ECIIA response to the EU Green Paper on ‘The EU corporate governance framework’

21 July 2011

Generally, the ECIIA response concentrated on questions 11 and 12, which dealt with Risk Management, the major area of internal auditors' expertise. However, the point was made that Internal Audit has a responsibility to evaluate the complete structure within an organisation.

It is important to note that the internal audit role is one of overall assurance, consistent with the Basel Committee reports and best practice (but not limited to the financial sector), and should be used to the full to monitor potential conflicts, inconsistencies or inefficiencies between control functions, such as risk management or compliance, and operational units.

The internal control system as a whole must be efficient and integrated, and the internal audit role should be required by the audit committee or the board to provide assurance in this context. This will provide value by reducing costs from inefficiency and losses on unmanaged risks. The efficiency of the internal governance system, as well as the external financial audit process, will also reduce the need for burdensome measures by outside monitoring bodies.

For the above reasons, ECIIA believes that the presence of internal audit should be included in the requirements covered under the “comply or explain” of corporate governance codes, through recommendation by the EC. In general, if the company is sufficiently large to have an audit committee, or in the case of Supervisory Boards, then internal audit is necessary as an operational arm to that body for global assurance.

The audit committee, in fulfilling its requirement of monitoring risk management, internal control and internal audit as foreseen in Article 41 of the 8th Directive, should be called on to consider for each level of defence:

Corporate governance reports which include the main features of the risk management and internal control framework help stakeholders to understand the extent to which the company has addressed risk management, while “boilerplate” responses must be avoided.


© ECIIA