Position paper: Independence and objectivity




Main message

Internal audit is a vital function for private and public sector organisations in support of the board’s governance responsibilities. To carry out their duties effectively, offering independent and objective judgement and advice to boards and their committees, internal audit teams must be appropriately qualified (ideally, where relevant, IIA-qualified), experienced, trained, and properly resourced, and work to the IIA Global International Professional Practice Framework (IPPF). They must have unrestricted access to all parts of the organisation and operate free from interference or obstruction. While it works closely with the executive, internal audit must be independent of the activities it is auditing, and its functional accountability must be to the board, either directly or through an audit committee. 


What do we want?

The 2014 revision to the UK Corporate Governance Code still does not adequately promote internal audit’s independent and objective support to the board on the oversight of risk management, governance and internal control. IIA calls on the FRC to strengthen the UK Corporate Governance Code at the next opportunity by specifying, as it does for external audit, that audit committees should review and monitor internal audit’s objectivity and independence of management.  

While the FRC’s Guidance on Audit Committees is more specific about the relationship between internal audit and the audit committee, there are areas that need to be strengthened, such as giving examples of indicators of independence and objectivity, including the audit committee or its chair playing a direct role in the remuneration and appraisal of the head of internal audit. The guidance could also incorporate measures to strengthen internal audit’s effectiveness, for example by ensuring its scope is unrestricted and it has sufficient standing to challenge all levels of management.


Supporting points

In an increasingly complex and challenging global and national environment, Boards need independent and objective assurance that risks are being managed by the executive, that internal control mechanisms are working effectively, and that the organisation has effective governance. Internal audit, with its detailed knowledge of the organisation’s mission, objectives and operations, is uniquely placed to do this.

International best practice calls for the establishment of an internal audit function reporting either directly to the Board or through an audit committee (OECD Principles of Corporate Governance, Basel Committee Principles, and IIA Global Standards). This reporting line offers

  • independence from the audited activities (the freedom from conditions that threaten the ability to carry out internal audit responsibilities in an unbiased manner)

and allows internal audit to achieve

  • objectivity (no quality compromises made, judgements not subordinated to others within the executive).

Boards must define the risk appetite of the organisation. They task internal audit to provide assurance that systems and operations are working to deliver outcomes that are in line with the risk appetite, and that mechanisms exist to alert the board to policies or proposals that may conflict with the desired level of risk.

Internal auditors must be free to advise the board, directly or through an audit committee, on risk management, governance and internal control issues, having unrestricted access to all parts of the organisation.

While internal auditors should work closely with the executive to resolve issues that arise in their work, their accountability is to the board, not management, and they should operate free from interference or obstruction.

Internal audit teams need suitably experienced, qualified and trained staff to produce the best advice and judgements for boards and management. Boards should ensure that internal audit work is sufficiently resourced to allow it to fulfil its mandate, that staff in key positions have a recognised skill set appropriate to their functions, and that staff receive the training and development they need to deal with the increasing challenges organisations are facing. 

Internal auditors should report at least annually to the board on their risk management, governance and internal control work, recognising that it may be drawn on in the statement of internal control as part of the organisation’s Annual Report.

Internal audit should report functionally to the board, where appropriate through the audit or other board committee, and administratively to the Chief Executive. Functional reporting includes overseeing ongoing internal audit activity, setting the budget, monitoring the agreed internal audit Work Programme, identifying new areas of work, noting recommendations implemented by the executive and ensuring that unresolved issues are addressed. The board / audit committee should also actively participate in the Head of Internal Audit’s (HIA) performance evaluation and remuneration process. Where the HIA’s remuneration package includes incentives, these should be linked to the performance of internal audit and not the short term performance of the organisation. Administrative reporting should not include functions that might undermine objectivity, such as decisions (e.g. on remuneration) that might make internal audit beholden to the executive.

While most large companies have their own internal audit function, the FRC UK Corporate Governance Code only requires companies to have an internal audit function on a comply or explain basis. Neither the Code nor its accompanying guidance specifies fully how independence and objectivity of internal audit are to be achieved and maintained.

IIA recognises that companies should be given flexibility to establish their internal audit arrangements according to their size and circumstances. But, given the specific terms of the OECD Guidelines, the IIA International Standards and the Basel Principles (see Annex), IIA believes the FRC Code and Guidance need to set out in greater detail how independence and objectivity are to be protected.


ANNEX: Relevant extracts from international and UK codes and guidelines

IIA International Standards for the Professional Practice of Internal Auditing

1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation:

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation:

Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

  • Approving the internal audit charter;
  • Approving the risk based internal audit plan;
  • Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
  • Approving decisions regarding the appointment and removal of the chief audit executive; and
  • Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1111 – Direct Interaction with the Board

The chief audit executive must communicate and interact directly with the board.

Financial Reporting Council

UK Corporate Governance Code

THE UK CORPORATE GOVERNANCE CODE

Main Principle

The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting, risk management and internal control principles and for maintaining an appropriate relationship with the company’s auditors.

Code Provision

C.2.1 The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated.

C.3 Audit Committee and Auditors

Main Principle

The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles and for maintaining an appropriate relationship with the company’s auditor.

Code Provisions

C.3.1

The board should establish an audit committee of at least three, or in the case of smaller companies, two, independent non-executive directors. In smaller companies the company chairman may be a member of, but not chair, the committee in addition to the independent non-executive directors, provided he or she was considered independent on appointment as chairman. The board should satisfy itself that at least one member of the audit committee has recent and relevant financial experience.

C.3.2 The main role and responsibilities of the audit committee should be set out in written terms of reference and should include:

  • to review the company’s internal financial controls and, unless expressly addressed by a separate board risk committee composed of independent directors, or by the board itself, to review the company’s internal control and risk management systems;
  • to monitor and review the effectiveness of the company’s internal audit function;

C.3.6 The audit committee should monitor and review the effectiveness of the internal audit activities. Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report. 

Financial Reporting Council

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

September 2014

Section 3

Exercising Responsibilities

27. The board should establish the tone for risk management and internal control and put in place appropriate systems to enable it to meet its responsibilities effectively. These will depend upon factors such as the size and composition of the board; the scale, diversity and complexity of the company's operations; and the nature of the principal risks the company faces. But in deciding what arrangements are appropriate the board should consider, amongst other things:

  • The culture it wishes to embed in the company, and whether this has been achieved.

As with all aspects of good governance, the effectiveness of risk management and internal control ultimately depend on the individuals responsible for operating the systems that are put in place. In order to ensure the appropriate culture is in place it is not sufficient for the board simply to set the desired values. It also needs to ensure they are communicated by management, incentivise the desired behaviours and sanction inappropriate behaviour, and assess whether the desired values and behaviours have become embedded at all levels.

This should include consideration of whether the company’s leadership style and management structures, human resource policies and reward systems support or undermine the risk management and internal control systems. 

  • The flow of information to and from the board, and the quality of that information.

The board should specify the nature, source, format and frequency of the information that it requires. It should ensure that the assumptions and models underlying this information are clear so that they can be understood and if necessary challenged. Risks can crystallise quickly and the board should ensure that there are clear processes for bringing significant issues to its attention more rapidly when required, and agreed triggers for doing so. The board should monitor the quality of the information it receives and ensure that it is of a sufficient quality to allow effective decision-making.

  • What assurance the board requires, and how this is to be obtained.

The board should identify what assurance it requires and, where there are gaps, how these should be addressed. In addition to the board, committee and management’s own monitoring activities, sources of assurance might include reports on relevant matters from any compliance, risk management, internal control and internal audit functions within the company, the external auditor’s communications to the audit committee about matters it considers relevant in fulfilling its responsibilities, and other internal and external sources of information or assurance. The board should satisfy itself that these sources of assurance have sufficient authority, independence and expertise to enable them to provide objective advice and information to the board.

Section 5 

Monitoring and Review of the Risk Management and Internal Control Systems

39. The existence of risk management and internal control systems does not, on its own, signal the effective management of risk. Effective and on-going monitoring and review are essential components of sound systems of risk management and internal control. The process of monitoring and review is intended to allow the board to conclude whether the systems are properly aligned with strategic objectives; and satisfy itself that the systems address the company’s risks and are being developed, applied and maintained appropriately.

40. The board should define the processes to be adopted for its on-going monitoring and review, including specifying the requirements, scope and frequency for reporting and assurance. Regular reports to the board should provide a balanced assessment of the risks and the effectiveness of the systems of risk management and internal control in managing those risks. The board should form its own view on effectiveness, based on the evidence it obtains, exercising the standard of care generally applicable to directors in the exercise of their duties.

41. When reviewing reports during the year, the board should consider: how effectively the risks have been assessed and the principal risks determined; how they have been managed or mitigated; whether necessary actions are being taken promptly to remedy any significant failings or weaknesses; and whether the causes of the failing or weakness indicate poor decision-taking, a need for more extensive monitoring or a reassessment of the effectiveness of management's on-going processes.

42. In addition to its on-going monitoring and review, the board should undertake an annual review of the effectiveness of the systems to ensure that it has considered all significant aspects of risk management and internal control for the company for the year under review and up to the date of approval of the annual report and accounts. The board should define the processes to be adopted for this review, including drawing on the results of the board’s on-going process such that it will obtain sound, appropriately documented, evidence to support its statement in the company’s annual report and accounts.

43. The annual review of effectiveness should, in particular, consider:

  • the company’s willingness to take on risk (its “risk appetite”), the desired culture within the company and whether this culture has been embedded;
  • the operation of the risk management and internal control systems, covering the design, implementation, monitoring and review and identification of risks and determination of those which are principal to the company;
  • the integration of risk management and internal controls with considerations of strategy and business model, and with business planning processes;
  • the changes in the nature, likelihood and impact of principal risks, and the company's ability to respond to changes in its business and the external environment;
  • the extent, frequency and quality of the communication of the results of management’s monitoring to the board which enables it to build up a cumulative assessment of the state of control in the company and the effectiveness with which risk is being managed or mitigated;
  • issues dealt with in reports reviewed by the board during the year, in particular the incidence of significant control failings or weaknesses that have been identified at any time during the period and the extent to which they have, or could have, resulted in unforeseen impact; and
  • the effectiveness of the company's public reporting processes.

Appendix C

Questions for the Board to Consider

Questions which the board may wish to consider and discuss with management and others such as the risk or internal audit functions are set out below. If the answers to the questions pose concern for the board it may wish to consider whether action is needed to address possible failings. The questions are not intended to be exhaustive and not all will be appropriate in all circumstances, but should be tailored to the company.

Risk appetite and culture

  • How has the board agreed the company’s risk appetite? With whom has it conferred?
  • How has the board assessed the company’s culture? In what way does the board satisfy itself that the company has a ‘speak-up’ culture and that it systematically learns from past mistakes?
  • How do the company's culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control systems?
  • How has the board considered whether senior management promotes and communicates the desired culture and demonstrates the necessary commitment to risk management and internal control?
  • How is inappropriate behaviour dealt with? Does this present consequential risks?
  • How does the board ensure that it has sufficient time to consider risk, and how is that integrated with discussion on other matters for which the board is responsible?

Risk management and internal control systems

  • To what extent do the risk management and internal control systems underpin and relate to the company’s business model?
  • How are authority, responsibility and accountability for risk management and internal control defined, co-ordinated and documented throughout the organisation? How does the board determine whether this is clear, appropriate and effective?
  • How effectively is the company able to withstand risks, and risk combinations, which do materialise? How effective is the board’s approach to risks with ‘low probability’ but a very severe impact if they materialise?
  • How has the board assessed whether employees have the knowledge, skills and tools to manage risks effectively?
  • What are the channels of communication that enable individuals, including third parties, to report concerns, suspected breaches of law or regulations, other improprieties or challenging perspectives?
  • How does the board satisfy itself that the information it receives is timely, of good quality, reflects numerous information sources and is fit for purpose?
  • What are the responsibilities of the board and senior management for crisis management? How effectively have the company’s crisis management planning and systems been tested?
  • To what extent has the company identified risks from joint ventures, third parties and from the way the company’s business is organised? How are these managed?
  • How effectively does the company capture new and emerging risks and opportunities?
  • How and when does the board consider risk when discussing changes in strategy or approving new transactions, projects, products or other significant commitments?
  • To what extent has the board considered the cost-benefit aspects of different control options?
  • How does the board ensure it understands the company’s exposure to each principal risk before and after the application of mitigations and controls, what those mitigations and controls are and whether they are operating as expected?

Monitoring and Review

  • What are the processes by which senior management monitor the effective application of the systems of risk management and internal control?
  • In what way do the monitoring and review processes take into account the company’s ability to re-evaluate the risks and adjust controls effectively in response to changes in its objectives, its business, and its external environment?
  • How are processes or controls adjusted to reflect new or changing risks, or operational deficiencies? To what extent does the board engage in horizon scanning for emerging risks?

Public reporting

  • How has the board satisfied itself that the disclosures on risk management and internal control contribute to the annual report being fair, balanced and understandable, and provide shareholders with the information they need?
  • How has the board satisfied itself that its reporting on going concern and the longer term viability statement gives a fair, balanced and understandable overview of the company’s position and prospects?

 

Financial Reporting Council

Guidance on Audit Committees

December 2010

The Internal Audit Process

4.10 The audit committee should monitor and review the effectiveness of the company’s internal audit function. Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report.

4.11 The need for an internal audit function will vary depending on company specific factors including the scale, diversity and complexity of the company’s activities and the number of employees, as well as cost/benefit considerations. Senior management and the board may desire objective assurance and advice on risk and control. An adequately resourced internal audit function (or its equivalent where, for example, a third party is contracted to perform some or all of the work concerned) may provide such assurance and advice. There may be other functions within the company that also provide assurance and advice covering specialist areas such as health and safety, regulatory and legal compliance and environmental issues.

4.12 When undertaking its assessment of the need for an internal audit function, the audit committee should also consider whether there are any trends or current factors relevant to the company’s activities, markets or other aspects of its external environment that have increased, or are expected to increase, the risks faced by the company. Such an increase in risk may also arise from internal factors such as organisational restructuring or from changes in reporting processes or underlying information systems. Other matters to be taken into account may include adverse trends evident from the monitoring of internal control systems or an increased incidence of unexpected occurrences.

4.13 In the absence of an internal audit function, management needs to apply other monitoring processes in order to assure itself, the audit committee and the board that the system of internal control is functioning as intended. In these circumstances, the audit committee will need to assess whether such processes provide sufficient and objective assurance.

4.14 The audit committee should review and approve the internal audit function’s remit, having regard to the complementary roles of the internal and external audit functions. The audit committee should ensure that the function has the necessary resources and access to information to enable it to fulfil its mandate, and is equipped to perform in accordance with appropriate professional standards for internal auditors.

4.15 The audit committee should approve the appointment or termination of appointment of the head of internal audit.

4.16 In its review of the work of the internal audit function, the audit committee should, inter alia:

  • ensure that the internal auditor has direct access to the board chairman and to the audit committee and is accountable to the audit committee;
  • review and assess the annual internal audit work plan;
  • receive a report on the results of the internal auditors’ work on a periodic basis;
  • review and monitor management’s responsiveness to the internal auditor’s findings and recommendations;
  • meet with the head of internal audit at least once a year without the presence of management; and
  • monitor and assess the role and effectiveness of the internal audit function in the overall context of the company’s risk management system.

The Irish Corporate Governance Annex

Audit Committee

5.1 Companies should include a meaningful description of the work carried out by the audit committee during the financial year. Issuers should not simply recycle the committee’s terms of reference, which are required to be made available to investors in accordance with provision C.3.3 of the UK Code.

5.2 The description should, in particular, explain the work done by the Committee relating to the oversight of risk management on behalf of the board. If the board has assigned work on risk management to a specific risk committee, a meaningful description of the work carried out by that committee should also be included.

OECD Principles of corporate governance

“It is an important function of the board to oversee the internal control systems covering financial reporting and the use of corporate assets and to guard against abusive related party transactions. These functions are sometimes assigned to the internal auditor which should maintain direct access to the board.”

“Ensuring the integrity of the essential reporting and monitoring system will require the board to set and enforce clear lines of responsibility and accountability throughout the organisation. The board will also need to ensure that there is appropriate oversight by senior management. One way of doing this is through an internal audit system directly reporting to the board. In some jurisdictions it is considered good practice for the internal auditors to report to an independent audit committee of the board or an equivalent body which is also responsible for managing the relationship with the external auditor, thereby allowing a coordinated response by the board.”

HM Treasury Corporate governance in central government departments:

Code of good practice 2011

Principles

5.1 The board should ensure that there are effective arrangements for governance, risk management and internal control for the whole departmental family. Advice about and scrutiny of key risks is a matter for the board, not a committee. The board should be supported by:

  • an audit and risk assurance committee, chaired by a suitably experienced non-executive board member (NEBM);
  • an internal audit service operating to Government Internal Audit Standards;
  • sponsor teams of the department’s key arm’s length bodies (ALBs).

5.2 The board should take the lead on, and oversee the preparation of, the department’s governance statement for publication with its resource accounts each year.

Government policy

5.3 The board’s regular agenda should include scrutinising and advising on risk management.

5.4 The key responsibilities of NEBMs include forming an audit and risk assurance committee.

Supporting provisions

5.5 The head of internal audit should periodically be invited to attend board meetings, where key issues are discussed relating to governance, risk management or control across the department and its ALBs.

5.6 The board should assure itself of the effectiveness of the department’s risk management system and procedures and its internal controls. The board should give a clear steer on the desired risk appetite for the department and ensure that:

  • there is a proper framework of prudent and effective controls, so that risks can be assessed, managed and taken prudently;
  • there is clear accountability for managing risks;
  • departmental officials are equipped with the relevant skills and guidance to perform their assigned roles effectively and efficiently.

5.7 The board should also ensure that the department’s ALBs have appropriate and effective risk management processes through the department’s sponsor teams.

5.8 The board should ensure an ALB makes effective arrangements for internal audit. It is good practice to work with a group or shared internal audit provision, for example covering a department and its ALBs. In any case, the board should ensure it provides for internal audit access to its ALBs.

Basel Committee on Banking Supervision

Principles for enhancing corporate governance. October 2010

33. The board should regularly review policies and controls with senior management and internal control functions (including internal audit, risk management and compliance) in order to determine areas needing improvement, as well as to identify and address significant risks and issues. The board should ensure that the control functions are properly positioned, staffed and resourced and are carrying out their responsibilities independently and effectively.

100. The board and senior management can enhance the ability of the internal audit function to identify problems with a bank’s governance, risk management and internal control systems by:

  • encouraging internal auditors to adhere to national and international professional standards, such as those established by the Institute of Internal Auditors;
  • requiring that audit staff have skills that are commensurate with the business activities and risks of the firm;
  • promoting the independence of the internal auditor, for example by ensuring that internal audit reports are provided to the board and the internal auditor has direct access to the board or the board's audit committee;
  • recognising the importance of the audit and internal control processes and communicating their importance throughout the bank;
  • requiring the timely and effective correction of identified internal audit issues by senior management; and
  • engaging internal auditors to judge the effectiveness of the risk management function and the compliance function, including the quality of risk reporting to the board and senior management, as well as the effectiveness of other key control functions.

Basel Committee on Banking Supervision:

The internal audit function in banks. June 2012

Principles relating to the supervisory expectations relevant to the internal audit function

Principle 1: An effective internal audit function provides independent assurance to the board of directors and senior management on the quality and effectiveness of a bank’s internal control, risk management and governance systems and processes, thereby helping the board and senior management protect their organisation and its reputation.

Principle 2: The bank's internal audit function must be independent of the audited activities, which requires the internal audit function to have sufficient standing and authority within the bank, thereby enabling internal auditors to carry out their assignments with objectivity.

Principle 3: Professional competence, including the knowledge and experience of each internal auditor and of internal auditors collectively, is essential to the effectiveness of the bank’s internal audit function.

Principle 4: Internal auditors must act with integrity.

Principle 5: Each bank should have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank in a manner that promotes an effective internal audit function as described in Principle 1.

Principle 6: Every activity (including outsourced activities) and every entity of the bank should fall within the overall scope of the internal audit function.

Principle 7: The scope of the internal audit function’s activities should ensure adequate coverage of matters of regulatory interest within the audit plan.

Principle 8: Each bank should have a permanent internal audit function, which should be structured consistent with Principle 14 when the bank is within a banking group or holding company.

Principle 9: The bank’s board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control system and, accordingly, the board should support the internal audit function in discharging its duties effectively.

Principle 10: The audit committee, or its equivalent, should oversee the bank’s internal audit function.

Principle 11: The head of the internal audit department should be responsible for ensuring that the department complies with sound internal auditing standards and with a relevant code of ethics.

Principle 12: The internal audit function should be accountable to the board, or its audit committee, on all matters related to the performance of its mandate as described in the internal audit charter.

Principle 13: The internal audit function should independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes created by the business units and support functions and provide assurance on these systems and processes.

Principle 14: To facilitate a consistent approach to internal audit across all the banks within a banking organisation, the board of directors of each bank within a banking group or holding company structure should ensure that either:

(i) the bank has its own internal audit function, which should be accountable to the bank’s board and should report to the banking group or holding company's head of internal audit; or

(ii) the banking group or holding company's internal audit function performs internal audit activities of sufficient scope at the bank to enable the board to satisfy its fiduciary and legal responsibilities.

Principle 15: Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for the internal audit function.

1. The internal audit function

11. The internal audit function should develop an independent and informed view of the risks faced by the bank based on their access to all bank records and data, their enquiries, and their professional competence. The internal audit function should be able to discuss their views, findings and conclusions directly with the audit committee and the board of directors, thereby helping the board to oversee senior management.

(a) Independence and objectivity³

Principle 2: The bank's internal audit function must be independent of the audited activities, which requires the internal audit function to have sufficient standing and authority within the bank, thereby enabling internal auditors to carry out their assignments with objectivity.

³ Both “independence” and “objectivity” have a specific meaning in an internal audit environment. The Glossary of The Institute of Internal Auditors refers to independence as the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. Objectivity is referred to in the Glossary as an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgement on audit matters to others.

13. On the basis of the audit plan established by the head of the internal audit function and approved by the board of directors, the internal audit function must be able to perform its assignments on its own initiative in all areas and functions of the bank. It must be free to report its findings and assessments internally through clear reporting lines. The head of internal audit should demonstrate appropriate leadership and have the necessary skills to fulfil his or her responsibility for maintaining the function’s independence and objectivity.

Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006

2. Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia:

(a) monitor the financial reporting process;

(b) monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems;

(c) monitor the statutory audit of the annual and consolidated accounts;

© Chartered Institute of Internal Auditors, March 2015

Content reviewed: 19 July 2018