'Audit is not a necessary
evil but a support tooi
that will help promote
better business.'
Live the matrix
Balancing act
Down to the letter
Future focus
Van der Linden. 'He is responsible for the control procedure,
and local management reports back to Harry on progress made
in the mitigation of those risks. He also plays an important role in
developing guidelines for fïlling in that Control Framework in a
local environment.'
The third line of defence is the ARG itself. 'Early warning about
potential risks is very important, but we also have to present our
fïndings in a way that stimulates management to improve their
businesses, not paralyse them. This can only happen if manage
ment views audit not as a necessary evil but as a support tooi
that will help them do their business better.'
An essential part of the audit plan is determining how governance
within Rl takes place. Rl has regional organisations, global product
lines and central organisations like operations and IT, and they all
have to cooperate with one another. Sometimes, key risks occurred
in Rl because it wasn't always clear who was responsible.
'By creating the management matrix, Hans ten Cate and Sipko
Schat changed the governance model in a way that clarifies
accountability and who is ultimately responsible,' Van der Linden
says. 'But it's our people and culture that will make this matrix
work. And ultimately, the manager who has end responsibility
will only succeed if he organises control over resources in the
right way.' A GAP analysis is now in place to help.
Gone are the days when auditors presented their fïndings to
management and then walked away. Van der Linden explains
that today, the ARG auditors are also expected to be advisors.
'On paper, we are a control tooi, but the way we execute means
we also have to be a management tooi. If management reads
my fïndings and agrees that repairs need to be carried out, it's
logical that they ask my opinion. But we have to be careful to
remain independent. It is sometimes a balancing act.'
At the end of each year, the most pressing issues must be
presented to, and discussed by, the Executive and Supervisory
Boards. The so-called "management letter" lists the primary risks
that threaten the continuity of the organisation.The issues in
the management letter are then translated into a "to-do" list and
an action plan for addressing each issue. Actions are executed by
the MBRI and progress is followed via the control procedure.
'Rabobank Group's internal audit committee discusses the
management letter every time we meet. The letter is dynamic,
because progress and development are ongoing,' he explains.
Van der Linden adds that ARG's plans for the future focus on 'further
improving the business background of the auditors so we can speed
up the developments within Rl. From the perspective of these
developments, the new governance model came at the right time.'
Van der Linden says that ARG acts as a mirror for Rl senior man
agement, reflecting how they fïll in their responsibilities, warns
if necessary and supports the management in making the right
choices to develop their business. 'At the end of the day, the
business within Rl has to be done by people who are interested
in clients and strive for opportunities in the market, but who also
recognise the importance of the right checks and balances.'