
27 July 2018

Auditing corporate governance


Chartered Institute of Internal Auditors

This guide sets out the steps internal auditors should take when conducting a review of corporate
governance. We look at how to provide consultancy and assurance based upon potential risks.

Developing the audit plan


Research and gather background information
Audit committee assurance requirements
The second line of defence and the need for coordination
How to prepare internal audit plans: what to audit and how
Prepare for an audit of corporate governance
Skills and experience required
Performing corporate governance audits – content
Risks

Developing the audit plan


The head of internal audit is responsible for developing a risk-based audit plan based on a
documented risk assessment. In preparing this plan, the head of internal audit should assess the
relative risk of governance processes, determine the audit approach – assurance versus consulting
– and consider the input of senior management and the board.

It may be appropriate to undertake a specific review of corporate governance, organisation reviews of
specific subject areas and/or incorporate aspects of corporate governance into other reviews which
form part of the audit plan.

Governance processes should be interwoven into the culture and activities of the organisation, and to
help prevent corporate governance failures in the future there should be adequate coverage of
governance within the annual internal audit plan and internal audit assignments.

Research and gather background information

The company secretary/corporate secretariat is responsible for the efficient administration of an
organisation, particularly with regard to ensuring compliance with statutory and regulatory
requirements and for ensuring that decisions of the board of directors are implemented. The auditor
should confirm the role and responsibilities of the company secretary/corporate secretariat.

Audit committee assurance requirements

In determining the scope of the audit, the auditor will need to consider their stakeholders’
expectations – including the organisation’s regulators, board, audit committees, senior
management and head of internal audit – as well as the responsibilities documented in the internal
audit charter (where one exists).

© Chartered Institute of Internal Auditors

Internal audit functions are increasingly asked to undertake Board Effectiveness Reviews. Such
reviews include traditional areas of audit focus such as the integrity of management information
produced, the content and scope of board meeting agendas, the allocation of time during meetings
to cover topics such as quality, performance, etc, and processes to record board discussion,
judgement and actions.

Internal auditors may be asked to make subjective judgements such as how effective on-boarding
and training sessions for NEDs are and the effectiveness of NED input, challenge and discussion at
board level.

The second line of defence and the need for coordination

The relationship among governance, risk management, and internal control should be considered.
This item is addressed in Practice Advisory 2110-2 and guidance published by the IIA entitled
Coordination of assurance services both of which explain that governance does not exist as a set of
distinct and separate processes and structures. Rather, there are relationships among governance,
risk management, and internal controls. Effective governance activities consider risk when setting
strategy.

Conversely, risk management relies on effective governance (e.g., tone at the top, risk appetite and
tolerance, risk culture, and the oversight of risk management). Effective governance relies on
internal controls and communication to the board on the effectiveness of those controls.

Where appropriate, there should be discussion and co-ordination between internal audit and the
second line of defence to avoid duplication of effort.

How to prepare internal audit plans: what could be audited and how

Consider whether corporate governance should be audited as a separate review looking at governance
overall, or as part of other audits.

The list that follows provides some of the key risks relating to corporate governance which may
impact an organisation, the possible response or controls which may be implemented to mitigate
the risk and the method by which internal audit may provide assurance.

When determining which of these risks and controls to include in any audit of corporate governance,
please consider the objectives of your specific organisation, for example:

• a listed company may have objectives to grow the business and make profits for shareholders
• a government department’s objectives may be to spend public money appropriately and deliver
specific policy matters in an efficient manner
• a charity’s objectives will be to achieve a particular charitable purpose (which will also be subject
to the public benefit test).

The specific risks to not achieving these objectives should be considered and assessed as
appropriate.

Prepare for an audit of corporate governance

The first step is to establish whether management has identified the appropriate regulations or
specific practices relating to corporate governance which are relevant to the organisation.

Next, the auditor should confirm if management has assessed the risks related to corporate
governance and whether management considers that they have adequate controls in place to
manage them. Internal Audit should report any failings in this process and be prepared to support
management in taking remedial actions.

Where internal audit identifies instances of suspected or actual breaches of regulations or best
practice guidance, this should be brought to the attention of the board, the audit committee and
senior management as soon as possible.

Skills and experience required

Consider the skills, experience and knowledge required by the auditor who will be completing the
review. This type of review will include dealing with senior management and assessing compliance
with legal/regulatory requirements, which may require a specific level of skill or experience.

Auditors will be required to meet with senior stakeholders in the business including executive
directors and non-executive directors and must have the skills to be able to discuss, assess and
challenge these individuals as part of their activities in assessing the effectiveness of governance.

Where the internal audit function does not have the specific skills or experience, consideration
should be given to using co-sourcing arrangements to complete the audit (or outsource the
completion of the audit).

Performing corporate governance audits – content

Any review will need to include providing assurance on the design and effectiveness of governance
controls and the outcome of these controls.

The following list provides some of the key risks relating to corporate governance which may impact
an organisation. When determining which of these risks and controls to include in any audit of
corporate governance, consider the objectives of your specific organisation.

The specific risks to not achieving these objectives should be considered and assessed as
appropriate.

The auditor should assess the design and operating effectiveness of any controls operated by the
company secretary/corporate secretariat function.

Any audit of corporate governance will have a high profile in the organisation, not least due to the
seniority of those who will be impacted by the results of the audit. With this in mind, it is important
that these engagements are adequately supervised.

Internal audit should not ‘second guess’ the decisions of the board but should include within its
scope the processes and controls supporting strategic and operational decision making. It should
assess whether the information presented to the board and executive management fairly represents
the benefits, risks and assumptions associated with the strategy and corresponding business
model (financial services code).

Risks

These are some of the key risks relating to corporate governance which may impact an
organisation. We look at the possible response or controls which may be implemented to mitigate
the risk, and the method by which internal audit may provide assurance.

Risk 1

The actions of the board, including the development of strategic objectives, are taken without due
consideration of the impact on the organisation, its stakeholders including shareholders, employees
and the wider community.

Cause
• Individuals on the board are not sufficiently experienced or there is insufficient independent
representation.
• Individuals on the board do not have an in-depth knowledge of the risks within the organisation, or
individuals focus on their own business line/part of the organisation.
• Management information is not sufficient to allow the board to undertake informed decisions (they
may be genuinely unaware of the impact an action will have).
• A lack of constructive and challenging dialogue leading to ‘group think’.

Response/controls
• Board composition includes a majority of independent individuals (in line with corporate
governance requirements, where applicable).
• Board composition is sufficiently diverse, including, but not limited to, gender and race.
• The required skills for each member of the board are determined and only individuals with the
appropriate skills and experience are recruited to the board.
• Boards have an in-depth knowledge of the risks within a firm’s business model.
• Information provided to boards must be sufficient for them to make informed decisions and to be
aware of the impacts of those decisions, including opportunity costs.

Ways for internal audit to provide assurance


• Assess the composition of the board considering the level of independent individuals and the
skills, experience and diversity of the individuals that make up the board.
• Review the recruitment process to ensure that individuals match the required skills (CVs).
• Review any training undertaken with board members to ensure they understand the organisation’s
risks.
• Review information provided to the board to ensure it is relevant, timely, accurate, and holistic,
and includes forecasts of the impact of decisions.

Risk 2

Non-executive directors (NEDs)/independent members of the board are unable to give independent,
robust challenge to the executive/senior management.

Cause
Individuals on the board do not have an in-depth knowledge of the risks within the organisation.

There is a lack of robust challenge of management due to the NEDs not fully understanding the
organisation, the sector or the key requirements of key stakeholders including regulators.

The NEDs do not have the personal skills to be able to effectively challenge management.

Response/controls
Effective on-boarding for NEDs to include education on the organisation/the regulatory requirements
for NEDs and ongoing training to ensure that their skills remain current.

There are adequate opportunities for the NEDs to meet independently with the external and internal
auditors and perhaps other assurance providers.

Ways for internal audit to provide assurance


Assess the recruitment process for NEDs to confirm that arrangements are in place to identify and
assess the skills of individuals prior to appointment.

Assess the on-boarding process, including training for new NEDs and the ongoing training provided to
ensure that NEDs remain aware of the risks within the organisation and of the expectations for the
role of a NED.

Assess the adequacy of opportunities for the NEDs to meet independently with the external and
internal auditors and perhaps other assurance providers. Review the evidence of any
discussion/challenge and the actions taken as a result of these meetings.

Risk 3

The board does not have sufficient, complete or timely information on which to base its decisions.

The board is not monitoring or taking action on the most significant risks to the organisation.

Cause
Management information provided to the board is incomplete, inaccurate or not timely.

Management information provided to the board is overly detailed or unclear.

Response/controls
Management information provided to the board is reviewed independently to confirm its integrity,
completeness, coverage of the organisation and clarity, and that it includes appropriate content to
meet the needs of the board.

The duration and frequency of board meetings are such to allow sufficient time for the discussion of
key issues and to ensure that any key decisions are made in time for any statutory deadlines.
There should also be some flexibility in the scheduling to allow for 'extraordinary' meetings to be
called in response to unexpected events.

Ways for internal audit to provide assurance


Assess the controls in place to confirm the completeness, coverage of the organisation, clarity, etc.
of the management information presented to the board.

Confirm that management information is independently reviewed prior to submission to the board.

Confirm that the content of the management information includes all topics/material information that
would be needed by the board on which to base its decisions.

Assess the quality and content of the pack provided to the board which it uses to make its
decisions, consider:

• Is the level of information/data provided of sufficient detail, or too much detail; does it include all
parts of the organisation?
• Where matters require approval is this clear; are the decisions required clear; have the different
options been explained; are there recommendations for action where appropriate?
• Is the pack provided on a timely basis to allow the board members sufficient time to read and
understand the content, and to gather additional information prior to the board meeting, where
appropriate?
• Is all jargon explained; look for use of acronyms or technical terms which may not be understood
by all directors, in particular non-executive directors?
• Are reports provided by all parts of the business including legal, compliance, finance, etc
(consider first line of defence and second line of defence)? Is there any part of the business that is
not included?

Assess whether or not the duration and frequency of board meetings are such to allow sufficient
time for the discussion of key issues and to ensure that any key decisions are made in time for any
statutory deadlines. There should also be some flexibility in the scheduling to allow for
'extraordinary' meetings to be called in response to unexpected events.

Risk 4

Evidence of the decisions made by the board, including the challenge process, is not retained
and/or is not transparent in confirming the decision process.

Actions agreed by the board are not completed or not completed on a timely basis.

Cause
Decisions made by the board may not be subject to an appropriate level of challenge or discussion
of concerns.

Particularly strong characters on the board may adversely impact or unduly influence the decisions
made by the board.

Decisions may not be agreed by an appropriate quorum of individuals.

Regulators and other interested parties may not be able to see the extent of any challenge made in
respect of decisions made by the board.

Actions agreed by the board may not be completed or may not be completed on a timely basis.

Response/controls
Processes are in place to record board discussions, votes, concerns raised and escalations, and to
track and follow up actions.

The terms of reference of the board define an appropriate quorum that is required for all key
decisions.

The chair of the board checks to ensure that all decisions are agreed by an appropriate quorum of
individuals, and that records are appropriately maintained.

Ways for internal audit to provide assurance


Assess the controls in place to record the minutes of board meetings – confirm that these are
sufficiently detailed to evidence the level of debate, discussion and challenge for any board
meetings.

Where discussions take place prior to the board meeting – confirm that these discussions are also
evidenced.

Confirm that all decisions are approved/agreed by the correct quorum and documented appropriately
in the minutes.

Assess controls for the tracking, follow-up and completion of actions agreed by the board.

Risk 5
Committees set up by the board may not fulfil their obligations or there are too many committees
each with individual roles meaning that the oversight of the organisation is fragmented and not
effective.

Cause
Decisions made by the board may not be subject to an appropriate level of challenge or discussion
of concerns.

Particularly strong characters on the board may adversely impact or unduly influence the decisions
made by the board.

Decisions may not be agreed by an appropriate quorum of individuals.

Regulators and other interested parties may not be able to see the extent of any challenge made in
respect of decisions made by the board.

Actions agreed by the board may not be completed or may not be completed on a timely basis.

Response/controls

Processes are in place to record board discussions, votes, concerns raised and escalations, and to
track and follow up actions.

The terms of reference of the board define an appropriate quorum that is required for all key
decisions.

The chair of the board checks to ensure that all decisions are agreed by an appropriate quorum of
individuals, and that records are appropriately maintained.

Ways for internal audit to provide assurance


Assess the controls in place to record the minutes of board meetings – confirm that these are
sufficiently detailed to evidence the level of debate, discussion and challenge for any board
meetings.

Where discussions take place prior to the board meeting – confirm that these discussions are also
evidenced.

Confirm that all decisions are approved/agreed by the correct quorum and documented appropriately
in the minutes.

Assess controls for the tracking, follow-up and completion of actions agreed by the board.

Assess the committee structure and consider if there is an appropriate structure in place so
oversight is not fragmented and is effective.

Risk 6
The board is not effective in covering the risks relating to remote offices or does not have
responsibility/oversight for all parts of the organisation.

Cause
The board does not have adequate or effective global/regional oversight.

Where regional or legal entity boards/committees exist the reporting arrangements to the global
board are not effective.

Response/controls
Responsibilities at a global, regional and legal-entity level are agreed and cascaded from the main
board.

Ways for internal audit to provide assurance


Assess the arrangements in place to agree and cascade responsibilities from the main board to
regional/legal entity boards or committees.

Assess the effectiveness of reporting/oversight of regional/legal entities.

Risk 7

Policies, procedures and projects are not aligned to the organisation’s objectives.

Cause
Part of the organisation may implement policies and procedures which either conflict with, or do not
support, the organisation in the achievement of its objectives.

Response/controls
Framework and structure for the setting, approval and cascade of policies that support the
organisation’s objectives.

Ways for internal audit to provide assurance


Assess the controls in place to ensure that responsibilities for setting and approving policies are
agreed and cascaded appropriately to ensure consistency and alignment to the organisation’s
objectives.

Risk 8

The culture of the organisation is not defined or does not support the organisation in achieving its
objectives.

Cause
The culture of the organisation has either not been determined or is not appropriate meaning that
parts of the organisation may not be performing or operating in a manner that supports the
organisation in achieving its objectives.

The ‘tone from the top’ may not reflect or may be at odds with the objectives of the organisation.

The culture of the organisation may be at odds with the ‘tone from the top’.

Response/controls
The organisation determines its culture, which is agreed at board level and then cascaded
throughout the organisation.

All communications from management are in line with the culture determined by the organisation.

Training is provided to all staff to help them understand what is expected including how they are
expected to behave.

Management is able to monitor adherence to the culture through staff surveys and through controls
that indicate inappropriate activity (for example, sales at the expense of appropriate advice to
customers).

A Code of Ethics is documented and approved by the board and is cascaded to all staff. On a
regular basis, all staff are expected to confirm adherence to the Code of Ethics.

There are avenues for employees to escalate or report any deviations from the expected culture,
with adequate arrangements in place to deal with these effectively.

Ways for internal audit to provide assurance


Determine if management has set and communicated the ‘culture’ of the organisation.

Assess how this was communicated: did it come from ‘the top’, and were all levels of staff involved?

Be aware of communications or other actions, either during an audit or as part of more general
contact with stakeholders/auditees, that may indicate that the culture is not being applied
throughout the organisation.

Assess the controls that management uses to identify the level of adherence to the expected
culture, and how management is made aware of any deviations from the expected culture, for example
through the whistle-blowing hotline.

Review the process for the approval of the Code of Ethics, and assess the controls in place to
determine if all staff regularly attest to adherence with the Code.

Risk 9

Risks are accepted or taken which are outside of the organisation’s risk appetite.

The organisation’s risk appetite may conflict with the objectives and values of the organisation.

Cause

Part of the organisation may take actions which either conflict with, or do not support, the
organisation in the achievement of its risk appetite.

The risk appetite may have been set inappropriately or may be at odds with the objectives and
values of the organisation meaning that risks may be accepted that are not in line with the
expectations of the board.

The reward structure recognises/rewards excessive risk taking, or individual risk taking without
reference to wider business risk appetite.

Response/controls
Risk governance: framework and structure; risk appetite developed and approved at group level and
cascaded throughout the organisation; monitoring of risk appetite and actions taken when the risk
appetite is exceeded.

Ways for internal audit to provide assurance


Assess the controls in place to develop and approve the risk appetite, and assess the quality of the
input information used in its development. Assess the controls in place for the regular review of the
risk appetite to ensure that it remains fit for purpose.

Assess the controls in place to cascade the risk appetite throughout the organisation.

Assess the controls in place to monitor and action any risk appetite breaches.

Review the process to report risks accepted to the audit committee or board.

Risk 10

In the event of material financial distress or failure, or other situation such as environmental
incidents or catastrophic loss of life or assets, there is an adverse effect on the wider economy or
society.

Cause
Financial services organisations are expected to have a “living will” to facilitate “rapid and orderly
resolution, in the event of material financial distress or failure.”

Disastrous environmental situations and catastrophic loss of life or assets may have a huge impact
and need to be dealt with appropriately, e.g. Chernobyl, the BP oil spill, etc.

Response/controls
The board has agreed and approved a ‘living will’. This ‘living will’ is subject to regular review and
update to ensure that it continues to provide an appropriate solution to the organisation in the event
of material financial distress or failure.

The board has contingency arrangements in place, which are subject to regular review, to deal with
other significant incidents such as disastrous environmental situations, catastrophic loss of life or
assets.

Ways for internal audit to provide assurance


Review and assess the process for determining, documenting and approving the ‘living will’. Assess
the appropriateness and completeness of the information provided to the board to consider the
various options available to it.

Confirm that the ‘living will’ is reviewed and subject to update, where required, on a periodic basis.

Review and assess the contingency policy/process and plans for dealing with other significant
incidents such as disastrous environmental situations, catastrophic loss of life or assets. Assess
the appropriateness and completeness of the information provided to the board to consider the
various options available to it.

Confirm that the agreed contingency policy/process and plan are subject to update, where required,
on a periodic basis.

Risk 11

The governance requirements of any regulation or legislation are not met, leading to increased
regulatory risk including sanction, censure or closure of a business.

Cause
Where an organisation fails to meet regulatory requirements or regulations the organisation may be
subject to fines or censure which could adversely impact its reputation and may result in a loss of
business or inability to achieve its objectives.

Response/controls
The board has an appropriate process to ensure that existing regulatory/legislative requirements
are identified, and actions taken to ensure that the organisation is compliant with these. Appropriate
controls are implemented to ensure that these are met and the outcome of these controls is
reported to the board on a regular basis.

The board has an appropriate process to identify new and future regulatory/legislative requirements.
Controls are implemented to ensure that these are met and the outcome of these controls is
reported to the board on a regular basis.

Ways for internal audit to provide assurance


Identify the regulatory/legislative requirements for governance based on the type of organisation
being assessed. Confirm how the organisation identified and meets these requirements, and test
the controls as appropriate.

Confirm that the board receives appropriate reports on the ongoing compliance with these
regulations (this may be from internal audit or from management’s own risk and control processes,
i.e. first or second line of defence activity).

Assess the controls in place to identify new/emerging regulatory requirements/legislation and the
actions taken by the board to ensure that these are addressed in a timely manner. Assess the level
of reporting to the board on the progress of actions to address these requirements.

Risk 12
Communications from the board are not effective as they are not timely or complete meaning that
parts of the organisation may not be operating in line with board expectations and may not support
the organisation in achieving its objectives.

Cause
If communications from the board are not clear, complete and timely, different parts of the
organisation may take actions that do not support the achievement of the organisation’s objectives.
Actions may be taken, for example, that contradict the board’s expectations or which take the
organisation in a different direction to that intended.

Response/controls
Matters to be communicated are agreed by the board, and appropriate methods of communication
are determined and implemented. Communications are clear and provided by senior individuals to
indicate the requirements of the board.

Ways for internal audit to provide assurance


Assess how the board communicates its decisions – ensure that these communications are
provided by appropriately senior individuals, are clear and include all relevant parts of the
organisation.

Further reading

Financial services code

International Standards:
2110 Governance

Practice advisories:
PA 1111-1 Board interaction

PA 2110-1 Governance: definition
PA 2110-2 Governance: relationship with risk and control
PA 2110-3 Governance: assessments

External resources

Seven smart things growing companies do
