The ECIIA believes the key principles are applicable universally to all organisations regardless of sector or industry.
The governing body of an organisation is responsible for strategic risk oversight. The board and audit committee (or equivalent) should be required to, among other things, define clear delegation of, and accountability for, risk management and internal control through the “Three Lines of Defence” model. In this model, internal audit assumes responsibility for providing overall assurance to the governing bodies, consistent with existing financial sector regulation. On this basis, internal audit should be required for most organisations.
The factors that need to be considered are the complexity of the organisation and the governing body's need to obtain systematic, continuous independent assurance, rather than the size of the company.
Internal audit must be properly structured in order to achieve the objective of global assurance.
In addition, regulatory references to ‘the auditor’ should specify whether they refer to external audit or internal audit.