Could the internal audit team at News Corp have identified and clamped down on the illegal activities of their journalists?  Todd Davies doesn’t think so.

The News of the World scandal is causing ripple effects around the world, with commentators in Australia and abroad beginning to ask questions about News Corp’s corporate governance. They are also starting to ask questions on the role of independent directors, audit committees, risk management and internal audit which could have broader implications outside the media sector.

Challenges with News Corp’s corporate governance

It’s no secret in Australia that News Corp’s governance has been controversial for some time, although usually for the likes of poison pills rather than risk and assurance.

However, now in light of the phone hacking scandal, international commentators are beginning to ask about News Corp’s audit committee, the composition of it and whether internal audit was truly independent of management. While these are all important issues for any director to consider, in our view, the focus needs to be on the newsroom itself.

How do you audit a newsroom?

People might be surprised to hear this – in fact, I’m surprised to hear myself saying it – but I’m standing behind News Corp on this. Well, I’m standing behind their internal audit team anyway. I’ve met many of their people. I like them all. I trust them and respect them and a lot of what they do. Many of their practices are upper quartile and are an exemplar of modern practice. So the reality is, if they’ve got problems, we’ve probably all got problems.

The bigger issue is how you audit a newsroom. It’s very different to the usual audit procedures. We can audit back office functions – accounts payable, accounts receivable, treasury. We can chase the money trails and see where they lead. We can audit logistics, distribution and supply chain. We can audit IT systems, business continuity and the like. But auditing a newsroom is hard.

The challenge with newsrooms is that journalists need to protect their sources, in the same way that auditors need to protect their whistle blowers. They have a long-established culture, a code of ethics that looks very much like the code of ethics of an accountant – and a barrage of case law to support it.

There’s been no shortage of controversial cases on this in Australia where media companies have stood side by side to allow journalists to protect their sources. It’s a place where confidentiality is everything. As such, it’s really hard to get to the heart of the matter as an outsider. Or even as the editor.

You may be able to get a sense of the culture by spending time in the newsrooms. Some titles are methodical and measured. Some are like lunatic asylums with people hanging from the rafters. You might be able to let the people upstairs know that you don’t like the culture in the lunatic asylum and that the editor of a certain title may need some coaching in management 101. We’ve all done this.

The reality is that in a newsroom you end up auditing their payroll, overtime and contributors. You also go through their expenses so that they know someone is watching.  You check a sample of them, ask a few probing questions, make sure they were authorised by the right people.  The reality however this is about as effective as having the occasional patrol car drive down a troubled street. It’s a deterrent at best, but unlikely to find much.

In other words you do the normal stuff and if there was a scandal like this happening, it’s almost impossible to know unless you already suspect something and go looking for it specifically.  No doubt all media companies will go looking for this specific circumstance now, but it will be after the fact. If anything was an issue you can almost guarantee it’s now been shut down.

How do you audit your newsroom?

So, the big issue in a lot of organisations is that while internal audit capabilities keep on evolving, their capabilities are still focused on back office functions. While they understand the core business, they struggle to get at the heart of it.

Internal audit functions in news organisations spend a lot of time auditing in the newsrooms, but they don’t always get to the heart of what’s happening in those newsrooms. Internal audit functions in health organisations spend a lot of time auditing in hospitals and wards, but they don’t get to the heart of what’s happening in clinical governance, in patient care or the culture in those wards. Internal audit functions in manufacturing companies spend a lot of time auditing at mine sites, but it’s hard to get to the heart of what’s happening in the culture of what’s happening on the shop floor.  In short, even being on the floor most of the time, things pass right by us.

These are not isolated examples.  Every company has it’s equivalent of a newsroom – something we audit, but only scratch the surface. From my perspective the big question for audit committees and heads of internal audit coming out of the News Corp scandal is around the scope and capabilities of the internal audit activity and whether they’re getting to the heart of matters or just doing a superficial patrol.

This article first appeared in Issue 87 of Risk Magazine, August  2011.  Todd Davies was formerly head of audit and risk of Fairfax Media – Newscorp’s main newspaper rival in Australia – and a member of the ASX Corporate Governance Council.  A summary of the News Corp scandal can be found here.

To subscribe to this series of occasional articles and case studies, please click here.

IIA standards suggest that an internal audit function should have an independent assessment of their function every five years to assess their level of compliance with the IIA’s standards. Despite this being recognised as better practice and being a regulatory requirement in some sectors, less than 50% of internal audit functions in Australia are having this done.

It is important in the timing of an external quality assessment that the Chief Auditor understands exactly where they’re at, what the independent review is likely to say, what gaps there are and how to prioritise.

This is where we come in. We work with Chief Audit Executives to get a good handle on their baseline, prioritise their efforts and measure the change they’re making.  We also go further than the IIA standards by giving them a sense of where they sit relative to their the leaders in their field and where the opportunities are to leapfrog their existing practices.

We recommend a self-assessment being undertaken in the first six months after taking over an internal audit or risk function, or 12 months before an external quality assessment is performed to enable the team to understand what needs to be done and prioritise their efforts.

In addition, leading Chief Auditors engage us for an annual assessment and planning exercise of where the greatest opportunities are for improving the effectiveness of their function. These annual discussions go beyond the IIA standards to help them to have a sense of where they are sitting relative to leading practices globally and which ideas are worth focusing on in the next 1-3 years.

Our clients generally experience the following outcomes:

• A clear baseline of where existing practice is sufficient, and where it is deficient
• Ideas on leading practices which may be relevant to their organisation
• A plan of what is required to satisfy the external quality review and what will drive the greatest impact in their organisation
• A plan for how to communicate this to key stakeholders and get their support
• Alignment with corporate and personal goals, objectives and targets
• Access to an ongoing sounding board and source of leading practice ideas
• A great result in the external quality review with no surprises and 1-2 exemplars of best practice

The Institute of Internal Auditors provides a helpful 8 minute YouTube clip on how the quality process works.  Todd Davies & Associates recommends the IIA’s Quality Team for the external quality assessment once a self assessment has been done and a clear improvement plan is in place.

Why Todd Davies & Assocates

At TDA our focus is on helping risk and assurance functions to achieve world’s best practice.  By focusing on this rather than solely on compliance with IIA standards, we make sure you’re set up for success in a way which supports your function, your team as well as your leadership in your organisation. And our deep involvement with the IIA over many years ensures we have deep knowledge of what’s required and expected under the IIA’s framework.

What could you achieve with TDA on your team?

To subscribe to this series of occasional articles and case studies, please click here.

This is often not deliberate, but is a result of different skillsets required to execute the plan and lead the function.  The skills and experiences for today’s leading CAEs are hard to come by, which can result in a glass ceiling for rising stars, and a chasm for succession planning.

Sometimes it’s appropriate to put external support around your rising stars, for example:

• One of your rising stars is in their first CAE role and you want to make sure they’ve got a sounding board to help them through the process as they make their mark
• One of the deputies is ready to take the next step and they could use advice from someone who’s ‘been there, done that, but isn’t my boss’
• You want to accellerate a high-potential team member by giving them access to a different set of perspectives

How we help

Todd Davies deliberately seeks out and works with rising stars – both in advisory arrangements and also in formal and informal mentoring. Having TDA as backup allows rising stars to test ideas, innovate and take risks in a calculated way – with the experience behind them to help them spot the defining moments along the way, and navigate these for best outcomes.

Todd has worked with many over the years including many of the CAEs who have become leaders in listed companies in their early 30s.  We have supported them in these roles in various capacities, including helping them ready themselves to take these roles first time. As a recent ‘rising star CAE’ Todd is able to help rising stars chart their course with great empathy and relevance.*

An example of what we do – The Audit Committee Chat

Before meeting with their Audit Committee Chair and presenting to the Audit Committee, some rising stars will have a trial run with Todd.

Todd will run through their pack, stress test it and ask the difficult questions ahead of the meeting as part of their preparation.  He’ll also give advice on what the audit committee members are probably thinking about, and what their angle is on the papers presented, as well as what they need to cover off from a board perspective in addition to their specific audit committee remit.

Briefing and debriefing afterwards also allows discussion of some of the subtle cues given by the directors, and for the young CAE to handle themselves in a manner far beyond their years.

A resource for aspiring CAEs

The Davies Report aims to fill the void on leadership matters for progressive CAEs.  It is also written with rising stars in mind to help them think beyond the audit plan and engage in some of the issues that leading CAEs think about.

If you’re an aspiring CAE, why not subscribe free of charge from the front page of our website?

Let’s work together

Working with rising stars is the highlight of our working day.

If you are the next CAE or have the next CAE sitting in your team, we’d love to work with you to help them on their journey.

Why not give Todd a call?  (02) 9043 1719

* Todd was appointed CAE of an Australian top 50 while in his early 30s and his work is still referenced as a case study of how to use internal audit to drive change. While he won’t disclose his age on this site, he will say that he is Gen X and it’s been less than 5 years since he left that role.  He’s also working on setting the path for a new generation of audit committee members in NSW.

To subscribe to this series of occasional articles and case studies, please click here.

Speaking & training circuit

Save the date:

• The Black Swan Myth Debunked | Corporate Risk Management – Strategic Resilience for Emerging Risks | May 26-27 2011 | Swisshotel | Sydney

Recent speaking engagements:

• Best practices in public sector internal audit, audit committees and risk management | IIA Asia Pacific Conference (SOPAC)
• New global risk standard – ISO 31000 | Interview with Michael Parkinson on the new global standard (available in streaming video)
• Providing Internal Audit Opinions | National masterclass & webinar series – IIA-Australia
• Understanding Strategic Risk | National masterclass series – IIA-Australia
• Risk and Responsibility | Association of Heads of Australian University Colleges and Halls (AHAUCHI) national congress (available in streaming video)
• Smashing Open the Addiction to Business as Usual | Bryant University / MA Chamber of Commerce (USA)
• The Real Risks of Business as Usual | WA Water Strategy & Climate Change Resilient Futures Strategy Forum
• Audit Opinions – Part of the process or optional extra | AICD National Public Sector Conference
• Building a Good Audit Committee | SOPAC – IIA’s premier regional conference for Australia, South Pacific & Asia (with Jon Isaacs – prominent Audit Committe Chair)
• Futurecasting | Mega trends for forecasting, strategy and risk in a rapidly changing world – ACL user’s forum
• ASX Corporate Governance Council’s Revised Corporate Governance Principles and Recommendations | Intitute of Internal Auditors Canberra Chapter
• Internal audit as a change agent | ICAA Business forum Victoria (CPE week, Melbourne)
• From the Backroom to the Boardroom – a new horizon for Internal Audit | IIA Western Australian Internal Audit congress, Perth
• Fundamental change in the Audit Profession… Where is it going, how will it affect you and what do you need to do about it? | NSW Internal Audit congresses, Sydney, Penrith (IIAA)
• Corporate Governance and Risk Management for Not for Profits and NGOs | Australian Society of Association Executives, Sydney (AuSAE)
• Pulse Radio – a case study in radical innovation | LQA Innovation program, Melbourne
• Fundamental change in the Audit Profession… Where is it going, how will it affect you and what do you need to do about it? | Association of University Auditors (ACUA) Australian National Conference, Sydney.

Academia & education

Todd led and/or developed the majority of short courses and masterclasses for IIA-Australia on complex and emerging areas from 2008-2010. These included:

• Strategic risk
• Mastering the new Principle 7 (Recognise and Manage Risk) of the Australian Stock Exchange Corporate Governance Principles & Recommendations
• The new International Professional Practices Framework
• Providing internal audit opinions
• Technical & Regulatory updates
• A range of other ad-hoc topics.

In addition Todd has been a guest lecturer and tutor at the following:

• Advanced Management Accounting Module | Institute of Chartered Accountants – (CA Program)
• Cashflow forecasting, financial modelling and valuation models | Edith Cowan University (National Enterprise Workshop)
• Company Law – Edith Cowan University | (Bachelor of Business Program)

To subscribe to this series of occasional articles and case studies, please click here.

The article reviews the latest benchmarking study from IIA and Protiviti of 160 heads of internal audit from around Australia and draws out three key themes of interest to those charged with oversight of internal audit and risk management.

Key points

• It is now the norm for internal audit to be independent from management. If you are not in line with the IIA’s Policy Agenda, you may be an outlier.  Given that these are simple mechanical mechanisms, we recommend benchmarking your function against these areas and taking action accordingly.
• Internal audit still struggles to demonstrate compliance with professional standards.  Given that these matters are relatively straight forward, organisations should insist that their internal audit functions and outsourced providers comply with the IIA’s International Professional Practices Framework.
• Quite rightly, strategic risk has entered the top 5 priorities for heads of internal audit, however the reality is that capabilities in this area are embryonic at best. Organisations should assess whether have this capability in-house, and if not take steps to develop it, or periodically engage professional assistance to fill this gap. The first step is to understand what strategic risk is, and this article takes some initial steps towards defining this.

Please feel free to download the article and pass it on. (Download, pdf, 3 pages, 113kB)

For more information on this publication can be found here.

Todd

Related links

Strategic risk and emerging risk capability assessment

To subscribe to this series of occasional articles and case studies, please click here.

Given the major reforms in Queensland and New South Wales in the past 18 months, we will  have a focus on their changes, which are both interesting in their own right.  Queensland has moved to a principles-based approach in a range of respects, while New South Wales is implementing what I believe to be one of the most comprehensive and best thought through approaches to these matters anywhere in the world.  Both will be watched with great interest by other jurisdictions.

On the panel with me will be policy makers NSW and Queensland as well as practitioners at the audit committee and chief auditor level in both states who will be sharing their experiences and viewpoints as they implement the new policy frameworks of approach.  We’ll also be drawing comparisons from the IIA’s policy agenda which was launched by Lindsay Tanner earlier this year as well as canvassing the different jurisdictions in the room (Commonwealth, and state and local government from each state and territory in Australia, New Zealand and abroad).

Building on last year’s debate, this session will be of great interest for those charged with leading governance within government departments and organisations, or charged with policy setting — both to get a sense of where we could / should be going, as well as hearing from those who are already doing it and some of the lessons learned from these.

I’ve promised to make the session “more Jennie Brockie than Tony Jones”  so please pose a question during the session (Tuesday May 11 from 11:15am – sessions 6D & 7D) or come and say hello over the course of the ACIIA/SOPAC Conference.

Looking forward to seeing you there.

Todd

Useful document from the NSW Auditor General.

To subscribe to this series of occasional articles and case studies, please click here.

Disclaimers and caveats in audit reports and engagement letters are often brushed over, until something goes wrong, and then can cause great tension between those providing the internal audit assurance, and those relying on their work. Rightly or wrongly, the classic “where were the auditors” line is begging to be pulled out, and is often the first response.

In my experience, issues usually arise as a result of expectations gaps around the nature of audit opinions rather than negligence, but this takes time to disentangle after the fact. The better option of course, is to get this squared away up front.

As part of my work in helping the market to get more sophisticated about the nature and level of assurance commissioned and provided, I’ll be leading an on-line masterclass for the Institute of Internal Auditors in Australia on Tuesday May 4 from 1:00pm AEST.

Through structured discussion and practical exercises, this course will take participants through a framework for providing internal audit opinions, including being clear on when to use them, how to use them, legal implications, how to navigate overlaps between different assurance standards and frameworks and an appreciation of the IIA’s official guidance in this area.

While this is targeted towards internal auditors in particular, this course will also be relevant for anyone who regularly relies on internal audit reports such as the senior finance team, C-Suite and audit committee members.

For more information and registration, please got to the Institute of Internal Auditors’ Australian website.

To subscribe to this series of occasional articles and case studies, please click here.

After two years working with the Institute of Internal Auditors as their national Technical and Policy Director in Australia, I’ve had a lot of inquiries on why I was moving on, and what’s next.

Risk Magazine Magazine (Australia) published an interview with me this week – Davies Leaves on a High - which covers this in the context of the IIA.

Given that articles can only contain so much, for those who are interested in the full story, our media statement gives a bit more insight into how the last two years of focused effort fits into a long term program of structural change for the the internal audit profession for the betterment of directors, boards, shareholders and the general public.  This is available for download at the link below.

Media Statement – Todd Davies departure from IIA (pdf , 336kB)

For more information, please feel free to contact me directly.

Todd Davies FCA CIA FIIA(Aust) MAICD
(02) 9043  1719

To subscribe to this series of occasional articles and case studies, please click here.

As part of their ongoing roles, Directors and CEOs need to have a deep understanding of the strategic risks and opportunties facing their organisations.  Increasingly they are looking to their internal audit team for a view on whether their company’s risk management systems are adequate, and complete which needs an understanding of strategic risk as well as traditional areas of compliance, reporting and operations.

Strategic risk management is an area which is vital to the long term prosperity and performance of any organisation, yet it is an area which is not well understood or applied.  While auditors and managers are often comfortable with operational, reporting and compliance risk, it is often strategic risk that leads to material and irreversible business disruption. Internal audit teams are now expected to have an understanding of strategic risk and evaluate their organisation’s capabilities in this area as emphasised in Principle 7 of the ASX Corporate Governance Principles & Recommendations.

As part of the Institute of Internal Auditors ongoing work to enhance the capabilities of their members they have engaged TDA to facilitate a series of half-day public courses on strategic risk.   The course covers strategic risk as a distinct segment on the COSO framework, sources of strategic risk, strategic risk capability and a range of concepts to help understand and assess strategic risk.

Developed for Chief Audit Executives, by the end of this course, participants should be able to:

• Differentiate strategic risk from other risk types in the overall risk universe
• Recognise how strategic risk manifests itself
• Assess their organisation’s ability to identify, assess and manage strategic risk
• Identify areas of strategic risk vulnerability in their organisation
• Interact confidently with those responsible for leadership in this area.

Dates for the rest of the year are:

Melbourne: Thursday, September 10 2009

Perth: Friday, September 25 2009

Sydney: Friday, November 6 2009

For more information go to the Education & Events section of www.iia.org.au or call the IIA on (02) 9267 9155.

If you are not an internal auditor and would like a briefing session for your organisation, please contact us at info[at]todddavies.com.au or contact Todd on (0) 422 000 913.

To subscribe to this series of occasional articles and case studies, please click here.

Due to popular demand TDA is now offering advice in this area.

For more information, click here.

To subscribe to this series of occasional articles and case studies, please click here.