Time to Mandate Internal Audit?


The Institute of Internal Auditors (IIA) has been campaigning for regulatory change in Australia for more than 10 years. Much of what they’ve been saying has fallen on deaf ears. 

Australia has one of the highest public exposures to listed shares as a result of mandatory superannuation. While prudent fund managers should be underweight in poorly governed companies, this doesn’t happen in practice. If a company share price spikes and the company hits the ASX/S&P200, your super fund just bought the stock, even if governance is shocking. 

Australian regulation has fallen behind in some respects, resulting in laggards in the ASX/S&P lists, and owned by your super funds.

To be fair, there are some areas where Australian regulation leads. Having internal audit report to independent board audit committees gave the internal audit profession such a kick up the backside that it caused generational change in the entire profession. Other countries would benefit form this.

Similarly the requirements for boards and management to focus on whether the organisation really understands the material business risks they face, rather than just saying that they comply with the relevant risk standards has been a great thing for Australia’s competitiveness internationally. 

But alas, these are suggestions only. They are not mandatory. Companies can weasel out of them or ignore them entirely. Even worse, some of the fundamentals have been skipped over, particularly internal audit which is a cornerstone of most governance frameworks elsewhere. 

While internal audit is mandated for listed companies in the United States and throughout Asia, in Australia it is not. Similarly while the UK and South Africa have disclosure triggers on internal audit, Australian companies have nothing. This results in many companies outside the ASX/S&P 50 not having an internal audit function let alone one which is effective or risk-focused. 

IIA has put together a policy agenda for reform. It contains five principles, two of which are yet to be pushed by the ASX or ASX Corporate Governance Council.

  • Internal audit is fundamental to good governance
  • Internal audit should operate at a consistently high standard

IIA Australia’s policy principles and recommendations are helpful for most mid-cap companies but many have not implemented them. They do this at their peril. Lagging performance on risk and assurance will force regulators to step in. Indeed if they had done so sooner your superannuation balances would be looking a lot healthier, as would mine.

This article first appeared in the April 2011 edition of Risk Management Magazine.

Download the IIA’s Policy Agenda (Australia)