ECIIA: Corporate Governance Codes on internal audit - Current status in the EU

15 November 2012

The ECIIA has conducted a review of the Corporate Governance Codes currently in place in its member bodies, in order to determine the extent that internal audit is considered in the governance structure of listed companies under the typical "comply or explain" regulations.

The ECIIA believes the key principles are applicable universally to all organisations regardless of sector or industry.

The governing body of an organisation is responsible for strategic risk oversight. The board and audit committee (or equivalent) should be required to, among other things, define a clear delegation and accountability for risk management and internal control through the “Three Lines of Defence” model. In this model, internal audit assumes responsibility for providing overall assurance to the governing bodies, consistent with existing financial sector regulation. On this basis, internal audit should be required for most organisations.

Factors that need to be considered are the complexity of the organisation and the need for the governing body to obtain systematic, continuous independent assurance, rather than the size of the company.

Internal audit must be properly structured in order to achieve the objective of global assurance.

• organisational independence
• exclusion of limitations to its scope of review
• full and unrestricted access to any information and person necessary to achieve its objective
• the adoption of The IIA’s International Standards for the Professional Practice of Internal Auditing (the Standards), including internal and external quality assessment reviews.

In addition, regulatory references to ‘the auditor’ should be specific as to whether they are referring to external audit or internal auditing.

Press release

© ECIIA