Internal audit and its role in corporate governance
Internal audit plays a key part in the corporate governance environment. Alan Simpson CA considers its role.
The board of directors is ultimately responsible for the organisation’s effective governance. Corporate governance is the collective name given to the various policies, rules, practices and processes established by authority of the board to govern the organisation effectively, to monitor their application and to meet the organisation’s objectives.
Internal audit can play a key role here providing what is sometimes known as the Third Line of Defence.
The Institute of Internal Auditors has published a position paper on Internal Auditing’s Role in Corporate Governance in which it states that “Internal audit’s role in governance is vital. Internal audit provides objective assurance and insight on the effectiveness and efficiency of risk management, internal control and governance processes. A vibrant and agile internal audit function can be an indispensable resource supporting sound corporate governance.”
Internal audit can give additional value by including reviews of the organisation’s processes and procedures in areas such as:
- Corporate culture
- How the organisation first identifies and then chooses how to manage risks
- Sustainability
- Cybersecurity
- Business planning
- Geopolitical risk
UK requirements on corporate governance
The UK has produced the following requirements and principles for corporate governance:
1. Listed companies
For companies listed on the London Stock Exchange (LSE), the FRC have published the UK Code of Corporate Governance. The Code is applicable to all companies with a premium listing on the LSE, whether that company is incorporated in the UK or elsewhere. The latest version of the Code (“2018 UK Code of Corporate Governance”) applies to accounting periods beginning on or after 1 January 2019.
2. Larger private companies
The UK Government introduced secondary legislation in June 2018 (The Companies (Miscellaneous Reporting) Regulations 2018) which requires all companies with more than 2,000 employees and, in addition, a turnover of more than £200 million and a balance sheet total exceeding £2 billion, and that are not already required to give a corporate governance statement, to provide details of their corporate governance arrangements. To assist large private companies (as defined above) to comply with this legislation, in December 2018 the FRC published the Wates Corporate Governance Principles for Large Private Companies.
How the different elements of governance come together
All LSE-listed companies are required by the Code to have an audit committee, which operates in effect as a sub-committee of the Board, but there is no requirement in this Code for any company, irrespective of size, to have an internal audit function.
1. The Board
The Code, in Section 4 (“Audit, Risk and Internal Control”), requires the Board to:
“…establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.”
“…present a fair, balanced and understandable assessment of the company’s position and prospects.”
“…establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.”
2. Audit committee
Section 4 of the Code requires that many of the above responsibilities be delegated to the audit committee. This is a key committee: it is required to consist of at least 3 (2 for listed companies below the FTSE 350 threshold) independent non-executive directors, and the Chair of the board is excluded from membership. The committee is responsible for carrying out governance responsibilities in respect of audit, risk and internal controls and will report to the board as appropriate.
There is also a requirement that the company’s annual report must describe what the audit committee does. If there is no internal audit function, then the annual report must give “an explanation for the absence, how internal assurance is [otherwise] achieved, and how this affects the work of external audit…”. The Code stipulates that one of the duties of the audit committee is thus “monitoring and reviewing the effectiveness of the company’s internal audit function or, where there is not one, considering annually whether there is a need for one and making a recommendation to the board.”
Formed in 2015, the ACCIF (Audit Committee Chairs’ Independent Forum) is an independent group drawn from FTSE 350 company audit committees. It was established to ‘promote good governance by enhancing the leadership of Audit Committee Chairs through the sharing of experiences and the establishment of best practice’. Jock Lennox, an ICAS member, is the Chair of its Board and Mike McKeon, the current ICAS President, is also a Board member.
3. Internal audit
Where an internal audit function exists, the audit committee will place great reliance on its work to give an independent, objective view on how well (or otherwise) the organisation is addressing major business risks. It is thus vital that internal audit is given adequate oversight and support by the committee to enable it to provide increased value to the organisation in fast-moving times which are likely to bring fresh risks. This requires:
- Regular meetings during the year between the audit committee, the head of internal audit and the external audit partner.
- Internal audit being closely involved in the organisation’s discussions on risk.
- A properly resourced and staffed internal audit function.
- An independent review by outside consultants every two or three years of the adequacy of the internal audit function.
- Internal audit’s independence from operational management and internal politics being monitored and protected by the audit committee.
- That the head of internal audit feels able to raise informally and timeously any pressing concerns on risk or on internal controls with the audit committee chair.
Please also refer to the ‘What makes a good internal audit’ article for the comments of audit committee members on what they regard comprises an effective internal audit.
Is it compulsory for a company to have an internal audit function?
Surprisingly, no. Whilst many large UK companies do indeed have an internal audit function, you may be astonished to learn that there is no compulsion for a limited company (regardless of its size, or whether or not it is listed on the London Stock Exchange) to have an internal audit function. The FRC’s 2018 UK Corporate Governance Code only requires companies to have an internal audit function on a ‘comply or explain’ basis.
In contrast to the UK, the world’s largest stock exchange, the New York Stock Exchange (NYSE), made it compulsory from 2013 for all companies listed on it to have an internal audit function. This is not the case for the world’s second-largest stock exchange, the US NASDAQ (National Association of Securities Dealers Automated Quotations), which does not require companies listed on it to have an internal audit function.