The relationship between corporate governance and internal audit


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


This assignment describes the relationship between corporate governance and internal audit. The first step is to understand what corporate governance and internal audit really are, and how they can be defined.

Corporate Governance cannot be defined precisely; however, there are some theories and definitions. Corporate Governance can be considered as "a field in economics that investigates how to secure / motivate efficient management of corporations by the use of incentive mechanisms, such as contracts, organizational designs and legislation". However, it is often limited to the question of how financial performance can be improved, for example how the company's owners can ensure that the managers will deliver a positive rate of return (Mathiesen 2002, cited in Another theory defines corporate governance as the way in which firms and organizations can be managed and controlled (OECD 1999).

Moreover, companies select their managers to be accountable and trustworthy to the shareholders. However, the interests of the two sides sometimes conflict and can diverge. For instance, managers want to increase the market share, whereas shareholders wish to exploit the firm's value. Obviously, there is a conflict between the two sides. The intention of Corporate Governance is to resolve this conflict so that effectiveness and profitability can be achieved (Tirole 2001; Berle & Means 1932; Shleifer & Vishny 1997).

Corporate governance consists of three main pillars: Management, the Board of Directors and the External Auditor. However, internal audit is supposed to be the fourth. Internal audit can be defined as an autonomous assurance and consulting method that has been created in order to increase value and improve the company's operations. Moreover, it helps the company to achieve its goals by using a systematic and disciplined methodology to estimate and increase the efficiency of governance, control and risk management procedures (KPMG, 2007; Rezaee, 2002).

Internal audit

Internal audit and internal control should not be confused with each other, because they have two totally different meanings.

Internal control is a procedure, effected by a company's board of directors and management, which is established to deliver realistic assurance regarding the accomplishment of the company's goals in the following categories:

Effectiveness and efficiency of operations.

Reliability of financial reporting.

Compliance with applicable laws and regulations.

Moreover, the purpose of internal control at the organizational level is to ensure the reliability of the financial reports provided, to give suitable feedback on the accomplishment of the company's strategic or operational objectives, and to assure that the company complies with regulations and legislation. At the transactional level, internal control refers to the activities that the company carries out in order to accomplish particular objectives, such as payments to third parties. Additionally, internal control has a significant role in preventing and detecting fraud and in protecting the company's assets, both tangible and intangible (Cattrysse, 2005; KPMG, 2008).

On the other hand, as mentioned before, internal audit helps the company to attain its goals by using specific methodologies to estimate and increase the efficiency of governance, control and risk management, and has been created in order to increase value and improve the company's operations. Internal audit's role is therefore very significant, not only for the Board of Directors but for the External Auditors and the Audit Committee too (Deloitte, 2009; KPMG, 2007).

Apart from its controlling and supporting operations, internal audit can also be described as consultative, because it can provide information on prospective flaws of the company at both the business and the financial level. Furthermore, through internal audit the Board of Directors can be informed about the company's internal control function (KPMG, 2007).

The main objectives of internal audit are to:

Define the crucial risks that the company's activities face within the scope of the audit

Establish and implement a risk-based testing method to examine whether the most important controls are functioning properly

Identify and report problems to the management and suggest actions to address them

Investigate and evaluate every operational and financial information

Examine and evaluate internal control system and framework

Analyze in depth every financial statement, in order to examine: a) whether the company operates effectively b) and if its objectives have been achieved (Morariu, A., 2009)

The above objectives can vary, and some of them may not apply, because of factors such as the company's nature, the complexity of the activity being audited and the available resources. Moreover, auditors can support the company in achieving its objectives by evaluating and recommending possible improvements in critical areas. However, these benefits of internal audit cannot be trusted when the auditor comes from the company's internal environment and is not independent. An auditor could lose his integrity if he deals with the daily processes that are being audited (Morariu, A., 2009; KPMG, 2007).

The role of Internal Audit Unit, Audit Committee and External Auditor

The Internal Audit Unit is a vital part of the company. It is established by top management executives who are qualified and trained to suggest corrective actions when a problem occurs. It has an independent purpose and it is directly committed to the administration of the company. The reasons for its existence are numerous, but the major ones are the following:

To describe the company's control type

To determine unprejudiced risk assessment

To indicate the several procedure forms of the company

To present the compliance framework

To demonstrate and examine both the financial and the operational performance

To make recommendations for maximizing the usage of the available resources

To evaluate if the desired objectives have been achieved

To be responsible for giving feedback about the company's ethics and values (Hermanson & Rittenberg, 2003; KPMG, 2008).

Additionally, the role of internal audit in the company depends mainly on the company's size. The larger the company, the greater the role of internal audit and the greater its responsibilities. Moreover, the formation of the internal audit committee depends on one main factor: whether the company is listed on the Stock Exchange or not. If the company is not listed on the stock exchange, internal audit could be more efficient, as the only person in charge is the CEO. Conversely, if the company is listed, the internal audit has to be supervised by the Audit Committee (Hermalin B. & Michael W., 2001).

The Audit Committee is in charge of monitoring and supervising disclosure and financial reporting. Its members are selected from the Board of Directors of the company, and the chairperson is selected from among the members of the Audit Committee. Moreover, Audit Committees are authorized to obtain the consulting resources and the knowledge considered necessary to execute their responsibilities efficiently. Their responsibilities are:

Monitoring the financial reporting and the disclosure procedure

Overseeing accounting principles and policies

Controlling the internal control progression

Supervising the performance of external and internal auditors

Overseeing the risk management policies and suggesting improvements to the company's management

(Hermanson & Rittenberg, 2003; McMullen D.A. & Raghunandan K. 1996; AICPA Committee On Auditing Procedures)

External auditing is a very significant process for appropriate corporate governance, and it is carried out by independent, qualified professionals. The external auditor executes an audit of the company's financial statements according to particular laws and principles. As the auditor is completely independent of the companies or entities being audited, his financial information reports are unbiased and reliable for investors and government agencies. Moreover, the audit reports are of significant use to the company, because they focus mainly on the company's financial results and performance and examine management issues in order to avoid probable risks (Pop et al., 2008; Ojo, M., 2009).

However, it is compulsory for external auditors to be members of one of the recognized accountancy bodies, and their qualifications and their format of reporting are defined by the state and may sometimes differ from country to country (Omega Accountancy Company).

Internal Audit and Corporate Governance

The role of internal audit in the implementation of the Corporate Governance principles is crucial. Internal audit, always based on consistency, accountability and transparency, records and examines the internal processes in practice, presents the weaknesses in the system and proposes corrective actions and adjustments. The main objective of internal control is to establish a strong connection between the managers and the divisions of the company and to force the company to adapt its existing institutional framework (Allen S., 2008).

Internal audit can be characterized as a mechanism for overseeing the operation of the principles of corporate governance and for safeguarding the shareholders' interests. Additionally, the internal audit management examines whether or not the company's activities operate properly, without being limited to financial and accounting activities (Baker C.R. & Owsen D.M., 2002).

The importance of the internal audit and the audit committee was understood early and for that reason Corporate Governance regulations and recommendations have been created and adopted by all countries.

In 1992 the Cadbury Report was established to make some adjustments to the existing framework by introducing new principles such as integrity, accountability and openness. The Cadbury Report was mainly focused on separating the roles of the CEO and the chairman. Briefly, the main points were:

Audit Committee should be staffed by at least three non-executive directors

Every contract should expire after three years

Non-executive directors should be independent from management and must be unrestricted from other responsibilities or companies (Cadbury A., 1992; Cattrysse, 2005)

However, despite the fact that the Cadbury Report's regulations were applied internationally, some major corporate scandals occurred, such as Enron and WorldCom. For this reason, the US Government was forced to establish the Sarbanes-Oxley Act (SOX) in 2002 in order to prevent another fraud. SOX included 11 sections with regulations focused mainly on corporate responsibility, auditor's independence and corporate fraud accountability. Section 404 of the act makes recommendations for internal auditing (Sarbanes-Oxley Act, 2002; Gillan, S., 2007).

The Sarbanes-Oxley Act states that internal audit should: consult on the company's existing internal control and suggest adjustments if needed; examine and support the role of the management when it creates stress tests to evaluate the efficiency of the internal control; and help in the educational and training part of the internal control. Additionally, it states that management should only supervise whether the internal control's processes are applied to financial reporting (Deloitte, 2009).

In 2010 the Combined Code was established by the Financial Reporting Council to enhance the role of Corporate Governance. This Code is a combination of the Cadbury, Greenbury and Hampel Reports, and it is focused on corporate performance, accountability and prosperity. Moreover, the Combined Code:

Includes risk averting principles

Gives the non-executive directors new responsibilities related to strategic issues

Requires the shareholders of all listed companies to re-elect the directors annually

Establishes a principle that forces all executives to be cognizant of their major shareholders (Combined Code, 2010).

Corporate Scandals

In past decades major corporate scandals have been recorded, which finally led to the financial crisis of 2007-2009. The most significant are Enron, WorldCom and Lehman Brothers.

Enron was established in 1985 as a natural gas company. In 1999 the company transformed into a leading company in gas, electricity and oil, with a stock value reaching $45 per share. In 2000 its stock value reached $91 per share. In 2001, Sherron Watkins, who was the president of the company, decided to write an anonymous letter to the CEO of the company, Ken Lay. Watkins informed him that the company was facing major problems with its alliances regarding the audit part of them, the role of the CFO in them, and the probable negative impact on the market if all this information were published.

Meanwhile, the company's traded shares were worth approximately $41 million. Also, other members of the company traded $71 million in shares. The value of the share decreased dramatically to $28 after the terrorist attack of September 11. One month later the company announced a $618 million loss in the third trimester, $1.2 billion considering the aforementioned reports (Gudikunst A., 2002).

The main reasons that led Enron into bankruptcy were the inadequate internal audit, the CFO's exorbitant salaries and the inability of the CEO to administer his own company efficiently.

Another case of bankruptcy worth mentioning is WorldCom. The main problems were:

Bad cash management - cash flows manipulation

Operating expenses were treated as Capital Investment

Weak internal Control

Questionable Ethics (Gillan, S. 2006)


As mentioned, the Internal Audit Unit, the Audit Committee and the External Auditor are supervising authorities which have been established in order to help companies to work more efficiently and to improve their performance. Additionally, the Cadbury Committee Report, the Sarbanes-Oxley Act and the Combined Code 2010 were created for better Corporate Governance practices and to limit companies' activities, prevent frauds and protect the investors, something that seems to go well.

However, despite the harsh regulation and the supervision of the authorities, some companies succeeded in getting around the existing legislation and committed major corporate scandals and frauds.

Regardless of how many reports and pieces of legislation are created, companies will again find ways to get around them and commit financial crimes. This is because the main problem is not the framework of internal audit or the efficient implementation of the principles of corporate governance, but the deontology, corporate culture and ethics that the companies have. These are the first things that should be corrected, and all the others are of minor importance.