
Audit Committee Institute

Sponsored by KPMG

Audit Committee Quarterly BELGIUM

Issue 08

Welcome 1

Audit Committees and Shared Services 2

Enterprise Risk Management 4

Profile of a Typical Fraudster 6

A Whole New Ball Game 9

What Boards need to know about IT Governance 11

Internal Audit Reporting Lines 15

What gets Measured gets Managed - Boards Performance Assessment 17

Global Anti-Money Laundering Survey 20

Resources 23

Events 28


Background

The audit committee and other board members occupy center stage today in the wake of corporate governance reforms. Their challenges are numerous, with perhaps their biggest challenge that of satisfying increased regulatory compliance requirements while maintaining their overall effectiveness.

The Audit Committee Institute (ACI) platform offers directors and audit committee members the opportunity to gain the additional knowledge, enhanced competencies and the personalized assistance they need to fulfill their demanding oversight roles.

The ACI, sponsored by KPMG, has been communicating with board and audit committee members at an international level since its formation in 1999. In Belgium, the ACI is in direct and regular contact with over 2,500 directors. Fundamentally, ACI programs support members by providing a focus on evolving issues, the sharing of best practices, and the opportunity to meet with their peers.

• The ACI publication Shaping the Belgium Audit Committee Agenda is the Vademecum for all audit committee members, providing them with the knowledge, tools and techniques to help them better fulfill their demanding mission.

• The ACI website (www.audit-committee-institute.be) and the Audit Committee Quarterly periodical offer articles from the ACI on regulatory and technical matters, feature audit committee “hot topics”, and include other content from our extensive resources.

• ACI Roundtable Sessions and Seminars provide an opportunity to gain first-hand experience, and for an exchange of views with peers and Audit Committee Institute professionals.

Audit committee members and other board members are looking for focused knowledge and the sharing of best practices. Registration at the ACI Website provides them with this helpful range of tools free of charge.

Please refer to the ACI Website for registration (www.audit-committee-institute.be).


Welcome...

... to the latest edition of Audit Committee Quarterly, a publication designed to help keep audit committee members abreast of developments in corporate governance and related subjects. For those of you new to the Audit Committee Institute (ACI), and this publication in particular, a brief outline of the background to ACI is set out opposite.

This eighth issue of the Audit Committee Quarterly presents some interesting survey results, including the 2007 Anti-Money Laundering Survey (page 20) that highlights the extensive commitment shown by the banking industry to this topic. I also recommend the Profile of a Typical Fraudster article starting on page 6. Among its observations: fraud seems to be a male word, and it is mostly committed by senior management—including board members.

To keep you up-to-date, the Quarterly brings you the latest developments in several fields of interest. In an article starting on page 17, we report on the continuing developments in the area of Board Performance Assessment, which is looking for better and tougher ways of measuring and managing board effectiveness.

Responding to your Audit Committee agenda priorities (referring to the ACI Annual Survey results presented in our previous newsletter), we bring you an article on page 11 in respect of What boards need to know about IT governance, putting forward a range of straightforward, clear questions and frank answers on the subject.

The Quarterly continues our Audit Committee Resources series (starting on page 23) by bringing you articles of interest from around the globe. Many other pertinent topics are included in this newsletter, and I personally recommend it to you.

I trust you will continue to enjoy the ongoing benefits of ACI membership. Please contact us at [email protected] with any comments or suggestions of topics you would like to receive ACI attention, and visit our Website at www.audit-committee-institute.be for a wealth of information on audit committees.

Theo Erauw
Chairman ACI Belgium


2 Audit Committee Quarterly - Issue 08

Audit Committees and Shared Services

Board and audit committee members are increasingly faced with issues in the domain of shared service and sourcing. Many organizations are grouping a number of internal services, such as ICT, finance, HRM, back-offices, logistics and real estate management, into domestic or cross-border shared services, or are using smart sourcing.

Smart sourcing refers to the practice of outsourcing to third parties and other countries (offshore outsourcing), but also to the “in-sourcing” of certain competencies, sometimes from offshore destinations as well. Popular offshore destinations, for example, are currently Poland and the Czech Republic in Europe, and India, Malaysia and China in the Far East.

The excessive cost of inefficient processes in many smaller and diverse sites, a non-optimal occupation capacity, and often high ICT exploitation and license fees, encourage companies to turn to the building of centralized shared service centers or to use smart sourcing.

Such initiatives, when successfully implemented, can produce an initial cost advantage of 25 to 40 percent, apart from other advantages, such as the implementation of best practice processes and more integrated and standardized systems. One of the additional advantages for the board and management is that a number of widely-spread processes often become centralized, and in so doing, strengthen reporting, control and risk management.

Of course, the basic economic assumptions need to be respected. It notably requires a sufficient volume of transactions and a minimum of two sites with similar activities at a sufficiently high cost. This is essential so that the investment in a central shared service center or in a smart sourcing initiative can be recovered.

“Look before you leap” would be good advice when starting these initiatives. The board and the audit committee must evaluate a solid business case, as drafted by management. It is highly recommended that the business case be based on benchmarks, among other things, to estimate the potential for improvement of performance and the reduction of costs.

[Figure: cost (Y axis) against volume (X axis) for individual entities versus SSC/outsourcing, showing the volume increase through concentration, the savings potential through concentration and the savings potential through redesign, plotted against 1st quartile, median and 3rd quartile benchmarks.]


Additionally, a profound analysis of the risks, as well as the measures required to manage them, is an essential element of the business case. One must realize that initiatives such as creating a central, shared service center, or engaging in a smart sourcing activity represent serious risks.

The audit committee should look to such initiatives from its risk and control perspective.

The evaluation of the business case by the board and the audit committee should analyze, at the minimum, whether the following topics are fully addressed, and that these major risks are considered:

Business: The initiative is not based upon, nor is aligned with the business strategy and features of your company, such as a preferred degree of centralization or the local autonomy of countries and sites, product diversity, customer and supplier diversity. A benchmark analysis measuring the potential cost savings and an analysis of the degree of effort and investment required is missing to some degree. Enterprise or country risks are not recognized to their full extent, nor are measures proposed to manage and control them, or to compare with alternative, less risky solutions.

Control of performance and risks: In the operational model, the responsibilities to measure and control performance, and the risks of the shared service center or third party, are not clearly defined or not effectively recognized. There is a lack of attention to the required operational and financial controls and related instruments to measure and manage them.

Vendor evaluation or location: The vendor selection is not based on sound tender specifications, detailed requests for proposal (RFP), and evaluation policy and procedure. The RFP does not include enough requirements with regard to the vendor's proposal on policies to measure performance and risks. The criteria and methods for the evaluation of the policies, proposed by the vendor to measure and control performance and risks, were not properly defined or the evaluation did not take place. A detailed location study to select the appropriate site and country, based on multiple criteria, is not, or only partially, done. Country risk assessment is not done properly.

Legal compliance requirements in the different countries are not thoroughly recognized or analyzed in the countries where the shared service center or third party will perform the defined services. Especially in strongly-regulated domains such as financial services or accounting, the legal and regulator's compliance requirements can be unexpected show-stoppers if not properly addressed. The legal structuring and/or fiscal issues, such as transfer pricing and under-utilized tax losses, are not investigated thoroughly.

In the proposed operating model, the people, processes, system and risk issues are not well addressed or recognized. An incomplete or poorly-prepared people migration or redundancy plan, a lack of a clear IT strategy and migration plan, as well as a badly managed communication plan are major reasons for the failure of such initiatives. The absence of appropriate control instruments and contingency plans is another reason why such initiatives fail.

The board, audit committee and management should be fully aware that assessing a business case on initiatives, such as setting up a central shared service center or engaging in a smart sourcing initiative, requires their highest attention.


Enterprise Risk Management

Company boards of directors often refer powers to the audit committee in respect of risk management and control frameworks.

These delegations should be reflected in the audit committee's terms of reference, with committee members considering such crucial aspects as:

• Is the board or audit committee adequately overseeing management's process for identifying and monitoring principal business risks?

• What risks are acceptable to the company, and through what process are they being managed?

• Is enterprise risk management being used to manage an organization's key business risks and opportunities?

• Is the audit committee contributing to a “no surprises” environment? Is the audit committee alert to the indicators contributing to the company's risk profile?

Audit committees should be aware that there is an ongoing international trend of evolving legal or corporate governance requirements to ensure that companies have a robust enterprise risk management (ERM) oversight program. ERM has emerged as an important means of identifying the critical risks the organization faces—including, for example, reputation, ethics, e-business, health, safety and environmental risks (not just financial or insurable hazards)—and then managing and optimizing that portfolio of risks such that commensurate financial rewards are realized.

Belgian rules and governance

Not all Belgian audit committee members are aware that the international COSO internal control framework, which many companies indicate in their annual reports as their internal control system methodology, was updated in the fall of 2004 to integrate an ERM-based approach.

Also, the Belgian Code Lippens establishes the principle that the audit committee should review internal control and risk management systems set up by executive management at least annually, with a view to ensuring that the main risks are properly identified, managed and disclosed. For the latter, the audit committee should review the statements included in the annual report on internal control and risk management.

Finally, the Belgian Company Law, applicable to all Belgian companies, has added a paragraph in Article 96 indicating that the annual report must contain a description of the main risks and uncertainties (effective 30/1/2006).

Recent surveys: the facts

A recent international survey conducted by the Audit Committee Institute among its audit committee members found the following:

• Almost 80 percent of the participants indicated that they were not fully satisfied with the board or audit committee's oversight of risk management, or the processes that management used to identify and manage the company's risks.

• Approximately one out of three participants stated that there was no clearly defined process for assigning risk oversight responsibilities among the board and its committees.

• More than 50 percent believe that the audit committee should not have primary responsibility for oversight of the company's risk management program.

• In specific areas of risk, the participants indicated room for improvement in their oversight of information security (78 percent), fraud risk (61 percent), financial reporting and implications of taxes (59 percent), and internal controls (36 percent).

In addition, another recent study by the U.S. Audit Committee Institute and McKinsey on the role of Directors in ERM indicated, among other conclusions:

• While many directors believe they have a good handle on the risks their companies face, others tend to approach risk more on a case-by-case basis and, therefore, may not have adequately robust and systematic ERM processes.

• Too many companies currently rely excessively on the audit committee to oversee risk at the board committee level.


• Directors' understanding of the company's major risks: Compared with 36 percent four years ago, only 10.5 percent now report as not having a high degree of understanding of the company's major risks.

• However, while 89.5 percent of directors have a high level of understanding of their company's major risks, substantially fewer, at 73.4 percent, believe their companies manage risk to a similarly high degree.

• And, even fewer (72 percent) directors say their companies use the right risk metrics and methodologies to make strategic decisions.

Conclusions

Taking into account the different approaches boards may take in referring risk management and control frameworks, it is vital that there is an unambiguous understanding of how the board of directors, other board committees and the audit committee share responsibilities.

If the audit committee is responsible for this important area of corporate governance, it should be reflected in its terms of reference.

In the latter scenario, the audit committee needs to assess whether it's getting appropriate risk management information regularly enough, and it should evaluate the adequacy and timeliness of management reporting to the committee on financial, non-financial, current and emerging risk trends at least annually.

The audit committee also needs to discuss risk management with senior executives, and internal and external audit. A non-exclusive high-level questions list based on the enterprise risk management framework (risk strategy, risk structure, measuring and monitoring, portfolio, and optimization) can be found in the Belgian Audit Committee Institute's publication Shaping the Audit Agenda, available on the ACI Website. The same publication has a chapter on enterprise risk management and risk indicators.

Finally, audit committees should determine that management has implemented policies that identify the company's risks in financial reporting, and, where applicable, the wider sphere of business risk, and that controls are adequate, in place, and functioning properly. As part of its assessment, the audit committee should consider requesting from management an overview of the risks, policies, procedures, and controls to gain meaningful insight into the key sources of risk, and how such risks are managed. A risk summary example, designed to give audit committee members a quick insight into the key risks and the effectiveness of the controls in place, is included in the Belgian Audit Committee Institute's publication Shaping the Audit Agenda, set out as Exhibit 13.


Profile of a Typical Fraudster

With the increased awareness of fraud and misconduct, and the increasing intolerance of investors for such behavior, we are seeing a positive drive by companies to manage these risks. By basing the Profile of a Fraudster Survey 2007 on hundreds of actual fraud investigations conducted within Europe, India, the Middle East and South Africa (EMA), the results have revealed a comprehensive profile of those who commit fraud, the conditions in which that fraud takes place, and the actions taken in response.

The survey is unique for two reasons: first, it is significant that this survey focuses on the perpetrator. Secondly, it is extraordinary because it is based on actual fraud investigations and not on voluntary self-declarations of interviewed organizations. The result is an overall profile of the perpetrator in the environment in which he operated, and the circumstances of his eventual exposure. The results paint an interesting and instructive picture of “the typical fraudster”.

Who commits fraud?

At first glance, an average fraudster is not much different from an average person, with the consequence that it is often extremely difficult to detect fraudulent acts. It is not surprising then, that people are often caught unaware when someone is accused of fraud. Our culture encourages us to presume innocence in relationships; fraud is an aberration. And, of course, drawing suspicion through overt, conspicuous behavior is not conducive to anonymity, so fraudsters often seek the background.

The perpetrator is usually the colleague who is known to be helpful, polite and inconspicuous; but most importantly, it is the colleague that enjoys the absolute trust of both superiors and colleagues.

This highlights the importance of recognizing trust as a main risk factor, making it all the more crucial for management to exercise a well-considered balance between trust and control. This insight should not lead to the assumption that each trusted employee is a potential fraudster. Rather, it leads to the question:

Why do people commit fraud?

From a theoretical point of view, there are three important factors concerned with the commission of fraud: opportunity, motive, and a rationalization of the act. These factors are also known as the “fraud triangle”.

Opportunity generally occurs through weaknesses in internal controls, and creates an atmosphere where fraudsters believe they are likely to be successful and undetected. Therefore, companies primarily focus their prevention efforts on this aspect of the fraud triangle by enforcing certain types of controls, and by implementing effective fraud risk management policies. Trust, though important in business, often opens the door for fraudsters.

Motive often develops from financial pressure resulting from a fraudster's excessive lifestyle, from the gap between the financial remuneration earned and the responsibility held by the individual, the pressure to meet financial targets, the superiority complexes of the individual, or through simple, basic greed.

Rationalization is the fraudster's internal dialogue that provides the self-justification for his actions. Fraudsters convince themselves that they are “owed” this remuneration by the employer.

Insight, awareness and recognition—Turn expertise into added value

Becoming aware of the above mentioned facts, gaining insight into the motivations of a fraudster, and recognizing the enormous threat to which every company is exposed are the first important steps in establishing and implementing an effective and sustainable fraud risk management system.

In 89 percent of the profiles, the fraudsters committed fraudulent acts against their own employers. In 20 percent of these profiles, an external perpetrator was also involved. Interestingly, the tenure of employment does not have a positive influence—rather the contrary, as more than 50 percent of the offenders have been with their company for more than six years. In 68 percent of the profiles, fraudsters acted independently, with more than five people involved in only 5 percent of profiles. In 91 percent of profiles, perpetrators were not content with one fraudulent act and offended multiple times, often over a period of several years.

These findings highlight a significant risk based on the concept of trust, as company executives are privy to highly confidential information and have the potential to cause the most harm to the organization.

The findings reinforce the notion that the overriding motivations for white-collar crime are greed, opportunity, and the pressure to meet budgets and targets. The last two reasons particularly should ring a warning bell and raise the awareness of employers, because they provide at least one aspect of the fraud triangle and offer a reason for a second one.

Fraudster facts and figures

Personal details

• Seventy percent of fraudsters were between the ages of 36 and 55 years old.

• Males made up 85 percent of perpetrators.

• The perpetrator acted independently in 68 percent of profiles.

• In 89 percent of profiles, the fraudsters were employees committing fraudulent acts against their own employer, whereas 20 percent involved complicity with an external perpetrator.

• Members of senior management (including board members) represent 60 percent of all fraudsters. An additional 26 percent of profiles involve management level persons, bringing the total to 86 percent of profiles involving management.

• In 36 percent of profiles, the perpetrator worked for their company for two to five years before committing fraud.

• In 22 percent of profiles, the fraudulent employees registered more than 10 years of service at the victim's organization.

• The internal fraudster most often works in the finance department, followed by operations, sales or as the CEO.

Fraud details

• Misappropriation of money was revealed as the most common type of fraud.

• In 83 percent of profiles, the fraudsters acted nationally and not internationally.

• Ninety-one percent of perpetrators did not stop with one single fraudulent transaction, but rather performed multiple fraudulent transactions.

• Every third perpetrator acted more than 50 times.

• A total loss of one million euro and more per fraudster and profile was caused by every second fraudster in Europe, by almost every third perpetrator in South Africa, and by every fourth offender in India and the Middle East.

• In 24 percent of profiles, the timeframe for perpetrating fraudulent acts was less than one year. In 67 percent of profiles, fraudsters acted within a timeframe of between one year and five years until they were exposed, or stopped their fraudulent activities.

• Fraudsters were mainly detected by whistle-blowers or management reviews (accumulated 46 percent).

Psychological and additional circumstances

• Greed and opportunity (when taken together account for 73 percent of profiles) are indicated to be the overriding motivations for fraud.

• No prior suspicion existed in more than half of the profiles, but in 22 percent of profiles the companies did not act, even though there was prior suspicion.

• Perpetrators were able to commit fraud by primarily exploiting weak internal controls in 49 percent of profiles.

Fraud management within the concerned organization

• In 50 percent of profiles, companies did not communicate the details of the fraud within the organization. In 15 percent of profiles, companies revealed information concerning the fraudulent acts only selectively.

• Aside from the external investigation conducted, the companies mainly carried out internal investigations, took disciplinary or legal actions and/or involved the police.

Company facts and figures

• All sectors are almost equally affected by white-collar crime, except for the chemical, pharmaceutical and biotech sectors, which appear to be less affected.

• In half of the profiles in Europe, the turnover of the companies that suffered damage was less than 50 million euro, while in South Africa this was the case in 63 percent of profiles. In India and the Middle East, the companies had a turnover of less than 50 million euro.

Audit committee considerations

For the audit committee, the two most crucial findings were that top management cannot be excluded from fraud and misconduct risk; in fact, they are the greatest threat. Secondly, the most effective detection methods were whistle-blowing and management reviews.

Based on the oversight role of the audit committee in respect to the effectiveness of the organization's anti-fraud program and controls, these findings provide a broad framework that can be considered when reviewing and discussing fraud-risk assessments and strategies.


A Whole New Ball Game

When a company becomes distressed, and is faced with the choice of trying to save the business or go into insolvency, both executive and non-executive directors must show an appropriate duty of care to key stakeholders or risk personal liability.

For most directors, dealing with a troubled business is a once-in-a-lifetime experience for which they are unlikely to be fully prepared. With the company rapidly running out of cash, they must balance the demands of all stakeholders: shareholders, customers, secured and unsecured creditors, employees, pension trustees, and, last but not least, the regulators. At such a time, executives often turn to the audit committee for guidance, as this body is the custodian of good governance, responsible for ensuring that the board is reporting and behaving correctly.

The board must ask itself whether the company has a reasonable chance of avoiding insolvency, and if not, must do all it can to minimise losses to creditors. One major decision faced is whether to continue trading at all. By staying in business, it can hopefully give existing creditors a better deal, as once a business enters insolvency, or even applies for a judicial moratorium, its overall value can plummet. However, directors must also be aware that such a move can prejudice the interests of any new creditors, and could potentially expose them to the risks of wrongful trading, as well as to personal liability.

Coping with a new reality

Directors—both executive and non-executive—will find that their obligations increase substantially when the business is trying to restructure. They will have a role to play with those responsible for restructuring, and need to take part in meetings with key advisers and, possibly, banks and regulators. Board meetings will also become far more frequent—in some cases increasing to several times a week. This can be a big commitment, especially for non-executives.

The restructuring process itself involves a whole new set of tasks, such as creating and implementing a turnaround plan, filling critical leadership positions (and removing unwanted managers), disposing of assets, managing working capital, laying off excess staff while retaining key personnel, and managing communications with stakeholders such as creditors and employees—all of whom may be extremely nervous.

This level of workload can take its toll, with directors spreading themselves too thin and being unable to focus on day-to-day business. Indeed, it's not uncommon for senior management to be caught up in the drama of crisis management and almost completely ignore their day jobs. In such situations, the organization can benefit greatly from the help of turnaround specialists. These professionals can put an action plan into place swiftly and, as the incumbent management team is often too emotionally committed to existing strategies, take the tough decisions that may be called for.

If a board suspects that it might be facing solvency issues, one of the first actions it must take is to secure ongoing specialist legal advice, as it could face a challenge from disgruntled stakeholders, or administrators after liquidation. It is usual in such circumstances for the board to ask the legal adviser to attend all board meetings and to become fully involved in any significant decisions. Directors are not only risking personal liability for any new credit taken on (should the company continue trading), they may also run the risk of disqualification from being a director.

In this regard, we refer to a special procedure called “The Alarm-bell Procedure” which, if not followed, can increase the liability of the board members. This procedure requires the board to convene a general meeting of shareholders to vote whether the business, should its net assets fall below half or one-fourth of its share capital, continue to trade or be dissolved. The board must draw up a special report where it either suggests the dissolution of the company, or proposes recovery measures. Finally, the general meeting of shareholders will vote as to whether the business is to continue or be dissolved.

This procedure, while often experienced as (merely)formalistic, cannot be taken lightly. For instance, boardmembers may risk personal liability should their specialreport contain unrealistic recovery measures. Apart fromthis Company Code requirement, the directors must file forbankruptcy within a period of one month when certainconditions are met. Failing to do so can, again, increasetheir liability. Resigning at that point in time is not a viableoption to avoid liability in case of (proven) insolvency.

Finally, and by means of example, it could be that boardmembers have irreconcilable differences as to what actionto take, leading to a decision by a majority of the board witha minority in opposition. In this case, the minority membersshould take action to avoid possible liability resulting fromthe majority's decision.

Spotting the warning signs

With so much to do—and with a significant personal responsibility—directors will want to be fully prepared for any cash crisis. Regrettably, many fail to read the warning signs, as they're either too preoccupied with day-to-day management, or are over-optimistic about their ability to stop the rot. Executive management in particular is unlikely to recognise the scale of the issues, and the non-executives can play a crucial role in getting a board to recognize the severity of a rapidly deteriorating situation.

The company is likely to be suffering from a weak operating cash flow, with previous recovery plans failing to deliver. Moreover, with continually falling expectations, directors find themselves having to manage communications from the board to the external world. Under such conditions, it does not take too long for serious problems to arise. The role of the non-executives can be made much more difficult if the information from the executives is being “managed” such that symptoms of company deterioration are being disguised internally.

Once management has faced up to its challenges, only swift, decisive action can turn the business around, and as mentioned, the organization may well benefit from additional resources. By taking appropriate steps and getting good legal advice, the board will give itself the best opportunity of preserving value, and may avoid taking decisions that could have personal repercussions for individual directors.


What Boards Need to Know About IT Governance

Effective governance of information technology is about straightforward, clear questions and frank answers, states Egidio Zarrella 1. The issue of information technology governance challenges many boards, yet it's increasingly one that boards can't afford to ignore.

In a networked, connected and digitized commercial world, information technology (IT) has become the backbone of business. As Harvard Business School's Professor Emeritus Richard L. Nolan puts it: “The role of IT is expanding both deep within organizations and across organizations. The notion of a firm's boundaries has changed. Companies have become more permeable, and decisions affect entire networks of companies. Meanwhile, every organization today is absolutely dependent upon IT.” 2

Nolan observes that senior management is not really up to speed on its degree of dependence on IT, or on information technology's impact and strategic potential. “It's an accident waiting to happen. Someone needs to intervene, and the board is the best mechanism for rendering this much needed top-down leadership.”

Further, we're all aware of major IT projects that have failed to deliver. A global survey of IT project management 3 confirms that the problem isn't going away.

• Over the 12-month period covered by the survey, 49 percent of respondents had experienced at least one IT project failure.

• In the same period, only 2 percent of organizations achieved their targeted IT benefits all of the time.

• Up to 25 percent of targeted benefits across their entire IT project portfolios were lost by 86 percent of organizations.

In the words of two Harvard Business Review authors, IT remains an expensive mess. “Orders are lost. Customers call help desks that aren't helpful. Tracking systems don't track. Indeed, the average business fritters away 20 percent of its corporate IT budget on purchases that fail to achieve their objectives, according to Gartner Research. This adds up to approximately US$500 billion wasted worldwide.” 4 The research organization, META Group, says that 70 percent of IT departments are still perceived as cost centers rather than value centers, and 52 percent of CEOs question the value their IT departments ostensibly deliver.

It's time for boards to ask themselves whether they are satisfied with, and comfortable with, their organization's approach to the oversight of risks and investment related to information technology.

A governance issue

Perhaps most boards aren't ignoring the IT issue altogether. However, a global survey of IT governance 5 suggests many boards struggle to approach IT governance in a structured and formal manner.

• More than half the organizations responding to the survey felt their IT governance was insufficiently integrated into their wider corporate governance frameworks.

• A similar proportion believed their IT governance practices could be improved.

• While most organizations said they had some form of IT governance, their approach to the issue tended to be informal. (This informality may be less robust than required by current regulatory compliance statutes. In fact, the research suggests that, in many companies, changes in the regulatory environment are yet to be reflected in IT governance practices.)

• Many respondents admitted to a relatively unsophisticated approach to IT outsourcing, with service-level management and performance monitored by only 40 percent of organizations.

• Only 44 percent of respondents thought IT was a strategic business enabler.

In part it's a communication issue. Chief Information Officers (CIOs) and other IT professionals simply don't speak the same language as boards and executive management. CIOs find themselves disconnected and isolated from senior management and board members. As a result of this communication gap, the business value created when a well-governed IT function is aligned with overall business goals remains unrealized. The idea that IT is a black hole into which capital simply disappears is perpetuated.

On the other hand, boards and CEOs don't demand plain speaking from their CIOs, and struggle to clearly articulate how they define the value they expect from their investment in IT.

A way forward

In a sense, boards have to seize control of the IT governance agenda. They need to recognise that IT governance is inseparable from good corporate governance overall. It's the responsibility of both the board and senior management, requiring a top-down approach with IT objectives aligned with broader business objectives.

As a possible starting point, boards should be asking the following questions:

1. Is IT appropriately represented on the executive management committee? If not, why not?

2. Do non-executive directors clearly understand the IT risks facing the organization?

3. Have clear and separate accountabilities been assigned for IT governance and IT management?

4. Does IT management understand the organization's business strategies and priorities? Are these reflected in its decisions?

5. Have IT strategies been agreed and understood by both IT and business unit management?

6. Has the business agreed on objectives and performance metrics for IT that include measuring the value that IT generates?

7. Does the same project governance model apply to both IT and other business projects? Does it include all key stakeholders?

8. Does IT operate with the same risk management processes as the rest of the business? How formal are these processes?

More generally, boards and executive management should understand how value is derived from the use and management of IT. They need to be presented with understandable metrics that measure this value. The reality is that many boards, CEOs and CIOs can neither define nor measure IT value. When value can't be defined or measured, a business almost always will have poorly designed IT governance.

Accountability for Commitments

Accountability is another critical issue in which boards can set the standard. CEOs and other senior executives are making increased commitments to achieve business results through IT investments, but are not being held fully accountable for the subsequent outcomes. IT governance practices still focus on making commitments and less on ensuring these commitments are kept. (According to the IT project management survey, sponsoring executives or business unit heads were being held responsible for the achievement of IT project benefits in 87 percent of cases. Yet individual performance plans were tied to project outcomes in only 23 percent of cases.)

If there's a simple message about IT governance, it's that it needn't be—and shouldn't be—complicated. In studies of IT governance, the common theme is that IT should be managed in the same way businesses manage finance, marketing, production, human resources and other “business” functions. It shouldn't be a special case.

1 KPMG Global Partner in Charge of IT Advisory
2 A Committee of One's Own, Richard Nolan, CIO Insight
3 Global IT Project Management Survey: How Committed Are You?, KPMG International
4 Fixing the Corporation-IT Disconnect, Charlie S. Field & Donna B. Stoddard, Harvard Business School
5 Creating Stakeholder Value in the Information Age: The Case for Information Systems Governance, KPMG International


Six Golden Rules for Getting Value from your IT Investments

Through KPMG's research, and its experience gained from working with a wide range of organizations around the world in the area of IT governance and IT project risk management, we have identified six golden rules summarizing what organizations can do to extract more value from their IT project investments:

Govern to achieve

Establish an integrated, end-to-end governance framework driven by top management, starting with a business case and ending with the measurement of value created.

Safeguard value

Control benefits leakage by clearly defining what value from IT spending you expect to receive, how you will get it, and when you will get it. Reassess your projections regularly throughout the life of the IT project.

Prioritize to realize

Establish an enterprise-wide process that objectively and continuously evaluates IT projects to maximize and realize the value from IT investment.

Hold to account

Clearly define individual accountabilities for realizing benefits from IT spending, including the integration of proposed benefits with operational plans and budgets.

Align and adjust

Aim to clearly align all IT initiatives with business strategy, and, where appropriate, adjust to maintain alignment or reinvest funds elsewhere.

Invest in people and processes

Recognize project disciplines, acknowledging the link between strategy and IT project execution. Develop capability, capacity and risk models to match organizational maturity and culture.


Internal Audit Reporting Lines

We asked our members, in our recent ACI International Survey, which areas of oversight would be given the highest priority on their agendas this year 1. It was no surprise to find, given the increasingly complex company environments, that risk management and internal controls were at the top of their lists.

A company's objectives, its internal organization, and the environment in which it operates are continually evolving. As a result, the risks it faces are continually changing. A company's internal controls and risk management processes should keep pace with these changes, and, while it is management's role to monitor, identify, evaluate and mitigate risk, it is the internal audit function which is crucial in ensuring that the process is effective.

Anecdotal evidence suggests that most audit committees agree that the internal audit function should be given unfettered access to company records, be staffed by qualified individuals with strong interpersonal skills, and should be underpinned by a company-wide culture that views risk management positively. Where opinions differ, however, is to whom the internal auditor reports its findings.

The Belgian corporate governance code, or Code Lippens, clearly places the operation of internal audit under the purview of the audit committee. Many companies have adopted a reporting structure whereby the internal audit function reports to the audit committee functionally, while being managed on a day-to-day basis by the executive. This reporting structure does have its critics. It is thought that in order for internal audit to be fully integrated into the management framework, these reporting lines should be reversed. That said, the 2007 ACI International Survey indicated that Belgian companies most commonly employ the traditional reporting structure, as advocated by Code Lippens. Of those who responded, 67 percent in Belgium said that their internal audit function reported functionally to the audit committee (against 72 percent internationally).

Of course, reporting to the audit committee chair can be problematic. Having a boss that does not report to work every week can be difficult, particularly when significant issues arise. The audit committee chair should ensure that there are open lines of communication between the two parties at all times, so that issues of an extreme nature can be dealt with on a timely basis.

So, if the internal audit function reports to the audit committee functionally, who does it deal with on a day-to-day basis? Our survey revealed that in Belgium, in terms of administrative reporting, 37 percent reported to the CEO, while 30 percent reported to the CFO (40 percent and 38 percent respectively internationally). There are advantages and disadvantages to both models.

It can be argued that having direct access to the CFO means that the internal audit function is perhaps closer to the financial side of the organization. However, a common criticism of this model is that it compromises the internal auditor's independence. Under this reporting structure, an internal auditor is examining the work of his boss. While it must be presumed that internal auditors would act with integrity, and would not be directly influenced by the CFO, there may be circumstances that could make it difficult or awkward for the internal auditor to discuss problems or mistakes that have been discovered during the course of his audit. In addition, companies today not only need to be “doing the right thing”, but must be seen to be so behaving. An internal audit function that reports directly to the CFO may not give the right messages to the rest of the organization and to external stakeholders.

An alternative solution is to have an internal audit function that reports to the CEO. This relieves the problem of potential influence and conflict of interest, and has the added benefit of ensuring that internal audit has unhindered access to information. In addition, an internal audit function with a direct reporting line to the CEO makes it clear to the rest of the company that risk management and internal control are a high priority for the board. While this may seem like a preferred option to some people, there is still a risk that internal audit's independence could be constrained. It is for this reason that some believe that the reporting line should be to the audit committee only, with direct access to the CEO and CFO when required.

One thing is certain: there are no “right” answers. What works for one organization may not work for another. What is important is that internal controls and risk management are embedded in a company, and that internal audit is given the respect and profile within the organisation that it needs to be effective. The results of our international survey indicate most companies have found their particular comfort in this respect: more than 90 percent of respondents are satisfied with the effectiveness of their internal audit department, and more than 90 percent of respondents are confident that the chief audit executive would report any controversial issues involving senior management to the audit committee.

If, indeed, the culture of the company means that the internal audit function is valued and relationships are handled properly, then who that person reports to becomes a secondary issue. However, in an age where companies are scrutinized more and more closely, it is imperative that any potential conflicts of interest are either avoided or dealt with in a manner that is clearly communicated, both within the organization and externally.

1 Results of the ACI Second Annual Global Audit Committee Survey - Belgium 2007 can be consulted on our Website www.audit-committee-institute.be


What gets measured gets managed—Boards Performance Assessment

Richard LeBlanc, a commentator and researcher on corporate governance, and Mark Jones, a partner of Advisory in Australia, discuss a new approach to the measurement and assessment of board performance.

Many evaluations of corporate board performance rely heavily on the structural characteristics. Yet, experienced company directors and shrewd observers of the corporate scene know that while structural elements are a necessary condition, they are not a sufficient condition of board effectiveness. They appreciate that information on structural conditions tells us a limited amount about how boards actually work and how they make informed decisions. They understand that the structure of a board is an imperfect indicator of how well it undertakes its primary responsibility to create and preserve shareholder value. Thus, some boards that exhibit all the structural indicators of good governance can fail, while others that might be seen to be deficient using structural measures of good governance, still manage to perform exceptionally well over long periods.

Conventional structural measures of corporate governance are limited in much the same way that traditional financial reporting is limited. Financial data which underpins the valuation of public companies tells only part of the story. The “value” of non-financial factors will also affect an organization's ongoing performance, and will be built into its market valuation. Likewise, there are elusive intangible or “soft” elements of board performance that are difficult to measure, but which will certainly affect the quality and effectiveness of an organization's governance performance. And, if these elements do not get measured, there is a good chance that any potential for improvement will not get managed.

So how should boards go about measuring—beyond the structural aspects—the quality of their own performance, and how might this process be managed to ensure that the board is performing adequately?

Many boards and board advisers have begun to look for better and tougher ways of measuring and managing board effectiveness. In doing so, boards are considering what their own “effectiveness” means and looks like.

To support this introspection, we suggest that there are three key attributes of board effectiveness that are currently not measured well. We call them the “Three Cs” of board performance.

Chair effectiveness: Measuring the leadership behaviours of the chairman, and how that individual conducts board meetings and facilitates board decision making.

Competency of directors: Exploring the competencies that directors need to bring to the boardroom.

Chemistry: Understanding the personal interaction between directors and the group dynamics of the board, including their individual contributions to effective decision-making.

Of course, any framework for measuring board effectiveness should exhibit certain qualities if it is to be applicable in real-world boardrooms. These qualities constitute our “Five Cs” of board performance assessment.

Convenient: Frameworks should be rigorous, but easy to execute. They should be user-friendly, but have a negligible impact on directors' workloads.

Confidential: They should encourage candor in a confidential environment.

Constructive: The results of a board assessment should be considered in a proactive manner that discourages finger pointing, but encourages discussion about opportunities for development.

Comparative: Board effectiveness should be assessed against prior periods, and against other boards in other organizations.

Comprehensive: A holistic, integrated and detailed assessment of board function and performance.


Based on our own observations and other studies, we believe few board assessments measure the Three Cs of board performance effectively, when using the Five Cs of board performance assessment criteria. New holistic approaches by external facilitators can, however, help boards assess more objectively the intangible or “soft” attributes of superior performance.

The external facilitator is typically able to provide a structured, rigorous, comprehensive and constructive board self-assessment process. He uses a measurable (through self-assessment surveys and benchmarking) and qualitative (through individual director interviews, Chairman feedback, and facilitated boardroom discussion and debrief) evaluation approach. This process builds on the strengths of—and helps manage developmental opportunities for—the board.

To give some flavor of such an approach, the following provides an insight into the questions boards should usefully ask of themselves in assessing their performance, while focusing on the Three Cs.

The Three Cs of board performance

Chair effectiveness

• Does our chairman have an effective personal leadership style? Is he courteous, inclusive and sensitive, yet decisive?

• Is our chairman building healthy boardroom dynamics? Is he relating well with directors and management, dealing effectively with dissent, and working constructively towards consensus?

• Does the chairman oversee an effective decision-making process? Does he ensure that for crucial decisions alternatives are considered, thorough discussion and analysis is encouraged, and different perspectives are brought to bear?

• Are we satisfied that the best decisions are being made and that these are being subsequently supported by the board?

• Does the chairman ensure the board's workload is properly managed?

• Are our committee chairs properly discharging their responsibilities, marshalling resources and expertise, and providing appropriate reporting and recommendations to the full board?

• Do we choose our board and committee chairs based on appropriate criteria? Are we properly considering the responsibilities of the position, including the ability, experience and expected performance of the candidate?

• Are our board and committee chairs setting a good example to the board, and holding us all to appropriate, high standards?

Competencies of directors

• In considering the appointment of new directors, does the board consider any gap between its current competencies and those likely to be required in the future?

• Are our processes for recruiting new directors working well? Are we taking account of prospective directors' character, ability, expertise, experience and behaviour, along with their ability to devote sufficient time to the job? Are candidates' credentials and references checked prior to appointment?

• Do the qualities of our directors as a whole—their ability, expertise, experience and knowledge of the organization—match the future strategic needs of the organization?

• Is the ability and experience of board committee members appropriate to the needs of the committees?

• Do our directors exhibit a high level of integrity, including maintaining the confidentiality of board proceedings, and the appropriate disclosure and management of any conflicts of interest?

• Are directors receiving relevant education and training, including internal company briefings and site visits, presentations from independent advisers, and relevant external courses and conferences?

• Is inadequate performance or commitment on the part of individual directors being promptly addressed through peer remediation or intervention by the chairman?

Chemistry

• Does our board work constructively as a team through collegial, productive working relationships that foster trust and respect?

• Is the effectiveness of our collective decisions as a board greater than the sum of individual director contributions?

• Do I know as much about the qualities of my fellow directors as I do about those of our CEO?

• Do our board discussions enhance the quality of management decision-making? Do we engage constructively with management to stimulate its thinking and performance?

• Does the board respond appropriately to management, building trust and encouraging openness and candor?

• Does management's involvement in board meetings contribute to board effectiveness?

• Do the chairmen of our board committees maintain positive working relationships with relevant managers?


Global Anti-Money Laundering Survey

Combating money laundering and terrorist financing continues to be a major challenge for the financial sector. A recent Global Anti-Money Laundering (AML) Survey 1 built on the findings of a previous survey, and explored the range of challenges that banking institutions face in complying with global AML requirements. Participating banks were drawn from the top 1,000 global banks by tier 1 capital. The caliber of respondents was high, with job titles ranging from Group Money Laundering Reporting Officer (MLRO) to Head of Legal and Head of Risk.

1 More detailed results of the Global AML Survey can be consulted on our Website www.audit-committee-institute.be

The survey covered these ten topics, each discussed in the following paragraphs.

• The role of senior management in AML issues
• The costs of AML compliance
• AML policies and procedures
• Formal monitoring of AML systems and controls
• Taking a risk-based approach to “Know Your Customer” activity
• Politically Exposed Persons
• Transaction monitoring
• Training
• Attitudes towards regulation
• Sanctions compliance

Strong senior management engagement in AML efforts

Banks in the survey reported that senior management was more engaged in AML issues than it had been in 2004, when the previous survey was performed. The percentage of respondents reporting that its senior management and board of directors take an active interest in AML increased by 10 percentage points to 71 percent. This reflects a mix of regulatory and international pressure on senior management to take responsibility for the full range of risks in its business, including compliance, as well as a continued focus on counter-terrorist financing. As the financial services industry becomes more complex, and AML risks become more pressing, it will be important that this heightened interest in AML is directed towards ensuring systems and controls are effective in practice.

AML costs have grown well beyond expectations

Average AML costs were reported by the participants in the survey to have increased by 58 percent over the last three years. This was more than banks had expected according to the 2004 survey. At that time, banks predicted costs would only rise by 43 percent over the following three years. Despite the unexpectedly high increase in AML costs, respondents anticipate that growth will slow, with banks predicting an average increase of 34 percent in AML costs over the next three years.

The main drivers of the past and future increases in costs continue to be transaction monitoring and staff training, consistent with the 2004 survey. As banks develop more risk-based AML programs, the pressure will be to focus on using resources within compliance effectively and efficiently. This may involve considerable reallocation of resources within compliance, as well as cost reduction through outsourcing, going offshore, or the centralization of AML functions.

Setting a global standard

With growth in the proportion of income derived frominternational business, banks have become more global intheir approach to managing AML risk. Nearly 85 percent ofinternationally active banks reported that they had a globalAML policy in place. As ever, though, the challenge is toensure effective implementation of policies at the locallevel.

More monitoring and testing of AMLsystems and controls

Greater regulatory focus on governance, and the resultingincrease in the accountability of senior management forAML, appears to have driven up the amount of independentmonitoring and testing of AML systems and controls. Morebanks report that they have a monitoring and testingprogram in place, and banks report that a wider range offunctions within their organizations are involved in this. Thekey to successful testing and monitoring, however, relies ona strong impetus from senior management, as well aseffective and timely follow-up and feedback ofimprovements into current systems and controls.

Broader acceptance of a risk-based approach

The survey shows an increase in the number of banks usinga risk-based approach to determine the level of duediligence performed on clients at the account-opening stage(“Know Your Customer” or KYC processes). In addition, awider range of risk factors are taken into account than wasthe case in the 2004 survey, recognizing the evolving inter-national best practice in this area and greater focus onreputational risk among banks. Going forward, banks inmany regions are likely to be under pressure to extend arisk-based approach to other areas of their AML strategy.Where they are given more flexibility in the design of AMLprocesses, they will be under pressure to document therationale for their approach so that they have an audit trailfor the decisions they have made.

More focus on Politically Exposed Persons (PEPs)

Increased regulatory and industry focus has led more banks to seek to apply additional scrutiny to PEPs. In the 2004 survey, a surprisingly low number of banks performed enhanced due diligence on PEPs at account-opening (55 percent); this year, the figure has increased to 81 percent. Moreover, significant numbers of banks have put in place specific procedures to identify and monitor PEPs on an ongoing basis (71 percent of all banks in the survey). However, with no universal definition of what constitutes a PEP, there are likely to be substantial differences between individual banks' interpretation of the requirements in practice. With greater sensitivity to the reputational consequences of dealing with PEPs, banks are likely to be under pressure to examine how robust their procedures for PEPs really are. This is even more relevant in markets where business and politics are closely intertwined.

Continued strong investment in transaction monitoring

Virtually all respondents rely heavily on their people to spot suspicious activity, and with banking becoming more electronically based, many are investing in sophisticated IT monitoring systems. Transaction monitoring continues to be the single greatest area of AML expenditure for banks, and is expected to remain so over the next three years. Despite this, many banks want to improve the quality of their transaction monitoring, with many looking to invest in enhancing system capacity, functionality and coverage. Banks need to understand, however, that IT systems are only one component of an effective AML strategy, and that they are no substitute for well-trained and vigilant staff.

Vigilant staff is the first line of defense, but the focus is now on the effectiveness of training

The proportion of banks training over 60 percent of their staff has grown by 9 percentage points since 2004, with face-to-face training the most commonly used mechanism as it is regarded as the single most effective method. Banks continue to report that properly trained staff is the best AML control, and this is reflected in the continued elevated expenditure on training programs.

The regulatory focus now is moving to the effectiveness of all this training, with pressure to implement more tailored training and testing, and to the evidence that staff has the degree of AML understanding it needs to carry out its role.

Broad-based support for regulatory AML efforts, but more needs to be done

The survey shows continued support for global AML efforts by regulators, governments and law enforcement, with 93 percent of banks saying the burden of regulation is either acceptable or should be increased. However, a 51 percent majority of banks still believe that AML regulation could be focused more effectively, through clearer legislation, better feedback to the industry, and a greater endorsement of a risk-based approach. While some banks have called for wider acceptance of a risk-based approach to AML, there is concern over whether regulators are willing to accept all of the consequences that flow from this. Even so, banks, governments, regulators and law enforcement agencies are united in seeking more collaboration and information sharing, although banks are uncertain as to how such a public-private partnership will really work in practice.

Sanctions compliance a key challenge for banks

Sanctions compliance was a major driver of AML costs over the past three years, being ranked the third greatest area of AML expenditure after transaction monitoring and staff training. This reflects increased focus on counterterrorism, the long arm of U.S. law, the growth in the number of lists that banks need to monitor against, and the tougher enforcement of sanctions requirements by regulators. Despite the progress made so far, there is more to do in this area, as banks work to ensure they design operational processes that are equal to the task of complying with sanctions rules that are detailed, complex and potentially broad in scope. A particular challenge is the design and implementation of a sanctions compliance program that can support this goal.

Looking ahead

The survey results show significant investment in AML systems and controls and increased engagement from senior management. The challenge for many banks will be to maintain this focus as they enter a new phase of regulatory initiatives (Basel II, EU regulatory change, and the extraterritorial effects of U.S. legislation being some of the more high-profile examples). Banks may also find it challenging to adapt to many of the key changes that are taking place in the financial services market, with increased product complexity, greater involvement with emerging markets, and the integration of mergers that have taken place on a new scale. All of these mean future challenges in relation to AML compliance.

Overall, although much has been achieved, there is still much to do to make the financial system more robust in the fight against money laundering.


Resources

Management still seems a major Corporate Governance actor

Management is still the driving force when it comes to appointing and dismissing auditors. While audit committees have become much smarter and more active since passage of the Sarbanes-Oxley Act of 2002, they are still feeling out their new authority. Even though they wield more influence than ever over the hiring and firing of auditors, for example, management continues to hold greater sway in the decision. And, despite their new responsibility for resolving management-auditor disputes, many audit committees are still reluctant to do so.

Those are some of the findings of a new study by accounting professors Jeffrey Cohen, Ganesh Krishnamoorthy and Arnie Wright at Boston College and Northeastern University, which is entitled Auditor Experiences of Corporate Governance in the Post Sarbanes-Oxley Era. It follows up on a similar report by the same authors, based on surveying 2,000 auditors.

Their study examines auditors' experiences in working with corporate governance actors (e.g., audit committee, board, management and other committees) in the post-Sarbanes-Oxley era.

Thirty audit managers and partners from three of the Big Four firms participated in the study. Auditors indicated that the corporate governance environment has significantly improved in recent years, in line with regulatory reforms. They said that audit committees are substantially more active and diligent, and possess greater expertise and power to fulfill their responsibilities. As well, auditors report they rely, to a greater extent, on corporate governance information in planning and performing engagements.

Management continues to be seen as a major actor in the corporate governance mosaic. With some concern, auditors indicate that management is seen as a key driver in determining auditor appointments and terminations. Similar to Gendron and Bédard (2006), results indicate that, in many instances, audit committees play a passive role in helping to resolve disputes with management. Respondents indicated that the auditor and management often try to resolve issues before they come to the attention of the audit committee. Finally, the requirements for CEO and CFO certification are reported to have a positive effect on the integrity of financial reporting.

The paper may be downloaded free of charge by searching for its authors or title, Auditor Experiences of Corporate Governance in the Post Sarbanes-Oxley Era, on the Social Science Research Network Website, www.ssrn.com


Audit Committee Chairs give their view on Internal Audit

Internal audit has become an integral part of good corporate governance, but it continues to need the support of the audit committee to be effective. In turn, internal audit is being seen by some audit committee chairs as a key source of assurance, even more appreciated as a non-executive board or audit committee member.

These are some of the many interpretations brought forward by the Institute of Internal Auditors in a paper entitled A View from the Audit Committee, where UK audit committee chairs gave their views on the role and value of internal audit, and stated what they expect from the head of internal audit.

Indeed, the extent to which the audit committee chairs rely upon their heads of internal audit is often striking. Without exception, the audit committee chairs interviewed had high expectations of their heads of internal audit. All of those interviewed agreed that the key role for internal auditors is providing assurance to the board.

This implies that the chief internal auditor is expected to be someone with great integrity, someone who knows what is going on in the organization, and an individual who cuts through the mass of operational detail to give audit committees the information they really need to know. He must be someone who is not afraid to speak his mind and be unpopular, if necessary.

Often, the most valuable insights internal audit can give, according to interviewees, relate to the corporate culture, especially in those companies that make large acquisitions. Internal audit is seen as a key thermometer for the board and audit committee, telling them what is going on, and helping their messages from the top reach down to the bottom.

The full publication, A View from the Audit Committee, may be downloaded free of charge from the Knowledge Centre section of the UK Institute of Internal Auditors Website, www.iia.org.uk.


Conflicts of Interest in Financial Services Groups

A recent paper of Eddy Wymeersch¹ analyses some aspects of intra-group conflicts of interest in financial conglomerate groups.

General company law restricts management action by both parent and subsidiary following the Rozenblum test. The prudential directives—essentially the financial conglomerates directive—contain rules that specifically address intra-group conflicts, while the capital requirements directive allows supervisors to waive solo supervision for consolidated supervision. The latter rules, especially, may create tension with general company law. Some of this possible risk can be mitigated by constructing guarantees between the group entities. Others seem more difficult to avoid.

The European Directives on Credit institutions contain provisions that relate to the parent-subsidiary relationship. These directives essentially deal with supervisory issues, and aim at coordinating the action of supervisors at different levels of the group structure. Functionally, they constitute significant progress in structuring supervision in Europe.

However, some of the provisions of the directives may result in tensions with the general principles of company law, especially those relating to groups of companies. These principles have not yet been harmonized, so that it is important to note the differences and nuances in national case law. Further issues may arise on the basis of general negligence law, as applied in a company law context.

A close analysis of the main relevant provisions in this field—Articles 69 and 129 of the Capital Requirements Directive—reveals that in some cases there may be conflicts between the two approaches. This should urge supervisors to be particularly careful in granting exemptions from regulatory requirements. Some simple guidelines might contribute to a balanced result. A close scrutiny of the risk evaluation, measurement and control procedures, as called for by the directives, and a detailed analysis of the possible difficulties under national company law, might avert some of the more unexpected pitfalls.

The full publication Conflicts of Interests in Financial Services Groups may be downloaded free of charge from the Working Paper Series section of the Financial Law Institute Website, www.law.ugent.be/fli.

¹ Chairman of the Belgian Commission Bancaire, Financière et des Assurances, and Professor at the Ghent University Law School.


EU business wants a single, pan-European tax system, says international study

Tax professionals in Europe's biggest businesses are in favor of European Commission proposals for a harmonized, pan-European corporate tax system, a new study has found.

Finance directors, tax directors and tax managers from over 400 companies, including some of the largest, from all 27 EU countries and Switzerland, were asked their view of European Commission plans for a Common Consolidated Corporate Tax Base (CCCTB).

The plans propose that the profits of businesses operating in more than one EU member state should be calculated according to a single EU-wide formula, rather than the 27 different formulae used today. Profits would then be reallocated to the countries in which the businesses are active, to be taxed at those countries' tax rates. The idea was supported by 78 percent of respondents across Europe.

Although the study focuses on the European dimension of the CCCTB, the answers of the Belgian respondents are also very interesting. First, the Belgian respondents largely support the idea of harmonization of the corporate tax base on a consolidated basis. The lack of a consolidated corporate tax base in Belgium, as opposed to our neighbouring countries and most EU member states, surely influenced the answers on questions such as criteria of profit allocation and on the support for the Commission's initiative as a whole.

Finally, 90 percent of the Belgian respondents said that in addition to the common corporate tax base, they would like to see a single corporate tax rate for the whole of Europe in the future.

The Commission proposals are due to be made public in 2008, and the Commission hopes that they will be in place by 2010. Many respondents thought that this timetable was optimistic, but 66 percent expected the system to be in place by 2015 and 85 percent by 2020. Only 15 percent said that it would never happen.

The complete study referred to can be downloaded free of charge from the Resources section of our ACI website, www.audit-committee-institute.be.

Fraud and Examination Tools

The Association of Certified Fraud Examiners (ACFE) supports the anti-fraud community by providing professionals the information needed to fight fraud effectively. A new section of ACFE.com provides a range of tools and resources from a variety of sources, in multiple formats, some of which seem useful to audit committee members as well.

Though we cannot judge the quality or effectiveness of the tools offered, audit committee members could take, for example, the fraud prevention check-up, read the case summaries, and use the sample checklists, forms, and contracts to assist them or those under their direction in the detection, investigation, and prevention of fraud.

Also, free video training tools are available. Fraud and the Tone at the Top in particular is a Web-based video training program, produced in cooperation with the American Institute of Certified Public Accountants (AICPA), to help the business community provide corporate fraud prevention training to personnel at all levels.

These fraud tools and resources are now available free of charge from the Resource Center section of the ACFE Website, www.acfe.com


Habits of Highly Effective Audit Committees

Five years have passed since the Sarbanes-Oxley Act gave audit committees greater responsibility for overseeing public companies' accounting, financial reporting, internal controls and audits. Many of these corporate governance watchdogs have become quite adept at performing their expanded duties. Others, though, have not developed this expertise as rapidly.

A recent AICPA article offers eight time-tested best practices for improving numerous aspects of audit committee performance, as well as insights from three seasoned CPAs who have led or served on the audit committees of many organizations. What follows is an executive summary for your convenience.

To ensure that your committee is up to its mission, you must first define the mission by drafting a strong charter that identifies audit committee functions, authority and responsibilities, along with the skills and experience its members must possess.

Success is not automatic. Specify critical success factors as competencies audit committee members must possess for the committee to discharge its duties and function effectively.

Committees need to know what their core values are. Open communication, equitable dispute resolution and the active participation of all members are all critical.

The committee needs to be free and willing to interview anyone it chooses. This can be aided by providing a “safe haven” for interviewees, but the committee should not avoid asking incisive questions and taking action on its findings.

All members should be involved in setting the agenda. Meetings should be carefully planned so that priority business is acted upon in a timely manner.

Decision-making processes need to be determined before a crisis occurs. Each committee needs to evaluate its unique needs when laying out its ground rules.

Meetings should start and end with summaries so that all members have a common understanding of what has transpired and what the priorities are.

The full article Eight Habits of Highly Effective Audit Committees may be downloaded free of charge from the Audit Committee Effectiveness Center section of the AICPA Website, www.aicpa.org


ACI Events

Roundtable Series

ACI facilitates interactive audit committee roundtables twice a year. Every Roundtable features one or more guest speakers, and provides for an exchange of views and insights on topics of interest to members of boards and audit committees for a limited number of professionals.

The ACI roundtable sessions can provide you with knowledge you will find helpful in your increasingly responsible oversight role through a focus on current topics, enhanced competence by the sharing of best practices, and personalized assistance by providing opportunities for interaction with your peers.

The next Roundtable event will be organized on Thursday 10 April 2008. Members of audit committees and boards of listed (and other large) companies will receive a personal invitation to participate. We will explore many topics around Remuneration and its surrounding corporate governance environment. Prominent experts such as Emmanuel Van Innis — President of Brussels Enterprises Commerce and Industry and Director at SUEZ-TRACTEBEL, Vice-President Human Resources, and Herman Daems — Chairman of GIMV and member of the Remuneration Committee, will definitely flavor our fields of interest.

Seminars

The ACI Seminar is an exclusive event organized by the Audit Committee Institute for selected Board members who share similar challenges to their oversight roles. The Code Lippens states under its fourth corporate governance principle that “Directors should update their skills and improve their knowledge”.

Our ACI Professional Development Seminar program aims to enhance both the awareness of board members and their ability to implement effective oversight processes. It is focused on the needs of board and audit committee members and provides, on a timely basis, an understanding of the principles and developments in financial reporting, tax, company law and corporate governance.

ACI Seminars are held at a carefully chosen venue and attendees will hear pertinent and practical information presented by knowledgeable guest speakers. The seminars offer you a unique and valuable opportunity to exchange best practices and enjoy contacts with your peers.

For more information on ACI please visit our Website, www.audit-committee-institute.be, or contact us via e-mail at [email protected].


About us

The Belgian Audit Committee Institute (ACI) was established with the purpose of providing members of audit committees and other board members with the knowledge required to carry out their responsibilities. ACI follows developments in the field of governance, audit issues, accounting, and financial reporting, both in Belgium and internationally.

The professionals of the ACI are:

• Theo Erauw, Chairman: KPMG Holding (Belgium), Chairman, Qualified Auditor

• Sophie Brabants, Director: KPMG Bedrijfsrevisoren, Partner, Qualified Auditor

• Mike Boonen, Senior Manager: KPMG Bedrijfsrevisoren, Senior Manager, Qualified Auditor

Contributing editors of this quarterly newsletter are:

• Nicola Collins, Manager: KPMG LLP London

• Peter Coox, Director: KPMG Bedrijfsrevisoren - Financial Service Advisory Services

• John Darlington, Managing Director: KPMG LLP London

• Jos Goubert, Director: KPMG Tax and Legal Advisers - Tax Administration

• Els Hostyn, Partner: KPMG Advisory - Management Assurance Services

• Mark Jones, Partner: KPMG Australian Services Trust - Risk Advisory Services

• Wouter Lauwers, Director: KPMG Tax and Legal Advisers - Corporate Tax

• Guido Moetewiel, Senior Manager: KPMG Advisory - Management Assurance Services

• William Oelofse, Director: KPMG Advisory – Forensic Services

• Paul Op de Beeck, Managing Partner: KPMG Tax and Legal Advisers – Corporate Tax

• Peter Sarasyn, Director: KPMG Advisory – Information Risk Management

• Egidio Zarrella, Global Partner IT Advisory: KPMG Australian Services Trust - Risk Advisory Services


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received, or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

©2007 KPMG Support Services ESV/GIE is a Belgian firm providing services to local member firms of KPMG International, a Swiss cooperative. Responsible editor: Theo Erauw, Avenue du Bourget - Bourgetlaan 40, B-1130 Brussels.

All rights reserved. 4th Quarter 2007. Printed in Belgium.

Contact us

Sophie Brabants
Audit Committee Institute
Bourgetlaan - Avenue du Bourget 40
B-1130 Brussel - Bruxelles
www.audit-committee-institute.be
E-mail: [email protected]
Tel.: +32 3 821 18 66
Fax: +32 3 825 20 25