In 2018 the UK woke up to the news of the collapse of construction giant Carillion, an event that raised serious questions about the effectiveness of corporate governance in our biggest organisations. In a country where we are meant to have rigorous requirements in place to avoid this kind of failure, how could Carillion, the UK’s second biggest construction firm and a major service provider for the government, go into liquidation with an insurmountable debt and pension deficit? Paul Goddard, Scrutton Bland’s Risk and Assurance Partner, looks at the importance of having robust risk management and internal audit frameworks in order to maximise business success.
A salient question to consider is whether the work of the auditors had sufficient status and influence to question the basis (information and evidence) on which key strategic decisions were taken. We know that before the financial crisis internal audit was not always valued enough in the financial services sector, but it has since become clear that other sectors beyond financial services could benefit from more formal guidance on internal audit.
At Scrutton Bland LLP we are clear about the importance of internal audit and the need to earn status and respect from the leadership team of the clients we work with, in order to enable internal audit to promote its independence and objectivity and to do its job effectively.
It is critical that internal audit has influence at the board and audit committee level of the organisation. In a best-practice environment, internal audit is a vital governance tool, helping board members to understand what’s happening on a day-to-day basis instead of them having to feel their way in the dark by relying solely on advice from senior management.
Heads of internal audit need a reporting line straight to the audit committee chair in order to secure the function’s independence and give it direct access to the board. It is then up to the board, as advised by the audit committee, to ensure that management responds to the actions the auditors suggest are necessary to improve the organisation’s risk management, controls and corporate governance.
Of course, internal audit can never offer 100 per cent guaranteed assurance, and nor should it be expected to. Instead, it should be viewed as a critical function for mitigating, not eliminating, risk and for helping to improve the overall governance of an organisation.
How can outsourcing risks be minimised?
A key part of the Carillion story relates to outsourcing, and it is widely acknowledged that outsourcing, supply chains and third-party risk all pose significant and often hidden risks to an organisation. While some companies have begun to view in-housing certain activities as a more attractive, less risky option, each and every business operation, process or function has the potential to be handled outside of the organisation, and business activities can be spread far and wide beyond an organisation’s own borders. Supply chains have lengthened as the world has become more globalised over the long term, meaning that the risk may not sit with third parties at all, but with fourth, fifth or even sixth parties.
Administrative operations are a primary candidate for outsourcing. These are operations which must be carried out efficiently to ensure the success of the business, but which do not fall into the core customer-facing operations of the firm. Migrating data entry, payroll, IT support and even the finance function can allow a business to focus on its core efforts and at the same time reduce costs and lessen the HR burden of staff acquisition and retention. The risk/reward profile of doing so has changed in light of heightened regulatory oversight of data security, and with third parties outsourcing to their own sub-contractors (fourth parties), this becomes an even more pressing consideration given that the first party has no legal contract in place with the fourth parties that are indirectly servicing them.
It is important to keep in mind that fourth parties may not be subjected to the level of scrutiny and oversight that the organisation has over the legally contracted third party. This calls for businesses to take even greater care in managing supplier risk, taking steps to understand the risk exposure of fourth parties by asking their outsourced providers how they use sub-outsourcing and identifying any critical processes that are handled by fourth parties.
Businesses should take an inventory of the core processes and functions that are outsourced and review the governance around procurement and contract management; the key mitigating actions and a right to review should then be written into supplier contracts as clauses. Other things to consider, besides monitoring the effectiveness of the services provided and their commercial viability, include data security (how key suppliers keep the organisation’s data safe and whether it is shared with other partners) and concentration risk: whether the organisation is over-reliant on a small number of suppliers, and whether suppliers have their own concentration risk. How easily the business can switch suppliers without being disrupted should also be reviewed.