Keynote Address


YBhg Tan Sri Zarinah Anwar, Chairman, Securities Commission Malaysia

at the

Asian Confederation of Institutes of Internal Auditors (ACIIA) Conference 2009, Conference on Internal Auditing

Theme: “Towering experience: Towards sustainable success”

19th October 2009, Kuala Lumpur Convention Centre


En Hashim Mohammed, President, Institute of Internal Auditors Malaysia
Mr Richard Chambers, President and CEO, Global Institute of Internal Auditors, USA
Mr Leonardo Matignas, President, Asian Confederation of Institutes of Internal Auditors
Distinguished guests
Ladies and Gentlemen
Good morning.


Thank you, first of all, for inviting me to deliver this keynote address. It is a pleasure for me to be here and I would like to join the Institute of Internal Auditors Malaysia in extending a warm welcome to all foreign delegates.


This is a conference that is extremely timely, and with a theme and agenda that befit the current challenging environment, providing those involved in internal audit, risk management and governance an excellent opportunity to learn from leading practitioners on how best to further enhance the effectiveness of their roles in the light of the current challenges.

The Global Crisis and Its Impact on Corporate Governance


I have been asked to speak on regulating corporate governance in current times. Given the gathering of internal auditors in this forum, I would like to explore the subject with particular reference to the role of the internal audit profession, a group that occupies a position within corporations and institutions that makes them particularly well-placed to bring about change to the quality of corporate governance.


The global financial crisis has indeed exposed various shortcomings in corporate governance. The devastating consequences of the crisis for economies, corporations, communities and individuals the world over have prompted governments, international regulatory bodies, multi-lateral agencies, professional groups and industry to investigate ways of dealing with and mitigating the impact of the crisis, not least in the area of corporate governance.


It is inevitable that a situation of crisis forces those affected to identify the root causes, review their roles and accountabilities, re-assess the adequacy of existing policies, frameworks, rules and regulations, and revisit practices that may have contributed to the crisis. And I believe it is the same for the internal audit profession.

Corporate Governance Weaknesses Identified by Crisis


The Organisation for Economic Co-operation and Development (OECD) recently issued a report1 highlighting several corporate governance weaknesses that emerged during the recent financial crisis. Firstly, the remuneration or incentives system is seen as a key corporate governance weakness, with the OECD identifying the need for remuneration structures to be aligned with the objectives of encouraging and rewarding long-term sustainable performance and the avoidance of excessive risk-taking. The OECD recommended that remuneration schemes must be as transparent as possible allowing companies to explain the main characteristics of their performance that are related to remuneration in concise and non-technical terms.


Secondly, the effective implementation of robust risk management systems is viewed as a critical aspect in implementing a company’s strategy. In many cases, during the crisis, risk was not managed on an enterprise wide-approach and risk managers were often kept separate from management, thus depriving the board of having an overall view of the risks facing the company. It is also noted that incentives systems typically encouraged and rewarded high levels of risk taking, compounded by the fact that risk management committees tended to be at its weakest when there has been a period of high growth.


This now brings me to the role of the board. The financial crisis has pointed in a large number of cases to boards of companies that were ineffective and not capable of exercising objective and independent judgements. The structure, quality, composition and skills of these boards have also been weak. I cannot over-emphasise the fact that leadership inevitably sets the “tone at the top”, and developing a culture of ethics is the responsibility of the board and senior management. Leaders must therefore be committed to the values they advocate and must visibly embrace these values through their actions, including management and decision-making.


This crisis has seen the collapse of major corporations across the globe despite reputations built over the course of decades, while other companies have managed to remain afloat. Although the causes of the crisis are complex and can be attributed to a variety of factors, and there are many issues and challenges that need to be dealt with, there is no doubt in my mind that the standards of corporate governance practices in these organizations have a large role to play in the difference between extinction and sustainability. When boards are unable to manage risks effectively and lose touch with critical parts of their business, this represent a failure of internal controls, a key governance responsibility of boards of directors.


Finally, the role of shareholders and the need for them to exercise their right-s to challenge, and to be proactive instead of reactive, cannot be over-emphasised. Institutional investors who have the clout and the means to monitor corporate conduct and influence corporate decisions need to intensify their voice. They must invest in active monitoring and effective challenge of boards and management, and altogether undertake seriously their responsibility to play a more active and informed role and eliminate any situation of conflict that will inhibit their ability or willingness to pressure the board and management.


At the same time, there is a critical need for companies to do more to encourage constructive engagement with their investors, and ensure equitable treatment of all shareholders.

The role of auditors in the crisis
Ladies and Gentlemen


How does this translate to the role of internal auditors? In a survey conducted by the Institute of Internal Auditors (IIA) and the IIA research Foundation’s Global Audit Information Network2 on the Financial Crisis and its Impact on the Internal Audit Profession, a slight majority of respondents3 agreed that internal auditors could have done more to help their organisation identify key risks to prevent some of the economic impacts on the organisation. These results are significant in that it reinforces the instrumental role that internal auditors play in any corporation.


It is imperative that internal auditors fully understand the corporate governance shortcomings that were revealed by the financial crisis, and the critical role they play in ensuring that appropriate standards of governance are implemented to mitigate or pre-empt risks of losses, fraud or corporate wrongdoing.


The major failures during the crisis have brought to light the ineffectiveness of the internal audit function in many corporations. Madoff did not have an internal auditor, but many of his investors were entities that did possess internal as well as external audit functions. Given that investments were a material item on their balance sheets, the auditors should, at the very least, have been aware of whether or not the investments exist, its value, collectability and rate of return. The internal auditor has a responsibility for ensuring that the company minimises, if not eliminates, its risks to investment scams.


The crisis also showed that while some of the financial institutions affected had risk management models, risks had not been managed on an enterprise basis, critical risks facing the company had not been fully understood and agreed upon, and the governance process within those organisations had failed to allow excessive risk taking, thus leading to their eventual failure. In these cases, internal auditors tasked with assuring internal control and governance processes have a role to play in asking the right questions and raising sufficient warnings to the audit committees to ensure the adequacy and effectiveness of the institutions’ risk management processes.

Evolving role of auditors in corporate governance
Ladies and Gentlemen,


It is certainly timely therefore that internal auditors globally are reviewing their role and expanding the scope of their responsibilities from the traditional boundaries of audit work, to focus more on the emerging risks that have surfaced from the changing business and economic environment. Internal auditors must increase their coverage of risk areas to include among others, financial, operational, reputational and liquidity risks, as well as company exposure to third parties in financial distress.


It is important that internal auditors play a more substantive role in pre-empting losses, by being more vigilant and pro-active in raising red-flags and ensuring that their audit coverage and scope includes an assessment of sound risk management practices, effective whistle blowing policies, and checks on the ethical culture of the organisation


Internal auditors are in a unique position in that they are the “independent insiders” and “in-house regulator”, and have the ability to act preemptively before the occurrence of the fraud. They must therefore work closely with and complement the roles of the board, the management, external auditors and risk managers.


Internal auditors should to have the ability to challenge proposals on strategy, satisfying themselves that board discussions and decision making on material matters are based on accurate and comprehensive information. They need to be able to pose tough questions, including, whether management can provide a holistic view of the company’s major risks, whether the risk information is up to date, whether the key risks facing the company are understood and agreed on, and how does remuneration and other incentive arrangements impact the company’s risk profile4. While this may cause tension and misalignment between the internal auditor and the board and management, it is imperative that internal auditors remain steadfast in raising these important issues, and continue to exercise high standards of professionalism in discharging their responsibilities.


In this regard, internal auditors can also act as a catalyst for change. They have the ability to advise and advocate improvements to enhance organisational governance structure and practices.

Good governance is a shared responsibility

Ladies and gentlemen,


It is my firm belief that corporate governance is a shared responsibility. Regulatory discipline must work hand in hand with market discipline and self discipline to ensure confidence and integrity in the financial markets. The capital formation process depends on investor confidence in the integrity and fairness of the market as well as the ethical way in which the market functions. In this regard, it is the dynamic composite of the efforts of the regulators and the market that will make for a robust and credible corporate governance environment, with each bearing the responsibility for establishing and enforcing the appropriate corporate governance standards in their respective spheres of influence.


Market discipline must impose incentives on companies to conduct their business in a sound and efficient manner. Thus the market’s assessment of corporate performance should be reflected in their stock prices, bond spreads and credit ratings. Directors and senior management of companies must establish their own best practices on corporate governance and promote integrity, transparency and accountability.


Regulators must ensure that the regulatory framework is continuously assessed and enhanced. While codes, regulatory requirements and other prescriptions provide the basis for regulatory discipline, these alone are not sufficient. It is implementation and enforcement that matter, with regulators needing to step up efforts at supervision, surveillance and enforcement, monitoring closely corporate activities, scrutinising financial statements and engaging with directors and management of companies on a regular basis. This is consistent with the findings of the OECD Report on Corporate Governance and the Financial Crisis where it was acknowledged that while the OECD Principles in general provide a sound basis to adequately address the key concerns raised by the Report, the major failure amongst policy makers and corporations appears to be due to the lack of effective implementation of the agreed standards.


In this regard, it is essential that all companies must embrace the need for sound ethical practices. It should be noted that while many corporate failures can be attributed to poor governance and breaches of the law, at the heart of these failures, is the failure of ethics and morality. The crisis has shown that the reckless pursuit of growth and profits with scant regard for ethical and prudential considerations had culminated in the most devastating consequences for companies, investors and the financial markets; indeed, on global economies.


When these debacles occur, it is instinctive to turn to the regulators and law enforcers to demand action. Indeed this the regulators must do. However it will do us all well to remember that while regulators can develop and establish a strong legal and institutional framework, prescribe good governance standards and enforce the laws, we cannot legislate on ethics and morality; and it is ethics and morality that are the foundations of responsibility and accountability. Ethics is beyond the law. Acting ethically is not just about “not breaking the law and not doing the wrong thing”, but it is also about “doing the right thing”.


But experts in business ethics say that not all businesses hear this message. Many companies pay lip service to corporate ethics and compliance, maintaining such departments but sidelining them in major decisions. It is essential therefore that corporations follow not just the letter, but also the spirit of the law, and ensure that compliance with corporate governance practices is not a mere box ticking exercise. More than just publishing codes of conduct, companies need to commit resources and efforts to change their corporate culture and practices to embrace the substantive principles of good governance.


Sound corporate governance practice is a proxy to the world regarding the quality of the board and management, and demonstrates a company’s commitment to enhancing shareholder value and the creation of wealth. Indeed a ranking of major companies on their ethical standards over the last three years by Ethisphere Institute, an international think tank dedicated to the creation and advancement of best practices in business ethics, found that there was a marked correlation between companies that had strong commitment to ethics and transparency, and strong financial results.

Strengthening the Role of Internal Audit in the Governance Process

Ladies and gentlemen


While the crisis has not indicated a broad-based failure in the overall corporate governance framework, and many corporate governance systems in national jurisdictions remain broadly fit for purpose, various shortcomings have surfaced, and there is no room for complacency. The crisis provides an opportunity to re-evaluate and mend the cracks. In Malaysia, the lessons learnt from the Asian financial crisis of 10 years ago have enabled us to make significant advances in corporate governance practices, with improvements in the areas of disclosure and transparency, shareholder activism and enforcement. Our Code of Corporate Governance was amended recently to mandate the requirement for an internal audit function in PLCs. But there is a need for constant vigilance and certainly we cannot rest on our laurels.


There are challenges that need to be addressed. We need to enhance the effectiveness of non executive directors on boards of PLCs, to improve communication between the boards of companies and their investors, and to enhance shareholder activism. Companies need to ensure the highest standards of transparency and disclosure and ensure that shareholders have the appropriate information to enable them to make informed decisions.


Changing stakeholder expectations, certainly require all governance partners to be vigilant. And this is no different with the internal audit profession. Professor Mervyn King, the corporate governance guru recently articulated the need for internal auditors to move from the backroom to having board room presence. But in order to do this effectively, internal auditors must strive to raise their level of skills and competence, and ensure adequate knowledge of the business and all aspects of control and governance to enable them to effectively support the board in discharging its responsibilities. By upholding high standards of professionalism and integrity and commitment to good governance, internal auditors working together with other governance partners can add value to the company and enhance its resilience to future challenges.

Thank you.

1 OECD Report: Corporate Governance and the Financial Crisis: Key Findings and Main Messages, June 2009

2 March 2009

3 40 per cent

4 KPMG Ten To-Do;s for Audit Committees in 2009