
This paper seeks to provide useful guidance to boards, governing bodies and individual directors that wish to make effective use of the internal audit function, particularly in respect of gaining assurance concerning the adequacy of an organisation’s risk management and internal control systems.

Organisations want to be more robust in the future and need to strengthen their corporate governance. European listed companies are not achieving the full value and benefit from their internal audit departments. Recent ECIIA benchmarking shows that while most businesses have established such functions, they often fail to make a significant contribution to their strategic goals.

Making the most of the Internal Audit Function, published by ECIIA and ecoDa, aims to address that problem.

Effective internal audit can not only provide assurance over a company’s risk controls and governance processes, it can make sure that everyone is working effectively to that end with little waste or duplication. In addition, it can give comfort to directors and board committees that the decisions they make are based on sound assumptions and risk assessments – and can advise on how to improve the effectiveness of information flowing to the board.

The document poses ten major questions that companies must consider to achieve those benefits:

- Has there been a proper review of the need for an internal audit function where none exists?
- Has the board reviewed and approved an internal audit charter that gives the function the ability to act across the organisation and fulfil its assurance responsibilities?
- Does the chief audit executive report directly to the board and have unrestricted communication channels?
- Does the board contribute to the risk-based audit plan and approve it?
- Are internal audit staffing levels linked to the requirements of the risk-based audit plan?
- Is there a regular quality review of internal audit and who does it?
- Does internal audit give assurance on risk management across the entire organisation?
- How well does internal audit work with the external auditors?
- Does the board review internal audit reporting?
- And does it make sure internal audit recommendations have been followed through?

The document also challenges boards to put in place the three conditions that maximise internal audit’s contribution to good governance practice: strong reporting lines to ensure its independence, a risk-based approach to the audit plan, and an investment in the professionalism and quality of staff. It contains a sample internal audit charter, a sample audit committee charter and an explanation of the Three Lines of Defence model of corporate governance advocated by ECIIA.