Auditing Governance: Don’t Forget the ‘G’ in ESG

Corporate Governance

Imagine being the CEO of arguably the most successful artificial intelligence company in the world. You’ve created an app that accumulated 100 million active monthly users in just five days. Next, you brokered funding to the tune of more than $10 billion from one of the world’s biggest tech giants, sending the valuation of the organization into the stratosphere. And to thank you for your efforts the board hands you … a pink slip?

Welcome to the world of corporate governance. The example above, of course, is ripped right from the headlines with the experience of OpenAI CEO Sam Altman, and his roller-coaster ride late last year from being a hero to being fired to being reinstated, all over a period of a few days.

The example might be considered a case study in poor governance. Where you expect to see transparency and reliability, you get veiled statements about the recently fired CEO not being “consistently candid.” And OpenAI is hardly alone when it comes to corporate governance stumbles. Where you expect competence and knowledge, you get Silicon Valley Bank collapsing due to a lack of risk management knowledge on the Board and at senior executive level. Where you expect robust oversight for one of the largest companies in the market, you get FTX collapsing with no board, no risk management, and “no internal controls whatsoever.”

ESG on the Radar

ESG has gained significant attention recently due to mounting investor pressure, heightened board awareness, and impending regulations like the Corporate Sustainability Reporting Directive in the European Union and the Securities and Exchange Commission’s plans to require greater disclosure of climate change measures.

While discussions predominantly emphasize the “E” in ESG for Environment and to a lesser extent, the “S” for Social, the often overlooked “G” for Governance is the linchpin that intricately binds the trio together. Governance, though less prominent, plays a pivotal role as the backbone that holds the other areas together, ensuring not only their effectiveness but also contributing to the overall resilience and sustainability of a business.

Corporate governance is like the rulebook for a company’s participation in the business world. It sets guidelines to ensure fairness and transparency on how a company is run. To borrow a sports analogy, good corporate governance is like having a captain who looks out for the team’s best interests, ensures everyone plays fair, and helps the team achieve its goals, while also being accountable to the fans (stakeholders). Getting it wrong can mean the end of the road, no matter how successful the company is, how much money it is holding, or how clever the product offering is.

These critical risks are why corporate governance is such an important, but often overlooked, part of any audit universe. While internal audits traditionally focus on financial statements and operational processes, corporate governance stands as the pensive coach orchestrating the company’s entire performance from the sidelines. It’s the compass guiding decision-making, ensuring fairness, accountability, and ethical conduct. Yet its significance sometimes fades into the shadows, outside the spotlight on other audit areas.

Elements of Corporate Governance

At its core, corporate governance is made up of several key parts, each playing a role in steering a company towards success:

  1. The Board of Directors: The board oversees the company’s strategy, appoints the CEO, ensures the company follows the rules, and acts in the best interests of stakeholders.
  2. Transparency and Accountability: Like referees overseeing a game, transparency ensures the company’s actions and financial information are visible and easily understood. Accountability means taking responsibility for decisions made and their outcomes, creating trust between the company and its stakeholders. This is why market disclosures and annual financial reports are so important.
  3. Ethical Behaviour and Code of Conduct: This is about playing fair and respecting the rules of the game. A strong Code of Conduct sets the ethical tone, guiding employees and management on doing the right thing in their interactions with customers, partners, and the communities they act in.
  4. Risk Management: Just as teams have tactics to minimise risks and maximise opportunities during a game, companies identify and manage risks too. Effective corporate governance involves assessing risks and having plans in place to navigate through challenges.
  5. Skills, knowledge, and diversity of thought: Just like in a sports game, you won’t get very far without your star players having the right skills, knowledge, and cultural fit to enact the strategy and corporate governance of the business.

Recent stories of corporate turmoil can all be boiled down to failures in corporate governance. FTX was one of the largest crypto exchanges in the world, once valued at over $32 billion but collapsed in just over a week as allegations of financial mismanagement and potential fraud swirled around the CEO, Sam Bankman-Fried.

The FTX story is still unfolding, but it was certainly incredible mismanagement of an internationally important company in an emerging technology field, and likely included crimes of money laundering, wire fraud, and securities fraud. All was allowed to happen due to the lack of a strong board of directors to provide oversight, a lack of risk management and internal control processes, and the company being run by people who did not have the right skills, knowledge, and experience.

OpenAI’s CEO flip-flop is another complex story with plenty more to be told, but arguably, in this case, the board was doing what they thought was right. Some might read between the lines of the vague board statements, which didn’t pinpoint a specific issue with Altman, and suggest that fundamentally, they didn’t trust him. But none of that matters if the board structure and bylaws allow four people with limited board experience to cause such a storm with no explanation of why or how the decision was made.

These recent scandals and economic shocks have brought corporate governance onto the front pages.

Lessons in Corporate Governance Failures

In 2003, the then commissioner of the SEC, Paul S. Atkins, gave a speech at an awards dinner in the United States on the importance of corporate governance and the expected impact of the recently implemented Sarbanes-Oxley Act (SOX).

“A lesson from the recent corporate failures in America is the importance of corporate culture and what we call the “tone from the top.” A CEO’s tolerance or lack of tolerance of ethical misdeeds and a CEO’s philosophy of business conveys a great deal throughout the organization. The role of directors is to monitor and oversee that situation on behalf of stockholders.”

His words were in response to corporate and accounting scandals at the time, including those at Enron and WorldCom, but they ring just as true today.

The recently watered-down U.K. corporate governance code update (previously considered to be the “U.K. SOX”) is expected to be published this quarter and is likely to take forward the proposals around the declaration on the effectiveness of the risk management and internal control systems. This is a beefed-up version of what is currently required and another opportunity for internal audit to add value by interacting with the board on how to facilitate or review this process.

The Governance Internal Audit Check List

The emergence of these recent scandals serves as a poignant reminder of corporate governance’s critical significance. It also presents internal audit with a prompt to include corporate governance within their risk assessment and planning considerations for the coming year. This could involve scoping in relevant areas on existing reviews or including specific reviews on corporate governance such as:

  • Assessing governance structures and bylaws including board composition, diversity, and experience.
  • Evaluating board effectiveness by reviewing board meeting notes, decision making processes, and the level of oversight provided.
  • Reviewing corporate policies and procedures such as the Code of Conduct and if they align with ethical and regulatory standards.
  • Assessing risk management by evaluating the company’s risk management practices and how well they are integrated into the overall governance framework. This involves reviewing risk assessment methodologies, risk mitigation strategies, and the effectiveness of internal controls.

With the ever-increasing pressure on companies and boards in the world of permacrisis, Internal Audit can have a key role in providing the board with assurances that they are structured appropriately and suitable risk management and internal control processes exist to support the long-term sustainability of the business. As businesses navigate this complex landscape, 2024 could be a timely moment for the quiet partner in ESG—the “G”—to step out of the shadows and into internal audit’s watchful spotlight.


Richard Clapton is an Internal Auditor for an international technology and automation company based in the United Kingdom.

One Reply to “Auditing Governance: Don’t Forget the ‘G’ in ESG”

  1. Very informative stuff, enjoyed this read! Never thought much about the governance part of ESG other than “good management”. I’d say it’s too early to judge if the board should have hired/fired Altman given the sensitive nature of the work at OpenAI, but I agree that the decision being down to 4 board members is certainly lacking!
