Mastering Proxy Advisory Firms: Audit & Compliance 2026

Published: 2026-06-10

Why should a CISO, compliance lead, or audit manager care about shareholder voting at all?

Because a proxy advisor's recommendation often isn't just a market opinion. It becomes an external control signal that tests whether your governance claims are documented, consistent, and defensible under scrutiny. If your board oversight, cyber risk reporting, remuneration rationale, or engagement record can't be evidenced cleanly, the weakness won't stay confined to investor relations. It spills into audit readiness, regulator confidence, and board accountability.

That's the gap many organisations still miss. They treat proxy advisory firms as part of capital markets messaging when, in practice, they operate much closer to a governance verification function. Their questions force the same discipline that good compliance teams already need elsewhere: clear ownership, stable records, traceable decisions, and evidence that survives challenge.

Why Proxy Advisors Matter for Governance Systems

A lot of governance discussions still frame proxy advisors as a concern for the company secretary and investor relations team. That's too narrow. For risk and compliance leaders, proxy advisory firms matter because they create recurring, high-impact review events against public disclosures and board decisions.

Those events are operational. Someone has to gather the record, verify facts, reconcile policy statements with board minutes, and prove that disclosures reflect what the organisation did. If those steps depend on inboxes, memory, or informal spreadsheet chains, the underlying issue isn't the recommendation. It's the weakness in the governance system.

Governance pressure shows where evidence breaks

This is one reason debates about transparency matter beyond reputation. The wider challenge of corporate openness is really about whether organisations can make governance visible without losing accuracy, context, or accountability. Proxy advisors expose that problem quickly because they work from what can be seen, compared, and verified.

Board structure also matters here. If oversight responsibilities are diffuse or badly documented, external reviewers will often reach simplified conclusions from incomplete evidence. That's one reason a strong chair of the board model matters in practice. It creates a clearer route from board responsibility to board record.

Practical rule: If a governance claim would be difficult to evidence for an auditor, it will probably also be difficult to defend in a proxy review.

Recommendations are inputs into control processes

The right way to think about proxy advisory firms is not as a public commentary channel but as a predictable governance input. Their reports can trigger follow-up engagement, internal remediation, board discussion, and more detailed disclosures in the next cycle.

That makes them relevant to resilience frameworks as well. Mature teams already know that external scrutiny shouldn't depend on heroic last-minute effort. It should run through known owners, document controls, review paths, and retained evidence.

When that system exists, a negative recommendation is manageable. When it doesn't, even a routine governance question turns into an evidence hunt.

What Are Proxy Advisory Firms and Why Do They Exist

Proxy advisory firms exist because institutional investors can't analyse every vote at every portfolio company in the same depth. Large asset managers, pension funds, and mutual funds hold positions across thousands of issuers. Annual meetings generate ballots on director elections, executive pay, shareholder proposals, governance changes, and other matters that all need a voting decision.

Proxy advisors solve that scaling problem. They review the issuer's public materials, apply their own published voting policies, and provide research plus a recommendation. For a technical audience, the closest analogy is a code analysis or security rating service. It doesn't replace the final decision-maker, but it creates a standardised assessment layer that helps large organisations work at volume.

A useful overview of the broader governance context is this piece on environmental, social and governance, because many proxy votes sit at the intersection of formal governance, risk oversight, and public disclosure.

To make the workflow concrete, this concept map is useful:

[Figure: diagram illustrating the role of proxy advisory firms in guiding institutional shareholder voting decisions.]

They exist because governance doesn't scale manually

Institutional investors aren't hiring proxy advisors because they lack views. They hire them because governance analysis at scale is an operational burden. Every proposal requires reading, classification, comparison against policy, and a documented rationale for the vote.

That creates three practical needs:

  • Policy consistency so voting decisions align with stewardship principles across large portfolios.
  • Research efficiency so portfolio-wide reviews don't stall at peak proxy season.
  • Decision support so internal stewardship teams can focus on exceptions, high-risk proposals, and issuer engagement.

The service is therefore less like outsourced authority and more like a structured decision input. The final vote still belongs to the investor.

Their product is judgement packaged for repeat use

The product isn't just a report. It's a repeatable analytical method. Proxy advisory firms publish policy frameworks on issues such as board independence, remuneration design, shareholder rights, and governance disclosures. They then apply those frameworks across issuers and produce recommendations that investors can review, adapt, or follow.

That's why companies often find their reports influential even when no one is legally bound by them. Standardised judgement scales well.

The operational implication is simple. If your organisation is subject to shareholder voting, then proxy advisor policy documents are part of your external governance environment. They're not regulations, but they do shape how your disclosures and board choices will be read.

How Proxy Advisors Analyse Companies and Influence Votes

Proxy advisory firms don't assess companies randomly. They apply published policy criteria to disclosed facts, board structures, prior voting outcomes, and proposal-specific details. In practice, that means an issuer is being tested against a standard that is both external and repeatable.

For risk and compliance teams, that matters because repeatable standards create predictable evidence demands. If a policy says the reviewer will assess board accountability, pay design, or risk oversight, then the organisation needs records that connect public claims to actual process.

This visual captures the typical categories people expect proxy analysis to cover, even though the exact weightings vary by firm and policy set:

[Figure: chart illustrating the key factors and weightings used by proxy advisory firms for company analysis.]

Influence is strongest inside institutional workflows

The most important practical point is that proxy advisor influence is concentrated in professionally managed portfolios, not retail voting. A Harvard Law School summary of the empirical literature reports that an opposing ISS recommendation is associated with a 51% difference in institutional voting support, versus 2% among retail investors (Harvard Law School Forum on Corporate Governance).

That finding changes how issuers should think about response planning. The issue isn't mass persuasion. The issue is whether a small number of highly organised voting processes receive a negative signal and propagate it quickly through their stewardship operations.

A proxy recommendation matters most when it enters a voting workflow that is already standardised, time-bound, and designed to operate at scale.

What firms usually get wrong

Many issuers still assume the main task is to disagree with a recommendation after publication. That's usually too late to be effective. Effective work happens earlier, when the company decides how it will evidence governance quality in the proxy statement and supporting engagement.

What doesn't work:

  • Late narrative corrections after the analytical frame is already fixed.
  • Unstructured rebuttals that argue intention but don't resolve factual gaps.
  • Policy-free engagement where internal teams haven't mapped their position to the reviewer's published criteria.

What works better is more procedural:

| Governance task | Weak approach | Strong approach |
|---|---|---|
| Board oversight claims | General statements about active supervision | Minutes, committee remit, decision trail, and disclosed linkage to risk topics |
| Executive pay explanation | High-level defence of outcomes | Clear rationale tied to policy, performance logic, and prior shareholder feedback |
| Correcting the record | Email objections without evidence pack | Version-controlled factual correction with accountable owner and source records |

The proxy advisor doesn't need to agree with management's preferences. It needs a credible basis to assess the proposal under its policy framework. Teams that understand that distinction tend to engage more effectively.

The Global Landscape of Major Firms and Regulation

The proxy advisory market is unusually concentrated. That concentration explains both the influence of major firms and the degree of scrutiny they attract from issuers, investors, and regulators.

According to a U.S. Chamber report, by 2021 ISS held 48% of the proxy market for U.S. mutual funds, representing $26.8 trillion in assets across 144 fund families, while Glass Lewis held 42%, representing $23.6 trillion across 94 fund families. The same source notes that the SEC finalised its proxy advisor rule in July 2020 to increase transparency and reaffirmed that proxy advice is a “solicitation” subject to antifraud provisions (U.S. Chamber proxy roadmap).

Concentration changes the operating model

When two firms occupy that much of the market, companies don't face a diffuse ecosystem of minor reviewers. They face a relatively standardised external reading of governance choices. That has two effects.

First, issuers can prepare more systematically because the analytical frameworks are visible and recurring. Second, a weakness in disclosure discipline can spread quickly because the same issue may be surfaced through a small set of highly influential channels.

Regulation confirms they are market infrastructure

The regulatory angle matters because it places proxy advice inside a formal accountability perimeter. Once proxy advice is treated as a solicitation subject to antifraud provisions, the conversation moves beyond market commentary. Accuracy, transparency, and process quality become governance issues in their own right.

The presence of regulation doesn't remove disagreement. It does confirm that proxy advice sits inside a supervised market process, not outside it.

For compliance leaders, that's the essential understanding. Proxy advisory firms aren't informal observers standing at the edge of corporate governance. They are established intermediaries operating in a scrutinised environment, and their outputs can affect how institutional voting decisions are formed.

Critiques and the Future of Vote Analysis

The standard critiques of proxy advisory firms are familiar. Companies worry about factual errors, compressed timelines, and policy frameworks that can feel too uniform for unusual governance structures or local market context. Those concerns are real, especially when a complex board decision is reduced to a recommendation under a broad policy template.

The more important development, though, is architectural. Some of the largest investors are shifting parts of vote analysis in-house, which changes the engagement model for issuers.

The one-size-fits-all problem is only part of the story

A published proxy policy can produce disciplined, comparable outcomes. It can also flatten nuance. A company with a legitimate governance rationale may still receive a negative recommendation if the rationale isn't legible within the reviewer's framework.

That's why rebuttal by assertion rarely works. “Our circumstances are different” isn't persuasive on its own. Teams need to show how the exception was governed, approved, and disclosed.

Common friction points include:

  • Local governance variation where market practice doesn't align neatly with a global benchmark policy.
  • Disclosure asymmetry where the board did the work but the proxy statement doesn't show enough of it.
  • Control ambiguity where responsibility is spread across committees and no one can produce a coherent record fast enough.

The next challenge is fragmented analysis

Recent reporting described by Skadden says JPMorgan and Wells Fargo will stop using proxy advisory firms for voting research and instead rely on in-house stewardship teams supported by proprietary analysis tools (Skadden on curbs on proxy advisors). That doesn't mean proxy advisors disappear. It means the decision logic may become less centralised and more bespoke.

For issuers, that creates a different operational burden. Instead of engaging mainly with a known external framework, they may face a mix of third-party policies, internal investor methodologies, and AI-assisted review pipelines that ask more customised questions.

If vote analysis moves inside large asset managers, the challenge shifts from responding to a published recommendation to evidencing governance quality across multiple analytical models.

That trend should interest security and compliance teams for one reason in particular. Internal investor models still depend on inputs. If your disclosures, committee records, risk narratives, and governance evidence are inconsistent, internalisation by investors won't reduce scrutiny. It will expose inconsistency through a wider range of review methods.

An Audit-Ready Framework for Engagement

Engagement with proxy advisory firms works best when it is treated as a controlled process, not a seasonal reaction. The practical aim isn't to “manage perception”. It's to ensure that every external governance judgement can be met with a documented, reviewable record.

One study summarised in Review of Finance found that firms treated by ISS after a low say-on-pay vote were 31% more likely to disclose engagement than controls, with regression-discontinuity estimates showing an 11.0 to 33.4 percentage-point increase depending on bandwidth choice (Review of Finance summary). That's useful because it shows proxy scrutiny can change issuer behaviour directly. Good teams shouldn't wait for that pressure to build the process.

This framework is a good operating baseline:

[Figure: cyclical process diagram outlining the five stages of a proactive proxy advisor engagement framework.]

Start with policy mapping, not message drafting

Before proxy season, map the relevant advisor policies against your own governance areas. Don't treat this as a legal summary exercise. Treat it as control design.

A useful pattern is:

  1. Identify review topics that are likely to matter for your ballot and governance profile.
  2. Assign accountable owners for each topic across legal, compliance, company secretariat, remuneration, cyber, and sustainability functions.
  3. List the evidence that proves the board's decisions, oversight, and disclosures are consistent.
  4. Test retrieval so the record can be produced under time pressure.

A lot of teams skip step four. They know the evidence exists somewhere, but they haven't proved that it can be found quickly and reconciled cleanly.

Build an evidence pack that survives challenge

Engagement fails when claims outrun records. If you tell a proxy advisor that the board actively oversees cyber risk, the support shouldn't be a broad sentence in the annual report alone. It should include the underlying committee structure, reporting cadence, decision artefacts, and disclosure trail.

That's the same discipline required for audit evidence management. Teams that already work with structured records, ownership logs, and version control are at an advantage. For a practical view on what strong records look like, this guide to audit evidence is useful because it focuses on traceability rather than paperwork volume.

Consider this operating checklist:

  • Factual integrity first. Validate names, dates, committee responsibilities, and proposal mechanics before discussing interpretation.
  • Controlled narrative. Keep one approved explanation for each contested issue, linked to source records.
  • Version discipline. If disclosures or talking points change, preserve the prior version and record who approved the update.
  • Escalation path. Decide in advance who can authorise corrections, shareholder outreach, or board-level clarification.

There's also a lesson from adjacent audit work. Examples of Reducing audit effort with Automation Anywhere are relevant not because proxy engagement should be automated end-to-end, but because repetitive evidence collection and collation can be systematised while accountability stays with named owners.

Operational advice: Automate collection where you can. Never automate accountability.

Close the loop after the recommendation

The post-recommendation phase is where mature governance teams separate themselves from reactive ones. Whether the recommendation is favourable or not, document what happened, what evidence was used, what was challenged, and what should change before the next cycle.

A simple review table helps:

| After-action question | Why it matters |
|---|---|
| Which claims were hardest to substantiate? | Reveals weak controls or poor record ownership |
| Which disclosures caused confusion? | Shows where language and evidence diverged |
| Which functions responded too slowly? | Identifies workflow and escalation failures |
| What should be embedded before next season? | Turns one-off effort into governance improvement |

That review should feed back into board reporting, disclosure drafting, and control maintenance. Otherwise the organisation keeps solving the same problem every year.

Conclusion: From Recommendation to Resilience

Proxy advisory firms are often discussed as if the central question is whether they have too much influence. For risk and compliance leaders, the more useful question is simpler. Can the organisation demonstrate, with evidence, how its governance decisions were made, overseen, disclosed, and defended?

That's the fundamental operating test. A favourable recommendation may help. A negative one may create pressure. But neither outcome is the foundation of resilience. The foundation is a governance system that produces clear records, assigns responsibility, preserves decision trails, and supports challenge without improvisation.

When that system exists, proxy season becomes manageable. The organisation can explain itself consistently to investors, auditors, regulators, and the board because the underlying evidence is already organised.

When that system doesn't exist, proxy advisory firms don't create the weakness. They reveal it.

A strong governance function doesn't try to eliminate every external criticism. It makes criticism survivable through traceability, accountability, and disciplined response. That is what turns proxy engagement from a reputational concern into an operationally controlled process.

