Government regulators, ratings agencies, institutional investors, and individual shareholders alike now are exerting substantial pressure on the boards of public companies to maintain careful and critical oversight of the appropriateness of executive compensation and benefits (ECB) programs. Internal auditors can help directors fulfill this essential governance responsibility by implementing new risk-based practice guidance from The Institute of Internal Auditors (IIA).
“Based just on recent headlines, it’s obvious that strong oversight is needed for executive pay programs. Management is often in the position of designing its own compensation program, as well as recommending it for board approval. This, of course, could be a conflict of interest,” says IIA Director of Standards and Guidance Beryl Davis. “Internal auditors, due to their independence and objectivity, can help the board of directors balance its critical fiduciary responsibility to shareholders with its responsibility to compensate senior management fairly.”
One of the most valuable aspects of The IIA’s new Practice Guide, "Auditing Executive Compensation and Benefits," is the overview of key executive compensation risks which should be understood before assessing whether the controls and governance over ECB programs are effective.
These highly controversial risks include financial reporting, in which excessive, illegal, or unethical ECB could be misclassified or otherwise hidden within the financial statements. Also, operating or financial data could be manipulated to trigger incentive-compensation payments or artificially inflate the value of stock options.
Another risk is reputation. The IIA says that failure to effectively construct, communicate, and if necessary defend ECB strategies could expose the organisation to reputation-tarnishing challenges from shareholders, employees, the media, regulators, and other stakeholders. The organisation’s reputation also could be negatively impacted if stakeholders perceive that its ECB programs reward failure or socially unacceptable behavior such as disregard of the environment.
The employment market also pose a risk. If the ECB program is not competitive with those of peer organisations, key executives could depart, and the organisation could be unable to attract replacements with comparable skills and experience.
The resulting leadership void could render the organisation incapable of meeting the performance expectations of investors and other stakeholders.
The IIA also considers operations a source of risk. Highly complex ECB programs could trigger errors or fraud because calculating proper payments requires the effective operation of many in- house departments and systems. Poorly designed ECB programs tempt management to take excessive risks, commit fraud, or engage in unethical behavior to gain compensation tied to the achievement of short-term performance targets.
“Internal auditors can add great value to the organisation by continually monitoring related risks and controls and bringing their findings and recommendations to the attention of management and the board to avoid a crisis,” says Davis.
The guidance, whose application is strongly recommended but not mandatory under The IIA’s International Professional Practices Framework, also provides audit approaches and considerations due to the sensitivity of ECB information. For example, the engagement might comprise separate audits of the legal, human resources, payroll, accounts payable, and other relevant departments. The collective findings of these audits would enable the CAE to provide the board an overall opinion on the adequacy of ECB-related policies, processes, and controls.
The guidance also informs CAEs of the potential issues they need to consider as they plan an ECB audit including the skills and knowledge of the audit team, the team’s access to critical but sensitive information, and whether communications about ECB is privileged between the organisation and its legal counsel.