ‘ERM a status report’, Internal Auditor,
February 2005, pp. 67-72.

Bookal, Leroy E., ‘Internal Auditors: Integral to Good Corporate Governance’, Internal Auditor,
August 2002, pp. 44-49.

Business Roundtable, ‘Statement on Corporate Governance’, September 1997, pp. 21, via
http://www.businessroundtable.org/pdf/11.pdf (13 April 2005).

Business Roundtable, ‘Principles of Corporate Governance’ May 2002, pp. 28, via
http://www.brtable.org/pdf/704.pdf (17 April 2005).

Business Week Online, ‘Special report – The Crisis in Corporate Governance; Analysts’ May 6, 2002,
via http://www.businessweek.com/magazine/content/02_18/b3781706.htm (23 April 2005).

Cadbury Report: ‘The financial aspects of corporate Governance’, London, December 1992, pp. 89,
via http://www.blindtiger.co.uk/IIA/uploads/2c9103-ea9f7e9fbe--7e15/Cadbury.pdf (15 April 2005).

Cardon Report: ‘Corporate governance code for Belgian listed companies’ December 1998, pp. 10 via
http://www.ecgi.org/codes/code.php?code_id=14 (15 April 2005).

Cheffins, Brian R., ‘Corporate governance Reform: Britain as an Exporter’, December 1999, pp. 37,
via http://papers.ssrn.com/sol3/delivery.cfm/000307304.pdf?abstractid=215950 (16 April 2005).

Chen, C.W. Kevin, Chen, Zhihong and John Wei, C.K., ‘Disclosure, Corporate Governance, and the
Cost of Equity Capital in Emerging Markets’, Hong Kong, October 2004, pp. 46 via
http://www.accountancy.smu.edu.sg/research/seminar/pdf/Kevin_Chen.pdf (17 April 2005).

Cima (Chartered Institute of Management Accountants), ‘Enterprise Governance: Getting the Balance
Right’ 2004, pp. 58, via http://www.cimaglobal.com/cps/rde/xbcr/SID-0AAAC564-
CD800EAD/live/enterprise_governance_report_2004.pdf (30 April 2005).

Code Buysse ‘Corporate governance, Recommendations à l’attention des entreprises non-cotées en
bourse’ (draft version in French), April 2005, pp. 24, via
http://www.ucm.be/ucm/ewcm.nsf/0/5066c3fee76b7e84c1256fc8004b0dfa/$FILE/Projet%20Code%20Corporate%20governance%20PME.pdf (20 April 2005).

‘Combined Code, principles of good corporate governance and code of best practice’, June 1998,
(revised version May 2000) via http://www.ecgi.org/codes/documents/combined_code.pdf (16 April
2005).

‘Combined Code on Corporate Governance’, July 2003, pp. 82 via
http://www.ecgi.org/codes/documents/combined_code_final.pdf (16 April 2005).

Committee of Sponsoring Organizations of the Treadway Commission (COSO), ‘Coso Enterprise Risk
Management – Integrated Framework’, (Executive summary) September 2004, pp. 7 via
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf (30 April 2005).

D’Arcy, Stephen P., ‘Enterprise Risk Management’, University of Illinois, May 2001, pp. 24, via
http://www.cba.uiuc.edu/~s-darcy/papers/erm.pdf (30 April 2005).

De Samblanx, Michel J., ‘Corporate governance en niet-genoteerde vennootschappen met een casus
over een familiale vennootschap’, Economisch en Sociaal Tijdschrift, Antwerpen, 1999/2, pp. 313-
349.

De Wulf, Hans, ‘Corporate Governance: een Inleiding’, Notarieel en Fiscaal Maandblad, 1998, 8, pp.
189-209.

Dyck, Alexander and Zingales, Luigi, "The Corporate Governance Role of the Media", August 2002,
CRSP Working Paper No. 543, pp. 38 via http://papers.ssrn.com/sol3/papers.cfm?abstract_id=335602
(23 April 2005).

EASD (European Association of Security Dealers), ‘Corporate Governance Principles and
Recommendations’, Brussels, May 2000, pp. 34, via
http://www.ecgi.org/codes/documents/easd_cg_pr.pdf (16 April 2005).

ECIIA (European Confederation of Institutes of Internal Auditing), position paper ‘the internal
auditor’s role in the prevention of fraud’, October 1999, pp.19, via
http://www.iia.dk/Positionpaperfraud.pdf (30 April 2005).

ECIIA (European Confederation of Institutes of Internal Auditing), ‘Internal Control and Internal
Auditing: Guidance for Directors, Managers and Auditors.’, November 2000, pp.12
http://www.iia.dk/EC%20Comm%20Paper%20on%20Int%20cont%20etc.doc (24 April 2005).

ECIIA (European Confederation of Institutes of Internal Auditing), ‘Internal Auditing In
Europe’ (position paper), Brussels, February 2005, pp. 70.

Ernst & Young, ‘What is Corporate Governance’, March 2004, pp. 16, via
http://www.ey.com/global/download.nsf/Australia/Corporate_Governance_-_What_is_Corporate_Governance_-_Feb_2004/$file/CorpGov_WhatisCG.pdf (14 April 2005).

European Commission Green Paper: ‘The Role, the Position and the Liability of the Statutory Auditor
within the European Union’, 1996, pp. 38, via
http://europa.eu.int/comm/internal_market/auditing/docs/other/700996en.pdf (23 April 2005).

Greenbury Report, July 1995, via http://www.ecgi.org/codes/documents/greenbury.pdf (16 April
2005).

Gregory, Holly J., & Simms, Marcia E., ‘Corporate Governance: What it is and why it Matters’, via
http://www.transparency.org/iacc/9th_iacc/papers/day2/ws3/d2ws3_hjgregorymesimms.html (17
April 2005).

Guha, S., ‘Corporate governance – Important for successful insurance’, March 2002, via
http://www.thehindubusinessline.com/bline/2002/03/12/stories/2002031200081300.htm (15 April
2005).

Hampel Report via http://www.ecgi.de/codes/documents/hampel23.pdf (16 April 2005).

IIA (Institute of Internal Auditors): ‘Internal Audit and the Audit Committee: Working together
toward common goals’, via http://www.theiia.org/index.cfm?doc_id=372 (17 April 2005).

IIA (Institute of Internal Auditors), ‘Professional Practices Framework’, via
http://www.theiia.org/ecm/guidance.cfm?doc_id=1625 (15 April 2005).

IIA (Institute of Internal Auditors), ‘Internal auditing’s Role in Sections 302 and 404 of the U.S.
Sarbanes-Oxley Act of 2002’, 2004, pp. 12 via http://www.theiia.org/iia/download.cfm?file=1655 (07
May 2005).

IIA Belgium, ‘Internal Audit is your essential partner in Governance, Control and Risk’ (position
paper), Brussels, March 2005, pp. 33.

IIA UK and Ireland, ‘The role of Internal Audit in Risk Management’, London, June 2002, pp.4, via
http://www.blindtiger.co.uk/IIA/uploads/-38c9a362-ed71ce5fa5--7778/PositionStatementRiskManagement.pdf (30 April 2005).

IIA, UK and Ireland ‘Position Statement, The Role of Internal Audit in Enterprise-wide Risk
Management’ London 2004, pp. 6, via
http://www.blindtiger.co.uk/IIA/uploads/-3851753f-fe67ecc7cf--7f4e/200409ERMPositionstatement.pdf (30 April 2005).

Jackson, Russell A., ‘Principles versus Rules’, Internal Auditor, October 2004, pp. 56-61.

Jensen, Michael C., ‘The Modern Industrial Revolution, Exit, and the failure of Internal Control
Systems’, 1993, pp. 64, via http://papers.ssrn.com/sol3/paper.taf?ABSTRACT_ID=93988 (17 April
2005).

Joscelyne, Graham J., ‘Balancing Relationships’, Internal Auditor, February 2004, pp. 35-36.

Kaye, B., ‘Compliance and Corporate Culture: Making the Most Out of Codes of Ethics’, The
Australian Journal of Management, Vol.21, N° 1, June 1996 pp. 11, via
http://www.agsm.unsw.edu.au/eajm/9606/pdf/kaye.pdf (17 April 2005).

King Report 1994, chapter 20 ‘the code of corporate practices & conduct’ via
http://www.ecgi.org/codes/documents/king_i_sa.pdf (17 April 2005).

King Report 2002, executive summary, via
http://www.ecgi.org/codes/documents/executive_summary.pdf (17 April 2005).

Lockheed Martin, ‘Setting the Standard, Code of Ethics and Business Conduct’, January 2005, pp.53
via http://www.lockheedmartin.com/data/assets/7856.pdf (17 April 2005).

Lowenstein, L., ‘Corporate Governance and the Voice of the Paparazzi’, Working Paper No 132,
Columbia Law School, New York, February 1999, pp. 54, via
http://papers.ssrn.com/paper.taf?abstract_id=163386 (23 April 2005).

Martin, Roger L., ‘The Virtue Matrix: Calculating the Return on Corporate Responsibility’, Harvard
Business Review, March 2002, reprint pp. 8 (can be purchased via www.hbsp.harvard.edu) (23 April
2005).

McKinsey & Company, ‘Investor Opinion Survey’ London, June 2000, pp. 17, via
http://www.mckinsey.de/_downloads/knowmatters/organisation/investor_opinion.pdf (17 April
2005).

McKinsey & Company, ‘Global Investor Opinion Survey, Key Findings’, July 2002, pp. 17, via
http://www.mckinsey.com/clientservice/organizationleadership/service/corpgovernance/pdf/GlobalInvestorOpinionSurvey2002.pdf (17 April 2005).

McNamee, D., ‘The Governance Loop: Protecting Stakeholder Interests’, via
http://www.mc2consulting.com/govloop.htm (25 April 2005).

Meeus, D., ‘De Recente Belgische Aanbevelingen inzake Corporate Governance’ in ‘Corporate
Governance, het Belgisch perspectief’, Antwerpen-Groningen, Intersentia Rechtswetenschappen, 1999,
pp. 35-54.

New York Stock Exchange ‘Corporate Governance rules proposals’, 2002 via
http://www.nyse.com/pdfs/corp_gov_pro_b.pdf (16 April 2005).

New York Stock Exchange, ‘Final NYSE Corporate Governance Rules’ 2003, via
http://www.nyse.com/pdfs/finalcorpgovrules.pdf (30 April 2005).

OECD (Organisation for Economic Cooperation and Development), ‘OECD Principles of Corporate
Governance’, 2004, pp. 65, via http://www.oecd.org/dataoecd/32/18/31557724.pdf (16 April 2005).

Office of the controller of the currency, ‘Detecting Red Flags In Board Reports, a Guide for
Directors’, Washington DC, October 2003, pp. 54, via http://www.occ.treas.gov/RF_Book.pdf (24
April 2005).

Orsini, Basil, ‘Mature Risk Management’, Internal Auditor, August 2002, pp. 66-67.

Percy, J.P., ‘Auditing and Corporate Governance – a Look Forward into the 21st Century’, in
International Journal of Auditing, 1(1), 3-12, 1997 pp.1-12.

Pinnacle West, ‘Doing the right thing’, March 2004, pp. 39, via
http://www.pinnaclewest.com/files/DTRT_27Apr04.pdf (17 April 2005)

Pozen, Robert C., ‘Can European Companies Escape US Listings?’, Cambridge, 03/2004, pp. 4, via
http://www.law.harvard.edu/programs/olin_center/corporate_governance/papers/Pozen-European-Companies-464.pdf (17 April 2005).

Pricewaterhouse Coopers, ‘Risk Management & Internal Audit Practices’, 2002, pp.10, via
http://www.pwcglobal.com/extweb/pwcpublications.nsf/4bd5f76b48e282738525662b00739e22/9053f1d01e0c535a85256b6e005e369e/$FILE/02_0641iassurvey.pdf (07 May 2005).

‘Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of
Corporate Audit Committees’, New York, 1999, pp.73, via http://www.nyse.com/pdfs/blueribb.pdf
(15 April 2005).

Rittenberg, Larry E., ‘Lessons for Internal Auditors’, Internal Auditor, April 2002, p. 32.

Ridley, Anthony J., ‘The Underutilized Internal Auditor’, via
http://www.theiia.org/ecm/guide-ia.cfm?doc_id=347 (15 April 2005).

Roussey, Robert S., ‘A case for Global corporate Governance Rules: An Auditor’s Perspective’ in
International Journal of Auditing, 4, 2000, pp. 203-211.

Sarbanes-Oxley Act of 2002, via
http://www.pcaobus.org/About_Us/Sarbanes_Oxley_Act_of_2002.pdf (16 April 2005).

‘The Belgian Code on Corporate Governance’, Brussels, 9 December 2004, pp. 36, via
http://www.corporategovernancecommittee.be/library/documents/final%20code/CorpoGov_UK.pdf
(16 April 2005)

Thomas, William C., Clements, Curtis E., ‘The Internal Auditor’s Role in the Detection and
Prevention of Fraud: A Post-SAS No. 82 Analysis’, January 2002, pp. 33, via
http://raw.rutgers.edu/raw/aaa/audit/midyear/02midyear/papers/1-16-02%20Draft.doc (30 April
2005).

Treadway Commission (National Commission on Fraudulent Financial Reporting), ‘Report of the
National Commission on Fraudulent financial Reporting’, 1987, pp. 192, via
www.coso.org/Publications/ncffr.pdf (15 April 2005).

Turnbull Report (Internal Control, Guidance for Directors on the Combined Code), London,
September 1999, pp. 15, via http://www.ecgi.org/codes/documents/turnbul.pdf (16 April 2005) or
http://www.icaew.co.uk/viewer/index.cfm?AUB=TB2I_6342&tb5=1 (16 April 2005).

Van den Berghe L., ‘Beyond ‘Corporate’ Governance: an overview of the challenges in front of us’,
2001, pp.4, via http://www.ivb-ida.com/documenten/EN_beyond_LVDB.pdf (23 April 2005).

Van den Berghe L., Carchon S., ‘Corporate Governance Practices in Flemish Family businesses’,
September 15, 2001, pp. 24, via http://papers.ssrn.com/sol3/papers.cfm?abstract_id=288287 (17
April 2005).

Velury U., Reisch J., O’Reilly D, ‘Corporate Governance and the Selection of Industry Specialist
Auditors’, pp. 35 via
http://accounting.rutgers.edu/raw/aaa/audit/midyear/02midyear/2002%20Midyear%20Audit%20Conference%20Program.htm (15 April 2005).

Verschoor, Curtis C., ‘The Ethical Climate Barometer’, Internal Auditor, October 2004, pp. 48-53.

Walker, Paul L., Shenkir, William G. and Barton, Thomas L., ‘ERM in practice’, Internal Auditor,
August 2003, pp. 51-55.

‘What is Corporate Governance’, via http://www.indiainfoline.com/nevi/what.html (15 April 2005).

Yeoh E., Jubb C., ‘Governance and Audit Quality: Is there an Association?’, University of Melbourne,
Australia, December 2001, via
http://accounting.rutgers.edu/raw/aaa/audit/midyear/02midyear/2002%20Midyear%20Audit%20Conference%20Program.htm (15 April 2005).

APPENDIX: USEFUL INTERNET ADDRESSES
Just enter ‘corporate governance’ or ‘audit’ as the search criterion in one of the many search
engines on the World Wide Web and you will be overwhelmed with all kinds of links, some
far more interesting than others. In order to help you, should you like to make a first
‘reconnaissance’ tour, the following list may offer a selection of interesting links.

- AccountAbility: www.accountability.org.uk
- Association of Certified Fraud Examiners: www.cfenet.com
- Auditnet: www.auditnet.org
- Bank for International Settlements (Basel Committee): www.bis.org (list of papers
www.bis.org/bcbs/publ.htm )
- Business Ethics (corporate responsibility magazine): www.business-ethics.com
- Business for Social Responsibility: www.bsr.org
- Business Round Table: www.businessroundtable.org
- Canadian Institute of Chartered Accountants (CICA): www.cica.ca
- Committee of Sponsoring Organizations of the Treadway Commission: www.coso.org
- Corporate Governance Network: www.corpgov.net
- Enterprise Risk Management Portal: www.erisk.com/portal/home.asp
- Ethics web: www.ethicsweb.ca/codes/
- European Corporate Governance Institute: www.ecgi.org (codes
www.ecgi.org/codes/all_codes.php)
- Global Corporate Governance Forum: www.gcgf.org
- Global Reporting Initiative: www.globalreporting.org
- Institute of Internal Auditors (IIA): www.theiia.org
- International Corporate Governance Network: www.icgn.org
- IT Governance Institute: www.itgovernance.org
- KPMG audit Committee Institute: www.us.kpmg.com/auditcommittee
- New York stock Exchange: www.nyse.com
- Organisation for Economic Cooperation and Development: www.oecd.org
- Public Company Accounting Oversight Board: www.pcaobus.org
- Risk info: www.riskinfo.com
- Social Science Research Network: www.ssrn.com
- SRI media (Corporate Governance News): www.srimedia.com
- Transparency International: www.transparency.org
- The Corporate Library: www.thecorporatelibrary.com
- World Bank Group: www.worldbank.org
- World Council for Corporate Governance: www.wcfcg.net
