Topical Requirements, the newest component of the IPPF (International Professional Practices Framework), will ensure that all internal audit functions – large, small, private, or public – apply consistent audit methodology when assessing the effectiveness of governance, risk management, and controls of a particular topical area.
The use of Topical Requirements will be mandatory when an internal audit function scopes an audit engagement that includes the topic covered.
Conforming with Topical Requirements will support internal auditors in the specific challenges of auditing that topic. These requirements are designed to strengthen the ongoing relevance of internal audit to the evolving risk landscape and enhance the consistency and quality of internal audit services across industries and sectors.
The IIA defines governance as “the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.” The first version of the UK Corporate Governance Code (1992) still provides what many consider a classic definition:
Corporate governance is the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders’ role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place.
The responsibilities of the board include setting the company’s strategic aims, providing the leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship. The board’s actions are subject to laws, regulations and the shareholders in general meeting.
When internal audit provides assurance over governance, it therefore has an opportunity to share insights at the highest levels, whether board or divisional.
Why should internal auditors act?
Any IPPF Topical Requirements will be in addition to existing models such as COSO and requirements from the Financial Reporting Council (FRC).
Organisations based in or operating out of EU member states will also have to comply with the Corporate Sustainability Reporting Directive, which covers diversity on boards and therefore an element of governance.
What should you consider?
As the Chartered IIA advises in ‘What is good corporate governance?’, there is no single model or requirement.
There is no 'one size fits all' governance model. Governance structures and practices should be individually tailored to the organisation. There may be legal and regulatory requirements, mandatory and optional practices prescribed by national governance principles and practices which are required by the environments that the organisation operates in.
This is why it is crucial for internal auditors to understand the regulations and expectations specific to their jurisdiction and industry. Examples include EU directives, OECD requirements, the FRC’s UK Corporate Governance Code (2018), the UK Charity Governance Code or the Financial Services Code.
Assessing corporate or organisational governance is not a one-off activity. It is an approach encompassing processes, standards, rules, and practices. It guides not only operations and administration, risk management and compliance, but also ethics and more. Organisational governance sets and reflects the ‘tone from the top’ – as such, it affects every internal audit engagement, whether assurance or consultancy.
If you are conducting an assurance engagement, the Chartered IIA has existing guidance (see Further Reading and Resources, below, for the link) on auditing corporate governance. It specifies elements that benefit from an overall understanding and assessment of the organisation’s governance. For instance, in considering the audit committee’s assurance requirements:
In determining the scope of the audit, the internal auditor will need to consider their stakeholders’ expectations – including the organisation’s regulators, board, audit committee, senior management, head of internal audit – as well as the responsibilities documented in the internal audit charter. In particular, the non-executive members (NEDs) of the board and committees play a key role in corporate governance and their expectations are key.
If we look at current expectations from, for instance, government and even supranational bodies, this broadens the field even further. One of the hardest and most important tasks for internal auditors is to look outwards as well as inwards, upwards as well as downwards. If we fail to refresh our knowledge of the standards and legal requirements organisations must adhere to, our understanding and assessment of their governance will be flawed.
The IIA’s 2012 practice guide entitled ‘Assessing Organizational Governance in the Private Sector’ sets out the variety of contexts in which internal auditors function. These include “publicly traded companies, not-for-profit organizations, associations, government or quasi-government entities, agencies, academic institutions, private companies, commissions, and stock exchanges.” As well as this practice guide, the IIA published one for public-sector organisations – links to both are in Further Reading and Resources.
Whether public, private or third sector, all organisations must have a focal point for governance. As the IIA states, this is the board.
It is the link between the stakeholders and the organization’s executive management. To be effective, the board should be independent, engaged, and committed. The board bears primary responsibility for the governance of its organization. … The board directs and provides oversight of the executive leader and senior management in setting strategic objectives, establishing appropriate risk levels, instituting effective control systems, tracking performance, and providing transparent, complete, clear, and timely communication to stakeholders.
To understand and assess organisational governance, internal audit must understand and assess the board, including its understanding of external requirements. The assessment criteria may seem endless. However, as all internal auditors have discovered – and as the practice guide wryly notes – “you may find that the governance process documentation is not adequate. If this condition exists, it should be reported to the board as an initial opportunity to strengthen governance practices.” The guide then goes on to reiterate the importance of understanding the range of laws, regulations, codes and guidance relevant to the organisation’s activity, sector and jurisdiction/s.
Action
There is a wide variety of guidance on this topic.
All internal auditors should refresh their understanding of their organisations’ governance.
What has changed, internally and externally? Which national, regional or sectoral requirements will force a re-think at board and committee level? How can internal audit improve governance through analysing current gaps and opportunities?
As always, by understanding both the organisation and its broader context, we can help it achieve its strategic objectives.
Further Reading and Resources