Reform required to ASX’s Principle 7?


As the Australian Securities Exchange (ASX) Corporate Governance Council starts its regular review of the Principles and Recommendations, the Institute of Internal Auditors (IIA) has fired an early salvo on the need for change.

Although we’ve learned a lot from the global financial crisis and the destruction of value, the reality is that the hard question remains: when it comes to regulation and preparing for the next big shock, how prepared are we?

ASX Principle 7 – Recognise and Manage Risk is regarded as world-leading in its requirement for CEOs to inform the board of the material business risks facing the organisation and the status of these risks. Changes made to Principle 7 (Recommendation 7.2) in 2007 stated: “The board should require management to design and implement the risk management and internal control system to manage the company’s material business risks and report to it on whether those risks are being managed effectively”.

In other jurisdictions, the regulatory focus is still on the risk process being in place, rather than on ensuring there is a comprehensive reporting process on risks. This is an important distinction from the 2007 changes that seems to have been missed by many.

The challenge is that no one is charged with checking the veracity of the risk reporting which management provides to the board. The IIA has taken the view that this needs to be done independently, and that internal auditors are best placed to perform this function.

As a non-executive director, I agree that independent assurance on the risk function is required. Indeed, this has been the first thing I’ve asked for at the audit and risk committees that I’m on, and it’s a great relief to get this. It either gives us comfort that things are okay, or gives us a plan to get it right. Internal audit is well placed to lead this type of review, or to buy in the skills to do so.

However, whether internal auditors have the capability to assess the veracity of the risk reporting provided by management, and whether all material risks are identified and reported to the board, is another question, particularly in the area of strategic risk and emerging macro risk. Assessing the veracity of risk reporting to the board on material risks is a specialised capability that often doesn’t lie in-house or within the normal risk and assurance skillsets and talent pools, including the professional service firms.

Assurance over whether material risks are reported in full will be a challenge for all. Few companies do this well. If you find one, buy their shares!

But while we’re all feeling our way in this space, internal audit does have an important role in letting boards know if the material risk reporting is incomplete or unreliable. This is an important role that internal auditors have played in the past. To this end, the IIA’s shot across the bow is both timely and necessary. The challenge for internal auditors, however, will be getting the skills in place to keep pace with the change that their professional body is demanding. I wish them well in this charge.

Why it’s time to mandate

An “if not, why not” regime works fine if you have the ability to sell your shares.

The reality, however, is that most superannuation funds hug the ASX 300 / 500 index, so if a company share price starts to rocket, you end up owning that stock, even if governance is poor.

This has not gone unrecognised, which is why internal control signoffs on financial statements and audit committee composition started off as corporate governance recommendations, but ended up as law and listing rules respectively.

Arguably, risk management and internal audit are as important as these requirements, if not more so, and have been made law and/or listing rules elsewhere for this reason.

When you think of corporate collapses within the ASX 500 in recent years, or the estimated 20% of the ASX 200 which don’t have an internal audit function, there’s a good argument that these things should not be optional.

This article first appeared in the March edition of Risk Management Today. Todd Davies is the former Technical & Policy Director of IIA Australia.