Practitioners and academics alike debate best practices in corporate governance, but rarely do companies reveal how they determine what governance practices work best for them. In a new paper, we report the results of interviews on this topic with 29 chief audit executives (CAEs) from U.S. publicly traded companies.
CAEs are in a unique position to evaluate corporate governance, most often reporting administratively to the CEO or CFO and functionally to the audit committee. This reporting structure allows them to regularly interact with management, while also being held accountable as the “eyes and ears” of the board. CAEs lead their internal audit function in evaluating various processes and controls throughout the organization. While many think that internal auditors focus solely on financial reporting, they also evaluate compliance or regulatory matters, core operations, corporate culture, expense reduction, cybersecurity, enterprise risk management (ERM), fraud prevention, and information technology. Survey data from the Institute of Internal Auditors (IIA) show internal auditors’ broad scope of responsibility, with testing of financial reporting controls accounting for less than 15 percent of their annual budget, on average.
We began our study expecting internal audit functions to have processes for evaluating corporate governance. IIA Standard 2110 states that “internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes,” including consideration of “organizational performance management and accountability,” “ethics and values within the organization,” and communication of “risk and control information to appropriate areas of the organization.”
What Are Current and Potential Practices for Evaluating Corporate Governance?
We found, however, that such processes are often piecemeal and incomplete. The majority of CAEs report that their internal audit function is involved with the annual board and committee evaluation processes (20 of 29 interviews), and that they do benchmarking or make informal recommendations based on best practices observed at peer companies (17 of 29). They also report evaluating at least one aspect of governance as part of their normal audit plans (24 of 29). For example, they may evaluate board structures or processes (12 of 29), procedures around risk and ERM (9 of 29), culture, ethics, or tone at the top through surveys and interviews (8 of 29), or board or management authorization structures and reporting lines (3 of 29). Collectively, though, none of our interview participants said they conduct comprehensive evaluations of corporate governance, nor did they appear to aggregate governance-related findings across different aspects of governance to form conclusions about the overall governance system.
Based on these early findings, we became concerned that CAEs may not be the right interview subjects or trained in how to conduct governance evaluations. To alleviate this concern, we emailed with several board members and general counsels to identify other executives within the organization to interview but were not told of anyone else who performs a top-to-bottom evaluation of corporate governance. Nominating and governance committees oversee board self-evaluations, but this is just one piece of an overall governance evaluation and one that prior research has examined.
Although professional standards and our knowledge suggest that CAEs would conduct such an evaluation, they did not appear to do so. So we asked participants to set aside what happens at their own companies and envision starting fresh, with access to unlimited time and resources, and to design a corporate governance evaluation process for a peer firm.
In contrast to the abbreviated and piecemeal descriptions at their own companies, CAEs described rich and thoroughly planned evaluation processes. Aggregating their responses, we learned that CAEs would generally pursue the following steps:
Step 1: Define company-specific expectations of corporate governance
- Consider listing exchange requirements, regulatory requirements, corporate objectives, and company-specific policies
- Remember that governance is not one-size-fits-all; significant judgment is needed to decide whether a company’s corporate governance is good enough for their specific needs
- Have or enlist sufficient professional experience to benchmark against peers and current practices, which is needed to perform the evaluation
Step 2: Collect publicly and privately available data
- Find out how decisions are made within the company, including how employees, management, and the board interact with one another
- Avoid a “check the box” mentality and focus on substance over form. For example, conducting a meeting or seeing evidence of approval is not sufficient: Did individuals challenge one another, is there evidence of push back or revisions to original plans?
- Exercise professional skepticism appropriately. For example, do all board members rate themselves with perfect scores in all evaluations? Do board members always rate the CEO’s performance as exceeding expectations, with no opportunities for improvement?
Step 3: Conduct interviews and surveys
- Capture qualitative information as pre-existing data alone will not likely be sufficient to evaluate corporate governance
- Listen with your eyes and ears. As one participant stated, the goal is “to assess the tone, level of appreciation, and level of rigor that they [companies] put into it [their governance systems], because they could have a framework in place, and they’ll probably say all the right things, but you just need to get into the guts of it.”
Step 4: Conclude on the effectiveness of corporate governance
- Step back and look at all the evidence together, while also being cautious not to overly rely on quantitative data to measure governance
Our study provides additional details, including the types of governance processes that CAEs would consider evaluating and the types of questions they would consider when determining if each aspect of governance is operating effectively.
Why Aren’t Companies Evaluating Corporate Governance More Systematically?
We use the concept of decoupling from institutional theory to analyze why companies are not evaluating corporate governance systems more systematically. Decoupling suggests a separation between outward appearances and actual internal processes. Often influenced by external pressures (e.g., regulatory or social pressures to develop robust governance structures), decoupling can occur when internal evaluations are vague and nonexistent, according to seminal research.
When we asked CAEs about the challenges in evaluating corporate governance, the primary issues included the following: corporate governance is inherently subjective and difficult to measure (15 of 29 interviews), management and the board need to be willing participants (13 of 29), governance failures are inherently easier to observe relative to instances when governance is operating “well” (10 of 29), it can be difficult to communicate deficiencies to management and the board (8 of 29), and constraints on internal audit’s time and budgets (7 of 29).
Next Steps: Opportunities for Practice and Future Research
Our study highlights several interesting findings and areas for future research as well as important factors for organizations to consider if they wish to develop and devote more resources to evaluations of their corporate governance.
Although CAEs are able to describe the evaluation process in great detail from the perspective of a peer reviewer, evaluation processes within their own companies do not have the same level of detail or scope. Therefore, we encourage future research to better understand the potential benefits and costs of a comprehensive evaluation process. Even when CAEs did describe more robust governance evaluations, they suggested that their company lacks a formalized process for systematically reaching conclusions on the collected evidence. Thus, future research could help design methods of aggregating evaluation results across the wide range of corporate governance elements. As for the difficulty of reporting governance issues to management and the board, research could assess alternatives for the relationship between CAEs and the board, including whether modifying reporting lines or responsibility over their performance evaluation and compensation might make it easier to report issues. More broadly, with the rise in governance analysts, advisory services, and shareholder proposals on governance issues, future research could explore the extent to which governance evaluation processes should be publicly disclosed.
As evidenced by the summary above, and discussed at length in our paper, there are a significant number of opportunities for organizations to enrich their corporate governance systems by incorporating more comprehensive evaluations and, likewise, significant opportunities for research to support such an undertaking.
This post comes from Lauren Cunningham and Terry Neal at the University of Tennessee, Knoxville’s Neel Corporate Governance Center, Christie Hayne at the University of Illinois’ Gies College of Business, and Sarah Stein at Virginia Tech’s Pamplin College of Business. It is based on their recent paper, “The Evaluation of Corporate Governance: Evidence from the Field” available here.