The Cadbury Report

The Origins of the Report

The Committee on the Financial Aspects of Corporate Governance, forever
after known as the Cadbury Committee, was established in May 1991 by the
Financial Reporting Council, the London Stock Exchange, and the
accountancy profession in response to continuing concern about standards of
financial reporting and accountability, particularly in light of the BCCI and
Maxwell cases.
The committee was chaired by Sir Adrian Cadbury and had a remit to
review those aspects of corporate governance relating to financial reporting
and accountability. The final report 'The financial aspects of corporate
governance' (usually known as the Cadbury Report) was published in
December 1992 and contained a number of recommendations to raise
standards in corporate governance.

An Insight into the cases

Robert Maxwell's death in 1990 shone a spotlight on his company's affairs.
A series of risky acquisitions in the mid-eighties had led Maxwell
Communications into high debts, which was being financed by diverting
resources from the pension funds of his companies. After his disappearance,
it emerged that the Mirror Group's debts (one of Maxwell's companies)
vastly outweighed its assets, while 440 millions (GBP) were missing from
the company's pension funds. Despite the suspicion of manipulation of the
pension schemes, there was a widespread feeling in the City of London that
no action was taken by UK or US regulators against the Maxwell
Communications Corp. Eventually, in 1992 Maxwell's companies filed for
bankruptcy protection in the UK and US. At around the same time the Bank
of Credit and Commerce International (BCCI) went bust and lost billions of
dollars for its depositors, shareholders and employees. Another
company, Polly Peck, reported healthy profits one year while declaring
bankruptcy the next.

Cadbury report
The report was published in draft version in May 1992. Its revised and final
version was issued in December of the same year. The report's
recommendations have been used to varying degrees to establish other codes
such as those of the European Union, the United States, the World Bank etc.

The Contents of the Report
The suggestions which met with such disfavour were considerably toned
down come the publication of the final Report in December 1992, as were
proposals that shareholders have the right to directly question the Chairs of
audit and remuneration committees at AGMs, and that there be a Senior
Non-Executive Director to represent shareholders' interests in the event that
the positions of CEO and Chairman are combined. Nevertheless the broad
substance of the Report remained intact, principally its belief that an
approach 'based on compliance with a voluntary code coupled with
disclosure, will prove more effective than a statutory code'.
The central components of this voluntary code, the Cadbury Code, are:
that there be a clear division of responsibilities at the top, primarily that
the position of Chairman of the Board be separated from that of Chief
Executive, or that there be a strong independent element on the board;
that the majority of the Board be comprised of outside directors;
that remuneration committees for Board members be made up in the
majority of non-executive directors; and
that the Board should appoint an Audit Committee including at least
three non-executive directors.

The provisions of the Code were given statutory authority to the extent that
the London Stock Exchange required listed companies to comply or explain
that is, to enumerate to what extent they conform to the Code and, where
they do not, state exactly to what degree and why. The detail of this
explanation, and the level of implied censure on companies which do not
adhere to the Code, have both varied over time, but the basic 'comply or
explain' principle has endured over the intervening years and become the
cornerstone of UK corporate governance practice.
Cadbury Committee Report (1992)

The report was mainly divided into three parts:-
Reviewing the structure and responsibilities of Boards of
Directors and recommending a Code of Best Practice The boards
of all listed companies should comply with the Code of Best Practice.
All listed companies should make a statement about their compliance
with the Code in their report and accounts as well as give reasons for
any areas of non-compliance. The Code of Best Practice is segregated
into four sections and their respective recommendations are:-
1. Board of Directors - The board should meet regularly, retain
full and effective control over the company and monitor the
executive management. There should be a clearly accepted
division of responsibilities at the head of a company, which will
ensure a balance of power and authority, such that no one
individual has unfettered powers of decision. Where the
chairman is also the chief executive, it is essential that there
should be a strong and independent element on the board, with
a recognised senior member. Besides, all directors should have
access to the advice and services of the company secretary, who
is responsible to the Board for ensuring that board procedures
are followed and that applicable rules and regulations are
complied with.
2. Non-Executive Directors - The non-executive directors should
bring an independent judgement to bear on issues of strategy,
performance, resources, including key appointments, and
standards of conduct. The majority of non-executive directors
should be independent of management and free from any
business or other relationship which could materially interfere
with the exercise of their independent judgment, apart from
their fees and shareholding.
3. Executive Directors - There should be full and clear disclosure
of directors total emoluments and those of the chairman and
highest-paid directors, including pension contributions and
stock options, in the company's annual report, including
separate figures for salary and performance-related pay.
4. Financial Reporting and Controls - It is the duty of the board
to present a balanced and understandable assessment of their
companys position, in reporting of financial statements, for
providing true and fair picture of financial reporting. The
directors should report that the business is a going concern,
with supporting assumptions or qualifications as necessary. The
board should ensure that an objective and professional
relationship is maintained with the auditors.
Considering the role of Auditors and addressing a number of
recommendations to the Accountancy Profession
The annual audit is one of the cornerstones of corporate
governance. It provides an external and objective check on the
way in which the financial statements have been prepared and
presented by the directors of the company. The Cadbury
Committee recommended that a professional and objective
relationship between the board of directors and auditors should
be maintained, so as to provide to all a true and fair view of
company's financial statements. Auditors' role is to design audit
in such a manner so that it provide a reasonable assurance that
the financial statements are free of material misstatements.
Further, there is a need to develop more effective accounting
standards, which provide important reference points against
which auditors exercise their professional judgement. Secondly,
every listed company should form an audit committee which
gives the auditors direct access to the non-executive members
of the board. The Committee further recommended for a
regular rotation of audit partners to prevent unhealthy
relationship between auditors and the management. It also
recommended for disclosure of payments to the auditors for
non-audit services to the company. The Accountancy
Profession, in conjunction with representatives of preparers of
accounts, should take the lead in:- (i) developing a set of
criteria for assessing effectiveness; (ii) developing guidance for
companies on the form in which directors should report; and
(iii) developing guidance for auditors on relevant audit
procedures and the form in which auditors should report.
However, it should continue to improve its standards and
procedures.
Dealing with the Rights and Responsibilities of Shareholders
The shareholders, as owners of the company, elect the directors
to run the business on their behalf and hold them accountable
for its progress. They appoint the auditors to provide an
external check on the directors financial statements. The
Committee's report places particular emphasis on the need for
fair and accurate reporting of a company's progress to its
shareholders, which is the responsibility of the board. It is
encouraged that the institutional investors/shareholders to make
greater use of their voting rights and take positive interest in the
board functioning. Both shareholders and boards of directors
should consider how the effectiveness of general meetings
could be increased as well as how to strengthen the
accountability of boards of directors to shareholders.









The Turnbull Report-Internal Control and Risk Management
Executive Summary
The report of the Cadbury Committee in 1992 provided a framework for
corporate governance which has become the basis for the arrangements
whereby UK companies govern themselves. However, the Cadbury Report
left a significant piece of unfinished business. The Code contained a
recommendation that the boards of listed companies should report on the
effectiveness of their systems of internal control, and that the auditors
should report on this statement. This requirement was controversial, as
neither company managements nor auditors were willing to take
responsibility for expressing an opinion on internal control effectiveness. It
was not until 1999 that the report of the Internal Control Working Party
under the chairmanship of Turnbull resolved the problem of reporting on
internal control.

The Turnbull Reports guidance required companies to report whether the
board had reviewed the system of internal control and risk management, and
encouraged, but did not require, the board to express an opinion on the
effectiveness of the system. The close coupling of internal control and risk
management in the Turnbull Report echoes similar developments in the US
and Canada where other influential reports have emphasised the importance
of risk management as well as internal control. Although previous research
among leading companies has indicated that formal systems of risk
management and risk based approaches to internal audit are in use, other
research has suggested that in many companies internal audit is more
traditional. In this situation there is considerable potential for a high level of
adjustment costs borne by firms in complying with the Turnbull guidance,
whether or not the individual firm benefits from embracing risk-based
internal audit and control techniques.

At the same time the Institute of Internal Auditors has been seeking to
professionalise the work of internal auditors by issuing standards of work,
providing certification of education and training and enhancing the
prominence of internal audit in the business community. The Cadbury
Committee provided an enhancement for the role of internal audit and a
presumption that listed companies would have an internal audit function, or,
if not, would review the need for one periodically, the Turnbull guidance
reinforced this.

Against this background, this study explores the range of activities
undertaken by internal audit departments, their role within companies and
the impact of the Turnbull guidance on internal audit.

The investigation uses qualitative research methods to gather the
perceptions, on a wide range of issues, of senior internal auditors in large
businesses, all but one being FTSE 350 companies. Between 1999 and 2001
twenty-two interviews were conducted with heads of internal audit or their
deputies. The research takes a grounded theory approach and does not seek
to provide statistical generalisations about the frequency of particular
practices and arrangements for internal audit and risk management, but to
generate understanding of the inter-relationship of different factors that are
causing changes in risk management processes in companies and in the role
of internal audit.

Findings from interviews with internal auditors

Turnbull and internal audit

The impact of Turnbull on companies that had already embraced risk-based
approaches was not perceived as very significant. The impact on some,
usually smaller, companies had been greater in terms of adjustment to
processes and some mention was made of increased costs. Internal auditors
generally viewed Turnbull as beneficial to their cause and said it had helped
to alter the perceptions of internal audit in a positive way, so that operating
departments frequently sought the advice of internal audit when
implementing new or changed processes.

Risk identification, assessment and management

Formalised risk management procedures were at different stages of
development. The Turnbull Report had encouraged formalisation of
processes in most companies, although many considered their processes
Turnbull compliant prior to the publication of the report. Several companies
had set up risk committees. The relationship of internal audit with risk
management varied from that of outside observer to influential insider. In
particular, internal auditors had roles as facilitators and organisers of risk
identification and assessment, generally through workshops. Risk
assessment tended to be based on expected value of impact principles but
the assessment was frequently summarised in the form of a score, a matrix,
or traffic lights. The risk identification and assessment process generally
included the production of risk registers in various guises, either maintained
centrally or at operating units. When adverse events occurred (
crystallisation of risk) internal audit was frequently involved in reporting on
events and making recommendations for improved controls.

Organisation of internal audit

There was a wide diversity of arrangements. Some companies had dedicated
internal audit functions but in most companies the function was combined
with risk management, process review or similar activities. Some auditors
acknowledged a traditional compliance checking role but there was a
widespread view that monitoring of compliance was a function that should,
as far as possible, be the responsibility of line management.

Outsourcing of the entire internal audit function was rare in the companies
examined although co-sourcing arrangements, where external providers
(generally audit firms) supplied expertise in specific areas such as IT, were
fairly common. Outsourcing of internal audit meant forgoing most of the
important educational and development benefits of internal audit and the
view was generally expressed that providers of outsourced services neither
understood the businesses that they were auditing nor were they committed
to it in the same way as in-house staff.

The work programme of internal audit was, to a greater or lesser extent, an
outcome of companies risk identification and assessment processes in many
of the companies. However, other factors, such as rotation of coverage and
the priorities of the board or audit committee, also affected the design of the
programme.

Relationships and engagement with boards and audit committees and
other risk functions

Some boards and audit committees were more proactive than others. All the
internal audit reports were made available to audit committees and all heads
of internal audit attended audit committee meetings. Most companies had
other risk functions apart from internal audit, such as health and safety and
insurance. Where separate processes existed, the integration of risk
management could only occur at the level where the lines of reporting
intersected, usually at board level.

Involvement in strategy

In view of the role that external auditors seemed to be seeking as business
advisers, interviewees were asked about the level of involvement of internal
audit in the formation and implementation of business strategy. Internal
auditors did not have, nor did they seek, a prominent role in strategic
decision making, although those who were more involved with process
improvement thought that they had a role in implementation.

A number of facets of internal audit emerged strongly from the interviews
which were not originally included in the interview questions:
o Communication;
o Education and development;
o Independence;
o Change.
Communication

Much of the activity that internal auditors undertook could be classified as
communication, especially talking with divisional and business managers,
running workshops and making presentations to senior management. The
workshop, in particular, seemed to be an important way in which auditors
facilitated the identification and assessment of risks or dealt with other
issues.

Education and development

Internal auditors saw three important educational roles: they trained their
own staff, they educated line managers in control and risk management, and
they provided a function where new entrants to the organisation, or existing
staff, could spend a short period as a means of understanding the business.
Although this feature of internal audit is well-known, the interviewees
placed considerable emphasis on it.

Independence

Although a few of the interviewees fiercely guarded the independence of
internal audit, refusing to accept ownership of any processes or undertake
work which they felt would compromise their independence, most
departments were involved in risk-management and process improvement in
ways which meant that they would at some point be auditing processes that
they had helped to design or implement. This qualified independence was
viewed as beneficial, although auditors were conscious of the need to
maintain a balance. The direct line of reporting to the audit committee was
seen as reinforcing independence, and some auditors believed that they were
more independent than the external auditors, whose position could be
compromised by their business advisory role and their vested interest in
selling additional services.

Change

During the interviews it was apparent that the work of internal audit was
influenced both by frequent specific changes, such as acquisitions and
divestments, and by a pervasive climate of change. In many organisations,
risk-based approaches could be seen as one response to change since
businesses were rarely stable long enough for processes to be designed,
implemented and standardised so that a classical, systems-based approach to
audit could be established. Moreover, the occurrence of specific changes
provided internal audit with a role in recommending and developing
processes to adapt to those changes, as well as a prioritisation, based on risk
assessment, of where to expend control and risk management effort.

Implications

The diversity of the findings suggests that, although the Turnbull Report has
significantly raised the profile of internal audit in organisations by
highlighting its role in internal control and risk management, the
organisational role of internal audit varies widely. The role as the stern
enforcer of compliance with company systems has largely been abandoned,
wherever it existed, but has not been replaced by a uniform model.

Internal audit provides some useful organisational tools for
management in a dynamic environment:

o internal audit can identify and spread best practice, where the
development of central policies would be too slow and costly;
o internal audit can gather intelligence on risks;
o internal audit can assess risks and the robustness of systems; and
o internal audit can help to maintain an organisational culture.

Risk management has become a central focus of corporate governance. Its
processes provide an organisational defence in a changing environment. The
interviewees told their stories against a background of continual change,
including changes in organisational structure and changes in assurance
requirements. In the context of new organisational paradigms, such as the
concept of the learning organisation, where knowledge assets and
information flows assume great significance, internal audit can potentially
raise its profile greatly by emphasising its education, facilitation and
communication roles.