03 December 2012

ECIIA/ecoDa: Making the most of the internal audit function - Recommendations for Directors and Board Committees

Internal audit is a key component of modern corporate governance. However, board structures and corporate governance systems exhibit significant variation across Europe. In some countries (e.g. the UK, France), the board consists of both senior members of management and non-executive directors. In other countries (e.g. Germany, the Netherlands, the Nordic countries), the board or supervisory board may be entirely composed of non-executive board members. In such circumstances, senior management may sit on a separate executive board or be excluded from the board altogether.

In this guidance, the term “Board of Directors” is used as a generic term to refer to an organisation’s main governing body – however constituted – which assumes primary responsibility for corporate oversight on behalf of relevant stakeholders.

The purpose of this guidance is to assist the members of this governing body in making the most of the internal audit function in pursuit of their governance objectives.

The term “board” is also used to encompass the committees of the board – such as the audit or risk committees – which commonly play a particular role in terms of the board’s relationship with internal audit. Board committees – consisting of sub-groups of directors – are typically mandated by corporate governance codes or best practice in order to support the functioning of the main board in areas of more specialised boardroom activity.

However, it should also be recognised that there may exist significant variation in the role and functioning of such committees across differing European countries. For example, in the Nordic countries, a key role is played in governance by the nomination committee, which is a committee of the shareholders rather than the board. Local variation in governance practices should therefore be taken into account by directors when applying the recommendations of this guidance.

Notwithstanding the variation in corporate governance systems across Europe, there are some basic characteristics of governance frameworks that are typical in most countries:

• The board provides direction to senior management by setting the organisation’s risk appetite. It also seeks to identify the most significant risks facing the organisation. Thereafter, the board assures itself on an ongoing basis that senior management is responding appropriately to these risks.
• The CEO and senior management are delegated primary ownership responsibility for the operational functioning of an organisation’s risk management and control framework. It is management’s job to provide leadership and direction to the employees in respect of risk management, and to control the organisation’s overall risk-taking activities in relation to the agreed level of risk appetite.

To ensure the effectiveness of an organisation’s risk management framework, the board and senior management need to be able to rely on adequate line functions - including monitoring and assurance functions - within the organisation. In order to conceptualise these line functions, ecoDa and the ECIIA endorse the use of the “Three lines of Defence” model which is already widely adopted within the financial industry, but which can also be productively utilised in a wide range of sectors.

The “Three lines of Defence” structure is a conceptual delineation of an organisation’s internal control levels: first line controls, second level monitoring controls and third-line independent assurance. It also provides a framework with which the board can understand the role of internal audit in the overall risk management and internal control process of an organisation.

In such a framework, internal auditing is a key cornerstone of an organisation’s corporate governance. However, before considering the detailed recommendations of this guidance, it is important to stress that there are three fundamental issues that should be considered by boards in order to ensure that internal audit maximises its contribution to good governance:

• internal audit should have a reporting line within the organisation which ensures that it is able to function with sufficient independence;
• internal audit should utilise a risk based approach in developing and executing the internal audit plan;
• a consistently high level of professionalism and quality must be sustained in the internal audit staff’s work.

Top 10 recommended board and committee practices in respect of internal audit oversight

1. Evaluating the need for establishing an internal audit function when such function does not exist.
2. Assessing and approving the internal audit charter.
3. Ensuring effective communication lines between the Chief Audit Executive and the board.
4. Evaluating the internal audit plan.
5. Assessing the staffing of the internal audit function.
6. Gaining assurance regarding the quality of the internal audit function’s work.
7. Overseeing the relationship between the internal audit function and the organisation’s centralised risk monitoring function.
8. Coordinating the internal audit function with the work of external audit.
9. Assessing internal audit reporting.
10. Monitoring management follow-up of internal audit recommendations.

Press release

Full paper

© ECIIA