Archive for August, 2011

Published by Todd Davies on 21 Aug 2011

Could internal audit have prevented the News Corp Scandal?

Viewpoint

Could the internal audit team at News Corp have identified and clamped down on the illegal activities of their journalists?  Todd Davies doesn’t think so.

The News of the World scandal is causing ripple effects around the world, with commentators in Australia and abroad beginning to ask questions about News Corp’s corporate governance. They are also starting to ask questions on the role of independent directors, audit committees, risk management and internal audit which could have broader implications outside the media sector.

Challenges with News Corp’s corporate governance

It’s no secret in Australia that News Corp’s governance has been controversial for some time, although usually for the likes of poison pills rather than risk and assurance.

However, now in light of the phone hacking scandal, international commentators are beginning to ask about News Corp’s audit committee, the composition of it and whether internal audit was truly independent of management. While these are all important issues for any director to consider, in our view, the focus needs to be on the newsroom itself.

How do you audit a newsroom?

People might be surprised to hear this – in fact, I’m surprised to hear myself saying it – but I’m standing behind News Corp on this. Well, I’m standing behind their internal audit team anyway. I’ve met many of their people. I like them all. I trust them and respect them and a lot of what they do. Many of their practices are upper quartile and are an exemplar of modern practice. So the reality is, if they’ve got problems, we’ve probably all got problems.

The bigger issue is how you audit a newsroom. It’s very different to the usual audit procedures. We can audit back office functions – accounts payable, accounts receivable, treasury. We can chase the money trails and see where they lead. We can audit logistics, distribution and supply chain. We can audit IT systems, business continuity and the like. But auditing a newsroom is hard.

The challenge with newsrooms is that journalists need to protect their sources, in the same way that auditors need to protect their whistle blowers. They have a long-established culture, a code of ethics that looks very much like the code of ethics of an accountant – and a barrage of case law to support it.

There’s been no shortage of controversial cases on this in Australia where media companies have stood side by side to allow journalists to protect their sources. It’s a place where confidentiality is everything. As such, it’s really hard to get to the heart of the matter as an outsider. Or even as the editor.

You may be able to get a sense of the culture by spending time in the newsrooms. Some titles are methodical and measured. Some are like lunatic asylums with people hanging from the rafters. You might be able to let the people upstairs know that you don’t like the culture in the lunatic asylum and that the editor of a certain title may need some coaching in management 101. We’ve all done this.

The reality is that in a newsroom you end up auditing their payroll, overtime and contributors. You also go through their expenses so that they know someone is watching. You check a sample of them, ask a few probing questions, make sure they were authorised by the right people. The reality, however, is that this is about as effective as having the occasional patrol car drive down a troubled street. It’s a deterrent at best, but unlikely to find much.

In other words you do the normal stuff and if there was a scandal like this happening, it’s almost impossible to know unless you already suspect something and go looking for it specifically.  No doubt all media companies will go looking for this specific circumstance now, but it will be after the fact. If anything was an issue you can almost guarantee it’s now been shut down.

How do you audit your newsroom?

So, the big issue in a lot of organisations is that while internal audit capabilities keep on evolving, their capabilities are still focused on back office functions. While they understand the core business, they struggle to get at the heart of it.

Internal audit functions in news organisations spend a lot of time auditing in the newsrooms, but they don’t always get to the heart of what’s happening in those newsrooms. Internal audit functions in health organisations spend a lot of time auditing in hospitals and wards, but they don’t get to the heart of what’s happening in clinical governance, in patient care or the culture in those wards. Internal audit functions in manufacturing companies spend a lot of time auditing at mine sites, but it’s hard to get to the heart of what’s happening in the culture on the shop floor. In short, even being on the floor most of the time, things pass right by us.

These are not isolated examples. Every company has its equivalent of a newsroom – something we audit, but only scratch the surface. From my perspective the big question for audit committees and heads of internal audit coming out of the News Corp scandal is around the scope and capabilities of the internal audit activity and whether they’re getting to the heart of matters or just doing a superficial patrol.


This article first appeared in Issue 87 of Risk Magazine, August 2011. Todd Davies was formerly head of audit and risk of Fairfax Media – News Corp’s main newspaper rival in Australia – and a member of the ASX Corporate Governance Council. A summary of the News Corp scandal can be found here.

Published by Todd Davies on 21 Aug 2011

Strategic Risk Management?

Opinion

I’ve been deleting the word strategic from a lot of documents lately.

And it’s assisting immensely.

You see I’ve got this idea that the more times a person uses the word strategic, the more likely it is that the person is puffing or bluffing.

In the risk and assurance space using the word strategic usually does little to aid understanding.  In most cases it’s just misleading.

Take the term ‘strategic risk management’ (SRM) which is cropping up everywhere these days.

Somehow SRM has ended up in the accountabilities template for NSW Government agencies. Apparently they’re now supposed to be responsible for strategic risk management rather than good old-fashioned risk management. Now this would be fine if anyone knew what SRM is.

I know what risk management is, I even know what enterprise risk management is, but strategic risk management?  Is it the management of strategic risks perhaps?  Or something other than tactical risk management?

The Risk Management Society in New York had a go recently at defining SRM.  They’ve got a discussion document out on it in fact.  The discussion document is useful.  It says that SRM is an evolving discipline – in other words, they don’t know what it is either.

And then take the term ‘strategic audit plan’ which I still see regularly.

These documents are usually a standard audit universe spread over three years. They tend not to consider external conditions or do the other things that strategic documents tend to do. But because their focus is on more than this financial year, the documents must be strategic. The reality is that they’re often anything but.

So when I see the term strategic appear in a charter, article, brochure or job title I get wary.

So the simple solution: delete the word strategic. I do. It adds amazing clarity.

Better still add the letters ‘un’ to the front – ‘unstrategic’, or delete and put ‘tactical, but with a time horizon of slightly longer than 12 months but not longer than my current tenure or bonus timeframe’ in front of it.

I think you’ll find this clarifies many things immensely.

 

This opinion piece was one of the cover stories in Issue 86 of Risk Magazine, July 2011.  Todd Davies has been championing a better understanding on strategic risk for many years and taught the IIA’s first courses on this topic.

He contends that strategic risk is a class of risk in its own right and needs a dedicated identification process involving external viewpoints. TDA’s other articles on this topic can be found here.