Internal Control and Audit relates critically to corporate governance. Corporate governance principles can effectively and efficiently be practice by companies with strong internal control and audit policies.

Corporate Governance In Action

When we talk about Corporate Governance in Action, three things come to mind.

These are; Segregation of roles, Committee & Internal Audit.

Segregation of roles

Best practice and strongly recommended under corporate governance codes in many jurisdictions (e.g. the ‘Combined Code’ governing listed companies in the UK) is that the roles of:

  • Chairman of the board and
  • Chief executive officer; should be held by different individuals.

The chairman’s role

  • Non-executive.
  • Ensures full information and full discussion at board meetings.
  • Ensures satisfactory channels of communication with the external auditors.
  • Runs the board of directors
  • Ensures the effective operation of subcommittees of the board.

The Chief executive’s role

  • Ensures the effective operational functioning of the company.
  • It is important that there is a distinction between the chief executive and chairman as effectively one person assuming both roles is a conflict of interests. The chief executive heads up the executive directors and the chairman heads up the non-executives.
  • Not only that, but having one person in both roles means there is a lot of power vested in that one person. They would be able to sway the decisions taken by the board. Those decisions may not be made in the best interests of the shareholders but in the best interests of the directors.

Audit Committee

An audit committee is a committee consisting of nonexecutive directors which is able to view a company’s affairs in a detached and independent way and liaise effectively between the main board of directors and the external auditors.

Best Practice for Listed Companies:

  • The company should have an audit committee of at least three nonexecutive directors (or, in the case of smaller companies, two).
  • At least one member of the audit committee should have recent and relevant financial experience.

The Objectives of the Audit Committee

  • Increasing public confidence in the credibility and objectivity of published financial information (including unaudited interim statements).
  • Assisting directors (particularly executive directors) in meeting their responsibilities in respect of financial reporting.
  • Strengthening the independent position of a company’s external auditor by providing an additional channel of communication.

The Function of the Audit Committee

  • Monitoring the integrity of the financial statements.
  • Reviewing the company’s internal financial controls.
  • Monitoring and reviewing the effectiveness of the internal audit function.
  • Making recommendations in relation to the appointment and removal of the external auditor and their remuneration.
  • Reviewing and monitoring the external auditor’s independence and objectivity and the effectiveness of the audit process.
  • Developing and implementing policy on the engagement of the external auditor to supply non-audit services.
  • Reviewing arrangements for confidential reporting by employees and the investigation of possible improprieties (‘whistleblowing’).


In addition to meeting the objectives stated above, audit committees have the following advantages.

  • It may improve the quality of management accounting, as it is well placed to criticise internal functions.
  • It should lead to better communication between the directors, external auditors and management.


Audit committees may lead to:

  • fear that their purpose is to catch management out
  • non-executive directors being overburdened with detail
  • a ‘two-tier’ board of directors
  • additional cost in terms, at least, of time involved.

Audit Committee and Internal Audit

Best practice is that the audit committee should:

  • Ensure that the internal auditor has direct access to the board chairman and to the audit committee and is accountable to the audit committee.
  • Review and assess the annual internal audit work plan.
  • Receive periodic reports on the results of internal audit work.
  • Review and monitor management’s responsiveness to the internal auditor’s findings and recommendations.
  • Meet with the head of internal audit at least once a year without the presence of management.
  • Monitor and assess the effectiveness of internal audit in the overall context of the company’s risk management system.

Other committees

  • The nomination committee.
  • The remuneration committee

The nomination committee:

The function of the nomination committee is to suggest suitable candidates for appointment to the board and other senior posts.

The nomination committee should ensure that the best person is chosen for the job.

The remuneration committee:

The function of the remuneration committee is to determine fair rates of pay and other compensation – pension rights, share options etc. – for management and other senior employees.

  • The remuneration committee should ensure that directors are not paid excessive amounts.
  • They should be paid enough to attract good people to the role but not too much.

Risk Committee: Risk management

Business risk

All companies face risks of many kinds.

  • The risk that products may become technologically obsolete
  • The risk of losing key staff.
  • The risk of a catastrophic failure of IT systems.
  • The risk of changes in government policy.
  • The risk of fire or natural disaster.

Companies, therefore, need to:

  • identify potential risks and
  • decide on appropriate ways to minimize those risks.

Ways of reducing risk include:

  • Identify the risks a company faces and maintain a risk register.
  • Risks can be of many types – e.g. operational, financial, and legal.
  • The company should then assess the relative importance of each risk by scoring it on a combination of its likelihood and potential impact.

This could take the form of a ‘risk map’.

  • insurance
  • implementing better procedures, e.g. health and safety provisions outsourcing
  • discontinuing especially risky activities
  • improving staff training.

Sometimes the company may be forced to accept the risk as an inevitable part of its operations.

Internal controls and risk management

One way of minimizing risk is to incorporate internal controls into a company’s systems and procedures.

Examples might be as follows:

  • One person checking another person’s work.
  • Locking important documents in a safe.
  • Restricting access to places with security systems.
  • Restricting access to information and systems held on computers through passwords etc.
  • An internal audit department which checks that procedures and systems are operating as they should.

But they may be able to:

  • reduce the risk that financial statements contain material errors
  • reduce the risk of theft of the company’s assets
  • reduce the risk that your business secrets might be handed over to a competitor.

Internal audit and corporate governance

What do internal auditors do?

Internal auditors provide assurance to the company’s management:

  • systems are operating effectively
  • internal controls are effective
  • laid down procedures are being followed
  • financial and other information being produced is sound and reliable.

Internal auditors do this by:

  • carrying out assignments and
  • producing reports of their findings.

If the internal audit department is to be effective in providing assurance it needs to be:

  • Sufficiently resourced in terms of budgets and people.
  • Well organised so that it has:

– well developed work practices

– competent staff who receive high-quality training.

  • Independent and objective.

Limitations of the internal audit function

The main limitations of internal audit are:

  • Independence (or lack of) – an internal audit be truly independent of the organisation of which it is a part?
  • Variation of standards – not uniform across the profession. Compare this with external auditors who, on a global basis, have ISAs against which their performance can be measured.
  • Relatively new profession – still evolving.
  • Expectations gap – the problem of what the internal auditor’s role is perceived to be.
  • Understanding of internal audit – negative view by some – perhaps seen as ‘checking up’ on other employees on behalf of ‘the bosses’.

Consideration of outsourcing the internal audit function

In common with other areas of a company’s operations, the directors may consider that outsourcing the internal audit function represents better value than an in house provision. Local government authorities are under particular pressure to ensure that all their services represent ‘best value’ and this may prompt them to decide to adopt a competitive tender approach.


  • Greater focus on cost and efficiency of the internal audit function.
  • Staff may be drawn from a broader range of expertise.
  • Risk of staff turnover is passed to the outsourcing firm.
  • Specialist skills may be more readily available.
  • Costs of employing permanent staff are avoided.
  • May improve independence.
  • Access to new market place technologies, e.g. audit methodology software without associated costs.
  • Reduced management time in administering an in house department.


  • Possible conflict of interest if provided by the external auditors (In some jurisdictions – e.g. the UK, the ethics rules specifically prohibit the external auditors from providing internal audit services).
  • Pressure on the independence of the outsourced function due to, e.g. threat by management not to renew the contract.
  • Risk of lack of knowledge and understanding of the organisation’s objectives, culture or business.
  • The decision may be based on cost with the effectiveness of the function being reduced.
  • Flexibility and availability may not be as high as with an in house function.
  • Lack of control over the standard of service.
  • Risk of blurring of roles between internal and external audit, losing credibility for both.

Minimising these risks

Some general procedures to minimise risks associated with outsourcing the internal audit function will include:

  • Controls over the acceptance of internal audit contracts to ensure no impact on independence or ethical issues.
  • Regular reviews of the quality of audit work performed.
  • Separate departments covering internal and external audit.
  • Clearly agreed scope, responsibilities and reporting lines.

Internal audit assignments

We consider below examples of Internal Audit assignments.

In this section we look at generic types of assignment:

  • Value for money/best value assignments.
  • Assignments dealing with IT.
  • Project auditing.
  • Financial audit.

Value for money (VFM) is concerned with obtaining the best possible combination of services for the least resources. It is, therefore, the pursuit of

‘Economy’, ‘Efficiency’ and ‘Effectiveness’ – often referred to as the 3Es.

  • Economy – least cost. Accomplishes objectives and goals at a cost commensurate with the risk.
  • Efficiency – best use of resources. Accomplishes goals and objectives in an accurate and timely fashion with minimal use of resources.
  • Effectiveness – best results. Providing assurance that the organisation objectives will be achieved.

Examples of local government indicators are given below:

  • Economy – the cost of waste collection per local taxpayer.
  • Efficiency – the number of households (premises) covered per waste collector.
  • Effectiveness – % of waste recycled measured against the target for the year.

The 4Cs

Best value is a requirement for local authorities to demonstrate achievement of the ‘4C’ principles, as well as demonstrating service delivery and meeting customer needs through effective performance management systems.

  • Challenge – review internally the different options for providing services and question the status quo.
  • Compare– compare with other service providers to review options for improving performance.
  • Consult– consult all users of services and those affected by services.
  • Compete– demonstrate through performance management and continuous improvement that the most efficient and effective service is being provided.

Project auditing

Best value and IT assignments are really about looking at processes within the organisation and asking:

  • were things done well?
  • did the organisation achieve value for money?
  • were the objectives achieved?
  • was the project implemented efficiently?
  • what lessons can be learned from any mistakes made?

Financial internal audit

Financial auditing was traditionally the main area of work for the internal audit department. It embraces

  • the conventional tasks of examining records and evidence to support financial and management reporting in order to detect errors and prevent fraud
  • analysing information, identifying trends and potentially significant variations from the norm.

Operational and internal audit assignments

Operational auditing covers:

  • Examination and review of a business operation.
  • The effectiveness of controls.
  • Identification of areas for improvement in efficiency and performance including improving operational economy, efficiency and effectiveness – the three E’s of value for money auditing.

We will now look at operational internal audit in practice, considering four of the main areas where such an approach is commonly used

  • procurement
  • marketing
  • treasury
  • human resources.

Internal audit reports

Key principles

Who is the report for?

With any report, the most important person in the process is the reader, not the writer.

  • If the report does not address the objective of the assignment.
  • If the recipient of the report cannot understand its recommendations and the reasoning behind them, then the report might as well never have been written.

Purpose and structure of the report

Short and sweet

Clear, concise, easy to read format will mean it is more likely to be read and understood.

Measurable/quantifiable outcomes

It is easy to recommend in a report that something should be improved, but without;

  • clear recommendations about how this is to be done
  • some way of measuring whether the recommendations have been successfully implemented


The important content needs to be readily accessible, not buried in the back of an appendix somewhere.

Avoid surprises

Discuss with management as points arise. This will mean less argument over facts or detail when the draft report is issued and will allow management to take steps promptly.


Balanced and constructive reporting will be welcomed by management and the organisation. For example, recognising where controls are good and how they could be used elsewhere within the organisation. Ensure consistency across reports, particularly where ‘ratings’ are used. If management feels unfairly treated or criticised, they will respond negatively to the report.


Other related reads

Corporate Social Responsibilities