Internal audit is a key component of modern corporate governance. However, board structures and corporate governance systems exhibit significant variation across Europe. In some countries (e.g. the UK, France), the board consists of both senior members of management and non-executive directors. In other countries (e.g. Germany, the Netherlands, the Nordic countries), the board or supervisory board may be entirely composed of non-executive board members. In such circumstances, senior management may sit on a separate executive board or be excluded from the board altogether.
In this guidance, the term “Board of Directors” is used as a generic term to refer to an organisation’s main governing body – however constituted – which assumes primary responsibility for corporate oversight on behalf of relevant stakeholders.
The purpose of this guidance is to assist the members of this governing body in making the most of the internal audit function in pursuit of their governance objectives.
The term “board” is also used to encompass the committees of the board – such as the audit or risk committees – which commonly play a particular role in terms of the board’s relationship with internal audit. Board committees – consisting of sub-groups of directors – are typically mandated by corporate governance codes or best practice in order to support the functioning of the main board in areas of more specialised boardroom activity.
However, it should also be recognised that there may exist significant variation in the role and functioning of such committees across differing European countries. For example, in the Nordic countries, a key role is played in governance by the nomination committee, which is a committee of the shareholders rather than the board. Local variation in governance practices should therefore be taken into account by directors when applying the recommendations of this guidance.
Notwithstanding the variation in corporate governance systems across Europe, there are some basic characteristics of governance frameworks that are typical in most countries:
To ensure the effectiveness of an organisation’s risk management framework, the board and senior management need to be able to rely on adequate line functions within the organisation, including monitoring and assurance functions. In order to conceptualise these line functions, ecoDa and the ECIIA endorse the use of the “Three Lines of Defence” model, which is already widely adopted within the financial industry but can also be productively applied in a wide range of other sectors.
The “Three Lines of Defence” structure is a conceptual delineation of an organisation’s internal control levels: first-line operational controls, second-line monitoring controls and third-line independent assurance. It also provides a framework with which the board can understand the role of internal audit in the overall risk management and internal control process of an organisation.
In such a framework, internal auditing is a key cornerstone of an organisation’s corporate governance. However, before considering the detailed recommendations of this guidance, it is important to stress that there are three fundamental issues that should be considered by boards in order to ensure that internal audit maximises its contribution to good governance:
Top 10 recommended board and committee practices in respect of internal audit oversight