The European Confederation of Institutes of Internal Auditing represents national internal audit institutes in 36 countries and is part of IIA Global. One of our missions is to promote improvements to risk management, internal control and corporate governance systems among European organisations in all sectors. When trying to raise standards across the board, it can help us to look at the characteristics of sound corporate governance and internal control systems. Is there a common factor?
I believe we need a model that is not one size, but is fit for all – a model that is fit for every single entity, yet has enough flexibility built in so that it doesn’t prevent businesses from achieving their strategic objectives.
So how can that work? First, let’s look at the four attributes shared by all organisations with sound corporate governance and internal control systems: board responsibility, board competence, a risk framework and the “three lines of defence” (3Lod) model.
Most internal auditors agree that the board or governing body of an enterprise assumes ultimate and full responsibility for its risk management and control. This is one size that does fit all. There is also consensus about the board’s competence. Its members’ skills must be adequate and diverse enough to ensure the capability of its oversight over the commercial, financial and risk aspects of the organisation’s activities.
But, while we may agree on what boards should be doing, experience tells us that not all of them are getting it right. We need to look at how the board’s mandate is achieved in practice. This brings me to the third factor: the risk framework. To develop a sound corporate governance system, a board must adopt one of the several available international frameworks on risk management. Doing so forces it to set the foundation for a structured process of risk management throughout the organisation. The one that I prefer – the enterprise risk management framework – gives the board the right structure for its internal control framework and the tools it needs in order to oversee this effectively, while still tailoring that framework to the business itself.
There is one final minimum requirement on which consensus should be sought: 3Lod, which makes internal audit integral to the governance process and the success of an organisation. Internal auditors are experts in control and accountability and, time and again, their work shows that weak governance can arise where duties are excessively combined or are partially duplicated. If roles are not properly segregated or articulated, or if there is duplication, it can create confusion and a lack of accountability, which ultimately weakens the governance objectives for which these roles were intended.
Our research shows that the 3Lod model is highly effective where roles are made clear at the outset and resources are properly measured. Line management must, of course, assume a primary role and second-line functions must create checks and balances. But, left on their own, these lines can develop imbalances in risk management, because they are not integrated into a single mission and a unified risk governance structure. These imbalances can be detected by internal audit and brought to the board’s attention. But, rather than be the inspector that it once was, internal audit must be the adviser and risk specialist that it is today.
Studies have shown that a well-structured and properly resourced internal audit function can make an entity more resilient. Perhaps this is why 90 per cent of EU corporate governance codes require or recommend internal audit for independent assurance.
So European organisations must create a corporate governance framework that meets the demand for proportionality, but forms the basis of rigorous internal governance, based on the four aspects of board responsibility, board competence, a risk framework and the 3Lod model. If this can be achieved, we will be well on our way to creating a common understanding of good corporate governance and a clearer role for internal audit.